Analysis

  • max time kernel
    119s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    19-12-2023 10:59

General

  • Target

    0eb49170e762d1d8745681e2157d8215.exe

  • Size

    33KB

  • MD5

    0eb49170e762d1d8745681e2157d8215

  • SHA1

    0244d2f6e18bc6124f3a4153acb871c818a4db8b

  • SHA256

    6a57368ea33eb414da5c2bdd0e3a12c8d47575c44ba13a966bea162d4796b0c9

  • SHA512

    99ae0b41a752b6d15dd54bd9cefdca514e9b1a194014f798902242c8186c9f4edb849a35bdc36171c63e8fe057b5d603c264d192707d2afe3603ad230facad4d

  • SSDEEP

    768:VvTSwH0f6lx8gcRfufYHGulkR23t+UG78iK1KB/9dZ:tSwH0fM8jS3R29nG4TgBF

Score
10/10

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

127.0.0.1:5552

Mutex

Windows Update

Attributes
  • reg_key

    Windows Update

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0eb49170e762d1d8745681e2157d8215.exe
    "C:\Users\Admin\AppData\Local\Temp\0eb49170e762d1d8745681e2157d8215.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\patsh
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1068
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\patsh"
        3⤵
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:2828

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\patsh
    Filesize

    33KB

    MD5

    0eb49170e762d1d8745681e2157d8215

    SHA1

    0244d2f6e18bc6124f3a4153acb871c818a4db8b

    SHA256

    6a57368ea33eb414da5c2bdd0e3a12c8d47575c44ba13a966bea162d4796b0c9

    SHA512

    99ae0b41a752b6d15dd54bd9cefdca514e9b1a194014f798902242c8186c9f4edb849a35bdc36171c63e8fe057b5d603c264d192707d2afe3603ad230facad4d

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
    Filesize

    3KB

    MD5

    befb7adb41c088bdf18c6533c0c33a68

    SHA1

    7de7bb005da507ab07c641d94509cb9c38fecfd7

    SHA256

    f1584f3566876177f922e384e57190c4e8be24b497aa60bf16b986d8ccf0cdcd

    SHA512

    182471f95a80913c83e4bf76d5d7a0d6d6a6abdbe26b980cca9c9c0b2f11160bc60209af73d7031503cfb65ad916f9a34aff5040b8062c0a17af4b85d7360689

  • memory/2000-0-0x0000000000170000-0x0000000000186000-memory.dmp
    Filesize

    88KB

  • memory/2000-1-0x000007FEF6150000-0x000007FEF6AED000-memory.dmp
    Filesize

    9.6MB

  • memory/2000-2-0x0000000000B60000-0x0000000000BE0000-memory.dmp
    Filesize

    512KB

  • memory/2000-3-0x000007FEF6150000-0x000007FEF6AED000-memory.dmp
    Filesize

    9.6MB

  • memory/2000-6-0x000007FEF6150000-0x000007FEF6AED000-memory.dmp
    Filesize

    9.6MB