Overview

overview

10

Static

static

3

53ff7f3253...34.exe

windows7-x64

10

53ff7f3253...34.exe

windows10-2004-x64

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    19-12-2023 15:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    53ff7f325392759ad23ecff401bf6534.exe

  • Size

    307KB

  • MD5

    53ff7f325392759ad23ecff401bf6534

  • SHA1

    c3dd5b7fde858765da3c5412fad797e3e1a0c9aa

  • SHA256

    eea22615ac37aca1c2258c1283f397a6de1f24967bc9ccf649d81ccd1fd04a19

  • SHA512

    629503978bb475470c61c94fc509701fa58ec268be0c4bb65696b9d93bc4b53cf29b07d8de039c69e70958639176f5258e5be1f1875b07daa2e714735ecb8ca6

  • SSDEEP

    6144:0jbei1kGc+HGcPCaTk+4/b2lSd6tsLTXv4A3qssRF0gx5CR:0u+c+FPCaTkn2lSRLrgAapf0gx5CR

Score
10/10
njrathackedpersistencetrojanupx

Malware Config

Extracted

Family

njrat

Version

0.7.3

Botnet

Hacked

C2

6.tcp.eu.ngrok.io:15787

Mutex

MILF.exe

Attributes
  • reg_key

    MILF.exe

  • splitter

    123

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Drops startup file 4 IoCs
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 8 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 31 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\53ff7f325392759ad23ecff401bf6534.exe
    "C:\Users\Admin\AppData\Local\Temp\53ff7f325392759ad23ecff401bf6534.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2848
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\@.cmd
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\@.cmd
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2468
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\@.cmd",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        3⤵
        • Drops startup file
        PID:3004
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\@.cmd
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\@.cmd
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2832
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /Delete /tn NYAN /F
          4⤵
            PID:2588
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\@.cmd" /sc minute /mo 1
            4⤵
            • Creates scheduled task(s)
            PID:2644
          • C:\Users\Admin\AppData\Roaming\MILF.exe
            "C:\Users\Admin\AppData\Roaming\MILF.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2240
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Roaming\MILF.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
              5⤵
                PID:2880
              • C:\Users\Admin\AppData\Roaming\MILF.exe
                C:\Users\Admin\AppData\Roaming\MILF.exe
                5⤵
                • Drops startup file
                • Executes dropped EXE
                • Loads dropped DLL
                • Adds Run key to start application
                • Suspicious use of AdjustPrivilegeToken
                PID:1568
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /Delete /tn NYAN /F
                  6⤵
                    PID:1820
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Roaming\MILF.exe" /sc minute /mo 1
                    6⤵
                    • Creates scheduled task(s)
                    PID:2624
        • C:\Windows\system32\taskeng.exe
          taskeng.exe {81C7F502-E88B-4868-BF90-2BFBEBC691CB} S-1-5-21-3427588347-1492276948-3422228430-1000:QVMRJQQO\Admin:Interactive:[1]
          1⤵
            PID:2372
            • C:\Users\Admin\AppData\Roaming\MILF.exe
              C:\Users\Admin\AppData\Roaming\MILF.exe
              2⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              PID:1704
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Roaming\MILF.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
                3⤵
                • Drops startup file
                PID:2384
              • C:\Users\Admin\AppData\Roaming\MILF.exe
                C:\Users\Admin\AppData\Roaming\MILF.exe
                3⤵
                • Executes dropped EXE
                PID:1920
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /Delete /tn NYAN /F
                  4⤵
                    PID:1672
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Roaming\MILF.exe" /sc minute /mo 1
                    4⤵
                    • Creates scheduled task(s)
                    PID:1620

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\CSIDL_
              Filesize

              122KB

              MD5

              35851f0acefef600b24d706eadf4615c

              SHA1

              c9e77859d7de6489f2ee24c0831f80878a832202

              SHA256

              bebb2a563f923eed7eb3007ab26ccb8729d14f0552217bcfe1949bf48d99093e

              SHA512

              10ae0359748b1a9d155130f7e18764db7ff8c56145983bbce838a776b08fa29cf0fa69c90b2ee259765d6c2326fc319a18ce16708b39eee1c62c5717041750b4

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\@.cmd
              Filesize

              104KB

              MD5

              42ccd69a3be9618d329de0ea0fde3a81

              SHA1

              47e9897f303496eb9cd5883f9cdb283b6eee65d3

              SHA256

              14137fcc8697e967b251fd0fafbdf79af8db4c1a67f2eafe53756e3ad80a9bef

              SHA512

              33d95b20ce606441c89dbc575c8e884196a19db056ffd9d54a5e0c57f3928b0d064b6270e4abf033046606e0456156faba3f3a8e6a353e924a7461e61e46bfae

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
              Filesize

              102B

              MD5

              36af835bbe9400494d117b4f7c471a01

              SHA1

              64e553859bf27a1e214b2439f703bae767851525

              SHA256

              2b7237eed196ea86a7631c6ead894386c213c4ca8c021454e7f97286d196ece1

              SHA512

              38450e87264f7b3bca258f0b943f0a1863e2655c8c9b09d5d7d1d7076d11d50f57468ba79c81ac7fc2bf3fe899d5725c9d852659c2e9b0bb3e8e6c5f3bf7dd6a

              Download Submit

            • \Users\Admin\AppData\Local\Temp\IXP000.TMP\@.cmd
              Filesize

              127KB

              MD5

              d22c97b55bb23ab3400d50a67a8ea9e5

              SHA1

              96bd182c0f62a843639430966eb50719406f5d0a

              SHA256

              286227287f1fa79d5d5d909c2f457fc4d0aefa6be9e940f9a1f214d113ff88b4

              SHA512

              d6715b37f0d80b9d750f375652d1c4f067292894a8e671ca7542321a17a597293b25f3515d3547f2fe7691adfc07695b5581d055e6f76aaa7add64b6ad16eedf

              Download Submit

            • memory/1568-99-0x0000000000400000-0x0000000000E28000-memory.dmp

              Filesize

              10.2MB

              Download

            • memory/1568-101-0x0000000000400000-0x0000000000E28000-memory.dmp

              Filesize

              10.2MB

              Download

            • memory/1568-109-0x0000000073F10000-0x00000000744BB000-memory.dmp

              Filesize

              5.7MB

              Download

            • memory/1568-104-0x0000000073F10000-0x00000000744BB000-memory.dmp

              Filesize

              5.7MB

              Download

            • memory/1704-147-0x0000000000400000-0x000000000044E000-memory.dmp

              Filesize

              312KB

              Download

            • memory/1704-111-0x0000000000400000-0x000000000044E000-memory.dmp

              Filesize

              312KB

              Download

            • memory/1920-143-0x0000000073F10000-0x00000000744BB000-memory.dmp

              Filesize

              5.7MB

              Download

            • memory/1920-142-0x00000000029E0000-0x0000000002A20000-memory.dmp

              Filesize

              256KB

              Download

            • memory/1920-141-0x0000000073F10000-0x00000000744BB000-memory.dmp

              Filesize

              5.7MB

              Download

            • memory/1920-149-0x0000000073F10000-0x00000000744BB000-memory.dmp

              Filesize

              5.7MB

              Download

            • memory/2240-107-0x0000000000230000-0x000000000023D000-memory.dmp

              Filesize

              52KB

              Download

            • memory/2240-68-0x0000000000400000-0x000000000044E000-memory.dmp

              Filesize

              312KB

              Download

            • memory/2240-106-0x0000000000400000-0x000000000044E000-memory.dmp

              Filesize

              312KB

              Download

            • memory/2240-78-0x0000000000540000-0x000000000058E000-memory.dmp

              Filesize

              312KB

              Download

            • memory/2468-27-0x0000000000A50000-0x0000000000A9E000-memory.dmp

              Filesize

              312KB

              Download

            • memory/2468-23-0x00000000003C0000-0x00000000003C5000-memory.dmp

              Filesize

              20KB

              Download

            • memory/2468-15-0x0000000000360000-0x0000000000362000-memory.dmp

              Filesize

              8KB

              Download

            • memory/2468-14-0x0000000000400000-0x000000000044E000-memory.dmp

              Filesize

              312KB

              Download

            • memory/2468-54-0x0000000000400000-0x000000000044E000-memory.dmp

              Filesize

              312KB

              Download

            • memory/2832-30-0x0000000000400000-0x0000000000E28000-memory.dmp

              Filesize

              10.2MB

              Download

            • memory/2832-63-0x0000000005A10000-0x0000000005A5E000-memory.dmp

              Filesize

              312KB

              Download

            • memory/2832-69-0x0000000073EC0000-0x000000007446B000-memory.dmp

              Filesize

              5.7MB

              Download

            • memory/2832-67-0x0000000000400000-0x0000000000E28000-memory.dmp

              Filesize

              10.2MB

              Download

            • memory/2832-52-0x0000000073EC0000-0x000000007446B000-memory.dmp

              Filesize

              5.7MB

              Download

            • memory/2832-50-0x0000000000400000-0x0000000000E28000-memory.dmp

              Filesize

              10.2MB

              Download

            • memory/2832-48-0x0000000000400000-0x0000000000E28000-memory.dmp

              Filesize

              10.2MB

              Download

            • memory/2832-44-0x0000000000400000-0x0000000000E28000-memory.dmp

              Filesize

              10.2MB

              Download

            • memory/2832-42-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2832-40-0x0000000000400000-0x0000000000E28000-memory.dmp

              Filesize

              10.2MB

              Download

            • memory/2832-38-0x0000000000400000-0x0000000000E28000-memory.dmp

              Filesize

              10.2MB

              Download

            • memory/2832-36-0x0000000000400000-0x0000000000E28000-memory.dmp

              Filesize

              10.2MB

              Download

            • memory/2832-34-0x0000000000400000-0x0000000000E28000-memory.dmp

              Filesize

              10.2MB

              Download

            • memory/2832-32-0x0000000000400000-0x0000000000E28000-memory.dmp

              Filesize

              10.2MB

              Download

            • memory/2832-28-0x0000000000400000-0x0000000000E28000-memory.dmp

              Filesize

              10.2MB

              Download

            • memory/2832-26-0x0000000000300000-0x0000000000400000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/2848-13-0x0000000000180000-0x00000000001CE000-memory.dmp

              Filesize

              312KB

              Download

            • memory/2848-11-0x0000000000180000-0x00000000001CE000-memory.dmp

              Filesize

              312KB

              Download