Analysis

  • max time kernel
    7s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    22-12-2023 05:26

General

  • Target

    Private DR 8.exe

  • Size

    32KB

  • MD5

    3545a1d643a4bbe8254e6288ef8b8970

  • SHA1

    54c78dd9b1af967af5bae3436666b4cc6ec9981a

  • SHA256

    ce9f3a26c1dc03bdb6b44d8f21155c01481cfef00d52aed3e8cb2d127d9a0bf7

  • SHA512

    56cfac7a646b9a9c898131d714497af04c29f72aa05dcb4c680e384e62058af5bb136017e6a79a5e5b8d069d488f2651fa0ccddbf332ffd99b0975d63624e884

  • SSDEEP

    384:FwZ2iQY1yEccOrM5si+dCLp6dqs9dFPI4+hAVoTi+NlDQodg9TduS/EIGsJjwE7I:CI05cTvTdCmvsuouDuCEIGfRu+f

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Hacked By HiDDen PerSOn

C2

127.0.0.1:5552

Mutex

ccedfcf6c833355573619d64c1fe7aea

Attributes
  • reg_key

    ccedfcf6c833355573619d64c1fe7aea

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Private DR 8.exe
    "C:\Users\Admin\AppData\Local\Temp\Private DR 8.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2480
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\PRIVATE DR8
      2⤵
        PID:2436
        • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
          "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\PRIVATE DR8"
          3⤵
            PID:2728

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\PRIVATE DR8
        Filesize

        32KB

        MD5

        3545a1d643a4bbe8254e6288ef8b8970

        SHA1

        54c78dd9b1af967af5bae3436666b4cc6ec9981a

        SHA256

        ce9f3a26c1dc03bdb6b44d8f21155c01481cfef00d52aed3e8cb2d127d9a0bf7

        SHA512

        56cfac7a646b9a9c898131d714497af04c29f72aa05dcb4c680e384e62058af5bb136017e6a79a5e5b8d069d488f2651fa0ccddbf332ffd99b0975d63624e884

      • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
        Filesize

        3KB

        MD5

        665302c934136b55da868419a3afdcb4

        SHA1

        c7363cf0f76aa99ded02edcb04610fc8756a71db

        SHA256

        3569c38de00a82b1c591a67e69c238b12e4abba877bdd7adab3c0c6696ccbd8c

        SHA512

        ef23c32546128bd7b2bb458226e6fd9c77c4265e3d38f10799a966e6973a96e1ce41243e77e49ce8c4a9351cfa0a2d8bf5d9e68f6c2945044b23d6c7bdd64a12

      • memory/2480-0-0x0000000074D90000-0x000000007533B000-memory.dmp
        Filesize

        5.7MB

      • memory/2480-2-0x0000000000B40000-0x0000000000B80000-memory.dmp
        Filesize

        256KB

      • memory/2480-1-0x0000000074D90000-0x000000007533B000-memory.dmp
        Filesize

        5.7MB

      • memory/2480-5-0x0000000074D90000-0x000000007533B000-memory.dmp
        Filesize

        5.7MB