Overview

overview

10

Static

static

3

7ece92212c...40.exe

windows7-x64

10

7ece92212c...40.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    29-01-2024 03:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7ece92212c59df419305a7915b0deb40.exe

  • Size

    148KB

  • MD5

    7ece92212c59df419305a7915b0deb40

  • SHA1

    d39d2595dc53bec55ac4fa6262feb5ceb1e8637e

  • SHA256

    c4a303a933d34ae05da9b5208a1b523a4e0a53c40d648457b124338b8cede1ff

  • SHA512

    66ddb7692d0921b70f7cde29f0a7dc5d35f7bd8c0e78c97b9fe583e9a8379fd4915cdd746c868fa19ac8476ec7c6f137835c141523412810580077e99e6a8079

  • SSDEEP

    3072:mR99ArBvfOBSdThazVJXdQ5/AdaAEUJ7XlE3pYLSxwp3Sb8:ocB1d9iXeSU87XlE+OxwpCb

Score
10/10
njrat4evasionpersistencetrojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

4

C2

rlawlsl154.codns.com:443

Mutex

a695e871b7f2f081334e678e67df6a28

Attributes
  • reg_key

    a695e871b7f2f081334e678e67df6a28

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops autorun.inf file 1 TTPs 5 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7ece92212c59df419305a7915b0deb40.exe
    "C:\Users\Admin\AppData\Local\Temp\7ece92212c59df419305a7915b0deb40.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Drops autorun.inf file
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3068
    • C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\7ece92212c59df419305a7915b0deb40.exe" "7ece92212c59df419305a7915b0deb40.exe" ENABLE
      2⤵
      • Modifies Windows Firewall
      PID:2028

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • F:\svchost.exe
    Filesize

    148KB

    MD5

    7ece92212c59df419305a7915b0deb40

    SHA1

    d39d2595dc53bec55ac4fa6262feb5ceb1e8637e

    SHA256

    c4a303a933d34ae05da9b5208a1b523a4e0a53c40d648457b124338b8cede1ff

    SHA512

    66ddb7692d0921b70f7cde29f0a7dc5d35f7bd8c0e78c97b9fe583e9a8379fd4915cdd746c868fa19ac8476ec7c6f137835c141523412810580077e99e6a8079

    Download Submit

  • memory/3068-0-0x0000000000930000-0x000000000095E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3068-1-0x0000000073EC0000-0x00000000745AE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3068-2-0x0000000000240000-0x0000000000250000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3068-12-0x0000000004CB0000-0x0000000004CF0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/3068-13-0x0000000073EC0000-0x00000000745AE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3068-14-0x0000000004CB0000-0x0000000004CF0000-memory.dmp

    Filesize

    256KB

    Download