Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    06-02-2024 18:58

General

  • Target

    953cb72ec7feee841757eca646add75d.exe

  • Size

    2.6MB

  • MD5

    953cb72ec7feee841757eca646add75d

  • SHA1

    f594c79a413380cd4f6717097b4003a252f1a84c

  • SHA256

    35905f3d15f4c53feaec8bf0a3fba99621f8ffb8e02f64a03323d6674976b3b5

  • SHA512

    cd8d50039fdf1ade147cbf50dc9b24e1e652a1d1a8eedb4ef2ebb51ebd8dbbef8e1b4fc0e56dc420ec528558a316366157ee5bd3853e0cd7f879bfe63d7d785a

  • SSDEEP

    49152:eFFdWfzEeWY3LvXf5IAjYGoW6qQluP+xsKRbYJlotmqahJBt21:e5IeY37yAjYKP25YJIm5G

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Lammer

C2

bp2020.ddns.net:666

Mutex

ca1abf05f66deec6f87b6b8a8e6cac15

Attributes
  • reg_key

    ca1abf05f66deec6f87b6b8a8e6cac15

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\953cb72ec7feee841757eca646add75d.exe
    "C:\Users\Admin\AppData\Local\Temp\953cb72ec7feee841757eca646add75d.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\953cb72ec7feee841757eca646add75d.exe" "953cb72ec7feee841757eca646add75d.exe" ENABLE
      2⤵
      • Modifies Windows Firewall
      PID:2380

Network

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

1
T1112

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2180-1-0x0000000001010000-0x0000000001272000-memory.dmp
    Filesize

    2.4MB

  • memory/2180-0-0x0000000074D50000-0x000000007543E000-memory.dmp
    Filesize

    6.9MB

  • memory/2180-2-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize

    208KB

  • memory/2180-4-0x00000000053B0000-0x00000000053F0000-memory.dmp
    Filesize

    256KB

  • memory/2180-5-0x0000000074D50000-0x000000007543E000-memory.dmp
    Filesize

    6.9MB

  • memory/2180-6-0x00000000053B0000-0x00000000053F0000-memory.dmp
    Filesize

    256KB