Analysis

  • max time kernel
    465s
  • max time network
    462s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-02-2024 05:06

General

  • Target

    alekeseke.zip

  • Size

    62KB

  • MD5

    9a790984db998c15e089ca5156d80e67

  • SHA1

    034deacf3152e7602166d8018845920d55054123

  • SHA256

    4693578ea4ae9212aa51d50c21adac0f6dcd9a7014d974d2e0425328b84e9149

  • SHA512

    5c8d9e30c5e7c363ed484de1dfcede4cfbf9a4cbdb8dce145642f7ab6c5131a29c5c1d0bf8c0ef35a0663f0064c90c1a8c1c04565720343ac64a19697b97e83c

  • SSDEEP

    1536:A/Ay3X7c4UKBAM9Q0+eVXx/1PLyFrb7sh:A/AWX7c4UU96chRAsh

Malware Config

Extracted

Family

njrat

Version

Platinum

Botnet

HacKed

C2

127.0.0.1:12607

Mutex

Client.exe

Attributes
  • reg_key

    Client.exe

  • splitter

    |Ghost|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Kills process with taskkill 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 38 IoCs
  • Suspicious use of SendNotifyMessage 37 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\alekeseke.zip
    1⤵
      PID:1976
    • C:\Windows\system32\verclsid.exe
      "C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
      1⤵
        PID:3064
      • C:\Program Files\7-Zip\7zG.exe
        "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap14468:76:7zEvent32747
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:2012
      • C:\Users\Admin\Desktop\NOT A VIRUS.exe
        "C:\Users\Admin\Desktop\NOT A VIRUS.exe"
        1⤵
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1708
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /F /IM wscript.exe
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2092
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /F /IM cmd.exe
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2124
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe" /4
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:420
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe" /4
        1⤵
          PID:1864
        • C:\Windows\system32\taskmgr.exe
          "C:\Windows\system32\taskmgr.exe" /4
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:920

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\Desktop\NOT A VIRUS.exe

    Filesize

    214KB

    MD5

    e431cae2c2e7c1d50e2264102d898310

    SHA1

    7eae6955815fda22dd9ed02302d5f0ca4596854f

    SHA256

    ff86000c39c061650d004894837d8f618d0724ce3b2a2ef24072c784b2ceb67f

    SHA512

    74be155fefe642006b7df93aeef53ba34cb950d6172d40782de768ef7437061491b63e7950ef1038d8dbec70e60fa900ce212fd804fb9cb555f337176d99cb1c

  • memory/420-18-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

  • memory/420-19-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

  • memory/1708-23-0x00000000749B0000-0x0000000074F5B000-memory.dmp

    Filesize

    5.7MB

  • memory/1708-6-0x0000000000750000-0x0000000000790000-memory.dmp

    Filesize

    256KB

  • memory/1708-5-0x00000000749B0000-0x0000000074F5B000-memory.dmp

    Filesize

    5.7MB

  • memory/1708-4-0x00000000749B0000-0x0000000074F5B000-memory.dmp

    Filesize

    5.7MB

  • memory/1708-24-0x00000000749B0000-0x0000000074F5B000-memory.dmp

    Filesize

    5.7MB

  • memory/1708-25-0x0000000000750000-0x0000000000790000-memory.dmp

    Filesize

    256KB

  • memory/1708-26-0x0000000000750000-0x0000000000790000-memory.dmp

    Filesize

    256KB

  • memory/1708-27-0x0000000000750000-0x0000000000790000-memory.dmp

    Filesize

    256KB

  • memory/1708-28-0x0000000000750000-0x0000000000790000-memory.dmp

    Filesize

    256KB

  • memory/1708-29-0x0000000000750000-0x0000000000790000-memory.dmp

    Filesize

    256KB