Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    25-02-2024 20:15

General

  • Target

    ApplicationSetup 14.exe

  • Size

    13.2MB

  • MD5

    c79c74015c9ce0892b5f57a483096167

  • SHA1

    676b9e4572ff8824f4ebb624b20a5d590fefb3ce

  • SHA256

    b01a6d6530594581e3e4f0907b71f036a2ce0252d0995effcfab25013a9917aa

  • SHA512

    2d6c95ae1b0e1eda39c71eb70d4c773cd8b3aea16d5829489de4eb4d9641c9f9508645c2caccb9bf7bc70321a11746fa2bbae7876c34e35e3639da65b5fd3aa6

  • SSDEEP

    196608:KkKVS0/N8DiKplRTEIT9966UUGsc0laGV5XgvucmQBDniJTB5VPBBSe+0JlFRtAc:OS+QRrXTzisc0zVJw2OgZBZ+0Jsaas

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

hakim32.ddns.net:2000

kisel228.zapto.org:25565

Mutex

742480850a3c457758da290ee11e533c

Attributes
  • reg_key

    742480850a3c457758da290ee11e533c

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Disables Task Manager via registry modification
  • Modifies Windows Firewall 2 TTPs 3 IoCs
  • Drops startup file 6 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 13 IoCs
  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Detects Pyinstaller 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ApplicationSetup 14.exe
    "C:\Users\Admin\AppData\Local\Temp\ApplicationSetup 14.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2700
    • C:\Users\Admin\AppData\Local\Temp\Lol.exe
      "C:\Users\Admin\AppData\Local\Temp\Lol.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2504
      • C:\Users\Admin\AppData\Roaming\server.exe
        "C:\Users\Admin\AppData\Roaming\server.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2760
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          PID:2000
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
          4⤵
          • Modifies Windows Firewall
          PID:2472
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          PID:2172
    • C:\Users\Admin\AppData\Local\Temp\creal.exe
      "C:\Users\Admin\AppData\Local\Temp\creal.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2664
      • C:\Users\Admin\AppData\Local\Temp\creal.exe
        "C:\Users\Admin\AppData\Local\Temp\creal.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:836

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_MEI26642\python312.dll

    Filesize

    2.4MB

    MD5

    82c9700ca6b352383ff1b8c3b806cd5b

    SHA1

    22f3ef05a1f5ff8eb54394647a560aeb983545c5

    SHA256

    5405e8f79d0f62cb60e3deea5465ddb76afc8ad730b4482f1efaa87f5e1e8380

    SHA512

    c4c713e2cd89ae43c14320f1e4f59e2179b1dcbd969d11700456507921421e7c3b873546688078c5ac7df6ee9713347d8829cb3885c57ddd442dfc422c8de37a

  • C:\Users\Admin\AppData\Local\Temp\creal.exe

    Filesize

    4.3MB

    MD5

    f181dad51052f633d5672bb256f4cd4c

    SHA1

    0e1d1fbde72460a818ba1f16f813382e97fbc61a

    SHA256

    f518a8705eb051fd8e98d0c14b599587d04a7ac9c1aed3868d0bdd75b5591f86

    SHA512

    a802853a553742dd8655a1d00c4550ad86ef04a6f68a973740cd514009650d4fc0e54efd04ea9967b2228f4b4fe94ba9ee40a7aa99a6c2b711960c113744d0be

  • C:\Users\Admin\AppData\Local\Temp\creal.exe

    Filesize

    4.1MB

    MD5

    e713b4ecadae22ff5a07bb7238a24f86

    SHA1

    a533d8d0eb1897b9e75096685e2bdb864f99c6a3

    SHA256

    16302b9903f6f97604ab5e03490d85547817ba94fe58536466cc09b4b53262b1

    SHA512

    3261b2a2af3153f9dc05065c457859f48833baa72fd879819fed002b4b9097bdb3c8a50ef958d04dac756f057f20ef9c2cd1437089e9f9be3b02b92b0a819a52

  • C:\Users\Admin\AppData\Local\Temp\creal.exe

    Filesize

    2.8MB

    MD5

    c05b8261f12744400e1f5d4346836d9a

    SHA1

    efcae12a817cd532afc2287905fa416e785500f3

    SHA256

    2b939ff023c28713104523aa5b14ce1f695045a56a998c71524a9189bc8a0372

    SHA512

    be95235c58f315e3ef62e27a847212ddf02ca75fd78dd1f05e4a0a9f97bde08fc7530075eb9009eafd9a027feb7f0dd2af9704d16dac0eec8b1dc681f7a8ff51

  • C:\Users\Admin\AppData\Roaming\app

    Filesize

    5B

    MD5

    cac4598fdc0f92181616d12833eb6ca1

    SHA1

    80a7b7a46a0e8e674b782b9eb569e5430a69c84b

    SHA256

    275918973c23ad700f278c69cc03c9c82ec9f4d9ed0f53111ad22bec197ff440

    SHA512

    01a7556bfcce6d9d8251aadc7f6e6169fdd0477d487ce88729c44bfe8b85b2eee500985d553c0479765ef5b5c6dc3517c0305efb9089814c3f8a9ea6fc51c713

  • \Users\Admin\AppData\Local\Temp\Lol.exe

    Filesize

    93KB

    MD5

    9e4d9908815be3e2244c857863ec309a

    SHA1

    e0dc0c88151069986c7104d12fa3223ad1fe07bb

    SHA256

    a976cc4bb39183a99f5341cda18b789d1c345eaf37221c71291b823eb457c6be

    SHA512

    795bebd046b5c147fed8726a7f772d2e5900be31e1f1a81d4052619d4325e1f51445193319ad93e37d17c70d4ac0ff01d2ebbe6ac2d85c4feb91dbfe992d8b9b

  • \Users\Admin\AppData\Local\Temp\_MEI26642\python312.dll

    Filesize

    1.1MB

    MD5

    b849e8201f088c4aef9ca325c5c7f2cd

    SHA1

    30c1e0944524b28410bb9f4ebde61e5bcc994c4f

    SHA256

    ca76e97fd82201a8ef84eaceeb064684c48fdd7f0e3bba00ff064747e603065e

    SHA512

    660c41680e350dc75c18500c77679de30148bb79c3464172f080c23df5371e9ca20b4560dc5f2fd4ec7d220b37652a5ebe2c557e409908fe317b03dabab81337

  • \Users\Admin\AppData\Local\Temp\creal.exe

    Filesize

    4.2MB

    MD5

    6d14b9491e3881897e21681d7a0a62b8

    SHA1

    5fde4f378f63db74d3a184c8fdcb58e8e62f2caa

    SHA256

    2d9f4a041f9218d30763053530f52d2ca6eee4f3f9ffa249155bd744f07282de

    SHA512

    cf570a4a92f605f6e0699a3379d6675dc387770665c895a28662e766a7d39d67b8d46fab304c0c6128599dad32b8401f09819b25b22c799d75feff282dd0a51d

  • \Users\Admin\AppData\Local\Temp\creal.exe

    Filesize

    2.9MB

    MD5

    99b60bbd0085286bb2cedf7ba86657d3

    SHA1

    6b2f024cbc0956fcd8dbe933aaeb379a48971011

    SHA256

    a6d08e096ae0d2c0741043fed5aa5760f094764f630d61f026177439c21a2536

    SHA512

    08827ec621e1db940de3a83ca81cf05ab3fa26878fc29a624a5783c22d633ffc51748c80ca4f9512d4f2d42c643d17fac492b794f638a212924701f6c7598934

  • memory/2504-111-0x0000000073D10000-0x00000000742BB000-memory.dmp

    Filesize

    5.7MB

  • memory/2504-95-0x0000000073D10000-0x00000000742BB000-memory.dmp

    Filesize

    5.7MB

  • memory/2760-112-0x0000000073D10000-0x00000000742BB000-memory.dmp

    Filesize

    5.7MB

  • memory/2760-146-0x0000000073D10000-0x00000000742BB000-memory.dmp

    Filesize

    5.7MB