Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    26-02-2024 21:58

General

  • Target

    a569d0e761a74ce9324fe2acd2d8d18ba16fe7882a4c8c2d29eed0fa47083a98.exe

  • Size

    36KB

  • MD5

    be620fcc4aa93db6323afb9d59f58433

  • SHA1

    96c315802257494d3474d4b3dd819415bfad187f

  • SHA256

    a569d0e761a74ce9324fe2acd2d8d18ba16fe7882a4c8c2d29eed0fa47083a98

  • SHA512

    a31951ac3da5fec54a02c85635ce21131038e181cf07fcd73af19ec96084a3e00b8d7adc6aca33f0db87723daead6d34cf2726e2f5b57d1508bd39ab0776cdd0

  • SSDEEP

    768:a8cNwislUV0bwA74K8EjrM+rMRa8Nundgt:avqlU6X4KL8+gRJNsd

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

37.1.222.208:5555

Mutex

3efef41c199db4e308a09fd4aa069af7

Attributes
  • reg_key

    3efef41c199db4e308a09fd4aa069af7

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a569d0e761a74ce9324fe2acd2d8d18ba16fe7882a4c8c2d29eed0fa47083a98.exe
    "C:\Users\Admin\AppData\Local\Temp\a569d0e761a74ce9324fe2acd2d8d18ba16fe7882a4c8c2d29eed0fa47083a98.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2512
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2540
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        PID:2652

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\svchost.exe

    Filesize

    36KB

    MD5

    be620fcc4aa93db6323afb9d59f58433

    SHA1

    96c315802257494d3474d4b3dd819415bfad187f

    SHA256

    a569d0e761a74ce9324fe2acd2d8d18ba16fe7882a4c8c2d29eed0fa47083a98

    SHA512

    a31951ac3da5fec54a02c85635ce21131038e181cf07fcd73af19ec96084a3e00b8d7adc6aca33f0db87723daead6d34cf2726e2f5b57d1508bd39ab0776cdd0

  • memory/2512-0-0x00000000747E0000-0x0000000074D8B000-memory.dmp

    Filesize

    5.7MB

  • memory/2512-1-0x00000000747E0000-0x0000000074D8B000-memory.dmp

    Filesize

    5.7MB

  • memory/2512-2-0x0000000000350000-0x0000000000390000-memory.dmp

    Filesize

    256KB

  • memory/2512-14-0x00000000747E0000-0x0000000074D8B000-memory.dmp

    Filesize

    5.7MB

  • memory/2540-15-0x0000000000150000-0x0000000000190000-memory.dmp

    Filesize

    256KB

  • memory/2540-13-0x00000000747E0000-0x0000000074D8B000-memory.dmp

    Filesize

    5.7MB

  • memory/2540-16-0x00000000747E0000-0x0000000074D8B000-memory.dmp

    Filesize

    5.7MB

  • memory/2540-17-0x0000000000150000-0x0000000000190000-memory.dmp

    Filesize

    256KB

  • memory/2540-18-0x00000000747E0000-0x0000000074D8B000-memory.dmp

    Filesize

    5.7MB