Analysis

  • max time kernel: 148s
  • max time network: 150s
  • platform: windows7_x64
  • resource: win7-20240221-en
  • resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted: 04-03-2024 15:07

General

  • Target: Cheat_Bypass_1.6/Cheat_MTA/Cheat_MTA.exe
  • Size: 748KB
  • MD5: 6f165b1eef8c2891e4e9d5e37f9074ec
  • SHA1: 4017b1950461c898c5041c3abe08f80ff3ec668b
  • SHA256: 36711a12941ffc7194605b9664f452fa3179eacc55b5701fd22414eff087b80f
  • SHA512: 2c4c47bb48c87055599ceb0e9ee761de5c33e94bbc58ef3613b008f65b8afaa4522660780a93a9ef553b090d09ef06121e89126627413feca9e6ed7c2cf32bf9
  • SSDEEP: 3072:nLJMjbcHDdMwQy1SZ/yUqnLQZr29SB8baRYX2NCancRuXAlSfZEPCNIj2BMmu/Gu:nlMeBzQ6SRInLQZApPAKNMBpPAKNM

Malware Config

Extracted

  • Family: njrat
  • Version: 0.7d
  • Botnet: 2024
  • C2: userdalex2024.ddns.net:4444
  • Mutex: 1c455b7054bf3cdcc6d194b1216e5458

Attributes

  • reg_key: 1c455b7054bf3cdcc6d194b1216e5458
  • splitter: |'|'|

Signatures

  • njRAT/Bladabindi
    Widely used RAT written in .NET.
  • Modifies Windows Firewall (2 TTPs, 1 IoC)
  • Drops startup file (2 IoCs)
  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (3 IoCs)
  • UPX packed file (6 IoCs)
    Detects executables packed with UPX/modified UPX open source packer.
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops file in Program Files directory (1 IoC)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Delays execution with timeout.exe (4 IoCs)
  • Modifies registry class (15 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (35 IoCs)
  • Suspicious use of WriteProcessMemory (33 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\Cheat_Bypass_1.6\Cheat_MTA\Cheat_MTA.exe
    "C:\Users\Admin\AppData\Local\Temp\Cheat_Bypass_1.6\Cheat_MTA\Cheat_MTA.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1772
    • C:\Users\Admin\AppData\LocalQjZdVxezHX.exe
      "C:\Users\Admin\AppData\LocalQjZdVxezHX.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2900
      • C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2752
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe" "RuntimeBroker.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          PID:2408
    • C:\Users\Admin\AppData\LocalrBYMYNIqYn.exe
      "C:\Users\Admin\AppData\LocalrBYMYNIqYn.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2940
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9BF1.tmp\9BF2.tmp\9BF3.bat C:\Users\Admin\AppData\LocalrBYMYNIqYn.exe"
        3⤵
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:2792
        • C:\Windows\system32\timeout.exe
          timeout /t 3 /nobreak
          4⤵
          • Delays execution with timeout.exe
          PID:2660
        • C:\Windows\system32\timeout.exe
          timeout /t 5 /nobreak
          4⤵
          • Delays execution with timeout.exe
          PID:2432
        • C:\Windows\system32\timeout.exe
          timeout /t 3 /nobreak
          4⤵
          • Delays execution with timeout.exe
          PID:2748
        • C:\Windows\system32\timeout.exe
          timeout /t 3 /nobreak
          4⤵
          • Delays execution with timeout.exe
          PID:2544
        • C:\Users\Admin\AppData\Local\Temp\Cheat_Bypass_1.6\Cheat_MTA\Executor\Xenos64.exe
          "Executor\Xenos64.exe"
          4⤵
          • Modifies registry class
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:2888

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  • Create or Modify System Process (T1543) [1] → Windows Service (T1543.003) [1]
  • Boot or Logon Autostart Execution (T1547) [1] → Registry Run Keys / Startup Folder (T1547.001) [1]

Privilege Escalation
  • Create or Modify System Process (T1543) [1] → Windows Service (T1543.003) [1]
  • Boot or Logon Autostart Execution (T1547) [1] → Registry Run Keys / Startup Folder (T1547.001) [1]

Defense Evasion
  • Impair Defenses (T1562) [1] → Disable or Modify System Firewall (T1562.004) [1]
  • Modify Registry (T1112) [1]

Discovery
  • System Information Discovery (T1082) [1]

Downloads

  • C:\Users\Admin\AppData\LocalQjZdVxezHX.exe
    Filesize: 634KB
    MD5: 4e560a1285920589d854042360fab9c8
    SHA1: 010c6ce1a51ea5a67423e4b37af50effefd6a91b
    SHA256: ff74d85d8ebff1e82b9e32b8f6b6b5a821582c4da74310e7873854cb050c5ff1
    SHA512: 9ed4c57a4489fe00c43a7ef5de7d53702aa18f20c1fd538dd7d20705bfef134ccad2e8d581d6e42e36ab8adf6053b9016a0884bb145b7cdbb3b256ac1f9530bd

  • C:\Users\Admin\AppData\Local\Temp\9BF1.tmp\9BF2.tmp\9BF3.bat
    Filesize: 774B
    MD5: 9968d05364877e87833258601f604e38
    SHA1: 8cde606096a11883bf13b8617b9e15e1fb8144d6
    SHA256: 303e8297945e14ac06c08ddaca5f2109b67581816189d5c8d761550db76289a7
    SHA512: 249f557dc4220e4b09ddccbcfd2ef7a94f53c88ff34eeb494fe1c1bfaf77a8f397822ef85872f0805a249e49dd121fd176b382859a61b92e5b9392dae6d6fb14

  • C:\Users\Admin\AppData\LocalrBYMYNIqYn.exe
    Filesize: 55KB
    MD5: 530d8b420991e13d1a66f8e4322066a0
    SHA1: b09596914770129167a3bdce88b78d7945f31105
    SHA256: b08506e267fd78912a8c962fcb23097e26ae02222668145b0c2d32cc4896e384
    SHA512: 25a45e65113d3f754b57fa3fc0c08c93904e83063390c747c2f53a35c4ba1248157b091cd9a7934b2596e20d5ca5801daa8c9788f30e9056fef7fef8ae87b914

  • memory/1772-3-0x0000000001F00000-0x0000000001F80000-memory.dmp (Filesize: 512KB)
  • memory/1772-9-0x000007FEF5110000-0x000007FEF5AAD000-memory.dmp (Filesize: 9.6MB)
  • memory/1772-18-0x000007FEF5110000-0x000007FEF5AAD000-memory.dmp (Filesize: 9.6MB)
  • memory/1772-19-0x0000000140000000-0x0000000140027000-memory.dmp (Filesize: 156KB)
  • memory/1772-2-0x000007FEF5110000-0x000007FEF5AAD000-memory.dmp (Filesize: 9.6MB)
  • memory/1772-17-0x0000000140000000-0x0000000140027000-memory.dmp (Filesize: 156KB)
  • memory/2752-34-0x00000000003E0000-0x0000000000486000-memory.dmp (Filesize: 664KB)
  • memory/2752-51-0x00000000060F0000-0x0000000006130000-memory.dmp (Filesize: 256KB)
  • memory/2752-54-0x00000000060F0000-0x0000000006130000-memory.dmp (Filesize: 256KB)
  • memory/2752-52-0x0000000073E70000-0x000000007455E000-memory.dmp (Filesize: 6.9MB)
  • memory/2752-36-0x0000000073E70000-0x000000007455E000-memory.dmp (Filesize: 6.9MB)
  • memory/2888-49-0x0000000000030000-0x0000000000130000-memory.dmp (Filesize: 1024KB)
  • memory/2888-53-0x0000000000030000-0x0000000000130000-memory.dmp (Filesize: 1024KB)
  • memory/2900-35-0x0000000073E70000-0x000000007455E000-memory.dmp (Filesize: 6.9MB)
  • memory/2900-23-0x0000000001280000-0x0000000001326000-memory.dmp (Filesize: 664KB)
  • memory/2900-25-0x0000000000370000-0x000000000037C000-memory.dmp (Filesize: 48KB)
  • memory/2900-24-0x0000000073E70000-0x000000007455E000-memory.dmp (Filesize: 6.9MB)
  • memory/2940-20-0x0000000140000000-0x0000000140027000-memory.dmp (Filesize: 156KB)
  • memory/2940-27-0x0000000140000000-0x0000000140027000-memory.dmp (Filesize: 156KB)
  • memory/2940-38-0x0000000140000000-0x0000000140027000-memory.dmp (Filesize: 156KB)