Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
24-05-2024 13:43
General
-
Target
LOLPro/LOL PRO 5.2.exe
-
Size
966KB
-
MD5
f6ef181ef99d83e9abd6e4a31066779c
-
SHA1
910734741be798fa7028e56589eaa63f650fbea7
-
SHA256
d5f9071bdf3777ec1c2156ef56e2404ffa107bea1ee1abdfcf324437f27a205c
-
SHA512
aef121cd8e9d0d5292c9a0952b2b4fda4c5d8d8208eee1ab854d4fff167bb29d7e98afa49109ab8d56d4dacd1d4058c414784337d90cbeae938ee49df1f69c53
-
SSDEEP
24576:54lavt0LkLL9IMixoEgeadFMdWxIq9MmCS:Ikwkn9IMHead+daPCS
Malware Config
Extracted
njrat
0.7d
SpreadByKayxs
paravant.no-ip.org:6600
903b5e476b60431f6f04947fbe52bcc3
-
reg_key
903b5e476b60431f6f04947fbe52bcc3
-
splitter
|'|'|
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 35 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\LOLPro\LOL PRO 5.2.exe"C:\Users\Admin\AppData\Local\Temp\LOLPro\LOL PRO 5.2.exe"1⤵
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" "cvtres.exe" ENABLE3⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c SCHTASKS /Create /SC MINUTE /MO 30 /TN IgfxTray Module /TR C:\Users\Admin\AppData\Roaming\IgfxTray.exe /RU SYSTEM /F /RL HIGHEST2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /Create /SC MINUTE /MO 30 /TN IgfxTray Module /TR C:\Users\Admin\AppData\Roaming\IgfxTray.exe /RU SYSTEM /F /RL HIGHEST3⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3916-1-0x00000000001E0000-0x00000000001EC000-memory.dmpFilesize
48KB
-
memory/3916-2-0x000000007316E000-0x000000007316F000-memory.dmpFilesize
4KB
-
memory/3916-3-0x0000000004A60000-0x0000000004AFC000-memory.dmpFilesize
624KB
-
memory/3916-4-0x00000000050B0000-0x0000000005654000-memory.dmpFilesize
5.6MB
-
memory/3916-7-0x0000000004C20000-0x0000000004CB2000-memory.dmpFilesize
584KB
-
memory/3916-8-0x0000000073160000-0x0000000073910000-memory.dmpFilesize
7.7MB
-
memory/3916-9-0x0000000004BF0000-0x0000000004BFA000-memory.dmpFilesize
40KB
-
memory/3916-10-0x0000000073160000-0x0000000073910000-memory.dmpFilesize
7.7MB