Overview

overview

10

Static

static

10

Server.exe

windows7-x64

10

Server.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/05/2024, 13:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Server.exe

  • Size

    43KB

  • MD5

    d263ae994c7828269ff7d3a5ec76a11b

  • SHA1

    4c9dcda66fd3004be1b8e1eec4f397ddea9962d5

  • SHA256

    1e429092e09d2f72fbe28209ea1bd98d65fff4e9a7bb6e5cd7986196b30a1f98

  • SHA512

    93051cab42a41be27724206c321bff81a5389e6d4bb7038f2d7fd1bce6dd14ac9c3c1bedf48b0e30c88e0e8efaff557a26e848ef24e408799ab7738be3ebdc53

  • SSDEEP

    384:lZy46NUst+3gUy6jjHK6qEsjtJEzQIij+ZsNO3PlpJKkkjh/TzF7pWna/greT0pe:vAwQh6/H1ujGuXQ/oj3+L

Score
10/10
njrathackedpersistencespywarestealertrojanupx

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

C2

19.ip.gl.ply.gg:54921

Mutex

Windows Update

Attributes
  • reg_key

    Windows Update

  • splitter

    |Hassan|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 32 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Server.exe
    "C:\Users\Admin\AppData\Local\Temp\Server.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:388
    • C:\Users\Admin\AppData\Local\Temp\windlogon.exe
      "C:\Users\Admin\AppData\Local\Temp\windlogon.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4808
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
        3⤵
        • Creates scheduled task(s)
        PID:4732
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\4381014"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1212
  • C:\Users\Admin\AppData\Local\Temp\Server.exe
    C:\Users\Admin\AppData\Local\Temp/Server.exe
    1⤵
    • Executes dropped EXE
    PID:4108
  • C:\Users\Admin\AppData\Local\Temp\Server.exe
    C:\Users\Admin\AppData\Local\Temp/Server.exe
    1⤵
    • Executes dropped EXE
    PID:2624

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Server.exe.log
    Filesize

    507B

    MD5

    25d1b50e7c0d451f3d850eb54d27ca05

    SHA1

    a238807715c70a335f54e80d4855644b21a9e870

    SHA256

    650faa13e983c9046c9030f63a5fa1c33900432ec7cb3762e015da2e7c5b34a5

    SHA512

    4223a26b2fabefdf1c01443ccc7bd887464d27f02694379895a040c66db472d541218d501f1c01e1bd31012d079a31baf24e20882c32cf652a09a74e3bf385f5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\4381014
    Filesize

    96B

    MD5

    4f0f313d090a031e7bfffba76d78ecab

    SHA1

    0d577bc0155b493820fb9fd842e3dde629b90459

    SHA256

    a7546c5d43a26481aae0052942b9a7cdcfa3a5a8452c535fcbe0c62cd1df005e

    SHA512

    51824c60159f4ed3023af2a00dacb7889dad1efeae30cdd515bf16b456c610e0b83d4d326edc75b2eb925d510b36180e147b5bb54ccd2f102fe449676d223693

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Server.exe
    Filesize

    86KB

    MD5

    ba98b16195f42ec57a11625d07069b32

    SHA1

    5ceb0074aea25863a9a1ba07cb622b244852b700

    SHA256

    b33b872c1b4eb86346df012c19d0383832f8b2601e4ea221f6a439df423fc277

    SHA512

    aab588176794399d021357736a31012bfa5f0e52ffdd437b02d590261a76032caaa29ac32fbb3919b835b54a230cc2e9d1951fa22d4b320ca6d38279b1399aef

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\windlogon.exe
    Filesize

    43KB

    MD5

    d263ae994c7828269ff7d3a5ec76a11b

    SHA1

    4c9dcda66fd3004be1b8e1eec4f397ddea9962d5

    SHA256

    1e429092e09d2f72fbe28209ea1bd98d65fff4e9a7bb6e5cd7986196b30a1f98

    SHA512

    93051cab42a41be27724206c321bff81a5389e6d4bb7038f2d7fd1bce6dd14ac9c3c1bedf48b0e30c88e0e8efaff557a26e848ef24e408799ab7738be3ebdc53

    Download Submit

  • memory/388-3-0x0000000005990000-0x0000000005F34000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/388-5-0x0000000074650000-0x0000000074E00000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/388-4-0x0000000005490000-0x0000000005522000-memory.dmp

    Filesize

    584KB

    Download

  • memory/388-15-0x0000000074650000-0x0000000074E00000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/388-2-0x0000000005050000-0x00000000050EC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/388-0-0x000000007465E000-0x000000007465F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/388-1-0x00000000006A0000-0x00000000006B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1212-35-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

    Download

  • memory/1212-34-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

    Download

  • memory/1212-32-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

    Download

  • memory/4108-29-0x0000000074650000-0x0000000074E00000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4108-27-0x0000000074650000-0x0000000074E00000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4808-24-0x0000000074650000-0x0000000074E00000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4808-23-0x0000000074650000-0x0000000074E00000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4808-22-0x00000000067B0000-0x00000000067C8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/4808-31-0x00000000011B0000-0x00000000011F6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/4808-21-0x00000000059D0000-0x0000000005A36000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4808-33-0x0000000001260000-0x000000000126A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4808-20-0x00000000057E0000-0x00000000057EA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4808-17-0x0000000074650000-0x0000000074E00000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4808-16-0x0000000074650000-0x0000000074E00000-memory.dmp

    Filesize

    7.7MB

    Download