Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27-05-2024 18:25

General

  • Target

    0aa0dd946e722343b08540a7a0cf1c40_NeikiAnalytics.exe

  • Size

    5.8MB

  • MD5

    0aa0dd946e722343b08540a7a0cf1c40

  • SHA1

    8db0fc9b7e24f6c73aba7c54dea94569e6c5c615

  • SHA256

    8ae39d58cf11900e7c6ddfcfce20c37e6e1820bd81b47787f8d47bab83e986ef

  • SHA512

    c39f4c257a8faf6a2a0d6bdb05ab6c497750a22db88febbfe3c2e3c44776b7201ea23c0fe2ae2f4d0f7d001130b8d3372cd1adbd56ba1eea69ce793466ad7873

  • SSDEEP

    98304:WvwH6P2uW5MI079g+DgeFahftplflf6dUwOEH6d8e6b0+hb5y94kAFq:WvwH6eL2V76+DgTNfwZHYY17Y4hw

Malware Config

Extracted

  • Family
    njrat
  • Version
    im523
  • Botnet
    Xbox Game Studios
  • C2
    kids-notified.at.ply.gg:3845
  • Mutex
    28025540980d0ce611318033102f9151

Attributes

  • reg_key
    28025540980d0ce611318033102f9151
  • splitter
    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops autorun.inf file 1 TTPs 5 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 33 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0aa0dd946e722343b08540a7a0cf1c40_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\0aa0dd946e722343b08540a7a0cf1c40_NeikiAnalytics.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1328
    • C:\Users\Admin\AppData\Local\Temp\0aa0dd946e722343b08540a7a0cf1c40_NeikiAnalytics.exe
      "C:\Users\Admin\AppData\Local\Temp\0aa0dd946e722343b08540a7a0cf1c40_NeikiAnalytics.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1348
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c echo %temp%
        3⤵
          PID:4100
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\INST.exe
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3340
          • C:\Users\Admin\AppData\Local\Temp\INST.exe
            C:\Users\Admin\AppData\Local\Temp\INST.exe
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:5000
            • C:\Users\Admin\AppData\Roaming\groundedactivator.exe
              "C:\Users\Admin\AppData\Roaming\groundedactivator.exe"
              5⤵
              • Drops startup file
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops autorun.inf file
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3128
              • C:\Windows\SysWOW64\netsh.exe
                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\groundedactivator.exe" "groundedactivator.exe" ENABLE
                6⤵
                • Modifies Windows Firewall
                PID:4612

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                Technique                               Count  ID
  Initial Access        Replication Through Removable Media     1      T1091
  Persistence           Create or Modify System Process         1      T1543
  Persistence             Windows Service                       1      T1543.003
  Persistence           Boot or Logon Autostart Execution       1      T1547
  Persistence             Registry Run Keys / Startup Folder    1      T1547.001
  Privilege Escalation  Create or Modify System Process         1      T1543
  Privilege Escalation    Windows Service                       1      T1543.003
  Privilege Escalation  Boot or Logon Autostart Execution       1      T1547
  Privilege Escalation    Registry Run Keys / Startup Folder    1      T1547.001
  Defense Evasion       Impair Defenses                         1      T1562
  Defense Evasion         Disable or Modify System Firewall     1      T1562.004
  Defense Evasion       Modify Registry                         1      T1112
  Discovery             Query Registry                          1      T1012
  Discovery             System Information Discovery            2      T1082
  Lateral Movement      Replication Through Removable Media     1      T1091

  (Indented rows are sub-techniques of the technique listed directly above them.)


Downloads

  • C:\Users\Admin\AppData\Local\Temp\INST.exe
    Filesize  37KB
    MD5       fd24c519c72937a7f150745ccacc9b1b
    SHA1      23677305457d245f5104bb3ecd4c562d52e052e6
    SHA256    d117884a2b2ccfc147f8c667874feeb70335fb88e6a3d03584083d975c00c83e
    SHA512    d430e545d524634e6ea7989777ed4a75857689bbdb0fa5451dd9e99990323b3ed82588d91d85a980e0e76a804117c0281443716b4072f97e0fc8f628a2889d3c

  • C:\Users\Admin\AppData\Local\Temp\_MEI13282\VCRUNTIME140.dll
    Filesize  95KB
    MD5       f34eb034aa4a9735218686590cba2e8b
    SHA1      2bc20acdcb201676b77a66fa7ec6b53fa2644713
    SHA256    9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1
    SHA512    d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

  • C:\Users\Admin\AppData\Local\Temp\_MEI13282\base_library.zip
    Filesize  1.0MB
    MD5       e75eb8bcc934a2f3ca49a0a9227f2edf
    SHA1      b47a41bc9dab963ea89d679b02a7ede92c6c7516
    SHA256    0580066426cc1e4cbea64c459ec9a951fd6d62d93c1149c11386e96f32b7e345
    SHA512    69cd7ecf412e006cdb9115ca93fd0103c236a36268478fbdd2777fb8c368f636d705b24f30095ae5854bc2b432660e12ead41621f4b031341ce4cb695349ef73

  • C:\Users\Admin\AppData\Local\Temp\_MEI13282\python310.dll
    Filesize  4.2MB
    MD5       e9c0fbc99d19eeedad137557f4a0ab21
    SHA1      8945e1811ceb4b26f21edcc7a36dcf2b1d34f0bf
    SHA256    5783c5c5a3ffce181691f19d27de376a03010d32e41360b72bcdbd28467cfcc5
    SHA512    74e1289683642ae2bc3cf780a07af1f27fed2011ef6cc67380f9c066c59d17a2fb2394a45a5c6cd75dad812a61093fdbd0f2108925f5c58fc6644c1c98be5c0b

  Memory dumps

  • memory/3128-35-0x0000000074D20000-0x00000000752D1000-memory.dmp
    Filesize  5.7MB
  • memory/3128-55-0x0000000074D20000-0x00000000752D1000-memory.dmp
    Filesize  5.7MB
  • memory/5000-22-0x0000000074D22000-0x0000000074D23000-memory.dmp
    Filesize  4KB
  • memory/5000-23-0x0000000074D20000-0x00000000752D1000-memory.dmp
    Filesize  5.7MB
  • memory/5000-24-0x0000000074D20000-0x00000000752D1000-memory.dmp
    Filesize  5.7MB
  • memory/5000-34-0x0000000074D20000-0x00000000752D1000-memory.dmp
    Filesize  5.7MB