Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-05-2024 21:39

General

  • Target

    0aa0dd946e722343b08540a7a0cf1c40_NeikiAnalytics.exe

  • Size

    5.8MB

  • MD5

    0aa0dd946e722343b08540a7a0cf1c40

  • SHA1

    8db0fc9b7e24f6c73aba7c54dea94569e6c5c615

  • SHA256

    8ae39d58cf11900e7c6ddfcfce20c37e6e1820bd81b47787f8d47bab83e986ef

  • SHA512

    c39f4c257a8faf6a2a0d6bdb05ab6c497750a22db88febbfe3c2e3c44776b7201ea23c0fe2ae2f4d0f7d001130b8d3372cd1adbd56ba1eea69ce793466ad7873

  • SSDEEP

    98304:WvwH6P2uW5MI079g+DgeFahftplflf6dUwOEH6d8e6b0+hb5y94kAFq:WvwH6eL2V76+DgTNfwZHYY17Y4hw

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

Xbox Game Studios

C2

kids-notified.at.ply.gg:3845

Mutex

28025540980d0ce611318033102f9151

Attributes
  • reg_key

    28025540980d0ce611318033102f9151

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops autorun.inf file 1 TTPs 5 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0aa0dd946e722343b08540a7a0cf1c40_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\0aa0dd946e722343b08540a7a0cf1c40_NeikiAnalytics.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3008
    • C:\Users\Admin\AppData\Local\Temp\0aa0dd946e722343b08540a7a0cf1c40_NeikiAnalytics.exe
      "C:\Users\Admin\AppData\Local\Temp\0aa0dd946e722343b08540a7a0cf1c40_NeikiAnalytics.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:4328
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c echo %temp%
        3⤵
          PID:4520
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\INST.exe
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3032
          • C:\Users\Admin\AppData\Local\Temp\INST.exe
            C:\Users\Admin\AppData\Local\Temp\INST.exe
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:1832
            • C:\Users\Admin\AppData\Roaming\groundedactivator.exe
              "C:\Users\Admin\AppData\Roaming\groundedactivator.exe"
              5⤵
              • Drops startup file
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops autorun.inf file
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3108
              • C:\Windows\SysWOW64\netsh.exe
                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\groundedactivator.exe" "groundedactivator.exe" ENABLE
                6⤵
                • Modifies Windows Firewall
                PID:3672
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4356,i,5047420736443372512,9747851268033796534,262144 --variations-seed-version --mojo-platform-channel-handle=3856 /prefetch:8
      1⤵
        PID:264

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\INST.exe
        Filesize

        37KB

        MD5

        fd24c519c72937a7f150745ccacc9b1b

        SHA1

        23677305457d245f5104bb3ecd4c562d52e052e6

        SHA256

        d117884a2b2ccfc147f8c667874feeb70335fb88e6a3d03584083d975c00c83e

        SHA512

        d430e545d524634e6ea7989777ed4a75857689bbdb0fa5451dd9e99990323b3ed82588d91d85a980e0e76a804117c0281443716b4072f97e0fc8f628a2889d3c

      • C:\Users\Admin\AppData\Local\Temp\_MEI30082\VCRUNTIME140.dll
        Filesize

        95KB

        MD5

        f34eb034aa4a9735218686590cba2e8b

        SHA1

        2bc20acdcb201676b77a66fa7ec6b53fa2644713

        SHA256

        9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

        SHA512

        d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

      • C:\Users\Admin\AppData\Local\Temp\_MEI30082\base_library.zip
        Filesize

        1.0MB

        MD5

        e75eb8bcc934a2f3ca49a0a9227f2edf

        SHA1

        b47a41bc9dab963ea89d679b02a7ede92c6c7516

        SHA256

        0580066426cc1e4cbea64c459ec9a951fd6d62d93c1149c11386e96f32b7e345

        SHA512

        69cd7ecf412e006cdb9115ca93fd0103c236a36268478fbdd2777fb8c368f636d705b24f30095ae5854bc2b432660e12ead41621f4b031341ce4cb695349ef73

      • C:\Users\Admin\AppData\Local\Temp\_MEI30082\python310.dll
        Filesize

        4.2MB

        MD5

        e9c0fbc99d19eeedad137557f4a0ab21

        SHA1

        8945e1811ceb4b26f21edcc7a36dcf2b1d34f0bf

        SHA256

        5783c5c5a3ffce181691f19d27de376a03010d32e41360b72bcdbd28467cfcc5

        SHA512

        74e1289683642ae2bc3cf780a07af1f27fed2011ef6cc67380f9c066c59d17a2fb2394a45a5c6cd75dad812a61093fdbd0f2108925f5c58fc6644c1c98be5c0b

      • memory/1832-22-0x0000000074F12000-0x0000000074F13000-memory.dmp
        Filesize

        4KB

      • memory/1832-23-0x0000000074F10000-0x00000000754C1000-memory.dmp
        Filesize

        5.7MB

      • memory/1832-24-0x0000000074F10000-0x00000000754C1000-memory.dmp
        Filesize

        5.7MB

      • memory/1832-34-0x0000000074F10000-0x00000000754C1000-memory.dmp
        Filesize

        5.7MB

      • memory/3108-35-0x0000000074F10000-0x00000000754C1000-memory.dmp
        Filesize

        5.7MB

      • memory/3108-36-0x0000000074F10000-0x00000000754C1000-memory.dmp
        Filesize

        5.7MB

      • memory/3108-56-0x0000000074F10000-0x00000000754C1000-memory.dmp
        Filesize

        5.7MB