Overview

overview

10

Static

static

3

Requirements.scr

windows7-x64

10

Requirements.scr

windows10-2004-x64

10

Requirements.docx

windows7-x64

4

Requirements.docx

windows10-2004-x64

1

nj.exe

windows7-x64

10

nj.exe

windows10-2004-x64

10

rv.exe

windows7-x64

10

rv.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    17/06/2024, 09:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Requirements.scr

  • Size

    441KB

  • MD5

    d82b4741a531e77f34865a604f1de729

  • SHA1

    44b7ae953c1c1c60388e7000f6a3060dddc840c0

  • SHA256

    ca636454ca70c9c0a53cd597603cfae9138281d45b6c22015a59271be06d8885

  • SHA512

    bc77a89ae2e9671761316f06ae405a4f325b6286066ecb3421619a17fb348bc0eeb485fa3cc653039fc542b7785d082400c2e67680f051f5ab074bee709754c5

  • SSDEEP

    6144:snx1jC2vG03dvpMsFPDb1pijBfSKtAAFewda/RQMjhpeKqNFubV:edpVhDZwjBf3SA0wdwQMyKqix

Score
10/10
njratrevengeratguesthackedevasionpersistencetrojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

awaisawan.zapto.org:5555

Mutex

3484533e95ad86b4adeee88c1907dded

Attributes
  • reg_key

    3484533e95ad86b4adeee88c1907dded

  • splitter

    |'|'|

Extracted

Family

revengerat

Botnet

Guest

C2

awaisawan.zapto.org:333

Mutex

Random

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Requirements.scr
    "C:\Users\Admin\AppData\Local\Temp\Requirements.scr" /S
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2156
    • C:\Users\Admin\AppData\Local\Temp\nj.exe
      "C:\Users\Admin\AppData\Local\Temp\nj.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2052
      • C:\Users\Admin\AppData\Local\Temp\svchsot.exe
        "C:\Users\Admin\AppData\Local\Temp\svchsot.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2268
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchsot.exe" "svchsot.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          PID:2848
    • C:\Users\Admin\AppData\Local\Temp\rv.exe
      "C:\Users\Admin\AppData\Local\Temp\rv.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks processor information in registry
      • Suspicious use of WriteProcessMemory
      PID:2632
      • C:\Users\Admin\AppData\Roaming\svchsoot.exe
        "C:\Users\Admin\AppData\Roaming\svchsoot.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks processor information in registry
        PID:1980
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Requirements.docx"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2372
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:1896
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
      1⤵
      • Suspicious use of FindShellTrayWindow
      PID:2728

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Requirements.docx
      Filesize

      13KB

      MD5

      0831b8fbfb0112a869197026cfc22d0d

      SHA1

      644a54282a7b2a68442ece836208c8e61229c881

      SHA256

      a6ab401737ef183ba8dafce28e2e9737739139c61a4f7a51945324b76dd73d20

      SHA512

      2f9722cee67fcdee4aeaeca962612c459492df2a73601f8c40ac9e7cbf90536fbfe38c640fc2fc728da93e5cd5358931c233077e6e6d7e4c4333e3b4ed3c65ae

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\metro-wordpress-themes.jpg
      Filesize

      85KB

      MD5

      99f7392f94a6572a0503d752a76c0cff

      SHA1

      f818711e4a756dbddc53415a6a885126c447391d

      SHA256

      48a3a0ac7feadf77e62a51d976c5092c56615577c6b7a9b593ec1658e9e7f41b

      SHA512

      c0cba096fc933a2c4795599756a924091cd042ad69e7ab6e88e7b2fdba3486459df5564fc34a5c10ea3c4ea2280f1774fcf603680b3ffbc2085d26b68ad783ed

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\zerif-pro.jpg
      Filesize

      57KB

      MD5

      63cc6aba84ce6a4ae614022d58cf746c

      SHA1

      68a779f4c784da4e6df5916471786a06bc8ba1a9

      SHA256

      da190858e6689eab30459024ba6c84a1166810f9882e3b900602f1e8d30f0d43

      SHA512

      b644eb728aee7864588e906109b09220b2fefdd3a4f7ebd83ff602025bbace4a350bfd75a1b9df7dfe8808c8df7f895dcdd829bbd0506fdc4308c2d7c4dc2abc

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize

      20KB

      MD5

      0d22f0c9c44b47e9556754af69f3b576

      SHA1

      d27a8b20bead6348415bb1a9a026cb3e7503652f

      SHA256

      d43e764f7dd5cc240fab1350406bdb17266335162bf5e1fb1e90e8f334a25cee

      SHA512

      83b2ec5ba026e7c4c78c0fe86be035b9cfdf912b4fe51e69f199277011d0d3cdcf7a15e9acb4ffb5e3e16c1b4d720e7adab2140bc8947d1435a92014f5e1a1f4

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

      Download Submit

    • \Users\Admin\AppData\Local\Temp\nj.exe
      Filesize

      459KB

      MD5

      03c4bd9a3cb44bf49f329fe04e93f537

      SHA1

      257dfb6782bc40e9878ada68f350fd8cce2179fb

      SHA256

      20c1815d9eecee28c6b86ac3e302756c8e4dbc5963d7d8df431e86f5d1dc41e0

      SHA512

      c91666311b655e3f9c213f3aa9d1d72c7610bfda227b5da0d8c5f17f56c16357f5f9224e831fe77f23ef66c8391a4a5e416d9b8f78dcc477a82a84fe5569c97c

      Download Submit

    • \Users\Admin\AppData\Local\Temp\rv.exe
      Filesize

      386KB

      MD5

      2602c258d3fe5647f4f039b644abeaa6

      SHA1

      f733131b769735c82c56dd5b3f6aef4e3cabac9b

      SHA256

      ab682dce500913302f75c0cccc9f049fc3fa70b16b5de99788fb9cd520f47d3d

      SHA512

      db0aa91cbf071fa12951a5b9eeb6610aea3917edd93465863cdeafb939cc5ac9088fee8f64e96d375a428f236bbb589953e60cef3ff50ae2697940d12eba90c6

      Download Submit

    • memory/1980-64-0x00000000003D0000-0x0000000000438000-memory.dmp

      Filesize

      416KB

      Download

    • memory/2052-18-0x00000000010A0000-0x000000000111A000-memory.dmp

      Filesize

      488KB

      Download

    • memory/2052-22-0x00000000739C0000-0x00000000740AE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2052-46-0x0000000000380000-0x000000000038C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2052-55-0x00000000739C0000-0x00000000740AE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2052-45-0x00000000739C0000-0x00000000740AE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2156-20-0x0000000002AA0000-0x0000000002AA2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2268-56-0x0000000000130000-0x00000000001AA000-memory.dmp

      Filesize

      488KB

      Download

    • memory/2372-25-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2372-83-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2632-47-0x00000000003A0000-0x00000000003AC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2632-44-0x00000000739CE000-0x00000000739CF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2632-19-0x0000000000330000-0x0000000000398000-memory.dmp

      Filesize

      416KB

      Download

    • memory/2632-17-0x00000000739CE000-0x00000000739CF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2728-21-0x0000000000160000-0x0000000000162000-memory.dmp

      Filesize

      8KB

      Download