Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-07-2024 22:23

General

  • Target

    Aeonixx.exe

  • Size

    907KB

  • MD5

    554025c57d014fd5ed8ab159c96da159

  • SHA1

    2295d41aae469f8252c872eab15f7b5fcd85593c

  • SHA256

    7634e00a8aa848b561d2d18d78b1bd9fb2f02380418fb8b6b8b36ee4a201106f

  • SHA512

    125dce70da69479503f6cd42a16518bfd25b993b58499059703ffd8761dfeea71421d5a212ccddd84663e2ec464eb60128c07154d3a4db07fabe31906225a11c

  • SSDEEP

    12288:C4j4mGk/gKAsEu0Q07J4TpiQlO0Qcuvmxn0HOBJ7V:C2icgKAo0h0piQlO0QkxnRBJ5

Malware Config

Extracted

Family

njrat

Version

<- NjRAT 0.7d Horror Edition ->

Botnet

CS2

C2

85.108.113.75:1604

Mutex

775de7e7e00d15df96207ab529453f70

Attributes
  • reg_key

    775de7e7e00d15df96207ab529453f70

  • splitter

    Y262SUCZ4UJJ

Signatures

  • UAC bypass 3 TTPs 1 IoCs

    Sets EnableLUA to 0 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. This turns UAC off entirely (effective after the next restart) rather than bypassing an active prompt, and only succeeds if the process already runs with administrative rights.
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Stops running service(s) 4 TTPs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utility to control services on the system. Here it is used to query, stop and delete the Windows Defender service (windefend).

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Aeonixx.exe
    "C:\Users\Admin\AppData\Local\Temp\Aeonixx.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1188
    • C:\Users\Admin\AppData\Local\Temp\AEONIX.EXE
      "C:\Users\Admin\AppData\Local\Temp\AEONIX.EXE"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:344
      • C:\Users\Admin\AppData\Local\Temp\PAYLOAD.EXE
        "C:\Users\Admin\AppData\Local\Temp\PAYLOAD.EXE"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2616
        • C:\Users\Admin\AppData\Local\Temp\dllhost.exe
          "C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1688
          • C:\Windows\SysWOW64\attrib.exe
            attrib +h "C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
            5⤵
            • Views/modifies file attributes
            PID:2472
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1492
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell Set-MpPreference -DisableRealtimeMonitoring $true
              6⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1500
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c sc query windefend
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2948
            • C:\Windows\SysWOW64\sc.exe
              sc query windefend
              6⤵
              • Launches sc.exe
              PID:2308
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c sc stop windefend
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1056
            • C:\Windows\SysWOW64\sc.exe
              sc stop windefend
              6⤵
              • Launches sc.exe
              PID:2188
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c sc delete windefend
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2784
            • C:\Windows\SysWOW64\sc.exe
              sc delete windefend
              6⤵
              • Launches sc.exe
              PID:2548
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1356
            • C:\Windows\SysWOW64\reg.exe
              reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
              6⤵
              • UAC bypass
              • Modifies registry key
              PID:2576
      • C:\Users\Admin\AppData\Local\Temp\S.EXE
        "C:\Users\Admin\AppData\Local\Temp\S.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2916
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c pause
          4⤵
            PID:2624
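The tree above is a textbook defence-evasion chain from the dropped dllhost.exe: hide the dropped file with attrib +h, turn off Defender real-time protection with Set-MpPreference, stop and delete the windefend service with sc.exe, and disable UAC by setting EnableLUA to 0. The following Python is an added example, not part of the sandbox report, showing how a SIEM-side rule set would detect each step from process command lines and then correlate the hits under their common ancestor so the chain fires as one alert instead of four. The events are constructed from the PIDs and command lines in the tree (plus two constructed benign entries); the rule names, regexes and the threshold of three distinct techniques are illustrative choices, not a vendor's detection content.

```python
import re
from collections import defaultdict

# Constructed process-creation events modelled on the process tree in this report
# (pid, parent pid, image, command line). The last two entries are constructed
# benign negatives; none of this is real sandbox telemetry.
SAMPLE_EVENTS = [
    {"pid": 1688, "ppid": 2616, "image": r"C:\Users\Admin\AppData\Local\Temp\dllhost.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\dllhost.exe"'},
    {"pid": 2472, "ppid": 1688, "image": r"C:\Windows\SysWOW64\attrib.exe",
     "cmdline": r'attrib +h "C:\Users\Admin\AppData\Local\Temp\dllhost.exe"'},
    {"pid": 1492, "ppid": 1688, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": "cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"pid": 1500, "ppid": 1492, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"pid": 2948, "ppid": 1688, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": "cmd /c sc query windefend"},
    {"pid": 2308, "ppid": 2948, "image": r"C:\Windows\SysWOW64\sc.exe", "cmdline": "sc query windefend"},
    {"pid": 1056, "ppid": 1688, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": "cmd /c sc stop windefend"},
    {"pid": 2188, "ppid": 1056, "image": r"C:\Windows\SysWOW64\sc.exe", "cmdline": "sc stop windefend"},
    {"pid": 2784, "ppid": 1688, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": "cmd /c sc delete windefend"},
    {"pid": 2548, "ppid": 2784, "image": r"C:\Windows\SysWOW64\sc.exe", "cmdline": "sc delete windefend"},
    {"pid": 1356, "ppid": 1688, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd /c reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"},
    {"pid": 2576, "ppid": 1356, "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmdline": r"reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"},
    # Constructed benign activity from an unrelated admin shell (parent 3000 is not in the set).
    {"pid": 4000, "ppid": 3000, "image": r"C:\Windows\System32\sc.exe", "cmdline": "sc query spooler"},
    {"pid": 4001, "ppid": 3000, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Set-MpPreference -DisableRealtimeMonitoring $false"},
]

# Illustrative command-line rules (assumed names), one per technique in the tree.
# "sc query" is deliberately not matched: it is reconnaissance, not tampering.
RULES = {
    "defender_service_tamper": re.compile(r"\bsc(?:\.exe)?\s+(?:stop|delete|config)\s+windefend\b", re.I),
    "defender_rtp_off": re.compile(r"\bSet-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true\b", re.I),
    "uac_disable": re.compile(r"\breg(?:\.exe)?\s+add\b.*\\Policies\\System\b.*\s/v\s+EnableLUA\b.*\s/d\s+0\b", re.I),
    "hide_dropped_exe": re.compile(r'\battrib(?:\.exe)?\s+(?:\S+\s+)*\+h\b.*\\Temp\\[^\\"]+\.exe', re.I),
}


def match_rules(event):
    """Names of the rules whose regex matches this event's command line, sorted."""
    return sorted(name for name, rx in RULES.items() if rx.search(event["cmdline"]))


def root_of(pid, by_pid):
    """Walk the parent chain while the parent is a known event; return the top-most pid."""
    seen = set()
    while pid in by_pid and by_pid[pid]["ppid"] in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
    return pid


def correlate(events):
    """Map each ancestor pid to the set of distinct techniques seen anywhere under it."""
    by_pid = {e["pid"]: e for e in events}
    hits = defaultdict(set)
    for e in events:
        for rule in match_rules(e):
            hits[root_of(e["pid"], by_pid)].add(rule)
    return dict(hits)


def alerts(events, threshold=3):
    """Ancestors under which at least `threshold` distinct techniques fired: one alert per chain."""
    return {root: rules for root, rules in correlate(events).items() if len(rules) >= threshold}


if __name__ == "__main__":
    for root, rules in alerts(SAMPLE_EVENTS).items():
        print(f"defence-evasion chain rooted at pid {root}: {', '.join(sorted(rules))}")
```

Correlating on the ancestor matters because each individual step also has a benign explanation (an administrator can legitimately run sc or Set-MpPreference); four techniques under one process spawned from a user's Temp directory does not.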

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • \Users\Admin\AppData\Local\Temp\AEONIX.EXE

      Filesize

      849KB

      MD5

      0b7321cbbce655bb14c3737973936d8a

      SHA1

      3fbedbf411835e0d54593ae2fe938679f2f5a858

      SHA256

      b13a4f5dc328fb50971d5579f8d32ca7af2b9cf5118999e033ff227242a04edd

      SHA512

      82ee9dafd3948702da5eef1237270828257177f237115921b96d9d604901e0ce291d82562e20c3e0ad5473bd88615559fca2253a603c229f480b4fec746f4b34

    • \Users\Admin\AppData\Local\Temp\PAYLOAD.EXE

      Filesize

      54KB

      MD5

      dcc788ade743525d6922369a9b1cc1d9

      SHA1

      4c100d13f4115f64bbdcc47ffb4f60d50ea9edde

      SHA256

      1a82a1b8db2e35e967a2f463292337e08717251b3e836bf1ffa20815b25037c9

      SHA512

      67faa32ffb6a426f2626384629ac75083da881f549efe7b42c4d3ad915d93e1f2b07a10d952d9b7079b21964f66a8e5c8adb9a9e5fe59040b4dc5a5447c4fb79

    • \Users\Admin\AppData\Local\Temp\S.EXE

      Filesize

      742KB

      MD5

      3dbda3d47ec35af319228ebe3677e743

      SHA1

      0c3033b7568875bb6041c8eaf7eefb065f2f138e

      SHA256

      3d860b0b79377ea570b774977ac1d0976a5ce20c3a71ff67a9b91be84384fd9e

      SHA512

      348f308e96400a4abf2f820ecfaff4c9bb3690b6a60cd1f0376913d0cf01af836a78c5df4af0d2fe95d0fa9186cbf6eefc1b2ef75c021b48572457ff273d9f74