Analysis

  • max time kernel
    209s
  • max time network
    207s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    20-07-2024 11:19

General

  • Target

    Server.exe

  • Size

    36KB

  • MD5

    83d83edd49fbe175f330b855135b7812

  • SHA1

    7a88ba7b0b6f44af5945ee5aa0494f84b0b78e25

  • SHA256

    f67be796c76c62a9b4763403ebbb62ceb07d567f1c76386445fb99b7f807d46d

  • SHA512

    9a66de9e038234a36b8b3912ebe931c4fc0d839fb71bbd95014e3fbd4ebaeeda45fd2ed462e18cdef1edf2a9247b04ee90e1d185020a789457b01b90e3f4fd71

  • SSDEEP

    384:bv5Zjj6icFri5Z7JAyk/G4OvhRZea6FwrAF+rMRTyN/0L+EcoinblneHQM3epzXb:z5LHJ7k/G4ObZr6GrM+rMRa8NuZ9Pt

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

ضحايا Repo

C2

147.185.221.21:19455

Mutex

ff08ef465dd80a9af68f3e1ab659a49e

Attributes
  • reg_key

    ff08ef465dd80a9af68f3e1ab659a49e

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops autorun.inf file 1 TTPs 5 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Server.exe
    "C:\Users\Admin\AppData\Local\Temp\Server.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3012
    • C:\Users\Admin\AppData\Local\Temp\System.exe
      "C:\Users\Admin\AppData\Local\Temp\System.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops autorun.inf file
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:164
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\System.exe" "System.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        PID:4432

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\System.exe

    Filesize

    36KB

    MD5

    83d83edd49fbe175f330b855135b7812

    SHA1

    7a88ba7b0b6f44af5945ee5aa0494f84b0b78e25

    SHA256

    f67be796c76c62a9b4763403ebbb62ceb07d567f1c76386445fb99b7f807d46d

    SHA512

    9a66de9e038234a36b8b3912ebe931c4fc0d839fb71bbd95014e3fbd4ebaeeda45fd2ed462e18cdef1edf2a9247b04ee90e1d185020a789457b01b90e3f4fd71

  • memory/164-10-0x0000000073BA0000-0x0000000074150000-memory.dmp

    Filesize

    5.7MB

  • memory/164-11-0x0000000073BA0000-0x0000000074150000-memory.dmp

    Filesize

    5.7MB

  • memory/164-21-0x0000000073BA0000-0x0000000074150000-memory.dmp

    Filesize

    5.7MB

  • memory/3012-0-0x0000000073BA1000-0x0000000073BA2000-memory.dmp

    Filesize

    4KB

  • memory/3012-1-0x0000000073BA0000-0x0000000074150000-memory.dmp

    Filesize

    5.7MB

  • memory/3012-2-0x0000000073BA0000-0x0000000074150000-memory.dmp

    Filesize

    5.7MB

  • memory/3012-9-0x0000000073BA0000-0x0000000074150000-memory.dmp

    Filesize

    5.7MB