Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
15-09-2024 00:05
General
-
Target
9a93e284738593ec18d5e0c7d23de3a798a2fb7948aa730243edb5fd3566fc3c.exe
-
Size
509KB
-
MD5
093b753a23c9e8d075a0b5930becc5db
-
SHA1
1702c0e879306d86a5a66291da6318581df63f1d
-
SHA256
9a93e284738593ec18d5e0c7d23de3a798a2fb7948aa730243edb5fd3566fc3c
-
SHA512
e948a28961872ea1b64cafcd0190cc2d85cac5d887b94d4a8eefc24374ca1581c6c9882c6000cea9c6c507b14be6c4f2191118e3aa76cfdb7992d4f5aab11cf2
-
SSDEEP
6144:BstlOOo8x7n59Z+zyu65QnlQBD57PSNfL:wOOfN590uu6ekV7PSNz
Malware Config
Extracted
njrat
im523
Loh
4.tcp.ngrok.io:15397
e3a79ad10724ea5246684eaecb0cb4a0
-
reg_key
e3a79ad10724ea5246684eaecb0cb4a0
-
splitter
|'|'|
Signatures
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 3 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of AdjustPrivilegeToken 37 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9a93e284738593ec18d5e0c7d23de3a798a2fb7948aa730243edb5fd3566fc3c.exe"C:\Users\Admin\AppData\Local\Temp\9a93e284738593ec18d5e0c7d23de3a798a2fb7948aa730243edb5fd3566fc3c.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD53e8a3d061b73f089a05047e2296539d1
SHA15b2dfe1f2797814f60e7a0264b40985127fadbe6
SHA25697f90454a6070684daf77448247090e79f123f2abbc2dc782832b04ae500e461
SHA512abde5bbf0fb202edb438778f3f48cfe963a4b5068d3e1e0c8194b1c88062cf8111f912e45c8d22406080088f93b950a19d5b13d8da3a59dcef9e6fa1ab6e2799
-
Filesize
37KB
MD5961115e27e215a51ba84005aaedade5b
SHA1af550890c01d1f75e901f6dff1b7838788dedbd0
SHA25674831b89ba10ee38897390a4e9caffad33ad7fe184b0604fa36c26956f7d28b3
SHA5120f6526bbab05adebca702053b7b4b95b9945d1e3bfc95fbd87fee7cbb77a5944ec1b29e63df20e83fe4aedfd143d57662c1e3152ed80fe8032777bdf908f28a1
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
