Overview

overview

10

Static

static

7

b0b7e05479...df.exe

windows7-x64

10

b0b7e05479...df.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-09-2024 00:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b0b7e0547949400674954396d6dd3f9ce820f608eb8063b1c9d86f3e3d16f2df.exe

  • Size

    232KB

  • MD5

    048af131c128c4f3d61e2f8311a0d789

  • SHA1

    6499aaffdef17532166f4e6b023b5b5e9c2a3a74

  • SHA256

    b0b7e0547949400674954396d6dd3f9ce820f608eb8063b1c9d86f3e3d16f2df

  • SHA512

    8ecf9f80ed6651dda257215f80a9fdaca1f19a1833a0968e67d943bea6a654ff59e828085d69f7a10e05e32290d3b2a28355179f3b367b86abb3781f69451c32

  • SSDEEP

    6144:sGzuTmcrilEBufkto5AoYfqyoVxxGMOr6ulkLAl9sUgvoplt:sGuTKlEBu8t6zYyyowWulA6sU1r

Score
10/10
njratadamevasionpersistenceprivilege_escalationtrojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Adam

C2

127.0.0.1:5552

Mutex

0fdeb309c302794f1f098abd7425174f

Attributes
  • reg_key

    0fdeb309c302794f1f098abd7425174f

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • .NET Reactor proctector 1 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b0b7e0547949400674954396d6dd3f9ce820f608eb8063b1c9d86f3e3d16f2df.exe
    "C:\Users\Admin\AppData\Local\Temp\b0b7e0547949400674954396d6dd3f9ce820f608eb8063b1c9d86f3e3d16f2df.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4092
    • C:\Users\Admin\AppData\Roaming\server.exe
      "C:\Users\Admin\AppData\Roaming\server.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:900
      • C:\Windows\SYSTEM32\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        PID:3248

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\server.exe
    Filesize

    232KB

    MD5

    048af131c128c4f3d61e2f8311a0d789

    SHA1

    6499aaffdef17532166f4e6b023b5b5e9c2a3a74

    SHA256

    b0b7e0547949400674954396d6dd3f9ce820f608eb8063b1c9d86f3e3d16f2df

    SHA512

    8ecf9f80ed6651dda257215f80a9fdaca1f19a1833a0968e67d943bea6a654ff59e828085d69f7a10e05e32290d3b2a28355179f3b367b86abb3781f69451c32

    Download Submit

  • memory/900-24-0x00007FFBEDB10000-0x00007FFBEE4B1000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/900-23-0x0000000000E10000-0x0000000000E18000-memory.dmp

    Filesize

    32KB

    Download

  • memory/900-22-0x00007FFBEDB10000-0x00007FFBEE4B1000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/900-21-0x00007FFBEDB10000-0x00007FFBEE4B1000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/900-20-0x00007FFBEDB10000-0x00007FFBEE4B1000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4092-6-0x0000000001130000-0x000000000113C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/4092-0-0x00007FFBEDDC5000-0x00007FFBEDDC6000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4092-5-0x000000001C4A0000-0x000000001C53C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4092-19-0x00007FFBEDB10000-0x00007FFBEE4B1000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4092-4-0x00007FFBEDB10000-0x00007FFBEE4B1000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4092-3-0x000000001BD90000-0x000000001C25E000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/4092-2-0x000000001B810000-0x000000001B8B6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/4092-1-0x00007FFBEDB10000-0x00007FFBEE4B1000-memory.dmp

    Filesize

    9.6MB

    Download