Overview

overview

10

Static

static

3

hhhh77.exe

windows7-x64

10

hhhh77.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-09-2024 23:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    hhhh77.exe

  • Size

    8.3MB

  • MD5

    9214afbf5645990e16a4935d4b66a2e1

  • SHA1

    ff88a1ba0e19d31f9ffbf0c5844709654d33a441

  • SHA256

    430365bd280fcc6e3a8f2912dad54c397e0c6dabd4dbf505cd95e53bdc8dc36a

  • SHA512

    21b8c7b9d28ddd745fa283cf449af7e248b7bde410217fa625a0654381247ad7012983a26b8f84d13cf610bb28180bd6e497a75368df637609d69f8f58e4ec31

  • SSDEEP

    196608:IIcwMCzK6VFMW/sd0PVVlMyELNCMgZsHcSCD:JNmyFW+Px0NIycf

Score
10/10
njrathackeddiscoverytrojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

C2

127.0.0.1:4344

Mutex

Windows Update

Attributes
  • reg_key

    Windows Update

  • splitter

    |Hassan|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\hhhh77.exe
    "C:\Users\Admin\AppData\Local\Temp\hhhh77.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1008
    • C:\Users\Admin\AppData\Local\Temp\Server_protected.sfx.exe
      "C:\Users\Admin\AppData\Local\Temp\Server_protected.sfx.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4372
      • C:\Users\Admin\AppData\Local\Temp\Server_protected.exe
        "C:\Users\Admin\AppData\Local\Temp\Server_protected.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1224
    • C:\Users\Admin\AppData\Local\Temp\ngrok.exe
      "C:\Users\Admin\AppData\Local\Temp\ngrok.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:428

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Server_protected.exe
    Filesize

    1.1MB

    MD5

    d284ba1f09e8c41cd5cdfb0fdb6ec60a

    SHA1

    821908e7bbecc9944bb8c5c2c190c93e6ed40b42

    SHA256

    16a4198de8bdfbfbbf06ca8961d9a5735aa3dd5890d1cc38659ec329871e9b32

    SHA512

    5b7570751241b1974546cdf93d172d9aac9173c47f10ce49bcc2cedc52ab07da40303cf74cd7332ae9c5c8fa0d08344b02d00c5ba6667f67fb71bca22ce63c9c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Server_protected.sfx.exe
    Filesize

    1.4MB

    MD5

    376851986979da63538461616c848b21

    SHA1

    0064b8eb1ae310829c80c6524e765338ff5894a8

    SHA256

    4603cbbf2c03fa34fe567f62b6a273566967c2203187c6ebc16b4c5fb71a965c

    SHA512

    d4c6b6e3a5ba49492484089c7660e7a702912e7b26d3d2c3e0f4b96ec1aa001d7f7859e7cb86ac3186d80c19bfe6ecb1cbfcba06ecf3ddb8c5388cec08dc4d3e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ngrok.exe
    Filesize

    26.3MB

    MD5

    4135fe39c7a56d4d4e6a3a86d7ee3f77

    SHA1

    a2d7898d488b08294d659c88ed439bc5c8352d65

    SHA256

    9b18df84a96f68f8726d26bc661a86a984d8fda4e5e8c2641ad91d103d028b05

    SHA512

    b056ee468b3b6c4276be6cd185d677bedbd594a65fa1c283ddd035c5232c207a478e0a7e339bb4efaec9c0c2d86ce16547600e56bf93a4d69be4f91232361338

    Download Submit

  • memory/1224-29-0x00000000000E0000-0x0000000000458000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/1224-31-0x00000000000E0000-0x0000000000458000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/1224-32-0x0000000005EA0000-0x0000000005F3C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/1224-33-0x0000000006770000-0x0000000006D14000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1224-34-0x0000000006260000-0x00000000062F2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1224-35-0x0000000003C30000-0x0000000003C3A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1224-37-0x00000000000E0000-0x0000000000458000-memory.dmp

    Filesize

    3.5MB

    Download