Analysis

  • max time kernel
    150s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    01/10/2024, 09:43

General

  • Target

    307b96d57138b6d00f497d65316874c5c93a734fd4e3d97e8c6beb33afba87ceN.exe

  • Size

    936KB

  • MD5

    4f66f2d3347a0466104e506a6d71f1b0

  • SHA1

    63d77b6043bfcfa477d743a30c3476997f6dcf09

  • SHA256

    307b96d57138b6d00f497d65316874c5c93a734fd4e3d97e8c6beb33afba87ce

  • SHA512

    10c7a1e0477830cdcc40a385a40ef884e2bb9ab3e2d1ecebee1e9760d9615d035fc2b55d3b9c9c81b3aeddedbb1ab0c869a00d278653ca59344059feea3bc660

  • SSDEEP

    12288:9MdXQ94Gh9tkeWMsMQ3WmvekJTaS9ynMpx5hum+yw0DMdXQ94Gh9tkeWMsMQ3Wm9:af7XHuPf7XHu

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

22.ip.gl.ply.gg:57731

Mutex

32ce84f74d25f1e71aac67667a2c8d24

Attributes
  • reg_key

    32ce84f74d25f1e71aac67667a2c8d24

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Disables Task Manager via registry modification
  • Drops file in Drivers directory 1 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 6 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SendNotifyMessage 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\307b96d57138b6d00f497d65316874c5c93a734fd4e3d97e8c6beb33afba87ceN.exe
    "C:\Users\Admin\AppData\Local\Temp\307b96d57138b6d00f497d65316874c5c93a734fd4e3d97e8c6beb33afba87ceN.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2012
    • C:\Users\Admin\AppData\LocalfRDeAalfWC.exe
      "C:\Users\Admin\AppData\LocalfRDeAalfWC.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2260
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Roaming\java.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2988
        • C:\Windows\SysWOW64\wscript.exe
          wscript.exe "C:\Users\Admin\AppData\Roaming\invs.vbs" "C:\Users\Admin\AppData\Roaming\java2.bat
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2180
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Roaming\java2.bat" "
            5⤵
            • System Location Discovery: System Language Discovery
            PID:864
      • C:\Windows\Temp\System.exe
        C:\Windows\Temp\System.exe
        3⤵
        • Executes dropped EXE
        PID:2924
      • C:\Windows\Temp\System.exe
        C:\Windows\Temp\System.exe
        3⤵
        • Executes dropped EXE
        PID:2744
      • C:\Windows\Temp\System.exe
        C:\Windows\Temp\System.exe
        3⤵
        • Executes dropped EXE
        PID:2660
      • C:\Windows\Temp\System.exe
        C:\Windows\Temp\System.exe
        3⤵
        • Executes dropped EXE
        PID:1968
      • C:\Program Files\VideoLAN\VLC\vlc.exe
        "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Default.mp3"
        3⤵
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:2620
      • C:\Users\Admin\AppData\Local\Temp\%tmp%.exe
        "C:\Users\Admin\AppData\Local\Temp\%tmp%.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2648
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ytcrz3tw.cmdline"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1812
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB74.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBB73.tmp"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2644
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3048
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
            dw20.exe -x -s 412
            5⤵
            • System Location Discovery: System Language Discovery
            PID:880
        • C:\Users\Admin\AppData\Roaming\99796.exe
          "C:\Users\Admin\AppData\Roaming\99796.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:2160
          • C:\ProgramData\Dllhost.exe
            "C:\ProgramData\Dllhost.exe"
            5⤵
            • Drops startup file
            • Executes dropped EXE
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:1348
            • C:\Windows\SysWOW64\netsh.exe
              netsh firewall add allowedprogram "C:\ProgramData\Dllhost.exe" "Dllhost.exe" ENABLE
              6⤵
              • Modifies Windows Firewall
              • Event Triggered Execution: Netsh Helper DLL
              • System Location Discovery: System Language Discovery
              PID:1480
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
          dw20.exe -x -s 1116
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          PID:2456
      • C:\Windows\SysWOW64\REG.exe
        REG add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1956
      • C:\Windows\SysWOW64\rEG.exe
        rEG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:664

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\%tmp%.exe

    Filesize

    132KB

    MD5

    6b97067ea717e5c72685a38a15109ecc

    SHA1

    0ec286ff24307650bcd1881106980d420c646610

    SHA256

    b62c4ffb4b0622b0dc2fcf684b86863a54636c3af773e71a036c3064075eaf17

    SHA512

    80613f0da03c01d5d35dedb4617e811a7b2e72032eeedc5ccdb2b8f6c6408ec9f66ad3f9a10f6e357e4ec85c9bb8374c3d64874a5d9699e6def23cdc9748fb7d

  • C:\Users\Admin\AppData\Local\Temp\Default.mp3

    Filesize

    27KB

    MD5

    071720d5f39c31b27711d70b09ef9b3b

    SHA1

    1fe68bf69c8418454a0d91ad321b99fe9065a1db

    SHA256

    f8bc97b18db5452e5be748390037c16e606aaf0f61f0896531528d0d5fd08cc7

    SHA512

    7db5e2039e075916874b071f30aef7c29133182b9bdbc2e3cb9c2296db8a67f2cfd4e49701d85126b6b58d59bd6198f2ce6c5f4eec382209a6576c628d354014

  • C:\Users\Admin\AppData\Local\Temp\RESBB74.tmp

    Filesize

    1KB

    MD5

    bcaffd1da5b1352aca0c3fa2b01d5abc

    SHA1

    a694bc77880138dbc9d0ccbadfb1696bd50fb876

    SHA256

    0e47d92552dd4ef347fed4486eec8951aa68218c467e4c7800fc984119402635

    SHA512

    2a54756dd19ee26a7a6d47cfcecc04178bfb7591b51d77c1443542591659dcf61f75e1fa589266e9dfd6c0832f4d7c171b1da98e020b5bb51b614ee30fd0b54b

  • C:\Users\Admin\AppData\Local\Temp\ytcrz3tw.dll

    Filesize

    5KB

    MD5

    d42ba9acb411a99763f94ab5ab4cd2a7

    SHA1

    0562ac230a8ccc6f9b8d96e30936d552d1f55074

    SHA256

    13e1d6138a9ea7d7835dcf9837af9dba34a3e24845c7bc68fc217c9b7fb6c4cd

    SHA512

    bcb56cd9c9266afb997b773afeb3dd59b5aa132ec58112424a28204df8adf5512225143d80d3bc4e1bf50b28dc9fa6b72b04d3d07f56a03b61a4dc43c6cf924c

  • C:\Users\Admin\AppData\LocalfRDeAalfWC.exe

    Filesize

    461KB

    MD5

    97ae997014319227a2a3b08033fd81df

    SHA1

    95b7acd68273a81951ed13890ac6efd746258c42

    SHA256

    ef41566edb201f685cfedd097970f9b1edb4832c2dabb6309a79f0fb34ee0402

    SHA512

    103931d8c70e3d9a3f1757b81428b7313c7cda178f3d19ffb4c1ee169e3c642156468ea8d9a4c33802bc0afc0408bc81a6d248789c023565f31b8dd7f45c0fd1

  • C:\Users\Admin\AppData\Roaming\invs.vbs

    Filesize

    78B

    MD5

    c578d9653b22800c3eb6b6a51219bbb8

    SHA1

    a97aa251901bbe179a48dbc7a0c1872e163b1f2d

    SHA256

    20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

    SHA512

    3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

  • C:\Users\Admin\AppData\Roaming\java.bat

    Filesize

    53B

    MD5

    1896de26a454df8628034ca3e0649905

    SHA1

    76b98d95a85d043539706b89194c46cf14464abe

    SHA256

    d85e713743c7e622166fb0f79478de5eabd53d3fe92bd2011ab441bc85ef2208

    SHA512

    ef69dacd7e717dff05f8a70c5b9a94011f2df3201cc41d5f8cc030f350b069dc090c5b0d3d0bd19098a187977a82d570e1ee153849f609a65889ba789da953d2

  • C:\Users\Admin\AppData\Roaming\java2.bat

    Filesize

    160B

    MD5

    e8170b6565dfb34d114cfa398ba77296

    SHA1

    9079335b0ec9a509b7344cb98713fc0b52afa36e

    SHA256

    76ff7c88cc815c8acd61f835033baf5b92eee085e7316c7230f7c363d1e1974b

    SHA512

    1b473fe0a68642ff1741f4619f819b040f8d54696d40e74dd9ad692b56729e455bbe54cb76b382bb1fce5e1eae97dd8c99aeb762915f7147bba59d0ba60d004d

  • \??\c:\Users\Admin\AppData\Local\Temp\CSCBB73.tmp

    Filesize

    652B

    MD5

    bc993608fc3311e14e5b0312c40b381d

    SHA1

    ea46df9af696aadf52bbdc85a08309418dbbc12c

    SHA256

    ca44d7e9aab41470db1371038acc26b6e4834e88247646e0385f06420838d1a2

    SHA512

    56dda317f8695ff0f5518d6a02dc1b1301f9e5642383bfd2ca6f948846f086ba0a35dbcb1da70b98f51180ada0d272111416c9b1324844f3ad4f5222cfbb8b75

  • \??\c:\Users\Admin\AppData\Local\Temp\ytcrz3tw.0.cs

    Filesize

    4KB

    MD5

    b63430207638c1a36b9b27002e0da3da

    SHA1

    54356082f32c71498c4ac5f85f4588e0d1c57ad0

    SHA256

    fa125ed8e48d596788a8ad5589bc996b918de3fc27008bea888b9e1b5efa2193

    SHA512

    29ea956fb37628dac43693d5f234698510923d562ab22e53131b1919f788ed5fd3116ed501be79554e47113d795b06f5ad255c7dfee2bb9e021eb0ab14e9b737

  • \??\c:\Users\Admin\AppData\Local\Temp\ytcrz3tw.cmdline

    Filesize

    206B

    MD5

    9fc2ce2d58c9877584082a1930e27fbc

    SHA1

    7723a60b5bde8f87e7af72ad6de738cc12c3b16b

    SHA256

    dde5d9575bbe8c6d9083048e31600a1349a1a53e7d05df40b71f4ba641205887

    SHA512

    ef724f1b5b7924a269d308903bd623f0589da4a6d825546b5d572d994ac4e414bc21475b907209655b4167fa9e807bcea98b8e7097f221ebbeb560b63f4df5c7

  • \Windows\Temp\System.exe

    Filesize

    1.1MB

    MD5

    34aa912defa18c2c129f1e09d75c1d7e

    SHA1

    9c3046324657505a30ecd9b1fdb46c05bde7d470

    SHA256

    6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

    SHA512

    d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98
