Analysis

  • max time kernel
    1799s
  • max time network
    1800s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-10-2024 16:53

General

  • Target

    njRAT-RED-V12.exe

  • Size

    27KB

  • MD5

    6bafe0541bffb68e63ef17c551258ac6

  • SHA1

    804366c8260b1fd73ed84e4a5a65c159aa8def05

  • SHA256

    0a2b53b63e489324c13eb75d7543a4e10755ae341522e1e795230c1eeffe8bff

  • SHA512

    9d3ef0651f79b590aa8a334daf4bcbba079052b7c38717b3bf0b5e67ebecee91757039d08697c86b197f2518314e5bd2f1a459b8b9c7e12cd3a11b0e08836409

  • SSDEEP

    384:ILZxZ3ZfjHnGgk8QgLLwv6mxEP9AOWIMNAQk93vmhm7UMKmIEecKdbXTzm9bVhcF:2931jHGqghNA/vMHTi9bD

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely as a geofence check.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Views/modifies file attributes 1 TTPs 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\njRAT-RED-V12.exe
    "C:\Users\Admin\AppData\Local\Temp\njRAT-RED-V12.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1700
    • C:\Windows\Updater.exe
      "C:\Windows\Updater.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1656
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:5888
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:5880
    • C:\Windows\SysWOW64\attrib.exe
      attrib +h +r +s "C:\Windows\Updater.exe"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Views/modifies file attributes
      PID:1904
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=944,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=4296 /prefetch:8
    1⤵
      PID:1500
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3812,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=4908 /prefetch:8
      1⤵
        PID:2584

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

    Filesize

    1KB

    MD5

    535e7af4a92452eb36030af919f5452d

    SHA1

    8a2df10da262e9a8c14dc2dc45e601e65032b23a

    SHA256

    9790bc54c3927b25c28376f55851c54111af19a0019758ccf3b74c986a5989ac

    SHA512

    678fb1c9fbf575e54827d2872aea768257331c13d862b8f60253f7329a5d41df70bea2409ad5ff4acd4ab117ee82ebb515b0b2ff48fc776beab8398c2d0d4189

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk

    Filesize

    1KB

    MD5

    c42ac0abd4dc7de84037ac38260e8d3d

    SHA1

    d7e4d0b8d8cdcc5ed6cd0791604a98b682dd466c

    SHA256

    83028a556c575d7b1eaaf295927233a4e191a79d406a6fec4bfcec9cfe4ec887

    SHA512

    bd5b1cc781747c03665cebcc38ef7ebed67e431f93220863d5e0b5392676b270b16fa2473c9d7645daca33d1f746935d92dd4aaa2c2927796147816c3d132e5e

  • C:\Windows\Updater.exe

    Filesize

    27KB

    MD5

    6bafe0541bffb68e63ef17c551258ac6

    SHA1

    804366c8260b1fd73ed84e4a5a65c159aa8def05

    SHA256

    0a2b53b63e489324c13eb75d7543a4e10755ae341522e1e795230c1eeffe8bff

    SHA512

    9d3ef0651f79b590aa8a334daf4bcbba079052b7c38717b3bf0b5e67ebecee91757039d08697c86b197f2518314e5bd2f1a459b8b9c7e12cd3a11b0e08836409

  • memory/1656-17-0x0000000075430000-0x00000000759E1000-memory.dmp

    Filesize

    5.7MB

  • memory/1656-24-0x0000000075430000-0x00000000759E1000-memory.dmp

    Filesize

    5.7MB

  • memory/1656-19-0x0000000075430000-0x00000000759E1000-memory.dmp

    Filesize

    5.7MB

  • memory/1656-18-0x0000000075430000-0x00000000759E1000-memory.dmp

    Filesize

    5.7MB

  • memory/1700-5-0x0000000075432000-0x0000000075433000-memory.dmp

    Filesize

    4KB

  • memory/1700-16-0x0000000075430000-0x00000000759E1000-memory.dmp

    Filesize

    5.7MB

  • memory/1700-6-0x0000000075430000-0x00000000759E1000-memory.dmp

    Filesize

    5.7MB

  • memory/1700-0-0x0000000075432000-0x0000000075433000-memory.dmp

    Filesize

    4KB

  • memory/1700-2-0x0000000075430000-0x00000000759E1000-memory.dmp

    Filesize

    5.7MB

  • memory/1700-1-0x0000000075430000-0x00000000759E1000-memory.dmp

    Filesize

    5.7MB