Analysis

  • max time kernel
    133s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    05-10-2024 11:24

General

  • Target

    13131312.exe

  • Size

    55KB

  • MD5

    7f885e0b86bfd37c17867214b74c600a

  • SHA1

    476e1749121846a34eff66c2714d01ff3cf18593

  • SHA256

    0e598feb9643475cd6209f510b9bdd33080188752734f5e8403aa5e946f6b841

  • SHA512

    00799f581f42173a2e10e9fdd4f8ba83922bbe8b8e264539405a78eef146c3c8f8f09ac2fdbb6380d2574232b749e902469bbdc62af89d62d4416de506f75499

  • SSDEEP

    1536:6RYADnG5N3HSdfd7EDuwsNMDdXExI3pmTm:NADn0ydtEDuwsNMDdXExI3pm

Malware Config

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 13 IoCs
  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\13131312.exe
    "C:\Users\Admin\AppData\Local\Temp\13131312.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn CleanSweepCheck /tr C:\Users\Admin\AppData\Local\Temp\13131312.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2704
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://google.com/
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1168
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1168 CREDAT:275457 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1372
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /f /im Chrome.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2132
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im Chrome.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2572
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /f /im Firefox.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1672
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im Firefox.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:852
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /f /im Chromium.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2936
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im Chromium.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2524
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /f /im Opera.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1992
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im Opera.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2312
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /f /im OperaGX.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1004
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im OperaGX.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2156
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /f /im MsEdge.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1040
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im MsEdge.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1684
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /f /im Safari.exe
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1536
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im Safari.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2304
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /f /im Brave.exe
      2⤵
      • System Location Discovery: System Language Discovery
      PID:972
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im Brave.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1060
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /f /im Iridium.exe
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2144
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im Iridium.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1200
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /f /im Dissenter.exe
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1720
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im Dissenter.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1196
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /f /im PaleMoon.exe
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1580
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im PaleMoon.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2952
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /f /im Vivaldi.exe
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2504
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im Vivaldi.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2392
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /f /im iExplore.exe
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2024
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im iExplore.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2872
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {1F8575FE-FA8E-4911-904D-646406CF5FA9} S-1-5-21-457978338-2990298471-2379561640-1000:WOUOSVRD\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2796
    • C:\Users\Admin\AppData\Local\Temp\13131312.exe
      C:\Users\Admin\AppData\Local\Temp\13131312.exe
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2512
    • C:\Users\Admin\AppData\Local\Temp\13131312.exe
      C:\Users\Admin\AppData\Local\Temp\13131312.exe
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3012
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2328
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x5d8
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1180
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
    1⤵
    • System Location Discovery: System Language Discovery
    PID:1184

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    28479a3fde72936acc6eb752346275f8

    SHA1

    5e89c0ad1c402fde8aa3710524c1ae8d6825292a

    SHA256

    eae5b90b815d9a94abe5c8cfd2de3badf45ee95497b3b48cabdac1af954ce874

    SHA512

    c1284bb5644102b03cb5d9715628d7af3e5d46b12ffac70ee7218aa5b2d8f58c5f96917390642562d72e7b974dc50eab5217e024a0044646e2c0d49280fdf9a0

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    a016c31e72fa512439a5a8ef12fc543c

    SHA1

    d30ab58d692bbd740990f3a2f948e69153f770d3

    SHA256

    0b76b1b47e5e852ce6b101a8131a313960fbfb495a1198eee3daaa3b47e235a3

    SHA512

    39b8a34d2135f8e76adafd7070d1a60643a9b7f986705aa938c035a187ea41ada76023cd565fb25d66d04a3b591620e78b03c14a3b7f5b09d0bbb69c4c581fba

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    5ea997b0ed70e57810b7394f9aa9002b

    SHA1

    4ce43bfc1d410757e257573173bdc6eba10f1789

    SHA256

    85425cd630f0a53dcdb700c2e96608a519de23a428a7a32ceff21cbebaebc3fd

    SHA512

    c7bc459742bb519af1193a225983784a8d60949f72ac0aaa9c493ea65f90ae61a2cdbfde5308d12e4ecb06543c2457fd1d0bebeca60192325e8b7202dbf10e01

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    0912a032a81a5570715262c0f449e43c

    SHA1

    c2b4f42c58634db60193c81d338d0ef6df9f1a0a

    SHA256

    2db87774beeed30f578424daf1c144925d5630876a1271f5736cda92dac1657c

    SHA512

    7d77f56c13e7ea0a9702303e857a3654dc455dab2e950767abc40cde73b67a022fae91815661436d20bfc391e5a5bdd5f4f6a21b50445b2301f43b20b4815fbf

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    03ab627f155c23c606d566e0b73575f2

    SHA1

    695d8f8a4d83ed038214c73024f2bc6a0bec839c

    SHA256

    0964a4474006c636606a35e2b0adcd44a04f1b3d2938ca20887337b35b0207cc

    SHA512

    8d71e64d2d5f6163713d28487a1a338d5a2f7e52fb0463f9d9cc7b181209ba0c8256dbdf0626b38aba460cfa807230089d7d648eff77da7f103afab2c51ed6f3

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    754abc753567ec3f30d439de15c9927e

    SHA1

    fcec5092318f0464f75d4d5cda15f37b942645de

    SHA256

    41c97bff160decefe725dca0eea123d0baee6302a37c1cec7eab2c0292b06115

    SHA512

    a73f7a7a4ee54ae81389f5a21d5bb047e1fb535f53a708dad2dd6b4a6a5aeeef04f08c6673f4ab6cd8f86a6172f60926275c020d8d2bf0dcd822fbe978148c6a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    0bf95a923e85f6876a76af4dc0b6eeb8

    SHA1

    65dc729489b85ec4f86a1de5597e2623ef91b6f1

    SHA256

    0644b6a5740887ce284e893f39c4e0c49deb206a6aeae2816d99ee79ac5d66c1

    SHA512

    41697e6b58e9e041a936320e0134f90aff4a676eb21e7be5224ec8b98e191999a0154e69641a06dfe386183d45e7abe42ab9b90797fe0b248442381041b2bb03

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    79e5eb5ee4a81d8863e9b82c56f34568

    SHA1

    ff31a84882d266b1c6f47d0c4c14bb5a2c81d0b7

    SHA256

    ed79d3599301a8f7dc7489efd9a71eab7f12e6f0ae96fbc93c8a262d091123e2

    SHA512

    9b904f901aadf93015f88806a14a74e2c36a9a64ba16640350148ddefdb3697f349c6b6ce202183070cb5ca27c56cefc815385cd9e58e265c9fe71ee4c782b83

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    4e05a7c5d6c7ab1589e0a57e7eac60a0

    SHA1

    91c8399e185c771948bdc150bf6556f91774f346

    SHA256

    06ee8cb8cf11c7ee01acdd8759e089bc3f459551364135685a16aef52bda3528

    SHA512

    213a3415fad239bc453eecc85a57d4c76163611df41c71b5a70a7a562d6df6137afe7d5886595d47e49b853cce98cded16e3582e52eb68fc9d060344c991f31e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    ec019c7f8f4fc8d1d3f981f265ff6b8d

    SHA1

    ffd101125db426914f0ba95423e9597bda48c553

    SHA256

    e3ddfd5eecd118c61f408dc942802e381e891fda21a333cb4ed624a7386fa3c5

    SHA512

    22fb8074815f44a3760fb52eb1ee82846bca164377170fb5f28eb9ea1204f147e33e2985b4c09fe365890b8c23e1e5a56641f1842f253ca689f5e8022e33b40d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    b266f1522ba15c867d53f3cd0e0385f7

    SHA1

    1b7ee6aba6317631b5c7c7b2b580341b9160725b

    SHA256

    463bcb22e1470a45e60edf6a8d98ae93a3e71ee5095fc3ab729f2dea02db8b38

    SHA512

    13599391b5846d4615358754a6e153d8588729fa3e960d1e0013daab423e2605821c1ef0c74408c87076132530af931ece7fa1c6ae68b12015362cc41f3340e9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    0c1a142dc7594289667f1a3294bc47f1

    SHA1

    5b4d297e7c81f16e59837f968024f3118afd06d6

    SHA256

    d5d04c62e819c85715f418ddd5d3c62652ff6724a88a6d45bb8b2715831c770e

    SHA512

    0afce2240b3467fa82177cd699e7e3893ad6a8675e6d6206e5f0a7d8694cf9e5ba569c86fba5ea56e65d87e6138a7b6a7e6e72283bab6d4820ef98b28bc77c45

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\lutsxto\imagestore.dat

    Filesize

    5KB

    MD5

    a81241db7d666f936c0c9f135e1bb76a

    SHA1

    b55407063955c00c86fe609269304dd6d911e151

    SHA256

    94de5d60dafa6e0d78153b7172e4f4ccbd2eb1abfe0600012fe7807ea371e56b

    SHA512

    95f7a1b5db850bd0f4fd5993470025faa6e68812354c76c21aa2d67c7f500a8330824682b4793480877530a83caa5facda454c46f81093c19a94b9743bb5911d

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\56KJ964X\favicon[1].ico

    Filesize

    5KB

    MD5

    f3418a443e7d841097c714d69ec4bcb8

    SHA1

    49263695f6b0cdd72f45cf1b775e660fdc36c606

    SHA256

    6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

    SHA512

    82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

  • C:\Users\Admin\AppData\Local\Temp\Cab734.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Tar745.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • memory/2372-0-0x0000000074581000-0x0000000074582000-memory.dmp

    Filesize

    4KB

  • memory/2372-6-0x0000000074580000-0x0000000074B2B000-memory.dmp

    Filesize

    5.7MB

  • memory/2372-5-0x0000000074580000-0x0000000074B2B000-memory.dmp

    Filesize

    5.7MB

  • memory/2372-4-0x0000000074580000-0x0000000074B2B000-memory.dmp

    Filesize

    5.7MB

  • memory/2372-2-0x0000000074580000-0x0000000074B2B000-memory.dmp

    Filesize

    5.7MB

  • memory/2372-1-0x0000000074580000-0x0000000074B2B000-memory.dmp

    Filesize

    5.7MB

  • memory/2512-9-0x0000000074580000-0x0000000074B2B000-memory.dmp

    Filesize

    5.7MB

  • memory/2512-8-0x0000000074580000-0x0000000074B2B000-memory.dmp

    Filesize

    5.7MB

  • memory/2512-7-0x0000000074580000-0x0000000074B2B000-memory.dmp

    Filesize

    5.7MB