Overview

overview

10

Static

static

7

Site Hunte...er.exe

windows7-x64

10

Site Hunte...er.exe

windows10-2004-x64

10

Resubmissions

07-10-2024 06:34

241007-hb9qja1djk 10

05-05-2023 20:23

230505-y54pdaeg8y 8

Analysis

  • max time kernel
    149s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    07-10-2024 06:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Site Hunter Pro By X-Splinter.exe

  • Size

    744KB

  • MD5

    9a450a05657ce80e73171556154adb60

  • SHA1

    9db02ebf6b851397ab6d43d4c79d3785987a56b1

  • SHA256

    16d6e1a9844554861f37ac46f86fd1ef618aa56282d83f768c47e1c191dd75ee

  • SHA512

    c75444be53b8b55d6634ed8c632b78b523bff5b0ad1eb9171fce65778c6444a7728c11b4137bb397a75f0df635d80083aea380d9708b04a5bf97d0c40965f208

  • SSDEEP

    12288:prBjpOUREzLw2f1WrG8HXXQGa3INlTVlRGvk4qOV7l:prBj0+EzLwW1T8HQ93IlTtO

Score
10/10
njrathackeddiscoveryevasionpersistenceprivilege_escalationtrojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

3cpanel.hackcrack.io:61448

Mutex

Windows Explorer

Attributes
  • reg_key

    Windows Explorer

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 29 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Site Hunter Pro By X-Splinter.exe
    "C:\Users\Admin\AppData\Local\Temp\Site Hunter Pro By X-Splinter.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2596
    • C:\Users\Admin\AppData\Local\Temp\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2296
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2660
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1268
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe"
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1748
            • C:\Windows\system32\netsh.exe
              netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" "explorer.exe" ENABLE
              6⤵
              • Modifies Windows Firewall
              • Event Triggered Execution: Netsh Helper DLL
              PID:2964
    • C:\Users\Admin\AppData\Local\Temp\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      2⤵
      • Executes dropped EXE
      PID:2456
    • C:\Users\Admin\AppData\Local\Temp\Site Hunter Pro By X-Splinter .exe
      "C:\Users\Admin\AppData\Local\Temp\Site Hunter Pro By X-Splinter .exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2476
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:2904

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Event Triggered Execution

    1
    T1546

    Netsh Helper DLL

    1
    T1546.007

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Event Triggered Execution

    1
    T1546

    Netsh Helper DLL

    1
    T1546.007

    Defense Evasion

    Impair Defenses

    1
    T1562

    Disable or Modify System Firewall

    1
    T1562.004

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Setup.exe
      Filesize

      477KB

      MD5

      0e6c9432cba1614fccc232f201028c72

      SHA1

      6082cf9489faa785c066195f108548e705a6d407

      SHA256

      c9a2faffee3de29e278a89e54b07edb1f520f5e665480a1002d401fd83cde2e8

      SHA512

      c341000eb6f10c3ee1fb722914abb8ba2e1a3ab32a0ccdd92561c0604d58924699d3f9886b8bd03ab13223c9c78eef74045b181520298dba3323a2809c670abb

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Site Hunter Pro By X-Splinter .exe
      Filesize

      250KB

      MD5

      2552f20645b607660b68b578f809491a

      SHA1

      358c95c27218925f2a9b3558995129e06ff65ae5

      SHA256

      f1dd801bc8a2d3f476c195034f601d7276f85886d1fcc0a2a79d6d11f309eae3

      SHA512

      2f043d8b7dd4d2a309a717c002f674bf2755c42d74eb73b4509215e0334e749750758a90d1b912e7d6e1b8be4c73ac89d4e015d3694618d7d210734d337a885c

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
      Filesize

      358KB

      MD5

      e497ea1ca168098308f219189d634f5f

      SHA1

      634efc083024034d2df19478153df518f6b10bc4

      SHA256

      f20c0d9d46cab72ec02952c078e2a4b259c71103e31607613f1b1ff0064bda15

      SHA512

      49ac4baff98a4d5e770aab19dcc738ee9e14716b12caecbe067861013997f7e90d4783fe8a67ad50a9b30e157ff0ec46cf1e6880c37d59103e6095d66e47dafa

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
      Filesize

      339KB

      MD5

      301e8d9a2445dd999ce816c17d8dbbb3

      SHA1

      b91163babeb738bd4d0f577ac764cee17fffe564

      SHA256

      2ea1fa52a6896ce0100084e3696712d76b4d1e995ca0012954bae3107562a9eb

      SHA512

      4941a820d26206fa3e333419622c3b07c8ebdaad51d1c6976df912e9ec123ad39a0c67fb5c3e362658f8463b366892fc4575d4cc2ebe62c2011d10ed5eb6bba3

      Download Submit

    • memory/1268-48-0x0000000002000000-0x000000000200C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2296-18-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2296-15-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2296-19-0x0000000000270000-0x000000000029C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/2296-34-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2476-35-0x0000000000B90000-0x0000000000BD8000-memory.dmp

      Filesize

      288KB

      Download

    • memory/2596-3-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2596-20-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2596-0-0x000007FEF56EE000-0x000007FEF56EF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2596-2-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2660-33-0x0000000000170000-0x0000000000178000-memory.dmp

      Filesize

      32KB

      Download