Overview

overview

10

Static

static

10

3c44cbb99c...1N.exe

windows7-x64

10

3c44cbb99c...1N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    18-10-2024 14:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3c44cbb99cc237c087e10c63fae5a7e8bb26c602241b0be79e9f984cdaba9781N.exe

  • Size

    43KB

  • MD5

    7b5539d4e33d06c87cc73b529af14380

  • SHA1

    d453ed2e3d34baf021af815ef512d990cc68d1a9

  • SHA256

    3c44cbb99cc237c087e10c63fae5a7e8bb26c602241b0be79e9f984cdaba9781

  • SHA512

    9e3a35be37590b323f3d1deb9921b8ec917986c396f89bdccc66fa2288a927544ca15c1ead5115f361f5d6fcf3bf10fda6f17824fd3cd89b4cfafe462221c673

  • SSDEEP

    384:76ZyA4D4olYxOoyi0I7wycuEN88FQPzgIij+ZsNO3PlpJKkkjh/TzF7pWni/greT:8fouIli0gwjL8awuXQ/on/+L+

Score
10/10
njrathackeddiscoverypersistencetrojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

C2

127.0.0.1:5555

Mutex

Windows Update

Attributes
  • reg_key

    Windows Update

  • splitter

    |Hassan|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 33 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3c44cbb99cc237c087e10c63fae5a7e8bb26c602241b0be79e9f984cdaba9781N.exe
    "C:\Users\Admin\AppData\Local\Temp\3c44cbb99cc237c087e10c63fae5a7e8bb26c602241b0be79e9f984cdaba9781N.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:780
    • C:\Users\Admin\Desktop\Server.exe
      "C:\Users\Admin\Desktop\Server.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of WriteProcessMemory
      PID:2300
      • C:\Users\Admin\AppData\Roaming\Dllhost.exe
        "C:\Users\Admin\AppData\Roaming\Dllhost.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2828
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:2572
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {AB0F7D3C-F631-4FCE-939B-61F38659B681} S-1-5-21-1506706701-1246725540-2219210854-1000:MUYDDIIS\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2012
    • C:\Users\Admin\AppData\Local\Temp\Server.exe
      C:\Users\Admin\AppData\Local\Temp/Server.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1688
    • C:\Users\Admin\AppData\Local\Temp\Server.exe
      C:\Users\Admin\AppData\Local\Temp/Server.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1912

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\Desktop\Server.exe
    Filesize

    43KB

    MD5

    1b46a5542b4758b914541297666f4673

    SHA1

    fea4e3965c2d046e906f15d552a993a2834264b5

    SHA256

    ece5d03a89a7039daacf406bc27fedfa90e25071e8810f07b6caeefac41a04e1

    SHA512

    0e07980e098f644c4a6adcfe348c3dcce99b6a22848a9e8506f691839869f465db2991573289aa4645c7c3b3640b966cf32c0e654ce084896a4de491a26f20d4

    Download Submit

  • memory/1688-23-0x0000000000AF0000-0x0000000000B02000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1912-25-0x0000000000B80000-0x0000000000B92000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2300-7-0x000000007437E000-0x000000007437F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2300-8-0x0000000000C60000-0x0000000000C72000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2300-9-0x0000000074370000-0x0000000074A5E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2300-18-0x0000000074370000-0x0000000074A5E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2828-17-0x00000000012B0000-0x00000000012C2000-memory.dmp

    Filesize

    72KB

    Download