Analysis

  • max time kernel
    148s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-10-2024 19:11

General

  • Target

    34f7f28ba032182b6791f6715af122c721f8faf65abeebc4916b75d92b4525a2.exe

  • Size

    523KB

  • MD5

    8303fbef6e3918300a97bdce8f902dac

  • SHA1

    a7aab55f0753fd4ab2961c21abd3eddf27acc8f2

  • SHA256

    34f7f28ba032182b6791f6715af122c721f8faf65abeebc4916b75d92b4525a2

  • SHA512

    f3e4dcf49b712e067af05eb34fe7d5c56c1b879da32e98cdae8f02a1cd60d3b2415c9723051129995e65dbd54a683a11f3079e47b1bd50a9e32941da426cea39

  • SSDEEP

    12288:dToPWBv/cpGrU3y/S9U7DzInZEiQIG/V/1WkRZ4p3nq6:dTbBv5rUQDzIntQIIF47

Malware Config

Extracted

  • Family

    njrat

  • Version

    im523

  • Botnet

    HacKed

  • C2

    172.29.192.1:7733

  • Mutex

    af8521d58cef2cc5d6031d0e5bd8a950

  • Attributes
    • reg_key
      af8521d58cef2cc5d6031d0e5bd8a950
    • splitter
      |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\34f7f28ba032182b6791f6715af122c721f8faf65abeebc4916b75d92b4525a2.exe
    "C:\Users\Admin\AppData\Local\Temp\34f7f28ba032182b6791f6715af122c721f8faf65abeebc4916b75d92b4525a2.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2348
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\ip.bat" "
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:348
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\ServerGREENNER-2.sfx.exe
        ServerGREENNER-2.sfx.exe -p111
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2996
        • C:\Users\Admin\AppData\Local\Temp\RarSFX1\ServerGREENNER-2.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX1\ServerGREENNER-2.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2240
          • C:\Users\Admin\AppData\Roaming\Opera Crash Reporter.exe
            "C:\Users\Admin\AppData\Roaming\Opera Crash Reporter.exe"
            5⤵
            • Drops startup file
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2580
            • C:\Windows\SysWOW64\netsh.exe
              netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Opera Crash Reporter.exe" "Opera Crash Reporter.exe" ENABLE
              6⤵
              • Modifies Windows Firewall
              • Event Triggered Execution: Netsh Helper DLL
              • System Location Discovery: System Language Discovery
              PID:2600

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\ip.bat

    Filesize

    30B

    MD5

    a7ec260030472a979dbb07422145fdd2

    SHA1

    ceb879e31942ba97bda3664debef48c97c1e92e1

    SHA256

    e548908fc514d728c288c437be5634e316f99db269445ee65960a12064ab21b8

    SHA512

    2f954b6eef741514a0a71cc77750cb547e7a77e12211f056ed9166b77d8185189cda45cd54ed26decebfeebbb2c4a08d35c0a52e45b8a3958834b973b92ac57a

  • \Users\Admin\AppData\Local\Temp\RarSFX0\ServerGREENNER-2.sfx.exe

    Filesize

    363KB

    MD5

    7f16adf83b19a808ff3748060a71a823

    SHA1

    014a21803c0603aa7ff5c3ab8ad166867584bd9a

    SHA256

    b2dd4dbffe743a3520e5084b699f07c2b5bfb71d30c9c75e3e16bac65d20f708

    SHA512

    5aaf027b3bd3282771807047d30464e60fa3a1103658d3e6782b9225658563b2aa83ed4b26da27d18ed93499856ec6feb583c878c682dd6c41d37a3f7415ad0b

  • \Users\Admin\AppData\Local\Temp\RarSFX1\ServerGREENNER-2.exe

    Filesize

    91KB

    MD5

    e559e1d5860f3558388db382a059f523

    SHA1

    6bd93e947a56fcf83c9858c21af8898e29b801ba

    SHA256

    e5404b532a4aa2e35a3481025b75972031dfda9194d22fcd932bfdff45cd4936

    SHA512

    c11795656fe0a9cfe161cf2fdd38688d00805fd50f98eae559408e74eeeba15af8de92330bd850615fd753db24fcbdb0fdf45a4ecd8bfccfca46b7a3125b7f3d