Analysis
-
max time kernel
120s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
28-10-2024 08:23
General
-
Target
c8d3c048a92b468514343ac258e5c8047ea66ef3b54e4f4200f7243de06ae31fN.exe
-
Size
37KB
-
MD5
0e78a49bf12394a06cf511f72d76c040
-
SHA1
6bac7cc2f03a22654151501a02570b41a9db4365
-
SHA256
c8d3c048a92b468514343ac258e5c8047ea66ef3b54e4f4200f7243de06ae31f
-
SHA512
f5a5797326eae328f3876889c1e4f07d7fb853df6dd1a06545696c2fcc59ae1a9fc1b28f1c4a3b1f592016c31ac20c0704531d8d68b8208040f2b1aef1c0e962
-
SSDEEP
384:ckaIiudjtD+P3V+y0b3+LCtf1QseiXFrAF+rMRTyN/0L+EcoinblneHQM3epzXV2:fFmV10b3+LCtCViVrM+rMRa8Nuzyt
Malware Config
Extracted
njrat
im523
Man
0.tcp.eu.ngrok.io:11347
658861a468f9c892637f296b375f895a
-
reg_key
658861a468f9c892637f296b375f895a
-
splitter
|'|'|
Signatures
-
Njrat family
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 27 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c8d3c048a92b468514343ac258e5c8047ea66ef3b54e4f4200f7243de06ae31fN.exe"C:\Users\Admin\AppData\Local\Temp\c8d3c048a92b468514343ac258e5c8047ea66ef3b54e4f4200f7243de06ae31fN.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\server.exe"C:\Users\Admin\AppData\Roaming\server.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
37KB
MD50e78a49bf12394a06cf511f72d76c040
SHA16bac7cc2f03a22654151501a02570b41a9db4365
SHA256c8d3c048a92b468514343ac258e5c8047ea66ef3b54e4f4200f7243de06ae31f
SHA512f5a5797326eae328f3876889c1e4f07d7fb853df6dd1a06545696c2fcc59ae1a9fc1b28f1c4a3b1f592016c31ac20c0704531d8d68b8208040f2b1aef1c0e962
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB