Overview

overview

10

Static

static

3

de07b53ebe...f1.exe

windows7-x64

10

de07b53ebe...f1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    03-11-2024 15:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    de07b53ebefb0b2f51f956664de486a9a078a6997c0508e6b9eb41d7c4c265f1.exe

  • Size

    538KB

  • MD5

    2a26d4514305fcb4bc2af3deb844b68d

  • SHA1

    68880c892211548fb691876960683fa90a4173de

  • SHA256

    de07b53ebefb0b2f51f956664de486a9a078a6997c0508e6b9eb41d7c4c265f1

  • SHA512

    8430b12fa09d691e60ebf51168e95fcd16ec750e43e293b5bf45569ceac3e665e1354e0aeb8742e59769bd9a1ca494f2f9ef83d3224d9e54d3b9ca3fb3a2eb0f

  • SSDEEP

    12288:thrO5q5qRbfdltGbr6IaRP+Tu+zLC54MV9:QqgRbdyxaRPWzLCe89

Score
10/10
njratnyan catdiscoveryexecutiontrojan

Malware Config

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

ronymahmoud.casacam.net:5050

Mutex

8f1e01fb78d64f28

Attributes
  • reg_key

    8f1e01fb78d64f28

  • splitter

    @!#&^%$

Signatures

  • Njrat family
    njrat
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\de07b53ebefb0b2f51f956664de486a9a078a6997c0508e6b9eb41d7c4c265f1.exe
    "C:\Users\Admin\AppData\Local\Temp\de07b53ebefb0b2f51f956664de486a9a078a6997c0508e6b9eb41d7c4c265f1.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1072
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\de07b53ebefb0b2f51f956664de486a9a078a6997c0508e6b9eb41d7c4c265f1.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1552
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\oJFNpRAYB.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2764
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oJFNpRAYB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3756.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:1432
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2824

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp3756.tmp
    Filesize

    1KB

    MD5

    3d07b87e2a20f492c5627049d97a0bc9

    SHA1

    6edc908ef2b5d9ae84a9077c8a4068a8e9a9f4f1

    SHA256

    0e9bd725decc2372ccfba82087f915180e8e834d058e6752bf2566a7942fb49c

    SHA512

    dcededdf825722092dd0dcee12813dc126c931eba26a93c418ac36bab5bf682c0f155d2de905ef6d694ea22763cdb2e4078f5438dd7c948c7e9fdb621bdc17d4

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KX1OZKDEH5VJGVIG8UUO.temp
    Filesize

    7KB

    MD5

    8e37d186d1ab7257403e63769e10d02b

    SHA1

    e8e689c3220f5d7ce9ab37b8584014df02029e75

    SHA256

    8e93e95038eaa5f50d5400d3f949d977c07d9f4c1b1c27c602fb0bf5d2a07e71

    SHA512

    4d4cea0477dcd79280c3b56d0ea6d734673e796bd2d405baa519bbfa80c1d0754b4de360a91e54332b05d6e45cf599bf88d9bcff0db8101066f93c3415b773dd

    Download Submit

  • memory/1072-4-0x000000007421E000-0x000000007421F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1072-31-0x0000000074210000-0x00000000748FE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1072-0-0x000000007421E000-0x000000007421F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1072-5-0x0000000074210000-0x00000000748FE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1072-6-0x0000000004210000-0x0000000004260000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1072-2-0x0000000074210000-0x00000000748FE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1072-1-0x00000000000E0000-0x000000000016C000-memory.dmp

    Filesize

    560KB

    Download

  • memory/1072-3-0x0000000000560000-0x0000000000570000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2824-19-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2824-29-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2824-28-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2824-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2824-25-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2824-23-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2824-21-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2824-30-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download