Resubmissions

07-11-2024 16:29

241107-tzeqvawbpe 10

07-11-2024 06:54

241107-hpd6sazqap 10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07-11-2024 06:54

General

  • Target

    61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd.exe

  • Size

    1.4MB

  • MD5

    c58f3effb9efb892109332a676aae546

  • SHA1

    c1dced7e3e3b49f23cc0125589cc5b29d4055924

  • SHA256

    61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd

  • SHA512

    9c9329df603ad34b10437fc6313d61d273b603996a82f88e0d57af9e50ea86bb0cbb2134a3d4905b40fd73cd40222235739f4140cf4de19a3bea352af947adec

  • SSDEEP

    24576:a27mrhic6gvYbAKsy5Ulh3iXWl9557sK6X3ZO0GinMSvTNWfshnGmg/ykTPnewlm:anrhr/vAcWKv6X3o0GQN0s/g/ybDT

Malware Config

Signatures

  • Njrat family
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 34 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd.exe
    "C:\Users\Admin\AppData\Local\Temp\61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2912
    • C:\Users\Admin\AppData\Local\Temp\iFjR7vUJjT.exe
      "C:\Users\Admin\AppData\Local\Temp\iFjR7vUJjT.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3676
      • C:\Users\Admin\AppData\Local\Temp\server.exe
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4532
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:864
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 2076
      2⤵
      • Program crash
      PID:1712
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2912 -ip 2912
    1⤵
      PID:1708

    Network

    • DNS
      154.239.44.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      154.239.44.20.in-addr.arpa
      IN PTR
      Response
    • DNS
      83.210.23.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      83.210.23.2.in-addr.arpa
      IN PTR
      Response
      83.210.23.2.in-addr.arpa
      IN PTR
      a2-23-210-83deploystaticakamaitechnologiescom
    • DNS
      ipv4bot.whatismyipaddress.com
      61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd.exe
      Remote address:
      8.8.8.8:53
      Request
      ipv4bot.whatismyipaddress.com
      IN A
      Response
    • DNS
      17.160.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      17.160.190.20.in-addr.arpa
      IN PTR
      Response
    • DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • DNS
      13.86.106.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      13.86.106.20.in-addr.arpa
      IN PTR
      Response
    • DNS
      8.tcp.ngrok.io
      server.exe
      Remote address:
      8.8.8.8:53
      Request
      8.tcp.ngrok.io
      IN A
      Response
      8.tcp.ngrok.io
      IN A
      13.58.157.220
    • DNS
      197.87.175.4.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      197.87.175.4.in-addr.arpa
      IN PTR
      Response
    • DNS
      206.23.85.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      206.23.85.13.in-addr.arpa
      IN PTR
      Response
    • DNS
      69.208.201.84.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      69.208.201.84.in-addr.arpa
      IN PTR
      Response
    • DNS
      8.tcp.ngrok.io
      server.exe
      Remote address:
      8.8.8.8:53
      Request
      8.tcp.ngrok.io
      IN A
      Response
      8.tcp.ngrok.io
      IN A
      13.58.157.220
    • DNS
      21.236.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      21.236.111.52.in-addr.arpa
      IN PTR
      Response
    • DNS
      8.tcp.ngrok.io
      server.exe
      Remote address:
      8.8.8.8:53
      Request
      8.tcp.ngrok.io
      IN A
      Response
      8.tcp.ngrok.io
      IN A
      13.58.157.220
    • 13.58.157.220:12342
      8.tcp.ngrok.io
      server.exe
      260 B
      200 B
      5
      5
    • 13.58.157.220:12342
      8.tcp.ngrok.io
      server.exe
      260 B
      200 B
      5
      5
    • 13.58.157.220:12342
      8.tcp.ngrok.io
      server.exe
      260 B
      200 B
      5
      5
    • 13.58.157.220:12342
      8.tcp.ngrok.io
      server.exe
      260 B
      200 B
      5
      5
    • 13.58.157.220:12342
      8.tcp.ngrok.io
      server.exe
      260 B
      200 B
      5
      5
    • 13.58.157.220:12342
      8.tcp.ngrok.io
      server.exe
      260 B
      200 B
      5
      5
    • 13.58.157.220:12342
      8.tcp.ngrok.io
      server.exe
      260 B
      200 B
      5
      5
    • 13.58.157.220:12342
      8.tcp.ngrok.io
      server.exe
      260 B
      200 B
      5
      5
    • 13.58.157.220:12342
      8.tcp.ngrok.io
      server.exe
      260 B
      200 B
      5
      5
    • 13.58.157.220:12342
      8.tcp.ngrok.io
      server.exe
      260 B
      200 B
      5
      5
    • 13.58.157.220:12342
      8.tcp.ngrok.io
      server.exe
      260 B
      200 B
      5
      5
    • 13.58.157.220:12342
      8.tcp.ngrok.io
      server.exe
      260 B
      200 B
      5
      5
    • 13.58.157.220:12342
      8.tcp.ngrok.io
      server.exe
      260 B
      200 B
      5
      5
    • 13.58.157.220:12342
      8.tcp.ngrok.io
      server.exe
      260 B
      200 B
      5
      5
    • 13.58.157.220:12342
      8.tcp.ngrok.io
      server.exe
      260 B
      200 B
      5
      5
    • 13.58.157.220:12342
      8.tcp.ngrok.io
      server.exe
      260 B
      200 B
      5
      5
    • 13.58.157.220:12342
      8.tcp.ngrok.io
      server.exe
      260 B
      200 B
      5
      5
    • 13.58.157.220:12342
      8.tcp.ngrok.io
      server.exe
      260 B
      200 B
      5
      5
    • 13.58.157.220:12342
      8.tcp.ngrok.io
      server.exe
      260 B
      200 B
      5
      5
    • 13.58.157.220:12342
      8.tcp.ngrok.io
      server.exe
      260 B
      200 B
      5
      5
    • 13.58.157.220:12342
      8.tcp.ngrok.io
      server.exe
      260 B
      200 B
      5
      5
    • 13.58.157.220:12342
      8.tcp.ngrok.io
      server.exe
      260 B
      200 B
      5
      5
    • 13.58.157.220:12342
      8.tcp.ngrok.io
      server.exe
      260 B
      200 B
      5
      5
    • 13.58.157.220:12342
      8.tcp.ngrok.io
      server.exe
      260 B
      200 B
      5
      5
    • 13.58.157.220:12342
      8.tcp.ngrok.io
      server.exe
      260 B
      200 B
      5
      5
    • 13.58.157.220:12342
      8.tcp.ngrok.io
      server.exe
      260 B
      200 B
      5
      5
    • 13.58.157.220:12342
      8.tcp.ngrok.io
      server.exe
      260 B
      200 B
      5
      5
    • 13.58.157.220:12342
      8.tcp.ngrok.io
      server.exe
      260 B
      200 B
      5
      5
    • 13.58.157.220:12342
      8.tcp.ngrok.io
      server.exe
      104 B
      80 B
      2
      2
    • 8.8.8.8:53
      154.239.44.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      154.239.44.20.in-addr.arpa

    • 8.8.8.8:53
      83.210.23.2.in-addr.arpa
      dns
      70 B
      133 B
      1
      1

      DNS Request

      83.210.23.2.in-addr.arpa

    • 8.8.8.8:53
      ipv4bot.whatismyipaddress.com
      dns
      61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd.exe
      75 B
      134 B
      1
      1

      DNS Request

      ipv4bot.whatismyipaddress.com

    • 8.8.8.8:53
      17.160.190.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      17.160.190.20.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      13.86.106.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      13.86.106.20.in-addr.arpa

    • 8.8.8.8:53
      8.tcp.ngrok.io
      dns
      server.exe
      60 B
      76 B
      1
      1

      DNS Request

      8.tcp.ngrok.io

      DNS Response

      13.58.157.220

    • 8.8.8.8:53
      197.87.175.4.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      197.87.175.4.in-addr.arpa

    • 8.8.8.8:53
      206.23.85.13.in-addr.arpa
      dns
      71 B
      145 B
      1
      1

      DNS Request

      206.23.85.13.in-addr.arpa

    • 8.8.8.8:53
      69.208.201.84.in-addr.arpa
      dns
      72 B
      132 B
      1
      1

      DNS Request

      69.208.201.84.in-addr.arpa

    • 8.8.8.8:53
      8.tcp.ngrok.io
      dns
      server.exe
      60 B
      76 B
      1
      1

      DNS Request

      8.tcp.ngrok.io

      DNS Response

      13.58.157.220

    • 8.8.8.8:53
      21.236.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      21.236.111.52.in-addr.arpa

    • 8.8.8.8:53
      8.tcp.ngrok.io
      dns
      server.exe
      60 B
      76 B
      1
      1

      DNS Request

      8.tcp.ngrok.io

      DNS Response

      13.58.157.220

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\iFjR7vUJjT.exe

      Filesize

      23KB

      MD5

      059302e210a714b3cebd8c6400d7d12e

      SHA1

      eed4e297cdffff9815bf456e4f237b699b33de6d

      SHA256

      7b49bca136184f784b52ca6499108288da623944a0a97eff19e3318364a0a999

      SHA512

      5ae9f86dc384be6d7acb085132846ef690d0e069f43837e8e9edb89558bfb8c3a5232e47332df10b79ee8df2e4e84c509386c5fbb9f8b5a7659ff8cacb1a4dcc

    • memory/2912-4-0x0000000074B30000-0x00000000752E0000-memory.dmp

      Filesize

      7.7MB

    • memory/2912-5-0x0000000009DC0000-0x0000000009E3C000-memory.dmp

      Filesize

      496KB

    • memory/2912-20-0x0000000074B30000-0x00000000752E0000-memory.dmp

      Filesize

      7.7MB

    • memory/2912-0-0x0000000074B3E000-0x0000000074B3F000-memory.dmp

      Filesize

      4KB

    • memory/2912-1-0x0000000000990000-0x0000000000C32000-memory.dmp

      Filesize

      2.6MB

    • memory/2912-6-0x0000000074B30000-0x00000000752E0000-memory.dmp

      Filesize

      7.7MB

    • memory/2912-7-0x0000000005B00000-0x00000000060A4000-memory.dmp

      Filesize

      5.6MB

    • memory/2912-16-0x0000000074B30000-0x00000000752E0000-memory.dmp

      Filesize

      7.7MB

    • memory/2912-3-0x0000000074B30000-0x00000000752E0000-memory.dmp

      Filesize

      7.7MB

    • memory/2912-2-0x0000000074B30000-0x00000000752E0000-memory.dmp

      Filesize

      7.7MB

    • memory/3676-17-0x0000000001450000-0x0000000001460000-memory.dmp

      Filesize

      64KB

    • memory/3676-19-0x000000006FFA0000-0x0000000070551000-memory.dmp

      Filesize

      5.7MB

    • memory/3676-18-0x000000006FFA2000-0x000000006FFA4000-memory.dmp

      Filesize

      8KB

    • memory/3676-30-0x000000006FFA0000-0x0000000070551000-memory.dmp

      Filesize

      5.7MB

    • memory/4532-31-0x000000006FFA0000-0x0000000070551000-memory.dmp

      Filesize

      5.7MB

    • memory/4532-32-0x000000006FFA0000-0x0000000070551000-memory.dmp

      Filesize

      5.7MB

    • memory/4532-33-0x000000006FFA0000-0x0000000070551000-memory.dmp

      Filesize

      5.7MB
