Analysis

  • max time kernel: 149s
  • max time network: 145s
  • platform: windows7_x64
  • resource: win7-20241010-en
  • resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted: 11-11-2024 18:36

General

  • Target: crack.exe
  • Size: 7.9MB
  • MD5: 5c176f78c411c199ca2ec02c5b402810
  • SHA1: a268ccc95b620b1078602c6d6d3447ff3d8874ed
  • SHA256: 8287887f1bf68c8328323d6d2ff0c28e94d43f5668c78dd33f2f0ca651c21338
  • SHA512: ae33004a339422c90f9ea52111804c323499b9cc516584cc54545245c6a8022d80c92ac206ba30dfa07acc932f8ab792164acd1eaff2670092c4a84fd1f88554
  • SSDEEP: 196608:kivKUcQItzA1HeT39Iigwh1ncKOVVtk7KsUnijQFv4F:HDcvC1+TtIiFv0VQhgW/

Malware Config

Extracted

  • Family: njrat
  • Version: 0.7d
  • Botnet: HacKed
  • C2: 7cpanel.hackcrack.io:46143
  • Mutex: Windows Explorer
  • Attributes
    • reg_key: Windows Explorer
    • splitter: |'|'|

Signatures

  • Njrat family
  • njRAT/Bladabindi
    Widely used RAT written in .NET.
  • Modifies Windows Firewall (2 TTPs, 1 IoC)
  • Executes dropped EXE (7 IoCs)
  • Loads dropped DLL (4 IoCs)
  • Adds Run key to start application (2 TTPs, 4 IoCs)
  • Detects Pyinstaller (1 IoC)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  • Suspicious use of AdjustPrivilegeToken (27 IoCs)
  • Suspicious use of WriteProcessMemory (24 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\crack.exe
    "C:\Users\Admin\AppData\Local\Temp\crack.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1596
    • C:\Users\Admin\AppData\Local\Temp\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1592
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2812
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2420
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe"
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1672
            • C:\Windows\system32\netsh.exe
              netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" "explorer.exe" ENABLE
              6⤵
              • Modifies Windows Firewall
              • Event Triggered Execution: Netsh Helper DLL
              PID:824
    • C:\Users\Admin\AppData\Local\Temp\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      PID:2456
    • C:\Users\Admin\AppData\Local\Temp\DudeCracker V5 .exe
      "C:\Users\Admin\AppData\Local\Temp\DudeCracker V5 .exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2176
      • C:\Users\Admin\AppData\Local\Temp\DudeCracker V5 .exe
        "C:\Users\Admin\AppData\Local\Temp\DudeCracker V5 .exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2952

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Setup.exe
    Filesize: 375KB
    MD5: 8e4f8329f0837d6a3801dd96973a05fe
    SHA1: 7309226e370a33000c08653504f2ac5786944b2b
    SHA256: 0d8f6fc81065fc6f20ea5b9de9a85fbfffe2deb1f2055f1b304b5b0f3e99407d
    SHA512: 9df93293a5fec2a2fca0838f43b24af8347f229884fab4338f7804ef0050b0aba02235ae2368ffef7dd42640420b42f69eaf974f5107bdab0bf0a8c9b39671cc

  • C:\Users\Admin\AppData\Local\Temp\_MEI21762\python312.dll
    Filesize: 6.6MB
    MD5: d521654d889666a0bc753320f071ef60
    SHA1: 5fd9b90c5d0527e53c199f94bad540c1e0985db6
    SHA256: 21700f0bad5769a1b61ea408dc0a140ffd0a356a774c6eb0cc70e574b929d2e2
    SHA512: 7a726835423a36de80fb29ef65dfe7150bd1567cac6f3569e24d9fe091496c807556d0150456429a3d1a6fd2ed0b8ae3128ea3b8674c97f42ce7c897719d2cd3

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
    Filesize: 355KB
    MD5: c8d3f1f2d0fb683a5a378f734bd2ef85
    SHA1: 10b9e8b4a3f9ce416b360751e031b85345e6d461
    SHA256: a3f037fb54904ef8b1d53e587036c18c6d32bb10a3044d57f9b9eb3aa8dab1c5
    SHA512: 43badeacbf59ff4e7f1d0e19a622b935567c196cb63ac50df687167c67cd881fc372230111137ce9adb1b794c6b0828adceb156c5d6a45e49d658f793aa19ee1

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    Filesize: 252KB
    MD5: e5d01a5a8cc5c5ca9a5329459814c91a
    SHA1: 00ec50ab1cdab87816ec0f3e77fa8ad00ea9c067
    SHA256: 612bbbf476228032ebab743100c98dae7f01a1dc854298cd8ece588351acb3c6
    SHA512: 2d0d0d964e9100b0586043b16f91532e0f81347ef3697dee7ab0cd90469e6c118ac58e630d9a7fe0a84f5c275440813aeede0e0c44cacf316f59cb760081ab07

  • \Users\Admin\AppData\Local\Temp\DudeCracker V5 .exe
    Filesize: 7.4MB
    MD5: e3e2fad51a4d21b9632fda09172195fc
    SHA1: b878a6f45b40e99f0d8bce2e34d87e0a9718cce1
    SHA256: cb390e5d5db3e7812632d3d0b7b1aabf93d3637c2c5fd680dc9efcabcdab7a6f
    SHA512: 89f6c1e836bb8dfac4715128f1b31fdd0d301b943a07b9795321e7b79a48d705fd2adc4e2a48a38b4b3379b861eea788684753da347bbf190bbd98d7a1a0a140

  • memory/1596-0-0x000007FEF611E000-0x000007FEF611F000-memory.dmp
    Filesize: 4KB

  • memory/1596-1-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp
    Filesize: 9.6MB

  • memory/1596-8-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp
    Filesize: 9.6MB

  • memory/1596-24-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp
    Filesize: 9.6MB

  • memory/2420-75-0x0000000000590000-0x000000000059C000-memory.dmp
    Filesize: 48KB

  • memory/2456-20-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp
    Filesize: 9.6MB

  • memory/2456-28-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp
    Filesize: 9.6MB