Analysis

  • max time kernel: 120s
  • max time network: 114s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 23-11-2024 12:51

General

  • Target: e02e5802bacccd459b9891b49146b4c24703da9397d49a16ada35c329651252bN.exe
  • Size: 9.2MB
  • MD5: b6abda2d4b24cef28f9c2b62731fcfd0
  • SHA1: fdf3ae0bec83c2ec7d4e2883fc770e553b782a3d
  • SHA256: e02e5802bacccd459b9891b49146b4c24703da9397d49a16ada35c329651252b
  • SHA512: 7e0f0835f7ce0d5fddfcd785ece05aff91f87fd6b95fce1b73c3464102af644a8e500338f5f1e75c648ee2b666089ab19350932a990f3cb9b2009bbcbfd721c2
  • SSDEEP: 196608:z6/u1LqqyReuuQt8k9BAXbdV9qWLk/YrNcONQl4Ik+B8I4GA81G+LNaK:z6/58EBOXQ/YrN+l4IY5G19a

Malware Config

Signatures

  • Njrat family
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Themida packer 3 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Hide Artifacts: Hidden Files and Directories 1 TTPs 2 IoCs
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 5 IoCs
  • NTFS ADS 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e02e5802bacccd459b9891b49146b4c24703da9397d49a16ada35c329651252bN.exe
    "C:\Users\Admin\AppData\Local\Temp\e02e5802bacccd459b9891b49146b4c24703da9397d49a16ada35c329651252bN.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1504
    • C:\Users\Admin\AppData\Local\Temp\e02e5802bacccd459b9891b49146b4c24703da9397d49a16ada35c329651252bN.exe
      "C:\Users\Admin\AppData\Local\Temp\e02e5802bacccd459b9891b49146b4c24703da9397d49a16ada35c329651252bN.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3800
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c "attrib +h C:\Users\Admin\AppData\Local\Temp\Server.exe"
        3⤵
        • Hide Artifacts: Hidden Files and Directories
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3476
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h C:\Users\Admin\AppData\Local\Temp\Server.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:3756
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c "attrib +h C:\Users\Admin\AppData\Local\Temp\putty.exe"
        3⤵
        • Hide Artifacts: Hidden Files and Directories
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4956
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h C:\Users\Admin\AppData\Local\Temp\putty.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:3300
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c "START C:\Users\Admin\AppData\Local\Temp\Server.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3060
        • C:\Users\Admin\AppData\Local\Temp\Server.exe
          C:\Users\Admin\AppData\Local\Temp\Server.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • NTFS ADS
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3760
          • C:\Windows\SysWOW64\netsh.exe
            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
            5⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            • System Location Discovery: System Language Discovery
            PID:2636
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c "START C:\Users\Admin\AppData\Local\Temp\putty.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4020
        • C:\Users\Admin\AppData\Local\Temp\putty.exe
          C:\Users\Admin\AppData\Local\Temp\putty.exe
          4⤵
          • Executes dropped EXE
          PID:4088

Network

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Server.exe
    Filesize: 267KB
    MD5: 6a27d11412a75a267fa8b6208b86fa0b
    SHA1: c12d83c31e03a6289be4f925ab7489b64c659562
    SHA256: 1e1b0beef21753936ababac850d3841cb5c48baf7a232823745616fa9cb4d33d
    SHA512: 8f03b47a4dc33cfce47c008c149aefa55103a9ec48eaf167b02c656f7f3023a437eef948713746a086d4537e9bd0c842a1e17e80439cce490f9a0d921b616fb1

  • C:\Users\Admin\AppData\Local\Temp\_MEI15042\VCRUNTIME140.dll
    Filesize: 84KB
    MD5: ae96651cfbd18991d186a029cbecb30c
    SHA1: 18df8af1022b5cb188e3ee98ac5b4da24ac9c526
    SHA256: 1b372f064eacb455a0351863706e6326ca31b08e779a70de5de986b5be8069a1
    SHA512: 42a58c17f63cf0d404896d3b4bb16b2c9270cc2192aa4c9be265ed3970dfc2a4115e1db08f35c39e403b4c918be4ed7d19d2e2e015cb06b33d26a6c6521556e7

  • C:\Users\Admin\AppData\Local\Temp\_MEI15042\_bz2.pyd
    Filesize: 71KB
    MD5: 055cfc5297933c338d8c04fd4e2462a2
    SHA1: bf8f97ee8136bfe3f93485e946f2069b7ce504e0
    SHA256: befc81440bbc001bd7647aca42962ee0b45b08435ee9f7140bf570af636b7dd5
    SHA512: 308ebb33c47b73ecd9c4e4e54ffd09aae5a96019559ef7b2a37a45bd89c42d0d5bdd21da1835fffd84a138b03662c3d68bd72725a22f1b0ddf0329438819ead7

  • C:\Users\Admin\AppData\Local\Temp\_MEI15042\_hashlib.pyd
    Filesize: 31KB
    MD5: 1280a084744ef726a673b757b9364335
    SHA1: 203a83aee00f6dca7b5cf16f5d140ff5fb888bbe
    SHA256: c2b3dc92abd96485032d1287941e405d56df05fb5ba68199497d8594400163e5
    SHA512: 637aa79bcfe2ac3f75319a4be3ee4e32769a52cf939a26564a73807b40e96328fd1e9b58e70abb0b4c204c77baeb61a5150f5ebc47a7262a9c520867f69f6075

  • C:\Users\Admin\AppData\Local\Temp\_MEI15042\_lzma.pyd
    Filesize: 181KB
    MD5: d72665ea18965f103200ccc7ad072f85
    SHA1: 2b89543cd8bd1aa20e0d3150a3c394b90be0d204
    SHA256: ab20e63d14259a7deca85a068796476c0efcc236a11d53b1816fc6f8956424a8
    SHA512: aad0bcbeabaa50b1fdba4cf70fe281f58b62a81b680cc16ef7f238263625fc7bed9ae9321a7bf7010fe7b5bb28708bdfaa0138c4f35a52be6aaba71d03aaa3dc

  • C:\Users\Admin\AppData\Local\Temp\_MEI15042\base_library.zip
    Filesize: 994KB
    MD5: 367be1ed9ff5808692dc9f23874eb220
    SHA1: 286aa3ef347fc32a49557394240a8f69f8839a32
    SHA256: c4e301bd9c72446e390a3ad6b007e140cf800e3752bcb830054b8940691eb8fe
    SHA512: ae16b28603831d0dbe6ea73f59d7ac04acc3823fb4dc6ce24be072a6aa606af66afdab4e32c529cdb994fbb2ad34d394b31383c8744d0e39294a77f5f9bb7032

  • C:\Users\Admin\AppData\Local\Temp\_MEI15042\libcrypto-1_1.dll
    Filesize: 1.8MB
    MD5: 25c9d6fa8bf1222e82a37ef982f418d2
    SHA1: e4bed3d1e76a58fc0119b7a2e70a998ca9ea7202
    SHA256: 3f70a63aacc024c4cd599ff1e12bf5b685719cf2b92c4420fd20ab032c9c898c
    SHA512: 2d6daf0e16971f9a6c1153bd67ff7fe2b1dbdeb5d05ea743cae231b85c9a27c4ee365f9c2141ea30a1edc9ebb32aa8a103b4949b5a0d9d031ad30acb2e9c60e5

  • C:\Users\Admin\AppData\Local\Temp\_MEI15042\python37.dll
    Filesize: 3.5MB
    MD5: 198dc945fa3a7215c2aa90bd296025b4
    SHA1: ce991e920755d775d99ab91f40124f0aad92863d
    SHA256: 20cd780cf1e90778799e749812b00b1865938ef8990cd9bf2c1630787c6181c9
    SHA512: a880aa55740e635e3fbd32b8128572b92f379913d405f3baf4e9ec67891ac3dd77dbed85074a958c89093ca378dac95733287a45ca89c75029a61ecde058c955

  • C:\Users\Admin\AppData\Local\Temp\putty.exe
    Filesize: 1.6MB
    MD5: 5efef6cc9cd24baeeed71c1107fc32df
    SHA1: 3cfc9764083154f682a38831c8229e3e29cbe3ef
    SHA256: e61b8f44ab92cf0f9cb1101347967d31e1839979142a4114a7dd02aa237ba021
    SHA512: cecd98f0e238d7387b44838251b795bb95e85ec8d35242fc24532ba21929759685205133923268bf8bc0e2ded37db7d88ecbe2b692d2be6f09c6d92a57d1fdac

  • memory/1504-38-0x0000000000400000-0x0000000000864000-memory.dmp
    Filesize: 4.4MB

  • memory/1504-0-0x0000000000400000-0x0000000000864000-memory.dmp
    Filesize: 4.4MB

  • memory/3800-31-0x0000000000400000-0x0000000000864000-memory.dmp
    Filesize: 4.4MB