Overview

overview

10

Static

static

1

9A9E86899E...E0.exe

windows7-x64

10

9A9E86899E...E0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    29-11-2024 14:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9A9E86899EB8F8279DFB72133BE528E0.exe

  • Size

    749KB

  • MD5

    9a9e86899eb8f8279dfb72133be528e0

  • SHA1

    e6d233b3382830ab3b8d130ff296be2bf7de72e3

  • SHA256

    ba5fae13322d5151dfb348ac1a2abc92d021617c154ef9d1e4efc70bf7fdf03b

  • SHA512

    6947b28b67edf868c644c1f5f527efe107169ceaa383e2236feb486914651def57bc92b9c525d025a665a84307df81e70b5f102e3d85a9c1fd33a1e7fc563f0e

  • SSDEEP

    12288:bcsCELA+12Hd5lpvS36pDfi/xN3xb2GzmtVzxWWx0GKl/yCQwEyC+oHRf4kzGhkR:5zmrzxWjGKl/WhOoxw0

Score
10/10
njrathackeddiscoveryexecutiontrojan

Malware Config

Extracted

Family

njrat

Version

v4.0

Botnet

HacKed

C2

103.186.117.182:7788

Mutex

Windows

Attributes
  • reg_key

    Windows

  • splitter

    |-F-|

Signatures

  • Njrat family
    njrat
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 32 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9A9E86899EB8F8279DFB72133BE528E0.exe
    "C:\Users\Admin\AppData\Local\Temp\9A9E86899EB8F8279DFB72133BE528E0.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2324
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\9A9E86899EB8F8279DFB72133BE528E0.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2152
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ftKGjgysboAao.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2748
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ftKGjgysboAao" /XML "C:\Users\Admin\AppData\Local\Temp\tmp31F9.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:3016
    • C:\Users\Admin\AppData\Local\Temp\9A9E86899EB8F8279DFB72133BE528E0.exe
      "C:\Users\Admin\AppData\Local\Temp\9A9E86899EB8F8279DFB72133BE528E0.exe"
      2⤵
      • Drops startup file
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2836

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp31F9.tmp
    Filesize

    1KB

    MD5

    0453d8e4b7c15c6a236fd0595b064f2e

    SHA1

    46ee41b3095349580e0280fe08f7ac95336754ba

    SHA256

    b06fadb4a741c37785fde7509ca1c7daa7eda41928562d864413245860d02b6f

    SHA512

    cb78ae0e3d1ad4d6fce34fa4cec9553ebe3ee08227f69d72cb64c136689dd6e94d768c781b5c9eb8742f51c72984cb91b0bcc55b7b9e002cf0fb5a7c935a8e66

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1RWXUKA57B3V1L8DFX61.temp
    Filesize

    7KB

    MD5

    b9eb1fcd8a4eaacb46a7d6266db0da33

    SHA1

    bd87964dda17ef23a55a6033fdd45a714057e5ce

    SHA256

    a93a64f1abc64bf17c7a69d74a09c45835643f3af18b04e1d374ffd8d0b07296

    SHA512

    948c3b85a967046750d2170d73e97ca2f7fd7ce0d2a3a3a8f1a1a202a90a807b1aece597fa3df0c4b86ec271cc90314fb8ac83eea319d99aec1346af2a7cc6f7

    Download Submit

  • memory/2324-4-0x000000007448E000-0x000000007448F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2324-32-0x0000000074480000-0x0000000074B6E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2324-0-0x000000007448E000-0x000000007448F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2324-5-0x0000000074480000-0x0000000074B6E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2324-6-0x0000000004390000-0x00000000043E2000-memory.dmp

    Filesize

    328KB

    Download

  • memory/2324-2-0x0000000074480000-0x0000000074B6E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2324-1-0x0000000000A50000-0x0000000000B0E000-memory.dmp

    Filesize

    760KB

    Download

  • memory/2324-3-0x0000000000320000-0x0000000000332000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2836-19-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2836-30-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2836-29-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2836-28-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2836-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2836-25-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2836-23-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2836-21-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download