Overview

overview

10

Static

static

1

9A9E86899E...E0.exe

windows7-x64

10

9A9E86899E...E0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    29-11-2024 14:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9A9E86899EB8F8279DFB72133BE528E0.exe

  • Size

    749KB

  • MD5

    9a9e86899eb8f8279dfb72133be528e0

  • SHA1

    e6d233b3382830ab3b8d130ff296be2bf7de72e3

  • SHA256

    ba5fae13322d5151dfb348ac1a2abc92d021617c154ef9d1e4efc70bf7fdf03b

  • SHA512

    6947b28b67edf868c644c1f5f527efe107169ceaa383e2236feb486914651def57bc92b9c525d025a665a84307df81e70b5f102e3d85a9c1fd33a1e7fc563f0e

  • SSDEEP

    12288:bcsCELA+12Hd5lpvS36pDfi/xN3xb2GzmtVzxWWx0GKl/yCQwEyC+oHRf4kzGhkR:5zmrzxWjGKl/WhOoxw0

Score
10/10
njrathackeddiscoveryexecutiontrojan

Malware Config

Extracted

Family

njrat

Version

v4.0

Botnet

HacKed

C2

103.186.117.182:7788

Mutex

Windows

Attributes
  • reg_key

    Windows

  • splitter

    |-F-|

Signatures

  • Njrat family
    njrat
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 32 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9A9E86899EB8F8279DFB72133BE528E0.exe
    "C:\Users\Admin\AppData\Local\Temp\9A9E86899EB8F8279DFB72133BE528E0.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2092
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\9A9E86899EB8F8279DFB72133BE528E0.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2892
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ftKGjgysboAao.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2756
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ftKGjgysboAao" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE91.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2860
    • C:\Users\Admin\AppData\Local\Temp\9A9E86899EB8F8279DFB72133BE528E0.exe
      "C:\Users\Admin\AppData\Local\Temp\9A9E86899EB8F8279DFB72133BE528E0.exe"
      2⤵
      • Drops startup file
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2684

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpE91.tmp
    Filesize

    1KB

    MD5

    be4bfa72d948690118b160f07c83b47e

    SHA1

    573f711de69742388d5db58e8d8992c5232d5eb4

    SHA256

    d8712ff673c28a116e9ace088887baffbd47ddbb28c1c061e917ee53ce63fcf7

    SHA512

    5126ca4d0fd9c88a806663f71d050df2d7d0c3a3037248812ff2a3ff654a7f0109e00e10fe32e91dd609d61b44d7c1772f88ddf11eb980fa1c6f02d622d0b76e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    407e050d1186f2f2ecf584ee9b6ceea3

    SHA1

    8188af5b53b1c8181b929e7fe827bfe4a9c7c88a

    SHA256

    86808c9285409196a25125f2f63eb3edb2295d2152183953280e6a7e8962c7a5

    SHA512

    e949e7fc3d815e62b96ececeb540661befc07545219800d3bf72fb8aa499e87921db38ea7a907d91c8c06d99b8c8df5bd5416c27699d705fd1b56677529e5d12

    Download Submit

  • memory/2092-4-0x000000007423E000-0x000000007423F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2092-31-0x0000000074230000-0x000000007491E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2092-0-0x000000007423E000-0x000000007423F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2092-5-0x0000000074230000-0x000000007491E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2092-6-0x0000000000DD0000-0x0000000000E22000-memory.dmp

    Filesize

    328KB

    Download

  • memory/2092-2-0x0000000074230000-0x000000007491E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2092-1-0x0000000001050000-0x000000000110E000-memory.dmp

    Filesize

    760KB

    Download

  • memory/2092-3-0x00000000001E0000-0x00000000001F2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2684-19-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2684-23-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2684-28-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2684-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2684-25-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2684-30-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2684-29-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2684-21-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download