Overview

overview

10

Static

static

3

SilverBullet.exe

windows7-x64

10

SilverBullet.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    02-12-2024 03:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SilverBullet.exe

  • Size

    2.7MB

  • MD5

    63c99c74fa1f1a9174d8f3013c5a870e

  • SHA1

    4195ef425ca71b31470f3764bce11f8e17f1b992

  • SHA256

    fcbef3a6102e83dad9c7b699cbc37156cd6e0646680628a069cc167052c927b5

  • SHA512

    5c74ab8e25a6e60b529cb2ad73db107f5366a198b3721d2054603af458e8aec4d64c0389c1e01d6238ec46a033ac26916e3f3fd85f6806d6e7144231118a4676

  • SSDEEP

    24576:nzJhZPEDTvlUx71jUhK/DEgOKSvh1TfFIH9gYRRcY+32oQRLwDQF4eaE2cZPeAgq:nsTt0jUiwg30h/7DQB/FOLDQB2zOQB

Score
10/10
njrathackeddiscoveryevasionpersistenceprivilege_escalationtrojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

9cpanel.hackcrack.io:3489

Mutex

Windows Explorer

Attributes
  • reg_key

    Windows Explorer

  • splitter

    |'|'|

Signatures

  • Njrat family
    njrat
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 30 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SilverBullet.exe
    "C:\Users\Admin\AppData\Local\Temp\SilverBullet.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2168
    • C:\Users\Admin\AppData\Local\Temp\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      2⤵
      • Executes dropped EXE
      PID:2696
    • C:\Users\Admin\AppData\Local\Temp\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2424
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2220
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3000
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe"
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2936
            • C:\Windows\system32\netsh.exe
              netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" "explorer.exe" ENABLE
              6⤵
              • Modifies Windows Firewall
              • Event Triggered Execution: Netsh Helper DLL
              PID:2948
    • C:\Users\Admin\AppData\Local\Temp\SilverBullet .exe
      "C:\Users\Admin\AppData\Local\Temp\SilverBullet .exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2580
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 664
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Setup.exe
    Filesize

    461KB

    MD5

    ee76425b767c9ab812a53c133b8363f8

    SHA1

    1daa4700a5f1849eb7e810986ac24bd58786da61

    SHA256

    f962e1a60673963b7c2fa51a0663260df63771dfbd7423af67c2d142f7245747

    SHA512

    004d1b4acc7084ba8c520d94032c19342228ed6346321b04641450f87a32f78a92212e3940e4cf0790af2e5640c6001e7c805dc99cf8f9a146d752b5ee117c3b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\SilverBullet .exe
    Filesize

    2.2MB

    MD5

    0267076b75cdcfa7ea98aba0bf033aee

    SHA1

    e168f887d26f0f752ef9e28ffc154b9afc1f1783

    SHA256

    9f160d80765337c3609242b9d0bd4d16856e1d57a7c2ff55ce8b00b45e5bea81

    SHA512

    18899a1b90a85ef2adbc71224d51ae51ea7e87662f71ff498734cf8a267aafd1c265bdb5a78b78437168f825ff28d894420ffdeb6af1653d150740b93d487122

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
    Filesize

    357KB

    MD5

    cff755ff758e9e71d0af34017a8e9d8e

    SHA1

    8d401767360e61261cee79a18e061d9a0dc95724

    SHA256

    c4b3fdf0d7a1dc296560d0ca1f09ce89f3acbcab445fe5fcf5fe908ed3844be2

    SHA512

    a752a4ed0229cb7ee5a8b0768254f1acb89b1da876a7594952c75cffdb7b7990a45a335332144ae0ff06e0e0dd5e033a89fa29ed2355e2084bcc249e41a73052

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    Filesize

    325KB

    MD5

    f36e535fdc82208fca08acfa44f790c6

    SHA1

    a3cc1aa7d614094faebada2aed1e6c519bd18c94

    SHA256

    51efbe235b492c7e99c480915c7eeecf85f5ee6d540189ee5aa54fe9f0fafcdc

    SHA512

    631db5246159e045ed6911867f25991ae8824951e608c2fef25bc48482271aeb3ad26f1c98a04b4cbbf431ce20ef027cacb4bf0b3d85e048885da2b709f3a9af

    Download Submit

  • memory/2168-1-0x0000000000840000-0x0000000000AFE000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/2168-0-0x000007FEF5883000-0x000007FEF5884000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2220-32-0x00000000003A0000-0x00000000003F6000-memory.dmp

    Filesize

    344KB

    Download

  • memory/2220-33-0x0000000000430000-0x0000000000438000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2424-17-0x0000000000350000-0x000000000037A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2580-26-0x0000000000920000-0x0000000000B5E000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/2696-31-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2696-9-0x00000000011F0000-0x0000000001268000-memory.dmp

    Filesize

    480KB

    Download

  • memory/3000-49-0x0000000000190000-0x000000000019C000-memory.dmp

    Filesize

    48KB

    Download