Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    02-12-2024 15:27

General

  • Target

    Server.exe

  • Size

    37KB

  • MD5

    952ea2d47e241b1a82eeb265457c5644

  • SHA1

    16048d925d1722c3a97bbbd0ab0dc05f169c1af7

  • SHA256

    c7a2ec6110cfa5ae4b53b2b854013459bcdba8fff179bf95e5b707a2e4b98427

  • SHA512

    9001eaa366acab6c0574912215d18d73ee944482a469243a0e40dc340a6523b4ce58ea0ed18f232eac8813477f5918c649353da0abd32c57fc3735721be407ad

  • SSDEEP

    384:Io66MizdTjnBhFbJ8ycP3h3hNwKaB0rAF+rMRTyN/0L+EcoinblneHQM3epzXaNg:36QTlLJfcP3hH9amrM+rMRa8NuQWt

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

cnet-contracting.gl.at.ply.gg:10206

Mutex

3eec6dad022c4e8fee29e905fa2de108

Attributes
  • reg_key

    3eec6dad022c4e8fee29e905fa2de108

  • splitter

    |'|'|

Signatures

  • Njrat family
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 7 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Server.exe
    "C:\Users\Admin\AppData\Local\Temp\Server.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1764
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Celex
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2944
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Celex"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:2744

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Celex

    Filesize

    37KB

    MD5

    952ea2d47e241b1a82eeb265457c5644

    SHA1

    16048d925d1722c3a97bbbd0ab0dc05f169c1af7

    SHA256

    c7a2ec6110cfa5ae4b53b2b854013459bcdba8fff179bf95e5b707a2e4b98427

    SHA512

    9001eaa366acab6c0574912215d18d73ee944482a469243a0e40dc340a6523b4ce58ea0ed18f232eac8813477f5918c649353da0abd32c57fc3735721be407ad

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    a30df1506369ba6e85dc91149a1d5fce

    SHA1

    2dcea877d948e39afc4ad7ba763b7e76acce49e7

    SHA256

    91e2f729add2eeaf90315d2e962b4d3b60f9c326ff0b3e581df809bee38f7793

    SHA512

    51bcc4cff77b372ec632c261678aba59c7a4f2d4a9c4d5c153dff1e882256009cf2054ee74266fdc1388ef4e7a1b688367d7feadbeb9b60b20088e6043f2dd17

  • memory/1764-0-0x0000000074571000-0x0000000074572000-memory.dmp

    Filesize

    4KB

  • memory/1764-1-0x0000000074570000-0x0000000074B1B000-memory.dmp

    Filesize

    5.7MB

  • memory/1764-2-0x0000000074570000-0x0000000074B1B000-memory.dmp

    Filesize

    5.7MB

  • memory/1764-5-0x0000000074570000-0x0000000074B1B000-memory.dmp

    Filesize

    5.7MB