Overview

overview

10

Static

static

10

gg.zbb.exe

windows7-x64

10

gg.zbb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    04-12-2024 06:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    gg.zbb.exe

  • Size

    55KB

  • MD5

    4b9a28949b8be5e33c34872d5dc62633

  • SHA1

    fa053751d671a3872e4e310e92c1216759d86fdf

  • SHA256

    dc8061a31e03fedde9f20263ce68a9943a5063bebb7f431a75cddf88952c28b2

  • SHA512

    1456c4f1530c2c8fa18c6459a0a5c0761f5fc89458413a4cf5f436f0d98977ee77253cf7373ea15069322e813eaf168e9213e21897e6bdae6818111f1ac0f7c6

  • SSDEEP

    1536:YRksDnHNwZ8Cam8LDdwsNMD2XExI3pm4m:nsDn6SKiDdwsNMD2XExI3pm

Score
10/10
njratdiscoverypersistencetrojan

Malware Config

Signatures

  • Njrat family
    njrat
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Drops startup file 2 IoCs
  • Executes dropped EXE 30 IoCs
  • Loads dropped DLL 30 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 38 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\gg.zbb.exe
    "C:\Users\Admin\AppData\Local\Temp\gg.zbb.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2316
    • C:\Users\Admin\AppData\Local\Temp\b210928d155b4af5a8a4dbb55d12b19b.exe
      "C:\Users\Admin\AppData\Local\Temp\b210928d155b4af5a8a4dbb55d12b19b.exe"
      2⤵
      • Executes dropped EXE
      PID:1744
    • C:\Users\Admin\AppData\Local\Temp\a641ef5de369425cacbb3d6a8532de63.exe
      "C:\Users\Admin\AppData\Local\Temp\a641ef5de369425cacbb3d6a8532de63.exe"
      2⤵
      • Executes dropped EXE
      PID:2912
    • C:\Users\Admin\AppData\Local\Temp\a7faa5fd6acc41d9a4d54b6adf6d1e8d.exe
      "C:\Users\Admin\AppData\Local\Temp\a7faa5fd6acc41d9a4d54b6adf6d1e8d.exe"
      2⤵
      • Executes dropped EXE
      PID:1252
    • C:\Users\Admin\AppData\Local\Temp\66ae426f449748e8958fbd3389af1d89.exe
      "C:\Users\Admin\AppData\Local\Temp\66ae426f449748e8958fbd3389af1d89.exe"
      2⤵
      • Executes dropped EXE
      PID:1896
    • C:\Users\Admin\AppData\Local\Temp\b0096db26bff42fb92c35a9a9c7a1911.exe
      "C:\Users\Admin\AppData\Local\Temp\b0096db26bff42fb92c35a9a9c7a1911.exe"
      2⤵
      • Executes dropped EXE
      PID:2584
    • C:\Users\Admin\AppData\Local\Temp\d49bc04800874ff7af0407b9b8b39daa.exe
      "C:\Users\Admin\AppData\Local\Temp\d49bc04800874ff7af0407b9b8b39daa.exe"
      2⤵
      • Executes dropped EXE
      PID:2252
    • C:\Users\Admin\AppData\Local\Temp\d6322013785a4bc4b75281eaf90f446e.exe
      "C:\Users\Admin\AppData\Local\Temp\d6322013785a4bc4b75281eaf90f446e.exe"
      2⤵
      • Executes dropped EXE
      PID:332
    • C:\Users\Admin\AppData\Local\Temp\38fb87db3c6f4a63a98646810e7e0999.exe
      "C:\Users\Admin\AppData\Local\Temp\38fb87db3c6f4a63a98646810e7e0999.exe"
      2⤵
      • Executes dropped EXE
      PID:2688
    • C:\Users\Admin\AppData\Local\Temp\ab00fda1f9254de284ccdf662aabad3e.exe
      "C:\Users\Admin\AppData\Local\Temp\ab00fda1f9254de284ccdf662aabad3e.exe"
      2⤵
      • Executes dropped EXE
      PID:268
    • C:\Users\Admin\AppData\Local\Temp\90daaa7f2c494057b6d33db1502cc3b1.exe
      "C:\Users\Admin\AppData\Local\Temp\90daaa7f2c494057b6d33db1502cc3b1.exe"
      2⤵
      • Executes dropped EXE
      PID:2836
    • C:\Users\Admin\AppData\Local\Temp\ad9cff0cf7044353975523026448710e.exe
      "C:\Users\Admin\AppData\Local\Temp\ad9cff0cf7044353975523026448710e.exe"
      2⤵
      • Executes dropped EXE
      PID:2680
    • C:\Users\Admin\AppData\Local\Temp\b7a5428d7df048a4afd31f87f4430b11.exe
      "C:\Users\Admin\AppData\Local\Temp\b7a5428d7df048a4afd31f87f4430b11.exe"
      2⤵
      • Executes dropped EXE
      PID:2196
    • C:\Users\Admin\AppData\Local\Temp\11bf185973f848bb82b2237700d3fada.exe
      "C:\Users\Admin\AppData\Local\Temp\11bf185973f848bb82b2237700d3fada.exe"
      2⤵
      • Executes dropped EXE
      PID:2056
    • C:\Users\Admin\AppData\Local\Temp\0bee105e94c64ded8ca2d81ee5fc4ed5.exe
      "C:\Users\Admin\AppData\Local\Temp\0bee105e94c64ded8ca2d81ee5fc4ed5.exe"
      2⤵
      • Executes dropped EXE
      PID:2672
    • C:\Users\Admin\AppData\Local\Temp\969891ae3d0243508340b0256dde6ba0.exe
      "C:\Users\Admin\AppData\Local\Temp\969891ae3d0243508340b0256dde6ba0.exe"
      2⤵
      • Executes dropped EXE
      PID:2248
    • C:\Users\Admin\AppData\Local\Temp\724fde9915dd4698b1c27e1d60c5b491.exe
      "C:\Users\Admin\AppData\Local\Temp\724fde9915dd4698b1c27e1d60c5b491.exe"
      2⤵
      • Executes dropped EXE
      PID:2664
    • C:\Users\Admin\AppData\Local\Temp\477acaaf1b2b4da3801ec6a4740b0389.exe
      "C:\Users\Admin\AppData\Local\Temp\477acaaf1b2b4da3801ec6a4740b0389.exe"
      2⤵
      • Executes dropped EXE
      PID:2920
    • C:\Users\Admin\AppData\Local\Temp\d4c286d6a98f45cabc6ca4ad93e7bb07.exe
      "C:\Users\Admin\AppData\Local\Temp\d4c286d6a98f45cabc6ca4ad93e7bb07.exe"
      2⤵
      • Executes dropped EXE
      PID:408
    • C:\Users\Admin\AppData\Local\Temp\fc93af05ea09481fb845737d754a0850.exe
      "C:\Users\Admin\AppData\Local\Temp\fc93af05ea09481fb845737d754a0850.exe"
      2⤵
      • Executes dropped EXE
      PID:1376
    • C:\Users\Admin\AppData\Local\Temp\dd5ad31048a540f48c8906569fa91063.exe
      "C:\Users\Admin\AppData\Local\Temp\dd5ad31048a540f48c8906569fa91063.exe"
      2⤵
      • Executes dropped EXE
      PID:1840
    • C:\Users\Admin\AppData\Local\Temp\4a2db365429b4de3be65d6107b8028e3.exe
      "C:\Users\Admin\AppData\Local\Temp\4a2db365429b4de3be65d6107b8028e3.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:924
    • C:\Users\Admin\AppData\Local\Temp\0a5341d115d4433688ca04371b83a9b5.exe
      "C:\Users\Admin\AppData\Local\Temp\0a5341d115d4433688ca04371b83a9b5.exe"
      2⤵
      • Executes dropped EXE
      PID:768
    • C:\Users\Admin\AppData\Local\Temp\0fe87a2f360a46e6a65b155f6ead7b61.exe
      "C:\Users\Admin\AppData\Local\Temp\0fe87a2f360a46e6a65b155f6ead7b61.exe"
      2⤵
      • Executes dropped EXE
      PID:2732
    • C:\Users\Admin\AppData\Local\Temp\5703794d8c724add9e5ab1240b92c93b.exe
      "C:\Users\Admin\AppData\Local\Temp\5703794d8c724add9e5ab1240b92c93b.exe"
      2⤵
      • Executes dropped EXE
      PID:2656
    • C:\Users\Admin\AppData\Local\Temp\100fc1a8c4ba47508c79b4b4c8f1f96c.exe
      "C:\Users\Admin\AppData\Local\Temp\100fc1a8c4ba47508c79b4b4c8f1f96c.exe"
      2⤵
      • Executes dropped EXE
      PID:2704
    • C:\Users\Admin\AppData\Local\Temp\09573fb6dc534d6eb7b0930f127e1c35.exe
      "C:\Users\Admin\AppData\Local\Temp\09573fb6dc534d6eb7b0930f127e1c35.exe"
      2⤵
      • Executes dropped EXE
      PID:992
    • C:\Users\Admin\AppData\Local\Temp\6403863ca7d047daa648a56559280801.exe
      "C:\Users\Admin\AppData\Local\Temp\6403863ca7d047daa648a56559280801.exe"
      2⤵
      • Executes dropped EXE
      PID:2924
    • C:\Users\Admin\AppData\Local\Temp\eab3d183e532470eb6ff4ff67c8bbcfa.exe
      "C:\Users\Admin\AppData\Local\Temp\eab3d183e532470eb6ff4ff67c8bbcfa.exe"
      2⤵
      • Executes dropped EXE
      PID:1760
    • C:\Users\Admin\AppData\Local\Temp\63c7d1cf4e4c4b27ba3804830112aeae.exe
      "C:\Users\Admin\AppData\Local\Temp\63c7d1cf4e4c4b27ba3804830112aeae.exe"
      2⤵
      • Executes dropped EXE
      PID:2640
    • C:\Users\Admin\AppData\Local\Temp\de4c471a4e3e4c45833c299f541dba21.exe
      "C:\Users\Admin\AppData\Local\Temp\de4c471a4e3e4c45833c299f541dba21.exe"
      2⤵
      • Executes dropped EXE
      PID:3028

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\0a5341d115d4433688ca04371b83a9b5.exe
    Filesize

    997KB

    MD5

    28aaac578be4ce06cb695e4f927b4302

    SHA1

    880ab0560b81e05e920f9ec1d6c0ecf5e04eaa7e

    SHA256

    8929d3b749ff91527b8e407eff6bde4bb0bb27739313b5c0db0434cbf700dbfc

    SHA512

    068698bda0543c773b36830f6760456e40e9046d9d20089ad88cb646ef5c7bd6c6716c6d59cfc7abd5bffb9129f5a7076e2f9c9b321795f224923f00b7b91374

    Download Submit

  • \Users\Admin\AppData\Local\Temp\4a2db365429b4de3be65d6107b8028e3.exe
    Filesize

    16KB

    MD5

    683bcb1f86f4410931abe39a63eb7057

    SHA1

    d338aac5ff479fc94d3c840e862665de1dac8c8f

    SHA256

    c9f03a39789f7322ae43604db6ce7da86765ad4b13207091683cf47bdea8de12

    SHA512

    60b596947d93fdb196fcf338af92d26cdd82396283316352ead078ce1a85943bb85264901318f7061e6b0e49058ace521831a9275c025526373d9168c757cdd2

    Download Submit

  • \Users\Admin\AppData\Local\Temp\a641ef5de369425cacbb3d6a8532de63.exe
    Filesize

    345KB

    MD5

    8efb7339fe13cf8cea9f6445776655c0

    SHA1

    081afd73c757c83825cf1e8ed4a4eab259d23b97

    SHA256

    c1badbacd2abe44fe4e8685c8eee7e983bf8b6780cfca03ae31f8fcebc98b1fb

    SHA512

    2a37e74aeff17b4f435d02a30019a017a4ff4fa29fc898229f6195876f53b38154c063cf052deebcc06785650f875d67eeb0de372a76df3c4e71bd4fc0392956

    Download Submit

  • \Users\Admin\AppData\Local\Temp\b210928d155b4af5a8a4dbb55d12b19b.exe
    Filesize

    961KB

    MD5

    4723c3c04794c09bbcb6e03f48440f15

    SHA1

    a5ef69c9dc9eacc2099d9c239146a0e360f1837f

    SHA256

    0d635f035cdb2fd3afda768cd631481ff980957b614a3cf3fca6c592c6c06470

    SHA512

    5b68e1cd3d6bb85b5f449014cc288423faea76ff0ecf8834047dac1ed6e84c4d858a7ed23abe3625d781391f636893736bf5c00474ad0995e75611c1557c5c4a

    Download Submit

  • memory/1744-14-0x000007FEF5B8E000-0x000007FEF5B8F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1744-15-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1744-16-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1744-17-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1744-42-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2316-6-0x0000000074A50000-0x0000000074FFB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2316-7-0x0000000074A50000-0x0000000074FFB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2316-5-0x0000000074A50000-0x0000000074FFB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2316-0-0x0000000074A51000-0x0000000074A52000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2316-4-0x0000000074A50000-0x0000000074FFB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2316-2-0x0000000074A50000-0x0000000074FFB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2316-1-0x0000000074A50000-0x0000000074FFB000-memory.dmp

    Filesize

    5.7MB

    Download