Analysis
-
max time kernel
119s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
05-12-2024 18:57
General
-
Target
93f13afc6fb08fbc77cf965e24af63a3d62826946df4e7c89d1a159c7f6a2791N.exe
-
Size
65KB
-
MD5
ed689865c39b6ef12d27909bad36afe0
-
SHA1
f6e672c9a38ff700a8eda0ec996db345a1b2cb69
-
SHA256
93f13afc6fb08fbc77cf965e24af63a3d62826946df4e7c89d1a159c7f6a2791
-
SHA512
c1438eef5909e753f332129ca5ca66f12f91e14e82ae41482b987e6cfc3355861815fb59571afb629293b1c7327c44ca8034716bd74c4db0251f933dc6c287d8
-
SSDEEP
1536:zWnyCIUoN36tXQviFw1IssUBnvAQIfLteF3nLrB9z3nQaF9bES9vM:zWnyCIUoN36tXQviFCbRBnNIfWl9zAa0
Malware Config
Extracted
njrat
Platinum
HacKed
127.0.0.1:13943
discord.exe
-
reg_key
discord.exe
-
splitter
|Ghost|
Signatures
-
Njrat family
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Deletes itself 1 IoCs
-
Drops startup file 3 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of AdjustPrivilegeToken 27 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\93f13afc6fb08fbc77cf965e24af63a3d62826946df4e7c89d1a159c7f6a2791N.exe"C:\Users\Admin\AppData\Local\Temp\93f13afc6fb08fbc77cf965e24af63a3d62826946df4e7c89d1a159c7f6a2791N.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\discord.exe"C:\Users\Admin\AppData\Local\Temp\discord.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\Users\Admin\AppData\Local\Temp\93f13afc6fb08fbc77cf965e24af63a3d62826946df4e7c89d1a159c7f6a2791N.exe"2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 53⤵
- System Location Discovery: System Language Discovery
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
65KB
MD5ed689865c39b6ef12d27909bad36afe0
SHA1f6e672c9a38ff700a8eda0ec996db345a1b2cb69
SHA25693f13afc6fb08fbc77cf965e24af63a3d62826946df4e7c89d1a159c7f6a2791
SHA512c1438eef5909e753f332129ca5ca66f12f91e14e82ae41482b987e6cfc3355861815fb59571afb629293b1c7327c44ca8034716bd74c4db0251f933dc6c287d8
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB