Analysis

  • max time kernel
    150s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    07-12-2024 22:50

General

  • Target

    5731157a1e86abe974e4cad956a53dee2795d87aa7ee23215f7d4b28dc6b9e6f.exe

  • Size

    488KB

  • MD5

    0e33819a10f6d174189c8d71ffb671f1

  • SHA1

    d617a34a88c424ed60f93ce60f091dd235354ad0

  • SHA256

    5731157a1e86abe974e4cad956a53dee2795d87aa7ee23215f7d4b28dc6b9e6f

  • SHA512

    ec1e7376df583d9f65feb6bbe95c15fc04b0f8242111b1496029a5932ccf802fea31b9c7171415829f258980591d9d141c304597849c87f6acb0c92baf7634aa

  • SSDEEP

    6144:08JsLcpjzTDDmHayakLkrb4NSarQWYmdUfKyt9XDeXYobgP:RzxzTDWikLSb4NS79mdUfH9zeXYobi

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

2.tcp.eu.ngrok.io:15986

Mutex

198d41d5fe2cbc3d7b66a9e7a223f914

Attributes
  • reg_key

    198d41d5fe2cbc3d7b66a9e7a223f914

  • splitter

    |'|'|

Signatures

  • Njrat family
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Drops autorun.inf file 1 TTPs 5 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5731157a1e86abe974e4cad956a53dee2795d87aa7ee23215f7d4b28dc6b9e6f.exe
    "C:\Users\Admin\AppData\Local\Temp\5731157a1e86abe974e4cad956a53dee2795d87aa7ee23215f7d4b28dc6b9e6f.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2876
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\DONT_OPEN_ME_PLEASE.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\DONT_OPEN_ME_PLEASE.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2704
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops autorun.inf file
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1388
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:708
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2944

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Ошибка Женехе.png

    Filesize

    7KB

    MD5

    556c1e900659a022b8efe8268607d7a1

    SHA1

    2a85ae7e229ba740b3b1f2bc7483aa636d6e2714

    SHA256

    378bbce904f941fc30d6aa08969489c91968b0a507734d303d7c5ec65c297659

    SHA512

    06b3036123e52c40a09d3b8943a116e5987ec17f6957762509d7e4d694641ec12e0ae32b2d5a5f8667c77563cd7bbe5defd27aebb05c7a107aac067e6433b460

  • \Users\Admin\AppData\Local\Temp\RarSFX0\DONT_OPEN_ME_PLEASE.exe

    Filesize

    37KB

    MD5

    b9891a402fda1132df04dcbeb978c13a

    SHA1

    1408b5fb5d5ce0903c23cb174f3c10066d221079

    SHA256

    21d8a908a4557c58af6fd8487fbe360c6b6ee15de7dee9d31912b18d0936761c

    SHA512

    542fcfe3dadcf8a00ed8a81354d90fb6ddf9e88c3e5cd92395c93ceaadfe9d235b28ffeaf64a228afc902be1476736e05b61ed545432b5508b08c0f11211e540

  • memory/2876-4-0x0000000002660000-0x0000000002662000-memory.dmp

    Filesize

    8KB

  • memory/2944-5-0x0000000000200000-0x0000000000202000-memory.dmp

    Filesize

    8KB

  • memory/2944-6-0x0000000000960000-0x0000000000961000-memory.dmp

    Filesize

    4KB

  • memory/2944-27-0x0000000000960000-0x0000000000961000-memory.dmp

    Filesize

    4KB