Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240903-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    10-12-2024 10:41

General

  • Target

    Server.exe

  • Size

    93KB

  • MD5

    d43643e01d59c289b551c240242ea5cd

  • SHA1

    aa17e80aac2ca4e14297b0a7cf29c85b116882c6

  • SHA256

    e160f4bae8005bb78e9719ab69ce72ba4a9a8d0117498c6e0bafde9963eef460

  • SHA512

    4143358f507836da62db5f91fccf50d531b79bc5893d7f09d1929f597924a7e2f6b157ea0cec129c9d7c87853e19596714e918204e5ce074a0aa5dec523cbfdd

  • SSDEEP

    768:sY35xByZnDQMMpAZrGSt6udttXymsahkGJiXxrjEtCdnl2pi1Rz4Rk3YRsGdpUgM:NxUZD3rGWNd7DhkhjEwzGi1dD8DUgS

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

hakim32.ddns.net:2000

japanese-cross.gl.at.ply.gg:16828

Mutex

ac168fa7329a1bbe164c59a113cb4d71

Attributes
  • reg_key

    ac168fa7329a1bbe164c59a113cb4d71

  • splitter

    |'|'|
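
The extracted config gives the two C2 endpoints and the field splitter, which is enough to pull apart njRAT traffic on the wire. The Python below is an added example, not part of this report and not njRAT's own code. It assumes the framing the njRAT 0.7d client uses (payload length as ASCII decimal digits, a NUL byte, then the payload; fields joined with the extracted splitter) and that "ll" is the client's registration message; the sample stream is constructed, and the field order after the command keyword is illustrative rather than a claim about the exact 0.7d layout. It handles the edge case a stream reassembler hits in practice: a trailing partial frame is returned as a remainder instead of being dropped.

```python
import base64
import binascii

# Taken from the report's Malware Config section.
SPLITTER = "|'|'|"
C2 = {"hakim32.ddns.net": 2000, "japanese-cross.gl.at.ply.gg": 16828}


def parse_frames(stream: bytes):
    """Split a raw njRAT TCP byte stream into payload frames.

    Framing assumed here (as used by the njRAT 0.7d client): the payload
    length as ASCII decimal digits, a NUL byte, then that many payload bytes.
    Returns (frames, remainder); a trailing partial frame is kept in
    `remainder` so a caller reading from a socket can append more bytes and
    call again instead of silently losing it.
    """
    frames = []
    pos = 0
    while True:
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            break
        length_txt = stream[pos:nul]
        if not length_txt.isdigit():
            raise ValueError(f"bad length prefix at offset {pos}: {length_txt!r}")
        start = nul + 1
        end = start + int(length_txt)
        if end > len(stream):
            break  # incomplete frame: wait for more data
        frames.append(stream[start:end])
        pos = end
    return frames, stream[pos:]


def split_fields(frame: bytes):
    """Split one payload on the extracted splitter string."""
    return frame.decode("utf-8", errors="replace").split(SPLITTER)


def maybe_b64(field: str) -> str:
    """njRAT base64-encodes some fields (e.g. the host ID). Decode only when
    the field is strictly valid base64 *and* decodes to UTF-8 text; otherwise
    return it unchanged. Short plain words can collide with base64, so treat
    a decoded value as a hint, not ground truth."""
    try:
        return base64.b64decode(field, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return field


def summarize(stream: bytes):
    """One record per complete frame: command keyword plus decoded fields."""
    frames, remainder = parse_frames(stream)
    records = []
    for frame in frames:
        fields = split_fields(frame)
        records.append({"cmd": fields[0], "fields": [maybe_b64(f) for f in fields[1:]]})
    return records, remainder


# --- constructed sample stream (not captured traffic) -----------------------
def build_frame(fields):
    payload = SPLITTER.join(fields).encode("utf-8")
    return str(len(payload)).encode("ascii") + b"\x00" + payload


HOST_ID = base64.b64encode(b"WIN-7SANDBOX_4F2A1C3B").decode("ascii")
# "ll" is the client's registration message; the values after it are
# illustrative and shaped like this report (botnet "HacKed", version 0.7d).
SAMPLE_STREAM = (
    build_frame(["ll", HOST_ID, "HacKed", "WIN-7SANDBOX", "Admin",
                 "24-12-10", "", "Win 7 Ultimate SP1 x64", "No", "0.7d"])
    + build_frame(["P"])                  # single-field keep-alive style frame
    + b"40\x00ll" + SPLITTER.encode()     # truncated third frame
)

if __name__ == "__main__":
    recs, rest = summarize(SAMPLE_STREAM)
    for r in recs:
        print(r["cmd"], r["fields"])
    print("unparsed tail:", rest)
```

Feed it the client-to-server side of a reassembled TCP stream to either of the C2 endpoints above; the botnet name ("HacKed") and version string ("0.7d") in the first frame are the quickest cross-check against the extracted config.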

Signatures

  • Njrat family
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Disables Task Manager via registry modification
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Drops startup file 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. The only netsh command line recorded in the process tree is "firewall add allowedprogram" for the dropped server.exe; no "add helper" DLL registration appears in this report, so read this signature as triggered by the netsh invocation itself rather than as evidence of helper-DLL persistence.

  • System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 41 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Server.exe
    "C:\Users\Admin\AppData\Local\Temp\Server.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2124
    • C:\Users\Admin\AppData\Roaming\server.exe
      "C:\Users\Admin\AppData\Roaming\server.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2508
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:2168
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.vbs"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1544
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.vbs"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:344
      • C:\Windows\winhlp32.exe
        "C:\Windows\winhlp32.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.hlp
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2372
      • C:\Windows\winhlp32.exe
        "C:\Windows\winhlp32.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.hlp
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2160
      • C:\Windows\winhlp32.exe
        "C:\Windows\winhlp32.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.hlp
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2080
      • C:\Windows\winhlp32.exe
        "C:\Windows\winhlp32.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.hlp
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2180
      • C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
        "C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.ppt"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of WriteProcessMemory
        PID:2136
        • C:\Windows\splwow64.exe
          C:\Windows\splwow64.exe 12288
          4⤵
          PID:2732
      • C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
        "C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.ppt"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2632
      • C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
        "C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.ppt"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2600
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.cmd" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1400
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.cmd" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2660
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.cmd" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1972
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.cmd" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1612
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.cmd" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2532
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.cmd" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:808
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.cmd" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2120
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.cmd" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1740
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.cmd" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2160
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.cmd" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2364
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.cmd" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2848
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.cmd" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2804
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.cmd" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2252
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.cmd" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2428
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.cmd" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:760
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.cmd" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1196
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.cmd" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1888
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.cmd" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1332
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.cmd" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2624
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2640
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
    1⤵
    • System Location Discovery: System Language Discovery
    PID:1088
  • C:\Windows\helppane.exe
    C:\Windows\helppane.exe -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:984
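
The Signatures list and the process tree above describe the same three host behaviours a detection engineer would turn into rules: the sample copying itself from Temp to AppData\Roaming and executing the copy, netsh adding a firewall exception for that copy, and script hosts (WScript, cmd, winhlp32) launching files from AppData\Roaming\Microsoft\Windows\Templates. The Python below is an added example, not part of the sandbox report or any vendor tooling: it runs three rules over process-creation events constructed from the command lines in the tree above (the event dictionaries, rule names and the user-writable path list are this example's own assumptions), and is the shape a Sigma-style rule would take once mapped onto EDR or Sysmon event ID 1 telemetry.

```python
import re
from collections import namedtuple

Hit = namedtuple("Hit", "rule pid detail")

# Assumption: directories a standard user can write to (extend for your estate).
USER_WRITABLE = re.compile(r"(?i)^c:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\")
# The drop directory seen in the tree above.
TEMPLATES_DIR = re.compile(r"(?i)\\appdata\\roaming\\microsoft\\windows\\templates\\")
# Legacy netsh syntax, as recorded in the tree: firewall add allowedprogram <path> <name> ENABLE
NETSH_ALLOW = re.compile(r'(?i)firewall\s+add\s+allowedprogram\s+(?:"([^"]+)"|(\S+))')
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "winhlp32.exe", "mshta.exe", "powershell.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_netsh_allowedprogram(ev, by_pid):
    """netsh firewall exception for a program living in a user-writable path."""
    if basename(ev["image"]) != "netsh.exe":
        return None
    m = NETSH_ALLOW.search(ev["cmdline"])
    if not m:
        return None
    program = m.group(1) or m.group(2)
    if USER_WRITABLE.search(program):
        return Hit("netsh_allowedprogram_user_path", ev["pid"], program)
    return None


def rule_user_profile_exec_chain(ev, by_pid):
    """Executable in a user-writable dir spawned by another user-writable executable
    (the Temp\\Server.exe -> Roaming\\server.exe self-copy stage)."""
    parent = by_pid.get(ev["ppid"])
    if parent and USER_WRITABLE.search(ev["image"]) and USER_WRITABLE.search(parent["image"]):
        return Hit("user_profile_exec_chain", ev["pid"], f'{parent["image"]} -> {ev["image"]}')
    return None


def rule_script_host_from_templates(ev, by_pid):
    """Script/host binary given a file under the Templates drop directory."""
    if basename(ev["image"]) in SCRIPT_HOSTS and TEMPLATES_DIR.search(ev["cmdline"]):
        return Hit("script_host_from_templates", ev["pid"], ev["cmdline"])
    return None


RULES = [rule_netsh_allowedprogram, rule_user_profile_exec_chain, rule_script_host_from_templates]


def detect(events):
    """Run every rule over every event; parent lookup is by pid within the batch."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev, by_pid)
            if hit:
                hits.append(hit)
    return hits


# Constructed events mirroring the process tree above (pids/ppids from the report).
EVENTS = [
    {"pid": 2124, "ppid": 0, "image": r"C:\Users\Admin\AppData\Local\Temp\Server.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Server.exe"'},
    {"pid": 2508, "ppid": 2124, "image": r"C:\Users\Admin\AppData\Roaming\server.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\server.exe"'},
    {"pid": 2168, "ppid": 2508, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE'},
    {"pid": 1544, "ppid": 2508, "image": r"C:\Windows\SysWOW64\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.vbs"'},
    {"pid": 1400, "ppid": 2508, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.cmd" "'},
    {"pid": 984, "ppid": 0, "image": r"C:\Windows\helppane.exe",
     "cmdline": r"C:\Windows\helppane.exe -Embedding"},   # benign control event
]

if __name__ == "__main__":
    for h in detect(EVENTS):
        print(f"{h.rule:32} pid={h.pid:<5} {h.detail}")
```

The netsh rule is the highest-signal of the three on a real estate (T1562.004, Impair Defenses: Disable or Modify System Firewall), because legitimate installers add firewall exceptions from Program Files, not from a user's roaming profile; the chain and Templates rules need tuning per environment but pin down the drop location and the self-copy that the identical hashes of Server.exe and server.exe in the Files section confirm.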

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\A48D25D.tmp

      Filesize

      113B

      MD5

      67eeaff7e51df1ae135bcb3c656e2aeb

      SHA1

      71ee5f857e5a1c11206718d910f57556e79bec47

      SHA256

      fa2c12bec4a6d8b945e3d85961e1a7a26858623c6d2318ae843f4b867bbbf499

      SHA512

      1570bd5338476984ffec39211d64bf8c3bb89435b68c15cf0d06335f4eab4f0bb702ea234535c7d3e0e4ee4bce0b34d01d448816bba1b1f9e53d808336d24faa

    • C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_C03C740CA12142E48E933E56E5FB68C8.dat

      Filesize

      940B

      MD5

      5c9c29cc2b1de9ea350d469190a4a4db

      SHA1

      85f4ceacbe2675d447e98eb1b998b01e921117e9

      SHA256

      633f3a8b47f13e502a4f90234bd0e5d4c271cbb9524f212648c8ab45d95279a0

      SHA512

      c38c5f99dc884a4458ccd229f90970a740fcfe87f6f335c2dc400e37e82a31c7d6509cb3446deadc736e4079a17ddb9e6c69b7ca35cad3a386023acbfc05d844

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.vbs

      Filesize

      19B

      MD5

      53b9f8d6b89885849f2082ed155df5b0

      SHA1

      9698bf6232b9b0e9e9bd1a5c22a2e31cf1a7641e

      SHA256

      c8852b43797378fb4f911c2e010882f1665bbcaf037ba800d1d6de3329937488

      SHA512

      dd25d925585da29304f3b0ba6eb92463b9f25507ea3b0e306c891e441805210d9f02b451835f46d4d01ee0803f489bfbf5f0056fb47830f839d123be3cbf252f

    • C:\Users\Admin\AppData\Roaming\app

      Filesize

      5B

      MD5

      a65a8cc18c0fdcac3b78ed8f032e2f98

      SHA1

      9087f7aaf4edf3b132348b1e5dfa7a678d57d40e

      SHA256

      ca1c5c735384c64968c987e3e608cb48a3cbd73e870f1bc6d60f2b24f9445e3a

      SHA512

      8e56c9aa0c90fb30b488fa72a0b9d40e69c357e32d8e6f9d5a299dfbf9df8c896c28684d7163972019ab53dfcfe35dc75e9b305e07c81b9984a410e04b96186d

    • \Users\Admin\AppData\Roaming\server.exe

      Filesize

      93KB

      MD5

      d43643e01d59c289b551c240242ea5cd

      SHA1

      aa17e80aac2ca4e14297b0a7cf29c85b116882c6

      SHA256

      e160f4bae8005bb78e9719ab69ce72ba4a9a8d0117498c6e0bafde9963eef460

      SHA512

      4143358f507836da62db5f91fccf50d531b79bc5893d7f09d1929f597924a7e2f6b157ea0cec129c9d7c87853e19596714e918204e5ce074a0aa5dec523cbfdd

    • memory/2124-1-0x00000000748E0000-0x0000000074E8B000-memory.dmp

      Filesize

      5.7MB

    • memory/2124-2-0x00000000748E0000-0x0000000074E8B000-memory.dmp

      Filesize

      5.7MB

    • memory/2124-14-0x00000000748E0000-0x0000000074E8B000-memory.dmp

      Filesize

      5.7MB

    • memory/2124-0-0x00000000748E1000-0x00000000748E2000-memory.dmp

      Filesize

      4KB

    • memory/2136-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2508-17-0x00000000748E0000-0x0000000074E8B000-memory.dmp

      Filesize

      5.7MB

    • memory/2508-23-0x00000000748E0000-0x0000000074E8B000-memory.dmp

      Filesize

      5.7MB

    • memory/2508-16-0x00000000748E0000-0x0000000074E8B000-memory.dmp

      Filesize

      5.7MB

    • memory/2508-15-0x00000000748E0000-0x0000000074E8B000-memory.dmp

      Filesize

      5.7MB