Overview

overview

10

Static

static

10

mos ssssttttt.exe

windows7-x64

10

mos ssssttttt.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    13-12-2024 11:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    mos ssssttttt.exe

  • Size

    93KB

  • MD5

    8be7cd574b5424c43a6d0ccc4a989412

  • SHA1

    946d22547849765d756071f63be3417b30f39c6f

  • SHA256

    87a40d2e8ebe033ff3d359309dda136f1bced5c5578c8ea7d05b9d97e5adb12f

  • SHA512

    8aff9965a7c8ccb357b3e026c2b65eb0457d4967ddbbb269f781ce62c9c77667b3a7ed4e8794bdaff6a7adfd46757cf1579bf740ec5a0d2747efa824bcf18eeb

  • SSDEEP

    1536:lIEQIBlfGQFk2ZonmzlMxjEwzGi1dD1DYgS:lICtFk2ZonmZMOi1dxB

Score
10/10
njrathackeddiscoveryevasionpersistenceprivilege_escalationtrojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

hakim32.ddns.net:2000

127.0.0.1:444
Mutex

990be91699f271511aed6c9147533362

Attributes
  • reg_key

    990be91699f271511aed6c9147533362

  • splitter

    |'|'|

Signatures

  • Njrat family
    njrat
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Modifies Windows Firewall 2 TTPs 3 IoCs
    evasion
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 9 IoCs
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\mos ssssttttt.exe
    "C:\Users\Admin\AppData\Local\Temp\mos ssssttttt.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1380
    • C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\mos ssssttttt.exe" "mos ssssttttt.exe" ENABLE
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:2108
    • C:\Windows\SysWOW64\netsh.exe
      netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\mos ssssttttt.exe"
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:2684
    • C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\mos ssssttttt.exe" "mos ssssttttt.exe" ENABLE
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:2452
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn StUpdate /tr C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2360
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {8EF065FB-029F-4269-A3CE-AD8D1E3E016E} S-1-5-21-3551809350-4263495960-1443967649-1000:NNYJZAHP\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2832
    • C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
      C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2884
    • C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
      C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2776
    • C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
      C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1168

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
    Filesize

    93KB

    MD5

    8be7cd574b5424c43a6d0ccc4a989412

    SHA1

    946d22547849765d756071f63be3417b30f39c6f

    SHA256

    87a40d2e8ebe033ff3d359309dda136f1bced5c5578c8ea7d05b9d97e5adb12f

    SHA512

    8aff9965a7c8ccb357b3e026c2b65eb0457d4967ddbbb269f781ce62c9c77667b3a7ed4e8794bdaff6a7adfd46757cf1579bf740ec5a0d2747efa824bcf18eeb

    Download Submit

  • C:\Users\Admin\AppData\Roaming\app
    Filesize

    5B

    MD5

    bbcd2be775370c1e106e66d077a93f3b

    SHA1

    a44b6a98f30e3275fc304bc3b29e0eab8ae47f20

    SHA256

    a7aa76f137ba550c381cfb8e5195a01963ae49db167e1cd1e0a8b902ed81eda1

    SHA512

    bb6e0d1f24253a9525fd538debf8ca68eb7078cb8539140c184331a854ecdea192fbcc314c4154a0a474c9aec41a79efeb8150922454c3c9e71eeb5297ae2f72

    Download Submit

  • memory/1380-0-0x0000000074B71000-0x0000000074B72000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1380-1-0x0000000074B70000-0x000000007511B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1380-2-0x0000000074B70000-0x000000007511B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1380-5-0x0000000074B70000-0x000000007511B000-memory.dmp

    Filesize

    5.7MB

    Download