Overview

overview

10

Static

static

10

a75cc6e666...dc.exe

windows7-x64

10

a75cc6e666...dc.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    16-12-2024 01:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a75cc6e666c7810a7c60d0b87f61ea983886227f4ca4de43d2ed8c87d38590dc.exe

  • Size

    35KB

  • MD5

    917235e2cc9fb5a974451973b4be23ce

  • SHA1

    3f2df07996d988d0bb443bafd75487da428f5389

  • SHA256

    a75cc6e666c7810a7c60d0b87f61ea983886227f4ca4de43d2ed8c87d38590dc

  • SHA512

    d8f31ed4edd33472a3b0e3967b401688529b2d2e039f66652877a75990b4934808a4ff3d92e2b3c5d9dfabfbba8d17f58f7d3365abd6f9aeb2181c63760144ae

  • SSDEEP

    384:pLQ5CVFzG+7OA0VsMEvFO4xQi+yP+hhfMRAQk93vmhm7UMKmIEecKdbXTzm9bVh2:ZIfILxhRA/vMHTi9bDRJk6/i

Score
10/10
njrathackeddiscoverypersistencetrojan

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

HacKed

C2

ratr.zapto.org:5552

Mutex

Windows

Attributes
  • reg_key

    Windows

  • splitter

    |-F-|

Signatures

  • Njrat family
    njrat
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 33 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Views/modifies file attributes 1 TTPs 3 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\a75cc6e666c7810a7c60d0b87f61ea983886227f4ca4de43d2ed8c87d38590dc.exe
    "C:\Users\Admin\AppData\Local\Temp\a75cc6e666c7810a7c60d0b87f61ea983886227f4ca4de43d2ed8c87d38590dc.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2156
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2056
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2604
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2828
    • C:\Windows\SysWOW64\attrib.exe
      attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Views/modifies file attributes
      PID:2912

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
    Filesize

    1KB

    MD5

    aab0594dc0ccf72394edb0350a86b3f1

    SHA1

    213f977d9d4b23d8ad554e86c2993d373bab6302

    SHA256

    cbd65a8650c6b50d91ccdede66a06aaf39709cbe2a8e18d0c96c7d5cbd8506ca

    SHA512

    dc4fd43d6641c93aed49613704bffab906cbc10f2aa7a3945ce02e6eff299c165cd459e8b047e836ae38871517bfdfe9b2e1fa59b45f9e28d429866b739da16e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
    Filesize

    1018B

    MD5

    e1d45e45044687dab3a6d0632db13944

    SHA1

    899a5d21fc82511f1958f529f7a8cb07fca318a9

    SHA256

    cf1c0a075333927031717773ab95451514e865ea03dfbbadfb4ec20316af0149

    SHA512

    7643e22b5b86ef3847ca78aa6c6bd6f00823e5277832750cf4bf00975088a7dfb4143ab97c50ebbac4698b062e452aaf01efc070fc3801cb82659800bed66690

    Download Submit

  • \Users\Admin\AppData\Local\Temp\svchost.exe
    Filesize

    35KB

    MD5

    917235e2cc9fb5a974451973b4be23ce

    SHA1

    3f2df07996d988d0bb443bafd75487da428f5389

    SHA256

    a75cc6e666c7810a7c60d0b87f61ea983886227f4ca4de43d2ed8c87d38590dc

    SHA512

    d8f31ed4edd33472a3b0e3967b401688529b2d2e039f66652877a75990b4934808a4ff3d92e2b3c5d9dfabfbba8d17f58f7d3365abd6f9aeb2181c63760144ae

    Download Submit

  • memory/2056-13-0x0000000074540000-0x0000000074AEB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2056-15-0x0000000074540000-0x0000000074AEB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2056-20-0x0000000074540000-0x0000000074AEB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2056-21-0x0000000074540000-0x0000000074AEB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2156-0-0x0000000074541000-0x0000000074542000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2156-1-0x0000000074540000-0x0000000074AEB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2156-2-0x0000000074540000-0x0000000074AEB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2156-5-0x0000000074540000-0x0000000074AEB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2156-14-0x0000000074540000-0x0000000074AEB000-memory.dmp

    Filesize

    5.7MB

    Download