Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    17-12-2024 01:55

General

  • Target

    ad43c66111cba44c1841ebc590a1dc4e525ab38d74433dd41c26b178f4b8c2e1.exe

  • Size

    37KB

  • MD5

    c656f530c130c90a375047f3f501ab03

  • SHA1

    4d3fb02a42eaab3b9e36a144148a1a9ee3ae5efa

  • SHA256

    ad43c66111cba44c1841ebc590a1dc4e525ab38d74433dd41c26b178f4b8c2e1

  • SHA512

    831000fd3f1ff365507243ceacae40b48d8d0d0dbb46b955a17f2eed8e29c8d30283e3904f3bff11593aa382dc3bfe2cdba5ab4265030ee212f7064ca1223ad6

  • SSDEEP

    384:5sh7qi0hJZtbH9KyM+2ZzmuHtgs2yHFrAF+rMRTyN/0L+EcoinblneHQM3epzXtV:yWJ95M+2Z6uKdylrM+rMRa8Nurft

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

tcp://kiwitech1337-20411.portmap.host:20411

Mutex

3e667850c59c9299d789f6e186e7293a

Attributes
  • reg_key

    3e667850c59c9299d789f6e186e7293a

  • splitter

    |'|'|

Signatures

  • Njrat family
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 7 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ad43c66111cba44c1841ebc590a1dc4e525ab38d74433dd41c26b178f4b8c2e1.exe
    "C:\Users\Admin\AppData\Local\Temp\ad43c66111cba44c1841ebc590a1dc4e525ab38d74433dd41c26b178f4b8c2e1.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2184
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\sasiski
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1716
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\sasiski"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:2804

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\sasiski

    Filesize

    37KB

    MD5

    c656f530c130c90a375047f3f501ab03

    SHA1

    4d3fb02a42eaab3b9e36a144148a1a9ee3ae5efa

    SHA256

    ad43c66111cba44c1841ebc590a1dc4e525ab38d74433dd41c26b178f4b8c2e1

    SHA512

    831000fd3f1ff365507243ceacae40b48d8d0d0dbb46b955a17f2eed8e29c8d30283e3904f3bff11593aa382dc3bfe2cdba5ab4265030ee212f7064ca1223ad6

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    c2f8290aa9c04c7a7c4473cb11eefa5f

    SHA1

    95cdc464f57e63fb064468d5a5ea339cd0083edb

    SHA256

    a12723b3fba5b3bebc5a320f2ad3874e61c2bfc4f0028d839edf64c6e3c7ceb4

    SHA512

    af438c07db7abbf116587623754bc615e206a5298922a6c30586dd457f4ec00580e0f43514f2dfd0d23ed9140094291576113100a2dc1697fd3e16f910a36b01

  • memory/2184-0-0x0000000074641000-0x0000000074642000-memory.dmp

    Filesize

    4KB

  • memory/2184-1-0x0000000074640000-0x0000000074BEB000-memory.dmp

    Filesize

    5.7MB

  • memory/2184-2-0x0000000074640000-0x0000000074BEB000-memory.dmp

    Filesize

    5.7MB

  • memory/2184-5-0x0000000074640000-0x0000000074BEB000-memory.dmp

    Filesize

    5.7MB