Overview

overview

10

Static

static

3

0e29fe7841...4N.exe

windows7-x64

10

0e29fe7841...4N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-12-2024 22:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0e29fe7841d99a746c601d9a9ff393b555177ad17c2d2d99319067c52c891f54N.exe

  • Size

    95KB

  • MD5

    ebeaca1811d01b7d143bd1b35d67d0f0

  • SHA1

    9c51bce73607d48ed8c783a8d666ea06b8ff1a32

  • SHA256

    0e29fe7841d99a746c601d9a9ff393b555177ad17c2d2d99319067c52c891f54

  • SHA512

    1d754f69d1738f766c7f46918675ea3a364a48be43f80c80cb1072b7d22c7618349e210d6cdce8b667687c59a6cd1a14ba8056258e9709f6cc25e3de1f81839e

  • SSDEEP

    1536:spBYfgR+0vLUJ9qVcysDE3PS8jApI9Yo1D03BD6nFNSXBUx2imHq2ilP/m6LFEfB:sEoRTLUJQKNpV0DuONbtmHolP/m6LFEZ

Score
10/10
njratdiscoveryevasionexecutiontrojan

Malware Config

Signatures

  • Njrat family
    njrat
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Drops file in Windows directory 2 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e29fe7841d99a746c601d9a9ff393b555177ad17c2d2d99319067c52c891f54N.exe
    "C:\Users\Admin\AppData\Local\Temp\0e29fe7841d99a746c601d9a9ff393b555177ad17c2d2d99319067c52c891f54N.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4676
    • C:\Users\Admin\AppData\Roaming\dllhost.exe
      "C:\Users\Admin\AppData\Roaming\dllhost.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4496
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Users\Admin\AppData\Roaming\dllhost.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:4908
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4472
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell Set-MpPreference -DisableRealtimeMonitoring $true
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2564
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c sc query windefend
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3916
        • C:\Windows\SysWOW64\sc.exe
          sc query windefend
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:3924
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c sc stop windefend
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4392
        • C:\Windows\SysWOW64\sc.exe
          sc stop windefend
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:3544
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c sc delete windefend
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4564
        • C:\Windows\SysWOW64\sc.exe
          sc delete windefend
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:4700

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xb4oarbd.xje.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\dllhost.exe
    Filesize

    95KB

    MD5

    ebeaca1811d01b7d143bd1b35d67d0f0

    SHA1

    9c51bce73607d48ed8c783a8d666ea06b8ff1a32

    SHA256

    0e29fe7841d99a746c601d9a9ff393b555177ad17c2d2d99319067c52c891f54

    SHA512

    1d754f69d1738f766c7f46918675ea3a364a48be43f80c80cb1072b7d22c7618349e210d6cdce8b667687c59a6cd1a14ba8056258e9709f6cc25e3de1f81839e

    Download Submit

  • memory/2564-59-0x00000000072A0000-0x00000000072BE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2564-69-0x0000000007930000-0x0000000007938000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2564-72-0x0000000072EC0000-0x0000000073670000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2564-34-0x00000000055C0000-0x0000000005626000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2564-68-0x0000000007950000-0x000000000796A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2564-67-0x0000000007850000-0x0000000007864000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2564-66-0x0000000007840000-0x000000000784E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2564-65-0x0000000007810000-0x0000000007821000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2564-25-0x0000000072ECE000-0x0000000072ECF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2564-26-0x00000000029E0000-0x0000000002A16000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2564-27-0x0000000072EC0000-0x0000000073670000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2564-64-0x0000000007890000-0x0000000007926000-memory.dmp

    Filesize

    600KB

    Download

  • memory/2564-63-0x0000000007680000-0x000000000768A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2564-28-0x00000000056B0000-0x0000000005CD8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/2564-31-0x0000000072EC0000-0x0000000073670000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2564-62-0x0000000007610000-0x000000000762A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2564-33-0x0000000005520000-0x0000000005542000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2564-35-0x0000000005630000-0x0000000005696000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2564-61-0x0000000007C50000-0x00000000082CA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/2564-60-0x00000000074E0000-0x0000000007583000-memory.dmp

    Filesize

    652KB

    Download

  • memory/2564-46-0x00000000062E0000-0x00000000062FE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2564-45-0x0000000005DE0000-0x0000000006134000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2564-47-0x0000000006320000-0x000000000636C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2564-48-0x00000000068B0000-0x00000000068E2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2564-49-0x000000006F3A0000-0x000000006F3EC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4496-18-0x0000000075180000-0x0000000075731000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4496-32-0x0000000075180000-0x0000000075731000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4496-30-0x0000000075180000-0x0000000075731000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4496-29-0x0000000075180000-0x0000000075731000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4496-20-0x0000000075180000-0x0000000075731000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4496-17-0x0000000075180000-0x0000000075731000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4676-0-0x0000000075182000-0x0000000075183000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4676-2-0x0000000075180000-0x0000000075731000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4676-24-0x0000000075180000-0x0000000075731000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4676-21-0x0000000075180000-0x0000000075731000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4676-19-0x0000000075182000-0x0000000075183000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4676-1-0x0000000075180000-0x0000000075731000-memory.dmp

    Filesize

    5.7MB

    Download