Analysis

  • max time kernel
    120s
  • max time network
    116s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    19-12-2024 23:48

General

  • Target

    9acd975f4c97ed6d72af28fe63cd828eddaf394a3c6cec34c74739ebcb2005d6N.exe

  • Size

    77KB

  • MD5

    e993cfb6e61851f8e4b8a0de1109e7e0

  • SHA1

    7ed75b6f3d933016bb4064900780fdf702889e09

  • SHA256

    9acd975f4c97ed6d72af28fe63cd828eddaf394a3c6cec34c74739ebcb2005d6

  • SHA512

    ff3b842bc78179bf267852b7f1a73159db146e319f064b556d92c71a968c5061675377ad7e1663cdf2ca98b9f5d10a0ed64037f5223bd217f053e8bda1c6f1ad

  • SSDEEP

    1536:c+egCWviDlboRh2Zz6XGuM3M9vxG33eSORdRujx7zG3zJB52HB:cICWqboSx6e3MFC3elRdROVzG352HB

Malware Config

Signatures

  • Njrat family
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9acd975f4c97ed6d72af28fe63cd828eddaf394a3c6cec34c74739ebcb2005d6N.exe
    "C:\Users\Admin\AppData\Local\Temp\9acd975f4c97ed6d72af28fe63cd828eddaf394a3c6cec34c74739ebcb2005d6N.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2096
    • C:\Users\Admin\AppData\Roaming\dllhost.exe
      "C:\Users\Admin\AppData\Roaming\dllhost.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2280
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Users\Admin\AppData\Roaming\dllhost.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2908

Network

  • flag-us
    DNS
    oxy01.duckdns.org
    dllhost.exe
    Remote address:
    8.8.8.8:53
    Request
    oxy01.duckdns.org
    IN A
    Response
    oxy01.duckdns.org
    IN A
    62.139.223.142
  • flag-us
    DNS
    oxy01.duckdns.org
    dllhost.exe
    Remote address:
    8.8.8.8:53
    Request
    oxy01.duckdns.org
    IN A
    Response
    oxy01.duckdns.org
    IN A
    62.139.223.142
  • 62.139.223.142:6522
    oxy01.duckdns.org
    dllhost.exe
    152 B
    3
  • 62.139.223.142:6522
    oxy01.duckdns.org
    dllhost.exe
    152 B
    3
  • 62.139.223.142:6522
    oxy01.duckdns.org
    dllhost.exe
    152 B
    3
  • 62.139.223.142:6522
    oxy01.duckdns.org
    dllhost.exe
    152 B
    3
  • 62.139.223.142:6522
    oxy01.duckdns.org
    dllhost.exe
    152 B
    3
  • 8.8.8.8:53
    oxy01.duckdns.org
    dns
    dllhost.exe
    63 B
    79 B
    1
    1

    DNS Request

    oxy01.duckdns.org

    DNS Response

    62.139.223.142

  • 8.8.8.8:53
    oxy01.duckdns.org
    dns
    dllhost.exe
    63 B
    79 B
    1
    1

    DNS Request

    oxy01.duckdns.org

    DNS Response

    62.139.223.142

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\dllhost.exe

    Filesize

    77KB

    MD5

    e993cfb6e61851f8e4b8a0de1109e7e0

    SHA1

    7ed75b6f3d933016bb4064900780fdf702889e09

    SHA256

    9acd975f4c97ed6d72af28fe63cd828eddaf394a3c6cec34c74739ebcb2005d6

    SHA512

    ff3b842bc78179bf267852b7f1a73159db146e319f064b556d92c71a968c5061675377ad7e1663cdf2ca98b9f5d10a0ed64037f5223bd217f053e8bda1c6f1ad

  • memory/2096-0-0x00000000746C1000-0x00000000746C2000-memory.dmp

    Filesize

    4KB

  • memory/2096-1-0x00000000746C0000-0x0000000074C6B000-memory.dmp

    Filesize

    5.7MB

  • memory/2096-2-0x00000000746C0000-0x0000000074C6B000-memory.dmp

    Filesize

    5.7MB

  • memory/2096-18-0x00000000746C0000-0x0000000074C6B000-memory.dmp

    Filesize

    5.7MB

  • memory/2280-13-0x00000000746C0000-0x0000000074C6B000-memory.dmp

    Filesize

    5.7MB

  • memory/2280-20-0x00000000746C0000-0x0000000074C6B000-memory.dmp

    Filesize

    5.7MB

  • memory/2280-21-0x00000000746C0000-0x0000000074C6B000-memory.dmp

    Filesize

    5.7MB

  • memory/2280-22-0x00000000746C0000-0x0000000074C6B000-memory.dmp

    Filesize

    5.7MB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.