Analysis

  • max time kernel
    144s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-12-2024 11:01

General

  • Target

    fbfdfa9de3a80cc647a1173b193cbe3e7e2c56088c7e5fda2b75b2561eeebe03.exe

  • Size

    1.2MB

  • MD5

    1d0533150b9b44246d4431607b3871ab

  • SHA1

    73e34d8ab2f51edd471b06c3e2ad17c29701536a

  • SHA256

    fbfdfa9de3a80cc647a1173b193cbe3e7e2c56088c7e5fda2b75b2561eeebe03

  • SHA512

    a658d2f0768a94c632bb7bb1202584d27ff1bd5db94f8c3cf25f059803c01b3ed49c0ca4db326016a149723034a9bd56531072db2f0203c054d7e28d0ca277da

  • SSDEEP

    24576:eAHnh+eWsN3skA4RV1Hom2KXMmHaW7aWvCaFg5a7PCmWX95u:Jh+ZkldoPK8YaW7CaZ7IHu

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

redlanhopto

C2

redlan.hopto.org:5553

Mutex

d25d360449d7bab3069e1b77b3a914a3

Attributes
  • reg_key

    d25d360449d7bab3069e1b77b3a914a3

  • splitter

    |'|'|

Signatures

  • Njrat family
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Executes dropped EXE 2 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Suspicious use of FindShellTrayWindow 9 IoCs
  • Suspicious use of SendNotifyMessage 9 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fbfdfa9de3a80cc647a1173b193cbe3e7e2c56088c7e5fda2b75b2561eeebe03.exe
    "C:\Users\Admin\AppData\Local\Temp\fbfdfa9de3a80cc647a1173b193cbe3e7e2c56088c7e5fda2b75b2561eeebe03.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2288
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2608
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:2568
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /tn igfxHK /tr "C:\Users\Admin\AppData\Roaming\chkdsk\data.exe" /sc minute /mo 1 /F
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:1152
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {67C3ECA4-8482-4521-B447-6511616211AA} S-1-5-21-2039016743-699959520-214465309-1000:PIDEURYY\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2916
    • C:\Users\Admin\AppData\Roaming\chkdsk\data.exe
      C:\Users\Admin\AppData\Roaming\chkdsk\data.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2944
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2780
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\SysWOW64\schtasks.exe" /create /tn igfxHK /tr "C:\Users\Admin\AppData\Roaming\chkdsk\data.exe" /sc minute /mo 1 /F
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:1028
    • C:\Users\Admin\AppData\Roaming\chkdsk\data.exe
      C:\Users\Admin\AppData\Roaming\chkdsk\data.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2084

Network

  • DNS (US)
    redlan.hopto.org
    RegAsm.exe
    Remote address: 8.8.8.8:53
    Request: redlan.hopto.org IN A
    Response: redlan.hopto.org IN A 184.105.237.195
  • 184.105.237.195:5553
    redlan.hopto.org
    RegAsm.exe
    637 B
    248 B
    7
    6
  • 184.105.237.195:5553
    redlan.hopto.org
    RegAsm.exe
    562 B
    208 B
    6
    5
  • 184.105.237.195:5553
    redlan.hopto.org
    RegAsm.exe
    637 B
    248 B
    7
    6
  • 184.105.237.195:5553
    redlan.hopto.org
    RegAsm.exe
    637 B
    248 B
    7
    6
  • 184.105.237.195:5553
    redlan.hopto.org
    RegAsm.exe
    545 B
    168 B
    5
    4
  • 8.8.8.8:53
    redlan.hopto.org
    dns
    RegAsm.exe
    62 B
    78 B
    1
    1

    DNS Request

    redlan.hopto.org

    DNS Response

    184.105.237.195

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\chkdsk\data.exe

    Filesize

    1.2MB

    MD5

    83f3f462b393cd26b35fe5a2155fd56e

    SHA1

    c72058398f76f1cd4acccc49623df5111b4c8118

    SHA256

    07872c5471feb3012d922777283cfb6e6065e20ba30dea2b192ca118d9d2d275

    SHA512

    8157bde3faeb9c85ac43f6b1e2b09b456fe3745b07bbc61fe14e714c6f5a87d93ec897732a65d2f2b5d272736db7b0e77202b2b39934ab8705eaa120fa53a7d7

  • memory/2288-0-0x0000000000120000-0x0000000000121000-memory.dmp

    Filesize

    4KB

  • memory/2608-1-0x0000000000090000-0x000000000009C000-memory.dmp

    Filesize

    48KB

  • memory/2608-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2608-9-0x0000000000090000-0x000000000009C000-memory.dmp

    Filesize

    48KB

  • memory/2608-3-0x0000000000090000-0x000000000009C000-memory.dmp

    Filesize

    48KB

  • memory/2608-10-0x0000000000090000-0x000000000009C000-memory.dmp

    Filesize

    48KB

  • memory/2608-11-0x0000000073B82000-0x0000000073B84000-memory.dmp

    Filesize

    8KB

  • memory/2608-12-0x0000000073B82000-0x0000000073B84000-memory.dmp

    Filesize

    8KB
