Overview

overview

10

Static

static

3

172f10ae33...4N.exe

windows7-x64

7

172f10ae33...4N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    111s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-01-2025 05:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    172f10ae33196a11f01badca777c0479e888e27ab7852e4ec229ef4b3cf16a94N.exe

  • Size

    72KB

  • MD5

    830c26f8622816db28843dbc86435e80

  • SHA1

    4400c8a99cde6340a285936837dea78afdc74ccf

  • SHA256

    172f10ae33196a11f01badca777c0479e888e27ab7852e4ec229ef4b3cf16a94

  • SHA512

    5ab43dfb0a2bf1b6bf6923766887555adcd16fe57767e940ccf933220ce5508a3cf99086dd3a3fb4e49e93317ca9ce96b406cb9190c40602fe251dc71f6f5e2b

  • SSDEEP

    768:2whjxxKg9TJy+fWsvzyVSAvckRl/95GaYlOEQ3A18/4yUdgdc4smWteEtN1V6ZPu:9xK8/yX0Al9wLlO057+OFkPdrSkJJZw

Score
10/10
njrattrojan

Malware Config

Signatures

  • Njrat family
    njrat
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\172f10ae33196a11f01badca777c0479e888e27ab7852e4ec229ef4b3cf16a94N.exe
    "C:\Users\Admin\AppData\Local\Temp\172f10ae33196a11f01badca777c0479e888e27ab7852e4ec229ef4b3cf16a94N.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2796
    • C:\Users\Admin\Tsfer.exe
      "C:\Users\Admin\Tsfer.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:328

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\Tsfer.exe
    Filesize

    37KB

    MD5

    66ce75999da52c638633e795556eccc8

    SHA1

    b37074abb57eb7942913b2915da52049848135b2

    SHA256

    ef40c1742839f7cefc5f833e902ac2a77c69fcb28518c6c9951b39b4415ef051

    SHA512

    b1ce99e9ce235c9c16959362b4d90242aa1009f9842f225da7d458ee9e5929bd3a6edf37c1d3b5dbdc7445836e901e7617317324a311628301e3943b5e1429e2

    Download Submit

  • memory/328-32-0x00000000008A0000-0x00000000008B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/328-33-0x00007FF824830000-0x00007FF8252F1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/328-34-0x00007FF824830000-0x00007FF8252F1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/328-35-0x0000000002BE0000-0x0000000002BEC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/328-36-0x00007FF824830000-0x00007FF8252F1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/328-37-0x00007FF824830000-0x00007FF8252F1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2796-0-0x00007FF824833000-0x00007FF824835000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2796-1-0x0000000000C70000-0x0000000000C88000-memory.dmp

    Filesize

    96KB

    Download