Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    18/01/2025, 11:25

General

  • Target

    621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3.exe

  • Size

    506KB

  • MD5

    cea8687c16ca4de232b21a53308714d3

  • SHA1

    88d8fbf3e679fa2c081e79d9b561d31b8a359538

  • SHA256

    621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3

  • SHA512

    e09aedf77f7eedd2e49825bda4ac6e966c301135419d857df2e2c86d78c82c48d09609ed6b6937a5f4582276395bd22f8d51fd1ab3e84e287edac207e8942b3f

  • SSDEEP

    12288:/LMEalqxXblqoRX5qbfphLxaOSoSDi7mbsG46w:zqaXNabfphLxaVpDiiQ9

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Lammer

C2

ie-serving.gl.at.ply.gg:18976

Mutex

d386661cfe8f30c3a692533641b57806

Attributes
  • reg_key

    d386661cfe8f30c3a692533641b57806

  • splitter

    |'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

Lammer1

C2

ie-serving.gl.at.ply.gg:18976

Mutex

82f896a33c031e162176bdb24630461b

Attributes
  • reg_key

    82f896a33c031e162176bdb24630461b

  • splitter

    |'|'|

Signatures

  • Njrat family
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall (2 TTPs, 1 IoCs)
  • Drops startup file (2 IoCs)
  • Executes dropped EXE (5 IoCs)
  • Loads dropped DLL (7 IoCs)
  • Adds Run key to start application (2 TTPs, 3 IoCs)
  • Subvert Trust Controls: Mark-of-the-Web Bypass (1 TTPs, 1 IoCs)

    When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL (1 TTPs, 3 IoCs)

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • NTFS ADS (1 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (35 IoCs)
  • Suspicious use of WriteProcessMemory (38 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3.exe
    "C:\Users\Admin\AppData\Local\Temp\621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3.exe"
    1⤵
    • Subvert Trust Controls: Mark-of-the-Web Bypass
    • NTFS ADS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2868
    • C:\Users\Admin\AppData\Local\Temp\crackreado.exe
      "C:\Users\Admin\AppData\Local\Temp\crackreado.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: GetForegroundWindowSpam
      PID:2644
    • C:\Users\Admin\AppData\Local\Temp\vn.exe
      "C:\Users\Admin\AppData\Local\Temp\vn.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2828
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lammer.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lammer.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2656
        • C:\Users\Admin\AppData\Roaming\explore.exe
          "C:\Users\Admin\AppData\Roaming\explore.exe"
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1928
          • C:\Windows\SysWOW64\netsh.exe
            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\explore.exe" "explore.exe" ENABLE
            5⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            • System Location Discovery: System Language Discovery
            PID:1400
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lammer1.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lammer1.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:1588

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\crackreado.exe

    Filesize

    266KB

    MD5

    08f60cc9834ea6aa7a0debb5a9f31596

    SHA1

    c5648fad6c56ee9709ef43ccbedb7c8eb5e1c765

    SHA256

    012b2fcc90e10eea3a4cae76faaedeb0a0577aa62925ad098c9dd8b6e610e97f

    SHA512

    649d7d0ecbe3cd8d3dbf649ff2389e9c88e094401a64b60429c6142c20f959c183a503245007d3bb5af80d223508298ee5750057c1279f4874942996bb5d4d4e

  • C:\Users\Admin\AppData\Local\Temp\vn.EXE

    Filesize

    49KB

    MD5

    ad82a9592cf1049cc41e09a5ded58087

    SHA1

    6c609e53570e6c681889e6ef8a125f3ea06dbd68

    SHA256

    ca36c45944b74585a60c05e618ab6bf891935f78f0137ccb27d23f2be13ca13f

    SHA512

    d96a40310057a7f4cd649fcc38d4d5b377b7a21ae3fd8d2941eb027eb8c107440f9d3bbd5cc67a701f40d4674f3df549dc96b2b0d0d68f592d1ece98bb4021bb

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\Lammer.exe

    Filesize

    23KB

    MD5

    26faf73fe025e21d49eb7d6d93146937

    SHA1

    0656911baa4e191c64e62bc8636f9dd9b4f3ac92

    SHA256

    ed3104c51ae7ce3a6ae62641c6bfbc5094a73eac53e6ca6706434e0815053195

    SHA512

    e7d0fa3cfe3bcd8ad36c01b132a463a1570f49fa3aa019d66e41359c49b2c88ef7af6a48a4de9bbe1f95c3b5840606514afca4011d836446c82ec5a0c1e83a54

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\Lammer1.exe

    Filesize

    23KB

    MD5

    6e21d078457153d26ad7bba875c27266

    SHA1

    021b8de05fd173c442445fdb7a2c35e6c55c22e4

    SHA256

    a80d4c357c01acdf27602109d41827da153c712d5ddc8dce1f19723257fd7e2f

    SHA512

    bf390204b31f532f94965c283210280fbbb47b5d5150825a8648362fb5443dc2d0df98b6bf9d8b0da8d8a273688b7252ed6043081ad545c1109f2cb4c65e6ef4

  • memory/2644-47-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

    Filesize

    9.6MB

  • memory/2644-32-0x000007FEF53BE000-0x000007FEF53BF000-memory.dmp

    Filesize

    4KB

  • memory/2644-66-0x000007FEF53BE000-0x000007FEF53BF000-memory.dmp

    Filesize

    4KB

  • memory/2644-42-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

    Filesize

    9.6MB

  • memory/2644-57-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

    Filesize

    9.6MB

  • memory/2828-34-0x0000000001000000-0x0000000001028548-memory.dmp

    Filesize

    161KB

  • memory/2828-50-0x0000000000230000-0x0000000000259000-memory.dmp

    Filesize

    164KB

  • memory/2828-48-0x0000000001023000-0x0000000001024000-memory.dmp

    Filesize

    4KB

  • memory/2828-49-0x0000000001000000-0x0000000001028548-memory.dmp

    Filesize

    161KB

  • memory/2828-31-0x0000000001000000-0x0000000001028548-memory.dmp

    Filesize

    161KB

  • memory/2828-67-0x0000000001000000-0x0000000001028548-memory.dmp

    Filesize

    161KB

  • memory/2828-68-0x0000000000230000-0x000000000023D000-memory.dmp

    Filesize

    52KB