Overview

overview

10

Static

static

3

service.exe

windows10-ltsc 2021-x64

10

Analysis

  • max time kernel
    30s
  • max time network
    5s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250113-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    18-01-2025 15:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    service.exe

  • Size

    48KB

  • MD5

    98747f5b8125fdbd59f050e30618867f

  • SHA1

    19adbbc70a56d1cefc2f8c60a139e0540affe661

  • SHA256

    0101605928448cc2af7c21ce1f0e701989816fd83c7dc233ca43516427ed8ab7

  • SHA512

    f1356242dd9f56d3606ca3707d1cfddc7bba90cdcd902cc2400255ab63c4608986d249520a7f4c330b11c4b428dbb2468406b7e2b455611c03e8c8dfac6e9aca

  • SSDEEP

    768:tzudimXcTHesAM68IwLXxIICnUErFjeiR5C2w5zP0AMj0OLDKTM/vO0AURXSO:d8LzmBpkrdaJ0Ak5fKY/rfSO

Score
10/10
njratprothv2discoverytrojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

PROTHV2

C2

103.253.73.222:711

Mutex

bc537b56da07a3b4870ad823ad802a4a

Attributes
  • reg_key

    bc537b56da07a3b4870ad823ad802a4a

  • splitter

    Y262SUCZ4UJJ

Signatures

  • Njrat family
    njrat
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\service.exe
    "C:\Users\Admin\AppData\Local\Temp\service.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1912
    • C:\Users\Admin\AppData\Local\Temp\service.exe
      "C:\Users\Admin\AppData\Local\Temp\service.exe"
      2⤵
        PID:2152
      • C:\Users\Admin\AppData\Local\Temp\service.exe
        "C:\Users\Admin\AppData\Local\Temp\service.exe"
        2⤵
          PID:1856
        • C:\Users\Admin\AppData\Local\Temp\service.exe
          "C:\Users\Admin\AppData\Local\Temp\service.exe"
          2⤵
          • System Location Discovery: System Language Discovery
          PID:1704

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\service.exe.log
        Filesize

        1KB

        MD5

        bd76295661516015cc654d284dc2c276

        SHA1

        66f835bf0b154292d8ad17212a0feabc5f4f1a18

        SHA256

        aeef561f6ece2de3d114091d2304534b65152dfee9e195c80876477344422f12

        SHA512

        0aa544e8684fe8b668623d5668a82abc590938c60fbbfd4959a8e8b1cb16d96858824d170a174b2084569b2756a97ce1b825d588a8a5b3cd4ed040182bcad5fc

        Download Submit

      • memory/1704-11-0x0000000000400000-0x000000000040E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1704-15-0x0000000074F70000-0x0000000075721000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1704-14-0x0000000005390000-0x000000000542C000-memory.dmp

        Filesize

        624KB

        Download

      • memory/1912-5-0x0000000005440000-0x000000000544A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/1912-4-0x0000000074F70000-0x0000000075721000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1912-6-0x0000000005520000-0x0000000005596000-memory.dmp

        Filesize

        472KB

        Download

      • memory/1912-7-0x0000000074F7E000-0x0000000074F7F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1912-8-0x0000000074F70000-0x0000000075721000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1912-9-0x0000000005430000-0x0000000005440000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1912-10-0x00000000056F0000-0x000000000570E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/1912-0-0x0000000074F7E000-0x0000000074F7F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1912-3-0x0000000005380000-0x0000000005412000-memory.dmp

        Filesize

        584KB

        Download

      • memory/1912-2-0x0000000005850000-0x0000000005DF6000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/1912-16-0x0000000074F70000-0x0000000075721000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1912-1-0x0000000000990000-0x00000000009A2000-memory.dmp

        Filesize

        72KB

        Download