Analysis

  • max time kernel
    23s
  • max time network
    16s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250113-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20250113-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    28-01-2025 12:04

General

  • Target

    Nursultan.exe

  • Size

    17.5MB

  • MD5

    186878f03c828104ae806baba96aeb97

  • SHA1

    1913e0299b2fc42f275b13cac435b78e3b6f37df

  • SHA256

    55268aba21741e673432fd0008b19725a32191a14212cff94440a2df4e0f92fe

  • SHA512

    b9e4c4109ea9386d394d72e6dfcf3d4a020ba2591844dfe114482e50d72613e6c7b32ec2c40606bc63c9185d8728c115587897ddb3379bc09cdf4b5ec8737ad8

  • SSDEEP

    393216:aquA/JFQOEKdqGdVgT7uOPXtWV0HVvvoP7cI/NG1CMkCCk3BrS:apMKOEKd9dK7uOPXtW8otAwMkCCuB2

Malware Config

Signatures

  • Njrat family
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Obfuscated with Agile.Net obfuscator 2 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies registry class 2 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious use of SetWindowsHookEx 21 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
    "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    PID:4124
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:704
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Bunifu.Licensing.dll
      • Opens file in notepad (likely ransom note)
      PID:2616

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Bunifu.Licensing.dll

    Filesize

    1.3MB

    MD5

    2b2740e0c34a46de31cf9da8a75d77cf

    SHA1

    242324f1112e6387cda41686291b6e9a415eeb8c

    SHA256

    a9be91cae167702885a5ca74273db779e3e391e2e604cc03779ed403c53ebe43

    SHA512

    605eb300b159e6ed2ee872b6ee378eed7dde6541000221fcd94d52057be91cb3c7dd65c7203f05e0718303b157b6fb941498b5e653501f97f0417d459da6bc40

  • memory/4124-9-0x0000000000400000-0x0000000001592000-memory.dmp

    Filesize

    17.6MB