Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-01-2025 11:41

General

  • Target

    1c8368db627fc2772484d28c8685eb99.exe

  • Size

    6.8MB

  • MD5

    1c8368db627fc2772484d28c8685eb99

  • SHA1

    3850f2b066c1df55c70d63b6d89eb6854fb24df1

  • SHA256

    c9da3969931b59d99a6b21cfabd2677c6c58b848d0a6b19b8c1a9112a2e61e21

  • SHA512

    6e25b79aad59b0ad43ea855ccbeb343dfc51310d9a56ef10dbc6654cff80c2546a87213aed3c09fb524a448aa3d1fc54ae99b9a63933fd3e1ab2c52aee436393

  • SSDEEP

    196608:OJoCz3uizalBzSTIj5JvIe7Vs9oxUDXj8jGphb:YuPzRBIe7VB8T3l

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

-

C2

5.tcp.eu.ngrok.io:15938

Mutex

76f76913a3057d2193e27e6377b7ae49

Attributes
  • reg_key

    76f76913a3057d2193e27e6377b7ae49

  • splitter

    |'|'|

Signatures

  • Njrat family
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Detects Pyinstaller 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 33 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1c8368db627fc2772484d28c8685eb99.exe
    "C:\Users\Admin\AppData\Local\Temp\1c8368db627fc2772484d28c8685eb99.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4736
    • C:\Users\Admin\AppData\Local\Temp\final986987.exe
      "C:\Users\Admin\AppData\Local\Temp\final986987.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4656
      • C:\Users\Admin\AppData\Local\Temp\final986987.exe
        "C:\Users\Admin\AppData\Local\Temp\final986987.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2684
        • C:\Windows\SYSTEM32\cmd.exe
          cmd /c echo %temp%
          4⤵
            PID:1236
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\INST.exe
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4720
            • C:\Users\Admin\AppData\Local\Temp\INST.exe
              C:\Users\Admin\AppData\Local\Temp\INST.exe
              5⤵
              • Checks computer location settings
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:640
              • C:\Users\Admin\AppData\Roaming\Discord.exe
                "C:\Users\Admin\AppData\Roaming\Discord.exe"
                6⤵
                • Drops startup file
                • Executes dropped EXE
                • Adds Run key to start application
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4000
                • C:\Windows\SysWOW64\netsh.exe
                  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Discord.exe" "Discord.exe" ENABLE
                  7⤵
                  • Modifies Windows Firewall
                  • Event Triggered Execution: Netsh Helper DLL
                  • System Location Discovery: System Language Discovery
                  PID:3428

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\INST.exe

      Filesize

      37KB

      MD5

      e15f1ae07241a0e093f2fc79dc218011

      SHA1

      78ca680266cdc6ebdf880be1a495ec551921320f

      SHA256

      f88d09ebfce239bf3bcc4aaf30da363d3ae1fe938a7877af241884f63385c3aa

      SHA512

      f6ca9c285ac1071e721478fa21a1ec128117bad47b6e7daa3703223de2b582391c42ba83b8ed2a906470307eda70f6657055f6d153dacebfc89df5bc47604cdb

    • C:\Users\Admin\AppData\Local\Temp\_MEI46562\VCRUNTIME140.dll

      Filesize

      106KB

      MD5

      870fea4e961e2fbd00110d3783e529be

      SHA1

      a948e65c6f73d7da4ffde4e8533c098a00cc7311

      SHA256

      76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

      SHA512

      0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

    • C:\Users\Admin\AppData\Local\Temp\_MEI46562\base_library.zip

      Filesize

      1.7MB

      MD5

      948430bbba768d83a37fc725d7d31fbb

      SHA1

      e00d912fe85156f61fd8cd109d840d2d69b9629b

      SHA256

      65ebc074b147d65841a467a49f30a5f2f54659a0cc5dc31411467263a37c02df

      SHA512

      aad73403964228ed690ce3c5383e672b76690f776d4ff38792544c67e6d7b54eb56dd6653f4a89f7954752dae78ca35f738e000ffff07fdfb8ef2af708643186

    • C:\Users\Admin\AppData\Local\Temp\_MEI46562\python311.dll

      Filesize

      5.5MB

      MD5

      1fe47c83669491bf38a949253d7d960f

      SHA1

      de5cc181c0e26cbcb31309fe00d9f2f5264d2b25

      SHA256

      0a9f2c98f36ba8974a944127b5b7e90e638010e472f2eb6598fc55b1bda9e7ae

      SHA512

      05cc6f00db128fbca02a14f60f86c049855f429013f65d91e14ea292d468bf9bfdeebc00ec2d54a9fb5715743a57ae3ab48a95037016240c02aabe4bfa1a2ff4

    • C:\Users\Admin\AppData\Local\Temp\final986987.exe

      Filesize

      6.6MB

      MD5

      ef12eb5be4046a8d70e864d3b623bb2d

      SHA1

      cf28f12a882cd8dfa1b280c2254013a7908d1984

      SHA256

      e5cf853398bcdd00fa6925a007cb7683e61d35c11ec641da44c419fd66d66dab

      SHA512

      89c7b5eb7170c58d80b893cbe4e65556f6b8a640321fe390c8c3acd13e2ae786ea9462a6b1db8342fbc107e1575a7dd84051f2aefd6baf94be360bf818d68d4d

    • memory/640-32-0x00000000749D2000-0x00000000749D3000-memory.dmp

      Filesize

      4KB

    • memory/640-33-0x00000000749D0000-0x0000000074F81000-memory.dmp

      Filesize

      5.7MB

    • memory/640-34-0x00000000749D0000-0x0000000074F81000-memory.dmp

      Filesize

      5.7MB

    • memory/640-44-0x00000000749D0000-0x0000000074F81000-memory.dmp

      Filesize

      5.7MB