Overview

overview

10

Static

static

10

brootForce.exe

windows7-x64

10

brootForce.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    900s
  • max time network
    886s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    01-02-2025 22:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    brootForce.exe

  • Size

    167KB

  • MD5

    3964190fb6503039acf4c590f1e22b6a

  • SHA1

    4201a8f44d2c449e47704ea37351589e51ee1e29

  • SHA256

    7c1978631c42844ab98a3580b131b5b279087b9ed2a955c0ff8c22f557ee900e

  • SHA512

    b1fffbb9cd0609440648542e73ed76399eef8e9c39a79bea890ca6c7d1026ebdb30fc5ce9786bff274fe659a7a482a60b514a38fc56a42165a5b8c6e0ed7664c

  • SSDEEP

    3072:e2qK4C4BoN36t4QviFC0MBn3fWl9zWaF9bPYvM9UJ8T2SXZyrgoBJtbN/3MCK2kV:eKP9zgvMx/JdSI5eb

Score
10/10
njrathackeddiscoverypersistencetrojan

Malware Config

Extracted

Family

njrat

Version

Platinum

Botnet

HacKed

C2

127.0.0.1:16168

Mutex

svchost.exe

Attributes
  • reg_key

    svchost.exe

  • splitter

    |Ghost|

Signatures

  • Njrat family
    njrat
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Deletes itself 1 IoCs
  • Drops startup file 3 IoCs
  • Executes dropped EXE 16 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Kills process with taskkill 1 IoCs
    defense_evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\brootForce.exe
    "C:\Users\Admin\AppData\Local\Temp\brootForce.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1928
    • C:\Windows\svchost.exe
      "C:\Windows\svchost.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2200
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f im discord.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        PID:2664
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2784
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\svchost.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2828
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\Users\Admin\AppData\Local\Temp\brootForce.exe"
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2720
      • C:\Windows\SysWOW64\choice.exe
        choice /C Y /N /D Y /T 5
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2640
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {FA9F1937-D134-46D0-B182-1BF547D4888C} S-1-5-21-1846800975-3917212583-2893086201-1000:ZQABOPWE\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2580
    • C:\Windows\svchost.exe
      C:\Windows\svchost.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1280
    • C:\Windows\svchost.exe
      C:\Windows\svchost.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2024
    • C:\Windows\svchost.exe
      C:\Windows\svchost.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1488
    • C:\Windows\svchost.exe
      C:\Windows\svchost.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1644
    • C:\Windows\svchost.exe
      C:\Windows\svchost.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2860
    • C:\Windows\svchost.exe
      C:\Windows\svchost.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:988
    • C:\Windows\svchost.exe
      C:\Windows\svchost.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:828
    • C:\Windows\svchost.exe
      C:\Windows\svchost.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1972
    • C:\Windows\svchost.exe
      C:\Windows\svchost.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:836
    • C:\Windows\svchost.exe
      C:\Windows\svchost.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1776
    • C:\Windows\svchost.exe
      C:\Windows\svchost.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1900
    • C:\Windows\svchost.exe
      C:\Windows\svchost.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2428
    • C:\Windows\svchost.exe
      C:\Windows\svchost.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:304
    • C:\Windows\svchost.exe
      C:\Windows\svchost.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2244
    • C:\Windows\svchost.exe
      C:\Windows\svchost.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2188

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\svchost.exe
    Filesize

    167KB

    MD5

    3964190fb6503039acf4c590f1e22b6a

    SHA1

    4201a8f44d2c449e47704ea37351589e51ee1e29

    SHA256

    7c1978631c42844ab98a3580b131b5b279087b9ed2a955c0ff8c22f557ee900e

    SHA512

    b1fffbb9cd0609440648542e73ed76399eef8e9c39a79bea890ca6c7d1026ebdb30fc5ce9786bff274fe659a7a482a60b514a38fc56a42165a5b8c6e0ed7664c

    Download Submit

  • memory/1928-0-0x00000000747B1000-0x00000000747B2000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1928-1-0x00000000747B0000-0x0000000074D5B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1928-2-0x00000000747B0000-0x0000000074D5B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1928-10-0x00000000747B0000-0x0000000074D5B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2200-11-0x00000000747B0000-0x0000000074D5B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2200-9-0x00000000747B0000-0x0000000074D5B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2200-15-0x00000000747B0000-0x0000000074D5B000-memory.dmp

    Filesize

    5.7MB

    Download