Extracted

• • Target

    officedeploymenttool_18227-20162.exe

  • Size

    37.5MB

  • MD5

    d85711a9d52862c3e538d79217244059

  • SHA1

    3ed74e38b09b34db3add5fb2c1f4debb66651987

  • SHA256

    b84d06eb8b490a54bdd252a58d25eb54f5580018ecbf3066e0cd5d03ef284c96

  • SHA512

    7858369ea6aead310ce6524699301958167914453e7d83849b62088e58c8ef318a75e14da637434340f15e01acbe623337a7d1a06e15ea18c3c32b15d8e843ae

  • SSDEEP

    786432:vhP/Hle221VnfaWCXcbWDMzISiBddts4s0ACgz27e6fg8/KQxg6U5SeE+nz2E:vBlVsCFhDMzwds4s0oZ+g8CQxfYX6

  Score

  10^/10

  njratxmrigcykadefense_evasiondiscoveryminerpersistenceprivilege_escalationpyinstallertrojanupxcollectioncredential_accessexecutionspywarestealer

  • Njrat family

    njrat

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Xmrig family

    xmrig

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig

  • XMRig Miner payload

    miner

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution

  • Contacts a large (841) amount of remote hosts

    This may indicate a network scan to discover remotely running services.

    discovery

  • Modifies Windows Firewall

    defense_evasion

  • Stops running service(s)

    defense_evasionexecution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Clipboard Data

    Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    collection

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Unsecured Credentials: Credentials In Files

    Steal credentials from unsecured files.

    credential_accessstealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Obfuscated Files or Information: Command Obfuscation

    Adversaries may obfuscate content during command execution to impede detection.

    defense_evasion

  • AutoIT Executable

    AutoIT scripts compiled to PE executables.

  • Enumerates processes with tasklist

    discovery

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1behavioral2