Overview

overview

10

Static

static

10

bfccbd145f...11.exe

windows7-x64

10

bfccbd145f...11.exe

windows10-2004-x64

10

bff2e9336d...1b.exe

windows7-x64

10

bff2e9336d...1b.exe

windows10-2004-x64

10

c015c769dc...7b.exe

windows7-x64

10

c015c769dc...7b.exe

windows10-2004-x64

10

c02e930808...0e.exe

windows7-x64

10

c02e930808...0e.exe

windows10-2004-x64

10

c050e8dee0...78.exe

windows7-x64

7

c050e8dee0...78.exe

windows10-2004-x64

7

c06923d356...32.exe

windows7-x64

10

c06923d356...32.exe

windows10-2004-x64

10

c08fd2b60b...1e.exe

windows7-x64

10

c08fd2b60b...1e.exe

windows10-2004-x64

10

c094e156e6...d4.exe

windows7-x64

10

c094e156e6...d4.exe

windows10-2004-x64

10

c0b8bc022f...59.exe

windows7-x64

10

c0b8bc022f...59.exe

windows10-2004-x64

10

c0c57bb195...b1.exe

windows7-x64

10

c0c57bb195...b1.exe

windows10-2004-x64

10

c119d7a5cb...95.exe

windows7-x64

10

c119d7a5cb...95.exe

windows10-2004-x64

10

c13d1bcad6...37.exe

windows7-x64

7

c13d1bcad6...37.exe

windows10-2004-x64

7

c15177ea36...ea.exe

windows7-x64

10

c15177ea36...ea.exe

windows10-2004-x64

7

c156b157a6...f2.exe

windows7-x64

10

c156b157a6...f2.exe

windows10-2004-x64

10

c16c4b10a7...5e.exe

windows7-x64

10

c16c4b10a7...5e.exe

windows10-2004-x64

10

c16e3df003...bf.exe

windows7-x64

9

c16e3df003...bf.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22/03/2025, 06:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c15177ea36f2afdbf176de2a137587ea.exe

  • Size

    26KB

  • MD5

    c15177ea36f2afdbf176de2a137587ea

  • SHA1

    7dd50ee8fc28cf47c6aec26a329f96bca30ef66b

  • SHA256

    c886a602a924661c74be26d1f1123c152702f13126982dda2cde9f2cfee867a8

  • SHA512

    2acaffef03688a4b8382d336876323fcac6a06bda4a2b3235572d41e65800ccee80d747e7059185a4e5c28168263e61eb9f3093980c12661d34c7fa572df77a2

  • SSDEEP

    384:pLqW8nO4V7ngiJMroU9SPYiGGMdAQk93vmhm7UMKmIEecKdbXTzm9bVhcaA26KrZ:ZhVMgiOjdA/vMHTi9bDA

Score
10/10
njratlol checkerdiscoverypersistencetrojan

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

LoL Checker

C2

dawid10666-47477.portmap.host:47477

Mutex

Windows

Attributes
  • reg_key

    Windows

  • splitter

    |-F-|

Signatures

  • Njrat family
    njrat
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 33 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Views/modifies file attributes 1 TTPs 3 IoCs
    defense_evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\c15177ea36f2afdbf176de2a137587ea.exe
    "C:\Users\Admin\AppData\Local\Temp\c15177ea36f2afdbf176de2a137587ea.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3024
    • C:\Users\Admin\AppData\Roaming\LoL Checker.exe
      "C:\Users\Admin\AppData\Roaming\LoL Checker.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2392
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2880
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2748
    • C:\Windows\SysWOW64\attrib.exe
      attrib +h +r +s "C:\Users\Admin\AppData\Roaming\LoL Checker.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Views/modifies file attributes
      PID:2652

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\LoL Checker.exe
    Filesize

    26KB

    MD5

    c15177ea36f2afdbf176de2a137587ea

    SHA1

    7dd50ee8fc28cf47c6aec26a329f96bca30ef66b

    SHA256

    c886a602a924661c74be26d1f1123c152702f13126982dda2cde9f2cfee867a8

    SHA512

    2acaffef03688a4b8382d336876323fcac6a06bda4a2b3235572d41e65800ccee80d747e7059185a4e5c28168263e61eb9f3093980c12661d34c7fa572df77a2

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
    Filesize

    1KB

    MD5

    aab0594dc0ccf72394edb0350a86b3f1

    SHA1

    213f977d9d4b23d8ad554e86c2993d373bab6302

    SHA256

    cbd65a8650c6b50d91ccdede66a06aaf39709cbe2a8e18d0c96c7d5cbd8506ca

    SHA512

    dc4fd43d6641c93aed49613704bffab906cbc10f2aa7a3945ce02e6eff299c165cd459e8b047e836ae38871517bfdfe9b2e1fa59b45f9e28d429866b739da16e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
    Filesize

    1018B

    MD5

    e1d45e45044687dab3a6d0632db13944

    SHA1

    899a5d21fc82511f1958f529f7a8cb07fca318a9

    SHA256

    cf1c0a075333927031717773ab95451514e865ea03dfbbadfb4ec20316af0149

    SHA512

    7643e22b5b86ef3847ca78aa6c6bd6f00823e5277832750cf4bf00975088a7dfb4143ab97c50ebbac4698b062e452aaf01efc070fc3801cb82659800bed66690

    Download Submit

  • memory/2392-19-0x0000000074DE0000-0x000000007538B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2392-26-0x0000000074DE0000-0x000000007538B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2392-25-0x0000000074DE0000-0x000000007538B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2392-18-0x0000000074DE0000-0x000000007538B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2392-24-0x0000000074DE0000-0x000000007538B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3024-5-0x0000000074DE0000-0x000000007538B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3024-17-0x0000000074DE0000-0x000000007538B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3024-16-0x0000000074DE0000-0x000000007538B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3024-0-0x0000000074DE1000-0x0000000074DE2000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3024-2-0x0000000074DE0000-0x000000007538B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3024-1-0x0000000074DE0000-0x000000007538B000-memory.dmp

    Filesize

    5.7MB

    Download