Analysis

  • max time kernel
    150s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    01-07-2024 03:36

General

  • Target

    d2f88089c3d5494c19db88bed2ff3fab.exe

  • Size

    9.5MB

  • MD5

    d2f88089c3d5494c19db88bed2ff3fab

  • SHA1

    6b4dccd3aedd879ac396e077411c22187f29a4fe

  • SHA256

    365e01b07587c756e5fb6244134dc503907fca97402f977724acda871f38a563

  • SHA512

    1d001d453eb7c97bec2a6562dda086420ecbbf432b57c90e31178d23f65df33272eeffcbda5c4b03507bf93f381d99a683c40491a898c0ee2cee949483d8c262

  • SSDEEP

    196608:O8sRcBDzf4LBIP6dL2Vmd6+DlulOToPVIn+LH/+z3+07MmQZwS1rlzy:eszf490qL2Vmd6mlFTodIn+LH/+zy+SP

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

gcpanel.hackcrack.io:15508

Mutex

Windows Explorer

Attributes
  • reg_key

    Windows Explorer

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Detects Pyinstaller 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d2f88089c3d5494c19db88bed2ff3fab.exe
    "C:\Users\Admin\AppData\Local\Temp\d2f88089c3d5494c19db88bed2ff3fab.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1412
    • C:\Users\Admin\AppData\Local\Temp\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      PID:2632
    • C:\Users\Admin\AppData\Local\Temp\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1228
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2828
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:588
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe"
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1800
            • C:\Windows\system32\netsh.exe
              netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" "explorer.exe" ENABLE
              6⤵
              • Modifies Windows Firewall
              • Event Triggered Execution: Netsh Helper DLL
              PID:2160
    • C:\Users\Admin\AppData\Local\Temp\phone_gen .exe
      "C:\Users\Admin\AppData\Local\Temp\phone_gen .exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2740
      • C:\Users\Admin\AppData\Local\Temp\phone_gen .exe
        "C:\Users\Admin\AppData\Local\Temp\phone_gen .exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2468

Network

MITRE ATT&CK Matrix ATT&CK v13

Persistence

  • Create or Modify System Process (1) T1543
    • Windows Service (1) T1543.003
  • Boot or Logon Autostart Execution (1) T1547
    • Registry Run Keys / Startup Folder (1) T1547.001
  • Event Triggered Execution (1) T1546
    • Netsh Helper DLL (1) T1546.007

Privilege Escalation

  • Create or Modify System Process (1) T1543
    • Windows Service (1) T1543.003
  • Boot or Logon Autostart Execution (1) T1547
    • Registry Run Keys / Startup Folder (1) T1547.001
  • Event Triggered Execution (1) T1546
    • Netsh Helper DLL (1) T1546.007

Defense Evasion

  • Impair Defenses (1) T1562
    • Disable or Modify System Firewall (1) T1562.004
  • Modify Registry (1) T1112

Discovery

  • System Information Discovery (1) T1082

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Setup.exe
    Filesize

    461KB

    MD5

    ee76425b767c9ab812a53c133b8363f8

    SHA1

    1daa4700a5f1849eb7e810986ac24bd58786da61

    SHA256

    f962e1a60673963b7c2fa51a0663260df63771dfbd7423af67c2d142f7245747

    SHA512

    004d1b4acc7084ba8c520d94032c19342228ed6346321b04641450f87a32f78a92212e3940e4cf0790af2e5640c6001e7c805dc99cf8f9a146d752b5ee117c3b

  • C:\Users\Admin\AppData\Local\Temp\_MEI27402\python310.dll
    Filesize

    4.2MB

    MD5

    7e45e4d723e4775f6e26628315f370ad

    SHA1

    76a8104c5d073c6f7619872426d440bcabd18bb9

    SHA256

    7cc15b7440710f8fecaa67396b83436b3b2962e3757482dfbaf926ee74f86882

    SHA512

    4e11316ebbf6af953dcf991148cca98a155d48d4f8b5ee068f2bc7a56aa14c8a7661d52ecce9bc3c4aa5495868503b81010d81c4fe3a15fa789f13ce081c82fb

  • C:\Users\Admin\AppData\Local\Temp\phone_gen .exe
    Filesize

    9.0MB

    MD5

    1f8257c97c37478f9c1293416ccbf03c

    SHA1

    512be8e084e2a8f42d5c71a7ef802de7a136b2cb

    SHA256

    15c590d3c6be2c0451b892b8e37f16d8d8051e31afa857aec0debf6165268d54

    SHA512

    1c4a4d7d5a87a1ec1ff4a0ea0757e5013ea6760617925ac679e00994a70312df0079eddc5bdf4d3427045adbe49f6e2237f38fec32071518753794ec1821fb28

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
    Filesize

    238KB

    MD5

    e5346953e507542ef5f87d1ed1510d64

    SHA1

    d3ac56ed0c1fb65ca1d786d740cc653e7bb0315c

    SHA256

    6b359ae1c40430addcdf18d1832e7551e99aac978ea90bed1567edb2e378576f

    SHA512

    a03a9d9a4529c9997298708dcfb887dca5ea90419f30f01980bbedc9a9929581c0526667c4648c66a58582a22049c62eff75a19134730f0e50b6c7ceb368c265

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    Filesize

    325KB

    MD5

    f36e535fdc82208fca08acfa44f790c6

    SHA1

    a3cc1aa7d614094faebada2aed1e6c519bd18c94

    SHA256

    51efbe235b492c7e99c480915c7eeecf85f5ee6d540189ee5aa54fe9f0fafcdc

    SHA512

    631db5246159e045ed6911867f25991ae8824951e608c2fef25bc48482271aeb3ad26f1c98a04b4cbbf431ce20ef027cacb4bf0b3d85e048885da2b709f3a9af

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.zip
    Filesize

    275KB

    MD5

    d64c44bbca049d3f19402c195840c33f

    SHA1

    cd7b0eff352490ad82953ee5cb1314d1a5e6311d

    SHA256

    f6533a93d1fe59bfe49976a24c0c828ade9981d5e94d7882f2460b533c8c3843

    SHA512

    de7a1e074ee5dc56e1f01112a5f613dcd2ce1dfd1d7e72d464b46789e750eb286f79d5c4d801984239a4505314ab0221d1bb62d08ddc7961c34cd466b558780b

  • memory/588-108-0x0000000000590000-0x000000000059C000-memory.dmp
    Filesize

    48KB

  • memory/1228-25-0x00000000004D0000-0x00000000004FA000-memory.dmp
    Filesize

    168KB

  • memory/1412-1-0x0000000001000000-0x0000000001988000-memory.dmp
    Filesize

    9.5MB

  • memory/1412-0-0x000007FEF5983000-0x000007FEF5984000-memory.dmp
    Filesize

    4KB

  • memory/2632-60-0x000007FEF5980000-0x000007FEF636C000-memory.dmp
    Filesize

    9.9MB

  • memory/2632-61-0x000007FEF5980000-0x000007FEF636C000-memory.dmp
    Filesize

    9.9MB

  • memory/2632-16-0x00000000012D0000-0x0000000001348000-memory.dmp
    Filesize

    480KB

  • memory/2828-67-0x00000000002C0000-0x00000000002C8000-memory.dmp
    Filesize

    32KB

  • memory/2828-66-0x0000000000BF0000-0x0000000000C46000-memory.dmp
    Filesize

    344KB