Analysis

  • max time kernel
    151s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    14-12-2020 13:55

General

  • Target

    20f6117d283429b37fe69bac1c359ae2.exe

  • Size

    483KB

  • MD5

    20f6117d283429b37fe69bac1c359ae2

  • SHA1

    b7da29f00ccbc21afcdee37e555881bbeafc8dd3

  • SHA256

    0c8e9450e4da34f82d2c7dc00dc2969fd1557fd074ba1ba5e743cfeebd010634

  • SHA512

    f989093dcc5c5bad8bd4d6224d5153170f1f3be5f563c79ef0bdf4684abc4174a2d4c47b6f81eceb931cbb1077a35f0948a45bd09605430778e0f05c7b9d2db6

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    Victima

  • C2

    ctaenl.hopto.org:5552

  • Mutex

    a051d95b93b260b31c1eaef96aa2d0fa

  • Attributes
    • reg_key

      a051d95b93b260b31c1eaef96aa2d0fa

    • splitter

      |'|'|
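As an added example, not part of the sandbox report: a decoder for the TCP framing njRAT uses, keyed on the splitter extracted above. It assumes the framing described in public njRAT 0.7d write-ups (each message is `<decimal length>\x00<payload>`, with payload fields separated by the configured splitter). The report recorded no network traffic, so the session below is constructed; the field layout of the `ll` registration message is illustrative, and only the botnet name, version and splitter are this sample's.

```python
# Added example (not from the report): decode njRAT's TCP framing using the
# splitter extracted from this sample. Assumed from public njRAT 0.7d
# write-ups: each message is "<decimal length>\x00<payload>", with payload
# fields separated by the configured splitter.

SPLITTER = "|'|'|"                    # 'splitter' attribute of the extracted config
C2 = ("ctaenl.hopto.org", 5552)       # C2 from the extracted config (never contacted here)


def frame(fields, splitter=SPLITTER):
    """Encode one message the way the implant does: join fields, prefix with length and NUL."""
    payload = splitter.encode().join(fields)
    return b"%d\x00%s" % (len(payload), payload)


class NjratDecoder:
    """Incremental decoder: feed() TCP chunks split anywhere, get complete messages back."""

    MAX_PREFIX = 10   # a decimal length prefix longer than this is not njRAT framing

    def __init__(self, splitter=SPLITTER):
        self.splitter = splitter.encode()
        self.buf = b""

    def feed(self, data: bytes):
        self.buf += data
        msgs = []
        while True:
            nul = self.buf.find(b"\x00", 0, self.MAX_PREFIX + 1)
            if nul == -1:
                if len(self.buf) > self.MAX_PREFIX:
                    raise ValueError("no NUL-terminated length prefix: not njRAT framing")
                break                                  # need more bytes for the prefix
            prefix = self.buf[:nul]
            if not prefix.isdigit():
                raise ValueError(f"non-numeric length prefix {prefix!r}")
            end = nul + 1 + int(prefix)
            if len(self.buf) < end:
                break                                  # partial frame, wait for more data
            msgs.append(self._parse(self.buf[nul + 1:end]))
            self.buf = self.buf[end:]
        return msgs

    def _parse(self, payload: bytes) -> dict:
        parts = [p.decode("utf-8", "replace") for p in payload.split(self.splitter)]
        return {"cmd": parts[0], "args": parts[1:]}


# Constructed sample session (the report recorded no network traffic). The
# field layout of the "ll" registration message follows public njRAT
# analyses and is illustrative; botnet name and version are this sample's.
SAMPLE_LL = frame([b"ll", b"Victima_0123456789ABCDEF", b"DESKTOP-TEST", b"Admin",
                   b"20-12-14", b"", b"Win 10 Pro SP0 x64", b"No", b"0.7d", b"..",
                   b"UHJvZ3JhbSBNYW5hZ2Vy"])       # base64("Program Manager"): active window
SAMPLE_PING = frame([b"P"])                       # keep-alive, constructed


def decode_sample():
    """Feed the session in two chunks that split the first frame mid-payload."""
    dec = NjratDecoder()
    stream = SAMPLE_LL + SAMPLE_PING
    first = dec.feed(stream[:7])   # prefix plus a few payload bytes: nothing complete yet
    rest = dec.feed(stream[7:])    # completes "ll" and delivers "P"
    return first, rest


if __name__ == "__main__":
    for msg in decode_sample()[1]:
        print(msg["cmd"], msg["args"])
```

Because the length prefix is plain ASCII followed by a NUL, a stream that does not produce one within the first few bytes (an HTTP request, say) is rejected instead of being buffered forever, which is the failure mode to watch for when pointing a decoder like this at arbitrary traffic to port 5552.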

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET. The mutex and the reg_key in the extracted config are the same string, as is usual for njRAT, so that value is a reliable host IoC on its own.

  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Uses the VBS compiler for execution 1 TTPs

    vbc.exe is the Visual Basic .NET compiler shipped with the framework. Here it is started with no arguments by the dropped o8bm4.exe and then written to (SetThreadContext plus WriteProcessMemory, see the process tree), i.e. it serves as a process-hollowing host and compiles nothing.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; for njRAT it is the USB-spreading routine (copying itself to removable drives), not encryption.

  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 31 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\20f6117d283429b37fe69bac1c359ae2.exe
    "C:\Users\Admin\AppData\Local\Temp\20f6117d283429b37fe69bac1c359ae2.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3336
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\w1p4v\yccov.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3252
      • C:\Users\Admin\AppData\Local\Temp\w1p4v\o8bm4.exe
        "C:\Users\Admin\AppData\Local\Temp\w1p4v\o8bm4.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2816
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
          4⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:192
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 && move C:\xNgHYmxNgHYm\xNgHYm.vbs "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xNgHYm.vbs"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3200
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1
              6⤵
              • Runs ping.exe
              PID:3948
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
            5⤵
              PID:2288
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
              5⤵
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2220
              • C:\Windows\SysWOW64\netsh.exe
                netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE
                6⤵
                  PID:3816
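An added detection example, not the sandbox's own logic: the process tree above replayed as constructed Sysmon-style events and scored by four rules, one per stage of the chain (script host running a .vbs from the user profile, .NET framework utility launched without arguments, file moved into the Startup folder, firewall exception for a LOLBin). PIDs, images and command lines are taken from the tree; the parent PID 0 for the submitted sample is an assumption, since the report does not show its parent.

```python
# Added example (not sandbox output): replay the process tree from this
# report as Sysmon-style events and flag each stage of the njRAT chain.
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the Processes section above; ppid 0 for the submitted
# sample is an assumption (the report does not show its parent).
EVENTS = [
    Proc(3336, 0, r"C:\Users\Admin\AppData\Local\Temp\20f6117d283429b37fe69bac1c359ae2.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\20f6117d283429b37fe69bac1c359ae2.exe"'),
    Proc(3252, 3336, r"C:\Windows\SysWOW64\WScript.exe",
         r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\w1p4v\yccov.vbs"'),
    Proc(2816, 3252, r"C:\Users\Admin\AppData\Local\Temp\w1p4v\o8bm4.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\w1p4v\o8bm4.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe'),
    Proc(192, 2816, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
         r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"'),
    Proc(3200, 192, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 && move C:\xNgHYmxNgHYm\xNgHYm.vbs '
         r'"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xNgHYm.vbs"'),
    Proc(3948, 3200, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    Proc(2288, 192, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe",
         r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"'),
    Proc(2220, 192, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe",
         r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"'),
    Proc(3816, 2220, r"C:\Windows\SysWOW64\netsh.exe",
         r'netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE'),
]

# .NET framework utilities that do nothing useful when launched with no
# arguments; a bare launch is the classic process-hollowing host pattern.
NET_FX = re.compile(r"\\Microsoft\.NET\\Framework(?:64)?\\v[\d.]+\\"
                    r"(?:vbc|csc|RegAsm|RegSvcs|InstallUtil|MSBuild)\.exe$", re.I)
USER_PATH = re.compile(r"\\AppData\\(?:Local|Roaming)\\", re.I)
STARTUP = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
SCRIPT_EXT = re.compile(r"\.(?:vbs|vbe|js|jse|wsf)\b", re.I)
FW_ALLOW = re.compile(r'firewall\s+add\s+allowedprogram\s+(?:"([^"]+)"|(\S+))', re.I)


def launched_without_args(p: Proc) -> bool:
    """True when the command line is nothing but the (optionally quoted) image path."""
    return p.cmdline.strip().strip('"').lower() == p.image.lower()


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def check(p: Proc):
    """Return a rule name if the event matches one stage of the chain, else None."""
    img = p.image.lower()
    if NET_FX.search(p.image) and launched_without_args(p):
        return "dotnet-utility-launched-without-arguments"
    if img.endswith(("\\wscript.exe", "\\cscript.exe")) and USER_PATH.search(p.cmdline) \
            and SCRIPT_EXT.search(p.cmdline):
        return "script-host-running-script-from-user-profile"
    if img.endswith("\\cmd.exe") and STARTUP.search(p.cmdline) \
            and re.search(r"\b(?:move|copy)\b", p.cmdline, re.I):
        return "file-placed-in-startup-folder"
    if img.endswith("\\netsh.exe"):
        m = FW_ALLOW.search(p.cmdline)
        if m:
            target = m.group(1) or m.group(2)
            if NET_FX.search(target) or USER_PATH.search(target):
                return "firewall-exception-for-lolbin-or-user-path"
    return None


def ancestry(p: Proc, by_pid: dict) -> str:
    """Image names from the event up to the root, for triage context."""
    chain = [basename(p.image)]
    while p.ppid in by_pid:
        p = by_pid[p.ppid]
        chain.append(basename(p.image))
    return " <- ".join(chain)


def detect(events):
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        rule = check(e)
        if rule:
            findings.append((e.pid, rule, ancestry(e, by_pid)))
    return findings


if __name__ == "__main__":
    for pid, rule, chain in detect(EVENTS):
        print(f"PID {pid:<5} {rule:<45} {chain}")
```

Run against the tree above this flags six of the nine processes: WScript.exe (3252), the three argument-less framework binaries (192, 2288, 2220), the cmd.exe that moves the .vbs into Startup (3200) and the netsh.exe firewall exception (3816); the submitted sample, o8bm4.exe and ping.exe are left to the ancestry string, which ties every hit back to the dropper in %TEMP%. The `launched_without_args` rule is the one worth deploying broadly: a legitimate build always passes vbc.exe, csc.exe or RegAsm.exe at least one argument.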

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      • Execution: Scripting (T1064)
      • Persistence: Modify Existing Service (T1031)
      • Defense Evasion: Scripting (T1064)
      • Discovery: System Information Discovery (T1082), Remote System Discovery (T1018)

      The matrix is the sandbox's automatic mapping and misses what the process tree actually shows: the .vbs moved into the user's Startup folder is Registry Run Keys / Startup Folder (T1060 in ATT&CK v6), the netsh firewall exception for RegAsm.exe is Disabling Security Tools (T1089), and the argument-less vbc.exe/RegAsm.exe written to via SetThreadContext is Process Hollowing (T1093).


      Downloads

      Dropped files are listed with their hashes; the memory entries that follow are the sandbox's dumps. The -mapping.dmp entries with a non-zero address (0x422660 in vbc.exe PID 192, 0x40747E in RegAsm.exe PID 2220) mark where code was written into those hollowed processes, and the images at 0x400000 (144KB in vbc.exe, 48KB in RegAsm.exe) are the injected payloads; the 48KB RegAsm.exe image is the one to carve when re-extracting the njRAT config above.

      • C:\Users\Admin\AppData\Local\Temp\w1p4v\o8bm4.exe
        MD5

        0ed4bb653dccc67fa9a37422c5bb587f

        SHA1

        06c3aab82c709b5e4353fc8090bd9b565ea85498

        SHA256

        3cefd35a9cd76871ee2d5faf20926d503dc707150e08e73ed6d6c80f10be273b

        SHA512

        b70f0619ba0910a42293f1071092a4c43b690c08619a4c0f1f8fd7d31ec869c82775fc848f4ccb5f08ca8cc2140e110b6a75157201cf2cb9517b1126f42faf20

      • C:\Users\Admin\AppData\Local\Temp\w1p4v\x
        MD5

        2ae6b6660839dc98ab178a4f8b4267aa

        SHA1

        f1fb13fd962bf7779f13d0c9d37c5d252cdc726f

        SHA256

        645babf81e154bb6f4582fa5bdf63187b2b77ee0d0e4058cf342907c37972534

        SHA512

        67e747ec0800fb8015aec8162d9ee06cba8a79f23b08b80cb44b037d4e885aad886c516e5dacec1ce6b9547e3ad6356003783e351c7210d47d66400bc3b12d51

      • C:\Users\Admin\AppData\Local\Temp\w1p4v\yccov.vbs
        MD5

        85d670b0e028eb13daa56193f4565b01

        SHA1

        bb6b7c6c2abd32658f85f511de9ec1f2de702f0f

        SHA256

        4e022fedf5bc6b7714c96b6c8e6247d7dd6a0313dec890f9a24e1962e57bf22c

        SHA512

        c7e1181b7d777e1ef7a0dc90ae05b2a2ab166459c7f1c3805291902ed8343c5fc70b6e8734753e4e65023d7065c995b25468f109612c8aab52d365ba19cd4701

      • C:\xNgHYmxNgHYm\xNgHYm.vbs
        MD5

        467cc35796c2abc2dfe8caf6a3b034e2

        SHA1

        85008cbf4ccbaac7a53dfa9a63a4b5c2badda34e

        SHA256

        13684703bf92bb87876e01e16a9001318cb168ca1c7c7a38718e39f7fb89c290

        SHA512

        b7ba5a0c0a83f02578d70b7b3e2c197f25145753ddd77f83a195ffdd3a5d9a12ce0c1543cdfd339c981512892f599477a68f268b3e9473e94520ec879ad97a09

      • memory/192-171-0x0000000003C80000-0x0000000003C81000-memory.dmp
        Filesize

        4KB

      • memory/192-70-0x0000000003480000-0x0000000003481000-memory.dmp
        Filesize

        4KB

      • memory/192-9-0x0000000000422660-mapping.dmp
      • memory/192-10-0x0000000000400000-0x0000000000424000-memory.dmp
        Filesize

        144KB

      • memory/192-11-0x0000000000400000-0x0000000000424000-memory.dmp
        Filesize

        144KB

      • memory/192-281-0x0000000003C80000-0x0000000003C81000-memory.dmp
        Filesize

        4KB

      • memory/192-276-0x0000000003480000-0x0000000003481000-memory.dmp
        Filesize

        4KB

      • memory/192-274-0x0000000003480000-0x0000000003481000-memory.dmp
        Filesize

        4KB

      • memory/192-275-0x0000000003C80000-0x0000000003C81000-memory.dmp
        Filesize

        4KB

      • memory/192-256-0x0000000003480000-0x0000000003481000-memory.dmp
        Filesize

        4KB

      • memory/192-18-0x0000000003C80000-0x0000000003C81000-memory.dmp
        Filesize

        4KB

      • memory/192-17-0x0000000003480000-0x0000000003481000-memory.dmp
        Filesize

        4KB

      • memory/192-19-0x0000000003480000-0x0000000003481000-memory.dmp
        Filesize

        4KB

      • memory/192-24-0x0000000003C80000-0x0000000003C81000-memory.dmp
        Filesize

        4KB

      • memory/192-23-0x0000000003480000-0x0000000003481000-memory.dmp
        Filesize

        4KB

      • memory/192-255-0x0000000003C80000-0x0000000003C81000-memory.dmp
        Filesize

        4KB

      • memory/192-32-0x0000000003480000-0x0000000003481000-memory.dmp
        Filesize

        4KB

      • memory/192-69-0x0000000003C80000-0x0000000003C81000-memory.dmp
        Filesize

        4KB

      • memory/192-71-0x0000000003C80000-0x0000000003C81000-memory.dmp
        Filesize

        4KB

      • memory/192-8-0x0000000000400000-0x0000000000424000-memory.dmp
        Filesize

        144KB

      • memory/192-72-0x0000000003480000-0x0000000003481000-memory.dmp
        Filesize

        4KB

      • memory/192-82-0x0000000003480000-0x0000000003481000-memory.dmp
        Filesize

        4KB

      • memory/192-83-0x0000000003C80000-0x0000000003C81000-memory.dmp
        Filesize

        4KB

      • memory/192-122-0x0000000003480000-0x0000000003481000-memory.dmp
        Filesize

        4KB

      • memory/192-129-0x0000000003C80000-0x0000000003C81000-memory.dmp
        Filesize

        4KB

      • memory/192-131-0x0000000003C80000-0x0000000003C81000-memory.dmp
        Filesize

        4KB

      • memory/192-163-0x0000000003C80000-0x0000000003C81000-memory.dmp
        Filesize

        4KB

      • memory/192-170-0x0000000003480000-0x0000000003481000-memory.dmp
        Filesize

        4KB

      • memory/192-254-0x0000000003480000-0x0000000003481000-memory.dmp
        Filesize

        4KB

      • memory/192-189-0x0000000003C80000-0x0000000003C81000-memory.dmp
        Filesize

        4KB

      • memory/192-248-0x0000000003480000-0x0000000003481000-memory.dmp
        Filesize

        4KB

      • memory/192-249-0x0000000003C80000-0x0000000003C81000-memory.dmp
        Filesize

        4KB

      • memory/2220-16-0x000000000040747E-mapping.dmp
      • memory/2220-15-0x0000000000400000-0x000000000040C000-memory.dmp
        Filesize

        48KB

      • memory/2816-5-0x0000000000000000-mapping.dmp
      • memory/3200-12-0x0000000000000000-mapping.dmp
      • memory/3252-2-0x0000000000000000-mapping.dmp
      • memory/3816-31-0x0000000000000000-mapping.dmp
      • memory/3948-13-0x0000000000000000-mapping.dmp