Analysis

  • max time kernel
    150s
  • max time network
    137s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    21-12-2020 01:48

General

  • Target

    ZAgNhZBG.exe

  • Size

    23KB

  • MD5

    5859e656d5735eb9a1eeae9a94a3cc16

  • SHA1

    85c1ab9c6fe450a83fb2cc1681b45272020ce5a6

  • SHA256

    4c91e5ce3dc54a407d6fce46eede37d2e2343f4db688e158e23abb543ce5a350

  • SHA512

    8cce673a45d5aa0fde559311466f318a645a47be5da350e6743cc291b88ad0a90c805d0b0185940f34e192fa7011e731157aca0b82627f17e02e227f498f0c68

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

xoruf.ddns.net:5552

Mutex

d8f3c9bf39e889408d972a936cea46cc

Attributes
  • reg_key

    d8f3c9bf39e889408d972a936cea46cc

  • splitter

    @!#&^%$

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops startup file 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 34 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ZAgNhZBG.exe
    "C:\Users\Admin\AppData\Local\Temp\ZAgNhZBG.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1400
    • C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe
      "C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe"
      2⤵
      • Executes dropped EXE
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1176
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe" "Google Chrome.exe" ENABLE
        3⤵
          PID:632
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\3686021"
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2940

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Execution

    Scripting

    1
    T1064

    Persistence

    Modify Existing Service

    1
    T1031

    Registry Run Keys / Startup Folder

    1
    T1060

    Defense Evasion

    Scripting

    1
    T1064

    Modify Registry

    1
    T1112

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    System Information Discovery

    1
    T1082

    Collection

    Data from Local System

    1
    T1005

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\3686021
      MD5

      6d0e849b0647746facd7c73f03b4d366

      SHA1

      3138201a6608428b922bd86168b51cf80615bc91

      SHA256

      c2f229ba47f29fccb6d35a908e887bf97e9e87cdb1110e855d5caa39571e5d72

      SHA512

      3839589f64141ba269f95e2726dd040ee09b6c9c09f5765dcdba847b02f68fa000b588a272f17e73ac42e81b3bb154535dc20da6dce0682b4b3a1ac2daada86a

    • C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe
      MD5

      5859e656d5735eb9a1eeae9a94a3cc16

      SHA1

      85c1ab9c6fe450a83fb2cc1681b45272020ce5a6

      SHA256

      4c91e5ce3dc54a407d6fce46eede37d2e2343f4db688e158e23abb543ce5a350

      SHA512

      8cce673a45d5aa0fde559311466f318a645a47be5da350e6743cc291b88ad0a90c805d0b0185940f34e192fa7011e731157aca0b82627f17e02e227f498f0c68

    • C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe
      MD5

      5859e656d5735eb9a1eeae9a94a3cc16

      SHA1

      85c1ab9c6fe450a83fb2cc1681b45272020ce5a6

      SHA256

      4c91e5ce3dc54a407d6fce46eede37d2e2343f4db688e158e23abb543ce5a350

      SHA512

      8cce673a45d5aa0fde559311466f318a645a47be5da350e6743cc291b88ad0a90c805d0b0185940f34e192fa7011e731157aca0b82627f17e02e227f498f0c68

    • memory/632-5-0x0000000000000000-mapping.dmp
    • memory/1176-2-0x0000000000000000-mapping.dmp
    • memory/2940-6-0x0000000000400000-0x0000000000472000-memory.dmp
      Filesize

      456KB

    • memory/2940-7-0x00000000004700E0-mapping.dmp
    • memory/2940-8-0x0000000000400000-0x0000000000472000-memory.dmp
      Filesize

      456KB

    • memory/2940-9-0x0000000000400000-0x0000000000472000-memory.dmp
      Filesize

      456KB