Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    13-05-2021 15:28

General

  • Target

    099145c2e43747b2cb22755defd2eda3d470fb36644b0f79456ac7ee0e3ed6be.exe

  • Size

    5.1MB

  • MD5

    455221845bfa315bccfe26dbf2148284

  • SHA1

    a0ceaa693c0b59d7d29b306ef95c7e362b1e5d3c

  • SHA256

    099145c2e43747b2cb22755defd2eda3d470fb36644b0f79456ac7ee0e3ed6be

  • SHA512

    a3d37f5703ea0ef9f21cec193de1ef980202932e1fc0e6f4f0ed1623fd002ebaf1a3acacd058919c84c7234c99e77992ee84e898b97d277d3a8e9449b436a175

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

cuidadonoip

C2

redlan1.hopto.org:5553

Mutex

ae9e817436635b16f6ddc3bfed8800fb

Attributes
  • reg_key

    ae9e817436635b16f6ddc3bfed8800fb

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Drops startup file 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\099145c2e43747b2cb22755defd2eda3d470fb36644b0f79456ac7ee0e3ed6be.exe
    "C:\Users\Admin\AppData\Local\Temp\099145c2e43747b2cb22755defd2eda3d470fb36644b0f79456ac7ee0e3ed6be.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4432
    • C:\Users\Admin\AppData\Local\Temp\Nordvpn.exe
      "C:\Users\Admin\AppData\Local\Temp\Nordvpn.exe"
      2⤵
      • Executes dropped EXE
      PID:4012
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4164
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE
        3⤵
          PID:4292

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Nordvpn.exe

      MD5

      e324a2a138171975017a01703f7f25c5

      SHA1

      72795be8fa85a9550ce048e776dc8cc93ff69001

      SHA256

      4789a7a58f6d8f72c60f5b55de162b440353827aac1caf0613733c9a47c3a364

      SHA512

      17244ca41ccb871932078f1f7a309e8f97dfe33bd0c28973102e83a7b5c7de4fa87e3885dbfbd4a7f8b758e7f279832931a7d37c9a65ffaaca2920a16336ed82

    • C:\Users\Admin\AppData\Local\Temp\Nordvpn.exe

      MD5

      e324a2a138171975017a01703f7f25c5

      SHA1

      72795be8fa85a9550ce048e776dc8cc93ff69001

      SHA256

      4789a7a58f6d8f72c60f5b55de162b440353827aac1caf0613733c9a47c3a364

      SHA512

      17244ca41ccb871932078f1f7a309e8f97dfe33bd0c28973102e83a7b5c7de4fa87e3885dbfbd4a7f8b758e7f279832931a7d37c9a65ffaaca2920a16336ed82

    • memory/4012-114-0x0000000000000000-mapping.dmp

    • memory/4012-117-0x0000000000850000-0x0000000000851000-memory.dmp

      Filesize

      4KB

    • memory/4012-118-0x00000000027D0000-0x0000000002829000-memory.dmp

      Filesize

      356KB

    • memory/4164-119-0x0000000000400000-0x000000000040C000-memory.dmp

      Filesize

      48KB

    • memory/4164-125-0x000000000040748E-mapping.dmp

    • memory/4164-126-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

      Filesize

      4KB

    • memory/4292-127-0x0000000000000000-mapping.dmp

    • memory/4432-124-0x0000000005A60000-0x0000000005A61000-memory.dmp

      Filesize

      4KB