Analysis
-
max time kernel
153s -
max time network
154s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
17-08-2021 22:26
Static task
static1
Behavioral task
behavioral1
Sample
41D2BC2F99C931544191A407A64D93EB.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
41D2BC2F99C931544191A407A64D93EB.exe
Resource
win10v20210408
General
-
Target
41D2BC2F99C931544191A407A64D93EB.exe
-
Size
123KB
-
MD5
41d2bc2f99c931544191a407a64d93eb
-
SHA1
7773c4947f7f8e1b7e4c5a79a519ef0ef73c71f7
-
SHA256
1e39e682bcc7bc56e68b22787bfd53e2346f67bd1dad4cc374b65a8e54b1b0e1
-
SHA512
bab88c67972968c3fb0ac68f76044be812a49815ca081f548b945af3e765ae4ee42abfdb51ae3a851d83e01724ebaaa34de5091bec9424038d55ab6dd425cd19
Malware Config
Extracted
njrat
0.7d
Victem New
test0day.zapto.org:1919
97c8dd348a81752049fc479a7db09101
-
reg_key
97c8dd348a81752049fc479a7db09101
-
splitter
|'|'|
Signatures
-
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
-
Executes dropped EXE 1 IoCs
Processes:
Notpsd.exepid process 1636 Notpsd.exe -
Modifies Windows Firewall 1 TTPs
-
Drops startup file 2 IoCs
Processes:
Notpsd.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\97c8dd348a81752049fc479a7db09101.exe Notpsd.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\97c8dd348a81752049fc479a7db09101.exe Notpsd.exe -
Loads dropped DLL 1 IoCs
Processes:
41D2BC2F99C931544191A407A64D93EB.exepid process 1084 41D2BC2F99C931544191A407A64D93EB.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
Notpsd.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\97c8dd348a81752049fc479a7db09101 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Notpsd.exe\" .." Notpsd.exe Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\97c8dd348a81752049fc479a7db09101 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Notpsd.exe\" .." Notpsd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 31 IoCs
Processes:
Notpsd.exedescription pid process Token: SeDebugPrivilege 1636 Notpsd.exe Token: 33 1636 Notpsd.exe Token: SeIncBasePriorityPrivilege 1636 Notpsd.exe Token: 33 1636 Notpsd.exe Token: SeIncBasePriorityPrivilege 1636 Notpsd.exe Token: 33 1636 Notpsd.exe Token: SeIncBasePriorityPrivilege 1636 Notpsd.exe Token: 33 1636 Notpsd.exe Token: SeIncBasePriorityPrivilege 1636 Notpsd.exe Token: 33 1636 Notpsd.exe Token: SeIncBasePriorityPrivilege 1636 Notpsd.exe Token: 33 1636 Notpsd.exe Token: SeIncBasePriorityPrivilege 1636 Notpsd.exe Token: 33 1636 Notpsd.exe Token: SeIncBasePriorityPrivilege 1636 Notpsd.exe Token: 33 1636 Notpsd.exe Token: SeIncBasePriorityPrivilege 1636 Notpsd.exe Token: 33 1636 Notpsd.exe Token: SeIncBasePriorityPrivilege 1636 Notpsd.exe Token: 33 1636 Notpsd.exe Token: SeIncBasePriorityPrivilege 1636 Notpsd.exe Token: 33 1636 Notpsd.exe Token: SeIncBasePriorityPrivilege 1636 Notpsd.exe Token: 33 1636 Notpsd.exe Token: SeIncBasePriorityPrivilege 1636 Notpsd.exe Token: 33 1636 Notpsd.exe Token: SeIncBasePriorityPrivilege 1636 Notpsd.exe Token: 33 1636 Notpsd.exe Token: SeIncBasePriorityPrivilege 1636 Notpsd.exe Token: 33 1636 Notpsd.exe Token: SeIncBasePriorityPrivilege 1636 Notpsd.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
41D2BC2F99C931544191A407A64D93EB.exeNotpsd.exedescription pid process target process PID 1084 wrote to memory of 1636 1084 41D2BC2F99C931544191A407A64D93EB.exe Notpsd.exe PID 1084 wrote to memory of 1636 1084 41D2BC2F99C931544191A407A64D93EB.exe Notpsd.exe PID 1084 wrote to memory of 1636 1084 41D2BC2F99C931544191A407A64D93EB.exe Notpsd.exe PID 1084 wrote to memory of 1636 1084 41D2BC2F99C931544191A407A64D93EB.exe Notpsd.exe PID 1636 wrote to memory of 756 1636 Notpsd.exe netsh.exe PID 1636 wrote to memory of 756 1636 Notpsd.exe netsh.exe PID 1636 wrote to memory of 756 1636 Notpsd.exe netsh.exe PID 1636 wrote to memory of 756 1636 Notpsd.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\41D2BC2F99C931544191A407A64D93EB.exe"C:\Users\Admin\AppData\Local\Temp\41D2BC2F99C931544191A407A64D93EB.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Users\Admin\AppData\Local\Temp\Notpsd.exe"C:\Users\Admin\AppData\Local\Temp\Notpsd.exe"2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Notpsd.exe" "Notpsd.exe" ENABLE3⤵PID:756
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
41d2bc2f99c931544191a407a64d93eb
SHA17773c4947f7f8e1b7e4c5a79a519ef0ef73c71f7
SHA2561e39e682bcc7bc56e68b22787bfd53e2346f67bd1dad4cc374b65a8e54b1b0e1
SHA512bab88c67972968c3fb0ac68f76044be812a49815ca081f548b945af3e765ae4ee42abfdb51ae3a851d83e01724ebaaa34de5091bec9424038d55ab6dd425cd19
-
MD5
41d2bc2f99c931544191a407a64d93eb
SHA17773c4947f7f8e1b7e4c5a79a519ef0ef73c71f7
SHA2561e39e682bcc7bc56e68b22787bfd53e2346f67bd1dad4cc374b65a8e54b1b0e1
SHA512bab88c67972968c3fb0ac68f76044be812a49815ca081f548b945af3e765ae4ee42abfdb51ae3a851d83e01724ebaaa34de5091bec9424038d55ab6dd425cd19
-
MD5
41d2bc2f99c931544191a407a64d93eb
SHA17773c4947f7f8e1b7e4c5a79a519ef0ef73c71f7
SHA2561e39e682bcc7bc56e68b22787bfd53e2346f67bd1dad4cc374b65a8e54b1b0e1
SHA512bab88c67972968c3fb0ac68f76044be812a49815ca081f548b945af3e765ae4ee42abfdb51ae3a851d83e01724ebaaa34de5091bec9424038d55ab6dd425cd19