Analysis
- max time kernel: 149s
- max time network: 199s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 04-09-2021 07:31

Tasks
- Static task: static1
- Behavioral task: behavioral1
- Sample: 6CF07AB2FF64200E8CD38602D14BC566.exe
- Resource: win7v20210408
General
- Target: 6CF07AB2FF64200E8CD38602D14BC566.exe
- Size: 1.2MB
- MD5: 6cf07ab2ff64200e8cd38602d14bc566
- SHA1: 74edddc5fa816ecd47bb0a90b4ed605e1b8e8e6b
- SHA256: 7a5ea108c883639b28770a677217474e15e8e26a141b13cefd59100f72c3a598
- SHA512: a47d91fb8c9f3edeb18897989f93ff8e5a2f90a4fa19f512983512238597988e5b490ebd1595dcd0aaf294c222a51d3c10da5ea013bccb0948e538ee00b8bbe1
Malware Config
Extracted
- njrat
- 0.7d
- HacKed
- 4.tcp.ngrok.io:14914
- Windows Update
- reg_key: Windows Update
- splitter: |'|'|
Signatures
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
  suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
    1508  Tempwinlogon.exe
- Modifies Windows Firewall (1 TTPs)
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    1216  cscript.exe
    1216  cscript.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  Processes (pid, process):
    2000  6CF07AB2FF64200E8CD38602D14BC566.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Processes (description, pid, process; identical rows collapsed with a count):
    Token: SeDebugPrivilege            1508  Tempwinlogon.exe  (x1)
    Token: 33                          1508  Tempwinlogon.exe  (x16)
    Token: SeIncBasePriorityPrivilege  1508  Tempwinlogon.exe  (x16)
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid, process):
    2000  6CF07AB2FF64200E8CD38602D14BC566.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description, pid, process, target process; identical rows collapsed with a count):
    PID 2000 wrote to memory of 1216  2000  6CF07AB2FF64200E8CD38602D14BC566.exe  cscript.exe       (x4)
    PID 1216 wrote to memory of 1508  1216  cscript.exe                            Tempwinlogon.exe  (x4)
    PID 1508 wrote to memory of 1016  1508  Tempwinlogon.exe                       netsh.exe         (x3)
Processes
1. C:\Users\Admin\AppData\Local\Temp\6CF07AB2FF64200E8CD38602D14BC566.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6CF07AB2FF64200E8CD38602D14BC566.exe"
   PID: 2000
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cscript.exe
      Command line: "cscript" C:\Users\Admin\AppData\Local\Temp\5EE2.tmp\aaa11.vbs
      PID: 1216
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Tempwinlogon.exe
         Command line: "C:\Users\Admin\AppData\Local\Tempwinlogon.exe"
         PID: 1508
         - Executes dropped EXE
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\system32\netsh.exe
            Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Tempwinlogon.exe" "Tempwinlogon.exe" ENABLE
            PID: 1016
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\5EE2.tmp\aaa11.vbs
  MD5 89a247e6bf33711ef8ac5c694b3c7f77
  SHA1 659da18a6a291f0a3f3b9f0d8321cc9f13c9862a
  SHA256 3b0a43587507dce1d5a779521077fd0827f81a0d3b313f67f64c79f1b9687b5d
  SHA512 699f4f3b8db597c92c9ee69ca7bd23e02f0470a76e9e78f27b65a8f5f2bedbd02b9b923afa557fd88dd0f196fb9b3e8bb86a4f6aa64ac1d51b60d98632840371
- C:\Users\Admin\AppData\Local\Tempwinlogon.exe
  MD5 28da331bcc74c6bf3fef61a4b0082b5f
  SHA1 648c5e8c4299ad0be01af2941dbc3ccf93534a08
  SHA256 6188d251eae945f41be9d0976abb2175acb706933f7a18d3b9bb97f1b6f55124
  SHA512 4783fb4204118dc8245d4c4bdc18c5970d477c0766ccb003f1dd124142125774203536dc960f0d5fd4d18b94e966a35ec20fd2a76a1371e8ed4a097aa0899a0b
- \Users\Admin\AppData\Local\Tempwinlogon.exe
  MD5 28da331bcc74c6bf3fef61a4b0082b5f
  SHA1 648c5e8c4299ad0be01af2941dbc3ccf93534a08
  SHA256 6188d251eae945f41be9d0976abb2175acb706933f7a18d3b9bb97f1b6f55124
  SHA512 4783fb4204118dc8245d4c4bdc18c5970d477c0766ccb003f1dd124142125774203536dc960f0d5fd4d18b94e966a35ec20fd2a76a1371e8ed4a097aa0899a0b
- memory/1016-70-0x0000000000000000-mapping.dmp
- memory/1016-71-0x000007FEFC251000-0x000007FEFC253000-memory.dmp (Filesize 8KB)
- memory/1216-60-0x0000000000000000-mapping.dmp
- memory/1508-65-0x0000000000000000-mapping.dmp
- memory/1508-69-0x0000000001F80000-0x0000000001F82000-memory.dmp (Filesize 8KB)
- memory/1508-68-0x000007FEF2D70000-0x000007FEF3E06000-memory.dmp (Filesize 16.6MB)
- memory/2000-59-0x0000000075D11000-0x0000000075D13000-memory.dmp (Filesize 8KB)