Analysis
  Max time kernel: 151s
  Max time network: 151s
  Platform: windows7_x64
  Resource: win7-en
  Submitted: 04-09-2021 17:51

Behavioral task: behavioral1
  Sample: a49637acb8f867866fc338b878145b3c.exe
  Resource: win7-en

General
  Target: a49637acb8f867866fc338b878145b3c.exe
  Size: 103KB
  MD5: a49637acb8f867866fc338b878145b3c
  SHA1: 1d00ebe1334ff83baed5c5088977199dd3a2067d
  SHA256: dac1dc3a6ccefe51ee7d3346b43ee90aeb924c79ac0a12e7d3b20b49d168479a
  SHA512: 6965f4a7006767ecc18915f97f25e9f648cfde188ced651a645e2dee56da6eb1020143c809b28e032c95126111453b60796193148bf17800e08776d07982e03e
Malware Config
Extracted
  Family: njrat
  Botnet / campaign ID: im523
  dlbyte (field left unlabelled by the extractor; it sits where the version string normally appears)
  C2: 8.tcp.ngrok.io:11904 (an ngrok TCP tunnel: the operator's real address sits behind ngrok's relay and the host:port pair can be re-allocated to another tunnel, so treat the pair as a short-lived indicator and an unknown binary talking to *.tcp.ngrok.io as the more durable one)
  77d2e2c7d5fea9d8d12fca7c2a7a3030 (unlabelled in the report; it equals the reg_key below, and njRAT normally uses that value as its mutex name too)
  reg_key: 77d2e2c7d5fea9d8d12fca7c2a7a3030 (the value name njRAT uses for its Run-key entry; no registry-persistence signature fired in this run, so check the Run key yourself when reproducing)
  splitter: |'|'| (field delimiter in C2 messages; the Suricata hit below matches on it)
Signatures

suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
  One rule, listed twice in the original report. The "ll" in its name is the njRAT command keyword it keys on: the client's registration message begins with "ll" followed by the |'|'| splitter from the config above. Because that content travels inside an established TCP stream, the hit means the sample checked in to a C2, not merely that it resolved the ngrok name.
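As an added illustration, not part of the sandbox report: a small Python parser for njRAT's length-prefixed, splitter-delimited C2 framing, using the splitter, campaign ID and C2 pair extracted above and the "ll" keyword the ET rule keys on. The field layout after "ll", the sample beacon, the hostname/user values and the one-byte keep-alive are constructed assumptions; nothing beyond the splitter, campaign ID and C2 pair comes from the report.

```python
import base64
import re
from typing import List, Optional, Tuple

# Values carried over from the extracted config on this page.
SPLITTER = "|'|'|"
CAMPAIGN_ID = "im523"
C2 = ("8.tcp.ngrok.io", 11904)

# njRAT frames every message as "<decimal length><NUL><payload>"; the payload is a
# list of fields joined by SPLITTER, the first of which is the command keyword. The
# client's registration beacon uses the keyword "ll", which is the token the ET rule
# in this report keys on (NUL, "ll", splitter). The field order after "ll" assumed
# below is modelled on the 0.7d family and is not something the report shows.
_FRAME_HDR = re.compile(rb"(\d+)\x00")


def split_frames(data: bytes) -> List[bytes]:
    """Cut a client->server stream chunk into complete length-prefixed payloads."""
    frames, pos = [], 0
    while pos < len(data):
        m = _FRAME_HDR.match(data, pos)
        if m is None:
            break                                  # not njRAT framing: stop, do not guess
        length, start = int(m.group(1)), m.end()
        if start + length > len(data):
            break                                  # truncated frame: wait for more bytes
        frames.append(data[start:start + length])
        pos = start + length
    return frames


def parse_beacon(payload: bytes) -> Optional[dict]:
    """Decode an 'll' registration beacon; return None for any other command."""
    fields = payload.decode("utf-8", errors="replace").split(SPLITTER)
    if fields[0] != "ll" or len(fields) < 4:
        return None
    # Assumed layout: field 1 is base64("<campaign>_<hwid>"), then hostname, then user.
    try:
        victim_id = base64.b64decode(fields[1], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        victim_id = fields[1]                      # keep the raw field if it is not base64
    campaign, _, hwid = victim_id.partition("_")
    return {"victim_id": victim_id, "campaign": campaign, "hwid": hwid,
            "hostname": fields[2], "user": fields[3], "fields": len(fields)}


def scan_stream(data: bytes, dst: Tuple[str, int]) -> List[str]:
    """Return alert strings for one client->server chunk, in the spirit of the ET rule."""
    alerts = []
    if dst == C2:
        alerts.append(f"connection to known njRAT C2 {dst[0]}:{dst[1]}")
    for payload in split_frames(data):
        beacon = parse_beacon(payload)
        if beacon is None:
            continue
        msg = f"njRAT 'll' beacon from {beacon['hostname']}\\{beacon['user']} hwid={beacon['hwid']}"
        if beacon["campaign"] == CAMPAIGN_ID:
            msg += f" campaign={CAMPAIGN_ID}"
        alerts.append(msg)
    return alerts


def frame(payload: bytes) -> bytes:
    """Encode one message the way the client does (used to build the sample below)."""
    return str(len(payload)).encode() + b"\x00" + payload


# Constructed sample traffic, not a capture from this report: one registration beacon
# followed by a one-byte keep-alive.
SAMPLE_BEACON = SPLITTER.join([
    "ll", base64.b64encode(b"im523_1A2B3C4D").decode(),
    "WIN7-PC", "Admin", "21-09-04", "", "Win 7 Ultimate SP1", "No", "0.7d", "..",
]).encode()
SAMPLE_STREAM = frame(SAMPLE_BEACON) + frame(b"P")

if __name__ == "__main__":
    for line in scan_stream(SAMPLE_STREAM, C2):
        print(line)
```

The parser stops at the first frame that does not fit the framing rather than resynchronising, which is the safe choice for a detector: a false "ll" hit on arbitrary binary data is far more likely if you scan for the keyword anywhere in the stream.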
Executes dropped EXE (1 IoC)
  SyByteUI.exe, pid 1312

Modifies Windows Firewall (1 TTP)
  See the netsh command line under Processes below.

Loads dropped DLL (1 IoC)
  a49637acb8f867866fc338b878145b3c.exe, pid 1364

Enumerates physical storage devices (1 TTP)
  Sandbox description: "Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour." The ransomware wording is the sandbox's generic text for this heuristic, not a finding about this sample: the only dropped file in this run is the self-copy listed under Downloads, and for an njRAT sample drive enumeration is more plausibly the family's removable-drive spreading routine.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  SyByteUI.exe, pid 1312 (64 repeated entries for the same process)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  SyByteUI.exe, pid 1312

Suspicious use of AdjustPrivilegeToken (31 IoCs), all by SyByteUI.exe, pid 1312
  Token: SeDebugPrivilege (once)
  Token: 33 and Token: SeIncBasePriorityPrivilege, alternating, 15 pairs ("33" is the raw privilege LUID, SeIncreaseWorkingSetPrivilege). The alternating pair is what a process adjusting its own priority or working set produces and is weak evidence on its own; the single SeDebugPrivilege enable is the entry worth noting.

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1364 (a49637acb8f867866fc338b878145b3c.exe) wrote to memory of 1312 (SyByteUI.exe): 4 entries
  PID 1312 (SyByteUI.exe) wrote to memory of 896 (netsh.exe): 4 entries
  In both cases the target is a child the writer has just created, and writes by a parent into a freshly created child are produced by CreateProcess itself while it sets the child up; nothing here indicates injection into an unrelated process.
Processes

1. C:\Users\Admin\AppData\Local\Temp\a49637acb8f867866fc338b878145b3c.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\a49637acb8f867866fc338b878145b3c.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\SyByteUI.exe (child of 1)
      command line: "C:\Users\Admin\AppData\Local\Temp\SyByteUI.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe (child of 2)
         command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\SyByteUI.exe" "SyByteUI.exe" ENABLE

Notes on the tree: SyByteUI.exe is the sample written back to %TEMP% under a new name and re-launched (its hashes under Downloads match the sample's). The firewall exception uses the legacy "netsh firewall" context, deprecated since Windows Vista but still accepted on Windows 7 with a warning; the current equivalent is "netsh advfirewall firewall add rule ... program=<path> action=allow", so a detection should cover both spellings. netsh.exe being loaded from SysWOW64 means the caller is a 32-bit process (WOW64 file-system redirection). Adding an exception needs an elevated token; the report records the attempt, not whether it succeeded.
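A host-side complement, added here and not taken from the report: a Python detector over constructed process-creation events (a Sysmon Event ID 1-like shape is assumed) that catches the two things this process tree shows, a binary starting a byte-identical copy of itself from a user-writable directory, and netsh whitelisting a binary in such a directory. It also handles the current "netsh advfirewall" spelling, which the sample does not use. PIDs, image paths, the sample hash and the netsh command line are the report's; the event shape, the top process's parent PID and the placeholder hash for netsh.exe are made up.

```python
import ntpath
import re
from typing import Dict, List, Optional

# SHA256 of the submitted sample on this page; the dropped SyByteUI.exe hashes identically.
SAMPLE_SHA256 = "dac1dc3a6ccefe51ee7d3346b43ee90aeb924c79ac0a12e7d3b20b49d168479a"

# Locations an unprivileged user can write to; a firewall exception for a binary
# living in one of these is a strong signal on its own.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\AppData\\(Local|Roaming)|Users\\[^\\]+\\Downloads|Windows\\Temp|ProgramData)\\",
    re.IGNORECASE,
)

# Windows-style tokenizer: keep "quoted strings with spaces" together, then drop the quotes.
_TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')


def tokenize(cmdline: str) -> List[str]:
    return [t.replace('"', "") for t in _TOKEN.findall(cmdline)]


def firewall_exception_target(cmdline: str) -> Optional[str]:
    """Return the program path a netsh command whitelists, or None for anything else.

    Covers the legacy context used by this sample
      netsh firewall add allowedprogram <path> <name> ENABLE
    (also its program=<path> keyword form) and the current one
      netsh advfirewall firewall add rule ... program=<path> action=allow
    """
    toks = tokenize(cmdline)
    if not toks or ntpath.basename(toks[0]).lower() not in ("netsh", "netsh.exe"):
        return None
    low = [t.lower() for t in toks]
    if low[1:4] == ["firewall", "add", "allowedprogram"] and len(toks) > 4:
        path = toks[4]
        return path[len("program="):] if low[4].startswith("program=") else path
    if low[1:5] == ["advfirewall", "firewall", "add", "rule"]:
        prog = next((t[len("program="):] for t in toks if t.lower().startswith("program=")), None)
        allow = any(t == "action=allow" for t in low)
        return prog if prog and allow else None
    return None


def evaluate(events: List[Dict[str, str]]) -> List[str]:
    """Run both checks over process-creation events; returns human-readable findings."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        # Check 1: a process started a byte-identical copy of itself from a user-writable path.
        if (parent and parent["sha256"] == e["sha256"]
                and parent["image"].lower() != e["image"].lower()
                and USER_WRITABLE.search(e["image"])):
            findings.append(
                f"pid {e['pid']}: {ntpath.basename(e['image'])} is a byte-identical copy of its parent "
                f"{ntpath.basename(parent['image'])} (self-drop to {ntpath.dirname(e['image'])})")
        # Check 2: a firewall exception that whitelists a binary in a user-writable path.
        target = firewall_exception_target(e["cmdline"])
        if target and USER_WRITABLE.search(target):
            findings.append(f"pid {e['pid']}: netsh whitelisted {target} in the Windows Firewall")
    return findings


# Constructed events shaped like Sysmon Event ID 1 fields. PIDs, images, the sample
# hash and the netsh command line come from the report; ppid "0" for the top process
# and the all-zero hash for netsh.exe are placeholders.
EVENTS: List[Dict[str, str]] = [
    {"pid": "1364", "ppid": "0",
     "image": r"C:\Users\Admin\AppData\Local\Temp\a49637acb8f867866fc338b878145b3c.exe",
     "sha256": SAMPLE_SHA256,
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\a49637acb8f867866fc338b878145b3c.exe"'},
    {"pid": "1312", "ppid": "1364",
     "image": r"C:\Users\Admin\AppData\Local\Temp\SyByteUI.exe",
     "sha256": SAMPLE_SHA256,
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\SyByteUI.exe"'},
    {"pid": "896", "ppid": "1312",
     "image": r"C:\Windows\SysWOW64\netsh.exe",
     "sha256": "0" * 64,
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\SyByteUI.exe" "SyByteUI.exe" ENABLE'},
]

if __name__ == "__main__":
    for finding in evaluate(EVENTS):
        print(finding)
```

The self-copy check compares file hashes, not names, so a renamed copy is caught regardless of what the malware calls it; the firewall check keys on the target path rather than on "netsh" alone, which keeps administrative use of netsh for binaries under Program Files out of the alert stream.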
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\SyByteUI.exe (the original report lists this file three times, the third time without the drive letter; it is one file)
  MD5: a49637acb8f867866fc338b878145b3c
  SHA1: 1d00ebe1334ff83baed5c5088977199dd3a2067d
  SHA256: dac1dc3a6ccefe51ee7d3346b43ee90aeb924c79ac0a12e7d3b20b49d168479a
  SHA512: 6965f4a7006767ecc18915f97f25e9f648cfde188ced651a645e2dee56da6eb1020143c809b28e032c95126111453b60796193148bf17800e08776d07982e03e
  These hashes are identical to the submitted sample's: SyByteUI.exe is a byte-for-byte self-copy, so one hash set covers both files.

memory/896-60-0x0000000000000000-mapping.dmp
memory/1312-55-0x0000000000000000-mapping.dmp
memory/1312-59-0x0000000001FD0000-0x0000000001FD1000-memory.dmp (4KB)
memory/1364-52-0x00000000760A1000-0x00000000760A3000-memory.dmp (8KB)
memory/1364-53-0x00000000005A0000-0x00000000005A1000-memory.dmp (4KB)