Analysis
max time kernel: 152s
max time network: 154s
platform: windows10_x64
resource: win10v20210408
submitted: 04-09-2021 17:51
Behavioral task: behavioral1
Sample: a49637acb8f867866fc338b878145b3c.exe
Resource: win7-en
General
Target: a49637acb8f867866fc338b878145b3c.exe
Size: 103KB
MD5: a49637acb8f867866fc338b878145b3c
SHA1: 1d00ebe1334ff83baed5c5088977199dd3a2067d
SHA256: dac1dc3a6ccefe51ee7d3346b43ee90aeb924c79ac0a12e7d3b20b49d168479a
SHA512: 6965f4a7006767ecc18915f97f25e9f648cfde188ced651a645e2dee56da6eb1020143c809b28e032c95126111453b60796193148bf17800e08776d07982e03e
Malware Config
Extracted
Family: njrat
Version: im523
Botnet: dlbyte
C2: 8.tcp.ngrok.io:11904
Mutex: 77d2e2c7d5fea9d8d12fca7c2a7a3030
Attributes:
  reg_key: 77d2e2c7d5fea9d8d12fca7c2a7a3030
  splitter: |'|'|
Signatures

suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

Executes dropped EXE (1 IoC)
Processes:
  pid 3000  SyByteUI.exe
Modifies Windows Firewall (1 TTP)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid 3000  SyByteUI.exe  (64 events, all from the same process)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid 3000  SyByteUI.exe
Suspicious use of AdjustPrivilegeToken (33 IoCs)
Processes (description / pid / process):
  Token: SeDebugPrivilege            pid 3000  SyByteUI.exe  (1 event)
  Token: 33                          pid 3000  SyByteUI.exe  (16 events)
  Token: SeIncBasePriorityPrivilege  pid 3000  SyByteUI.exe  (16 events)
  (the 33 and SeIncBasePriorityPrivilege events alternate in the original log)

Suspicious use of WriteProcessMemory (6 IoCs)
Processes (description / pid / process / target process):
  PID 1096 wrote to memory of 3000  a49637acb8f867866fc338b878145b3c.exe -> SyByteUI.exe  (3 events)
  PID 3000 wrote to memory of 1200  SyByteUI.exe -> netsh.exe  (3 events)
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\a49637acb8f867866fc338b878145b3c.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\a49637acb8f867866fc338b878145b3c.exe"
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\SyByteUI.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\SyByteUI.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\netsh.exe
      command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\SyByteUI.exe" "SyByteUI.exe" ENABLE
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\SyByteUI.exe
  MD5: a49637acb8f867866fc338b878145b3c
  SHA1: 1d00ebe1334ff83baed5c5088977199dd3a2067d
  SHA256: dac1dc3a6ccefe51ee7d3346b43ee90aeb924c79ac0a12e7d3b20b49d168479a
  SHA512: 6965f4a7006767ecc18915f97f25e9f648cfde188ced651a645e2dee56da6eb1020143c809b28e032c95126111453b60796193148bf17800e08776d07982e03e
  (same hashes as the submitted sample: the dropped file is a copy of the original)
- memory/1096-114-0x0000000002A00000-0x0000000002A01000-memory.dmp  Filesize: 4KB
- memory/1200-119-0x0000000000000000-mapping.dmp
- memory/3000-115-0x0000000000000000-mapping.dmp
- memory/3000-118-0x0000000000960000-0x0000000000961000-memory.dmp  Filesize: 4KB