Analysis
max time kernel: 154s
max time network: 153s
platform: windows10_x64
resource: win10v20210408
submitted: 06-09-2021 22:12

Static task: static1
Behavioral task: behavioral1, sample 84bd6cb486f45bf0d92d2f259045febd.exe, resource win7-en
Behavioral task: behavioral2, sample 84bd6cb486f45bf0d92d2f259045febd.exe, resource win10v20210408
(The results below are from the windows10_x64 / win10v20210408 run listed under Analysis, i.e. behavioral2; the win7-en run is not shown on this page.)
General
Target: 84bd6cb486f45bf0d92d2f259045febd.exe
Size: 761KB
MD5: 84bd6cb486f45bf0d92d2f259045febd
SHA1: d6a8506acd3aa0f81555da8dab87efc70e8a20f4
SHA256: 2b04dc24a677c5892b077491d6e794fe8758341919d363067aaed539f3dec2db
SHA512: bf072d5eff0acd67ac57bf23f4454d695c0e9e56b122f9133f50bc61daca1726d3ddf3c3648b8c0005d7a0153b23164888602b76ea0e657988c554b98ae52640
Malware Config
Extracted
Family: njrat
Version: Njrat 0.7 Golden By Hassan Amiri
Botnet (campaign ID): xxxxxxxxxx
C2: pubg.ddns.net:147
Mutex: Windows Update
- reg_key: Windows Update
- splitter: |Hassan|
Note: the splitter is customised (stock njRAT builds use |'|'|) and matches the author string in the version field, so a signature keyed on the default splitter would miss this build. reg_key is the same "Windows Update" string that appears as the Run value name under Signatures. The C2 is a dynamic-DNS hostname on a non-standard port, so pivot on the hostname rather than on whatever IP it resolved to during the run.
Signatures
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
  (listed twice in the report; "ll" is the njRAT check-in message sent to the C2 on connect)
- Executes dropped EXE (1 IoC)
  pid 2844 FixWindowsUpdate.exe
- Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft update.exe (by FixWindowsUpdate.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft update.exe (by FixWindowsUpdate.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\FixWindowsUpdate.exe\" .." (by FixWindowsUpdate.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\FixWindowsUpdate.exe\" .." (by FixWindowsUpdate.exe)
  Note: the value name is the extracted reg_key ("Windows Update") and the data carries njRAT's characteristic trailing " .." argument, which is a reliable hunting string. The HKLM write succeeding means the sample ran with administrative rights in this sandbox; on a standard-user host expect only the HKCU entry.
- Enumerates physical storage devices (1 TTP)
  Sandbox description: "Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour." That is the sandbox's generic wording for this signature; for njRAT, drive enumeration is consistent with its removable-drive spreading option, and nothing else in this report points to file encryption.
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid 808 84bd6cb486f45bf0d92d2f259045febd.exe; pid 2844 FixWindowsUpdate.exe
  (njRAT's keylogger polls the foreground window so it can record the active window title alongside keystrokes.)
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  pid 2844 FixWindowsUpdate.exe: Token: SeDebugPrivilege once, then Token: 33 and Token: SeIncBasePriorityPrivilege alternating, 16 times each
- Suspicious use of WriteProcessMemory (2 IoCs)
  PID 808 (84bd6cb486f45bf0d92d2f259045febd.exe) wrote to memory of PID 2844 (FixWindowsUpdate.exe), twice
  Note: parent-to-child WriteProcessMemory at launch is flagged generically. Since the dropped file is byte-identical to the submitted sample (same hashes under Downloads), the more likely reading is that the sample copies itself to %APPDATA% and starts the copy, rather than injecting a distinct payload.
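Detection logic for the Run-key and Startup-folder persistence above, as an added example that is not part of the sandbox report or of njRAT itself. The event records are constructed to mirror the report's registry and file IoCs plus one benign Run-key write for contrast; the dict schema (type / image / target / details) is a simplified, hypothetical stand-in for Sysmon-style FileCreate and RegistrySetValue events, not a real log format. It flags the njRAT-specific `"<path>" ..` Run value as high, a lure-named Run value pointing into a user profile as medium, and an executable dropped into the per-user Startup folder by a process that itself runs from a user profile as medium.

```python
"""Host-side detection for the njRAT persistence recorded in this report.

Added example, not part of the sandbox output or of njRAT itself. The event
records are constructed to mirror the report's IoCs plus benign noise; the
dict schema is a hypothetical, simplified Sysmon-like shape, not a real format.
"""
import re

# njRAT registers itself as   "<path to its copy>" ..   (quoted path, space, two dots)
NJRAT_RUN_VALUE = re.compile(r'^"(?P<path>[^"]+)" \.\.$')

# Any Run key, per-user (\REGISTRY\USER\<SID>) or machine-wide (\REGISTRY\MACHINE).
RUN_KEY = re.compile(
    r'^\\REGISTRY\\(?P<hive>USER\\[^\\]+|MACHINE)\\Software\\Microsoft\\Windows'
    r'\\CurrentVersion\\Run\\(?P<name>[^\\]+)$', re.IGNORECASE)

# An executable written into the per-user Startup folder.
STARTUP_EXE = re.compile(
    r'\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$',
    re.IGNORECASE)

# Anything under a user profile is writable without administrative rights.
USER_PROFILE = re.compile(r'^[A-Z]:\\Users\\[^\\]+\\', re.IGNORECASE)

# Value names borrowed from Windows components, as in this sample.
LURE_NAMES = {"windows update", "microsoft update"}

# Paths and SID taken from the report; the OneDrive entry is constructed noise.
HKCU_RUN = (r"\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\Run")
HKLM_RUN = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
DROPPED = r"C:\Users\Admin\AppData\Roaming\FixWindowsUpdate.exe"
STARTUP_COPY = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu"
                r"\Programs\Startup\Microsoft update.exe")
ONEDRIVE = r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"

# Constructed events: the first three reproduce the report's IoCs, the last two are benign.
EVENTS = [
    {"type": "RegistrySetValue", "image": DROPPED,
     "target": HKCU_RUN + r"\Windows Update", "details": '"' + DROPPED + '" ..'},
    {"type": "RegistrySetValue", "image": DROPPED,
     "target": HKLM_RUN + r"\Windows Update", "details": '"' + DROPPED + '" ..'},
    {"type": "FileCreate", "image": DROPPED, "target": STARTUP_COPY},
    {"type": "RegistrySetValue", "image": ONEDRIVE,
     "target": HKCU_RUN + r"\OneDrive", "details": '"' + ONEDRIVE + '" /background'},
    {"type": "FileCreate", "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\Temp\setup.tmp"},
]


def _exe_path(command: str) -> str:
    """Executable part of a Run value: the quoted path, or else the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def detect(events):
    """Return one finding per Run-key or Startup-folder persistence event."""
    findings = []
    for ev in events:
        if ev["type"] == "RegistrySetValue":
            key = RUN_KEY.match(ev["target"])
            if not key:
                continue
            hive = "HKLM" if key.group("hive").upper() == "MACHINE" else "HKCU"
            path = _exe_path(ev["details"])
            base = {
                "hive": hive, "value_name": key.group("name"), "path": path,
                "image": ev["image"],
                # the writer registering its own binary is the self-copy pattern seen here
                "self_registering": path.lower() == ev["image"].lower(),
            }
            if NJRAT_RUN_VALUE.match(ev["details"]):
                findings.append({"rule": "njrat_run_value", "severity": "high", **base})
            elif key.group("name").lower() in LURE_NAMES and USER_PROFILE.match(path):
                findings.append({"rule": "lure_run_value", "severity": "medium", **base})
        elif ev["type"] == "FileCreate":
            if STARTUP_EXE.search(ev["target"]) and USER_PROFILE.match(ev["image"]):
                findings.append({"rule": "startup_folder_drop", "severity": "medium",
                                 "path": ev["target"], "image": ev["image"]})
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding["severity"], finding["rule"], finding)
```

Run against the constructed events it yields two high findings (the HKCU and HKLM Run values, both self-registering) and one medium finding for the Startup-folder copy; the OneDrive Run value passes because its data lacks the " .." suffix and its name is not a lure. The `hive` field is worth keeping in real alerts: an HKLM hit tells you the implant had administrative rights, as it did in this sandbox run.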
Processes
- C:\Users\Admin\AppData\Local\Temp\84bd6cb486f45bf0d92d2f259045febd.exe (pid 808)
  command line: "C:\Users\Admin\AppData\Local\Temp\84bd6cb486f45bf0d92d2f259045febd.exe"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\FixWindowsUpdate.exe (pid 2844, child of 808)
    command line: "C:\Users\Admin\AppData\Roaming\FixWindowsUpdate.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Roaming\FixWindowsUpdate.exe (listed twice in the report with identical hashes)
  MD5: 84bd6cb486f45bf0d92d2f259045febd
  SHA1: d6a8506acd3aa0f81555da8dab87efc70e8a20f4
  SHA256: 2b04dc24a677c5892b077491d6e794fe8758341919d363067aaed539f3dec2db
  SHA512: bf072d5eff0acd67ac57bf23f4454d695c0e9e56b122f9133f50bc61daca1726d3ddf3c3648b8c0005d7a0153b23164888602b76ea0e657988c554b98ae52640
  These hashes match the submitted sample exactly, so the dropped file is an unmodified self-copy of 84bd6cb486f45bf0d92d2f259045febd.exe placed in %APPDATA%; one set of file hashes covers both the original and the persisted copy.
- memory/808-114-0x00000000006B0000-0x00000000006B1000-memory.dmp (4KB)
- memory/808-116-0x0000000002730000-0x000000000273B000-memory.dmp (44KB)
- memory/808-117-0x0000000002830000-0x0000000002832000-memory.dmp (8KB)
- memory/2844-118-0x0000000000000000-mapping.dmp
- memory/2844-124-0x000000001B7F0000-0x000000001B7F2000-memory.dmp (8KB)