Analysis
max time kernel: 170s
max time network: 158s
platform: windows10_x64
resource: win10-en
submitted: 08-09-2021 14:17
Behavioral task: behavioral1
Sample: 08B2E926B95DD3A599AF3A697C3D9B1512586A2587AD0.exe
Resource: win7v20210408
General
Target: 08B2E926B95DD3A599AF3A697C3D9B1512586A2587AD0.exe
Size: 23KB
MD5: 755bd609b015768d247077ccbf2a407a
SHA1: 3484d468c4bda04f6c370118d03ab3ee5d1c43d0
SHA256: 08b2e926b95dd3a599af3a697c3d9b1512586a2587ad08d56b0ee4256fd33db1
SHA512: cbe706d7daf9167112257761085bc5fab214dae27a6637c1b9dcbdd6d539e7893a049c4c7a1c457cd668e14dc03b0352c4311918d8cf19cf4973da4ccdddc3c2
Malware Config
Extracted
Family: njrat
Version: 0.7d
Campaign (botnet name): HacKed
C2: win08.zapto.org:84
Identifier: 79627ac12211c58cdd3a218a06264901 (the same string is reused below as the Run key value name and as the file name of the Startup-folder copy)
reg_key: 79627ac12211c58cdd3a218a06264901
splitter: |'|'| (field separator in the RAT's C2 messages)
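The splitter and C2 address above are the only protocol details the report gives. The following is an added example, not code from the sample or from the sandbox: a small framer/de-framer for njRAT-style C2 messages that splits fields on the extracted splitter and flags the "ll" registration beacon the ET rule name refers to. The wire framing (ASCII decimal length, a NUL byte, then the payload) and the "ll" prefix are assumptions about the njRAT 0.7d protocol; the beacon content is constructed, not captured, and nothing connects to the C2.

```python
"""Frame, de-frame and field-split njRAT-style C2 messages.

Added example, not code from the sample or the sandbox. The splitter and the
C2 address are the values extracted above; the wire framing (ASCII decimal
length, a NUL byte, then the payload) and the "ll" registration beacon are
assumptions about the njRAT 0.7d protocol, and the traffic below is
constructed, not captured.
"""
from __future__ import annotations

SPLITTER = "|'|'|"                          # "splitter" from the extracted config
C2_HOST, C2_PORT = "win08.zapto.org", 84    # from the extracted config; never contacted here


def frame(payload: bytes) -> bytes:
    """Wrap one message as b"<decimal length>\\x00<payload>" (assumed framing)."""
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def unframe(stream: bytes) -> tuple[list[bytes], bytes]:
    """Pull every complete message out of a byte stream.

    Returns (messages, leftover). A message cut short by a TCP read boundary
    stays in `leftover` until the rest arrives; a prefix that is not a decimal
    length stops parsing so garbage is not mis-framed as a message.
    """
    messages: list[bytes] = []
    while True:
        nul = stream.find(b"\x00")
        if nul <= 0 or not stream[:nul].isdigit():
            break                       # no (valid) length prefix yet
        start = nul + 1
        end = start + int(stream[:nul])
        if len(stream) < end:
            break                       # partial message, wait for more bytes
        messages.append(stream[start:end])
        stream = stream[end:]
    return messages, stream


def fields(message: bytes, splitter: str = SPLITTER) -> list[str]:
    """Split a message on the configured splitter."""
    return message.decode("utf-8", errors="replace").split(splitter)


def is_registration_beacon(message: bytes, splitter: str = SPLITTER) -> bool:
    """True for an "ll"-prefixed, splitter-delimited victim-info message.

    The "ll" prefix is what the ET rule name refers to; the minimum field
    count is a heuristic of this example, not part of the protocol.
    """
    parts = fields(message, splitter)
    return parts[0] == "ll" and len(parts) >= 5


# Constructed beacon: the campaign name and identifier come from the config
# above, the host details are invented.
SAMPLE_BEACON = SPLITTER.join([
    "ll",
    "HacKed_79627ac12211c58cdd3a218a06264901",
    "DESKTOP-TEST", "Admin", "21-09-08", "", "Win 10 Pro SP0 x64", "No", "0.7d", "..",
]).encode("utf-8")


def scan_stream(stream: bytes, splitter: str = SPLITTER) -> tuple[int, bytes]:
    """Count registration beacons in a stream; return (count, leftover bytes)."""
    messages, leftover = unframe(stream)
    return sum(is_registration_beacon(m, splitter) for m in messages), leftover


if __name__ == "__main__":
    # Two complete frames followed by one cut short, as a TCP read might deliver them.
    wire = frame(SAMPLE_BEACON) + frame(b"ll") + b"12\x00partial"
    count, leftover = scan_stream(wire)
    print(f"beacons={count} leftover={leftover!r}")
    for f in fields(unframe(wire)[0][0]):
        print("  ", f)
```

The de-framer keeps an incomplete trailing frame as leftover rather than discarding it, which is the case a stream reassembler has to get right; feeding a bare "ll" through shows why the beacon check looks at the field count and not just the prefix.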
Signatures

suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

Executes dropped EXE (1 IoC)
Process: contrasena.exe (PID 3960)

Modifies Windows Firewall (1 TTP)
Carried out through the netsh.exe command line shown in the process tree.

Drops startup file (2 IoCs)
Process: contrasena.exe
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79627ac12211c58cdd3a218a06264901.exe
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79627ac12211c58cdd3a218a06264901.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Process: contrasena.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\79627ac12211c58cdd3a218a06264901 = "\"C:\\Users\\Admin\\AppData\\Roaming\\contrasena.exe\" .."
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\79627ac12211c58cdd3a218a06264901 = "\"C:\\Users\\Admin\\AppData\\Roaming\\contrasena.exe\" .."
Both values point at the %AppData% copy with a trailing " .." argument. The machine-wide value lands under WOW6432Node because the implant is a 32-bit process (its netsh child also comes from SysWOW64), so the registry redirector maps the write there.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description labels this as likely ransomware behaviour, but nothing else in this report (no file encryption, no ransom note) supports that; for this sample it is better read as drive enumeration by the RAT.

Suspicious use of AdjustPrivilegeToken (33 IoCs)
Process: contrasena.exe (PID 3960)
- SeDebugPrivilege: 1 event
- privilege LUID 33 (not named in the report): 16 events
- SeIncBasePriorityPrivilege: 16 events
The LUID-33 and SeIncBasePriorityPrivilege adjustments alternate in 16 pairs after the single SeDebugPrivilege request.

Suspicious use of WriteProcessMemory (6 IoCs)
Source PID | Source process | Target PID | Target process | Writes
4000 | 08B2E926B95DD3A599AF3A697C3D9B1512586A2587AD0.exe | 3960 | contrasena.exe | 3
3960 | contrasena.exe | 3924 | netsh.exe | 3
Each group of writes coincides with a process launch in the tree below (the sample starts contrasena.exe, which starts netsh.exe).
Processes

C:\Users\Admin\AppData\Local\Temp\08B2E926B95DD3A599AF3A697C3D9B1512586A2587AD0.exe (PID 4000)
  command line: "C:\Users\Admin\AppData\Local\Temp\08B2E926B95DD3A599AF3A697C3D9B1512586A2587AD0.exe"
  - Suspicious use of WriteProcessMemory
  child: C:\Users\Admin\AppData\Roaming\contrasena.exe (PID 3960)
    command line: "C:\Users\Admin\AppData\Roaming\contrasena.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    child: C:\Windows\SysWOW64\netsh.exe (PID 3924)
      command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\contrasena.exe" "contrasena.exe" ENABLE
      - Modifies Windows Firewall
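The tree above is a compact persistence chain: a copy in %AppData%, a Startup-folder drop, Run values in both hives, and a netsh exception for the copy. The following is an added example, not code from the sandbox or the sample: hunting logic that runs the same three behaviours over constructed Sysmon-style events and correlates them per process. The paths, PIDs and registry values are the report's; the event layout is a simplified Sysmon shape, the OneDrive entry is an invented benign control, and the rule names are this example's own. The firewall rule also accepts the modern `netsh advfirewall firewall add rule` form, which this report does not show.

```python
"""Hunt for the persistence chain in this report over Sysmon-style events.

Added example, not code from the sandbox or the sample. The event records are
constructed to mirror the report's IoCs (paths, PIDs and registry values are
the report's; the event shape is a simplified Sysmon layout, and the OneDrive
entry is an invented benign control).
"""
from __future__ import annotations
import re

# Sysmon event IDs used: 1 = process create, 11 = file create, 13 = registry value set.
COPY = r"C:\Users\Admin\AppData\Roaming\contrasena.exe"
RUN_HKU = (r"\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000"
           r"\Software\Microsoft\Windows\CurrentVersion\Run\79627ac12211c58cdd3a218a06264901")
RUN_HKLM = (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"
            r"\79627ac12211c58cdd3a218a06264901")
STARTUP = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
           r"\79627ac12211c58cdd3a218a06264901.exe")

EVENTS = [
    {"id": 1, "pid": 3960, "ppid": 4000, "image": COPY, "cmdline": f'"{COPY}"'},
    {"id": 11, "pid": 3960, "image": COPY, "target": STARTUP},
    {"id": 13, "pid": 3960, "image": COPY, "target": RUN_HKU, "details": f'"{COPY}" ..'},
    {"id": 13, "pid": 3960, "image": COPY, "target": RUN_HKLM, "details": f'"{COPY}" ..'},
    {"id": 1, "pid": 3924, "ppid": 3960, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": f'netsh firewall add allowedprogram "{COPY}" "contrasena.exe" ENABLE'},
    # Constructed benign control: a Run value pointing into Program Files.
    {"id": 13, "pid": 5120, "image": r"C:\Program Files\Microsoft OneDrive\OneDriveSetup.exe",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
]

# Locations an unprivileged user can write to; a Run value or firewall
# exception pointing here is the signal, not the Run key or netsh by itself.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Temp\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# Legacy "firewall add allowedprogram" (as in this report) or the modern
# "advfirewall firewall add rule" form.
FIREWALL_ALLOW = re.compile(
    r"^\s*netsh(?:\.exe)?\s+(?:firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule)\b",
    re.I)

FIREWALL_EXCEPTION = "firewall_exception"   # ATT&CK T1562.004
RUN_KEY_PERSIST = "run_key"                 # ATT&CK T1547.001
STARTUP_DROP = "startup_drop"               # ATT&CK T1547.001


def hunt(events: list[dict]) -> list[tuple[str, int, str]]:
    """Return (rule, responsible pid, evidence) for every event that fires a rule.

    The netsh finding is charged to the parent that spawned netsh, since that
    is the process adding itself to the firewall allow-list.
    """
    findings = []
    for e in events:
        if e["id"] == 1 and FIREWALL_ALLOW.search(e["cmdline"]) and USER_WRITABLE.search(e["cmdline"]):
            findings.append((FIREWALL_EXCEPTION, e["ppid"], e["cmdline"]))
        elif e["id"] == 13 and RUN_KEY.search(e["target"]) and USER_WRITABLE.search(e["details"]):
            findings.append((RUN_KEY_PERSIST, e["pid"], e["target"]))
        elif e["id"] == 11 and STARTUP_DIR.search(e["target"]):
            findings.append((STARTUP_DROP, e["pid"], e["target"]))
    return findings


def correlate(findings: list[tuple[str, int, str]]) -> dict[int, set[str]]:
    """Map pid -> rules fired; keep only pids showing the whole chain from this report."""
    by_pid: dict[int, set[str]] = {}
    for rule, pid, _ in findings:
        by_pid.setdefault(pid, set()).add(rule)
    chain = {FIREWALL_EXCEPTION, RUN_KEY_PERSIST, STARTUP_DROP}
    return {pid: rules for pid, rules in by_pid.items() if rules >= chain}


if __name__ == "__main__":
    found = hunt(EVENTS)
    for rule, pid, evidence in found:
        print(f"{rule:<20} pid={pid} {evidence}")
    print("chain matched:", correlate(found))
```

Each rule alone is noisy (installers add Run values and firewall rules all day); requiring the target to live in a user-writable directory, and then requiring all three behaviours from one process, is what turns the report's individual signatures into a usable detection.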
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Roaming\contrasena.exe
MD5: 755bd609b015768d247077ccbf2a407a
SHA1: 3484d468c4bda04f6c370118d03ab3ee5d1c43d0
SHA256: 08b2e926b95dd3a599af3a697c3d9b1512586a2587ad08d56b0ee4256fd33db1
SHA512: cbe706d7daf9167112257761085bc5fab214dae27a6637c1b9dcbdd6d539e7893a049c4c7a1c457cd668e14dc03b0352c4311918d8cf19cf4973da4ccdddc3c2
All four hashes match the submitted sample, so contrasena.exe is a byte-for-byte copy of the original into %AppData%, not a separately unpacked payload.
-
memory/3924-120-0x0000000000000000-mapping.dmp
memory/3960-116-0x0000000000000000-mapping.dmp
memory/3960-119-0x0000000003020000-0x0000000003021000-memory.dmp (4KB)
memory/4000-115-0x0000000000C80000-0x0000000000C81000-memory.dmp (4KB)