Analysis

max time kernel: 138s
max time network: 139s
platform: windows7_x64
resource: win7-en
submitted: 14-09-2021 23:52

Static task: static1
Behavioral task: behavioral1
  Sample: 2EB88BA0EC82B9BE5DEF15BFD603EBFB764089EC2B14D.exe
  Resource: win7-en
Behavioral task: behavioral2
  Sample: 2EB88BA0EC82B9BE5DEF15BFD603EBFB764089EC2B14D.exe
  Resource: win10v20210408
General

Target: 2EB88BA0EC82B9BE5DEF15BFD603EBFB764089EC2B14D.exe
Size: 40KB
MD5: 1e59602b94507836f0fddb82d8c7ac04
SHA1: 1374bfc9639ae6583e79eb3cbd120a890dc3cb6b
SHA256: 2eb88ba0ec82b9be5def15bfd603ebfb764089ec2b14d2272feedc7b34630a01
SHA512: 8e103f07aad5fc7fc6e1238ebccb450f21d822e3a1eddcf061dd60c9b26eb86023770050fe9ae83f8dd1d31172bcb6208f3742d3d33958dac01481356a2610ed
Malware Config
Signatures

suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Remote Desktop)
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Remote Desktop)

Executes dropped EXE (1 IoC)
  PID 1632  ccleaner.exe

Modifies Windows Firewall (1 TTP)
  (the two netsh invocations are listed under Processes)

Adds Run key to start application (2 TTPs, 2 IoCs)
  ccleaner.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Windows\CurrentVersion\Run\120f7699ed5fd0a293b307d4bfc80aa2 = "\"C:\\ProgramData\\ccleaner.exe\" .."
  ccleaner.exe  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\120f7699ed5fd0a293b307d4bfc80aa2 = "\"C:\\ProgramData\\ccleaner.exe\" .."
  The same value name is written to both the user (HKCU) and the machine (HKLM) Run keys, each pointing at the copy in C:\ProgramData with a trailing " .." argument. The HKLM write only succeeds because the sample ran with administrative rights.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  (This is the sandbox's generic description for the signature. Nothing else in this report shows file encryption; drive enumeration is also ordinary file-manager behaviour for a RAT.)

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (17 IoCs)
  PID 1632  ccleaner.exe  Token: SeDebugPrivilege  (1x)
  PID 1632  ccleaner.exe  Token: 33  (8x; privilege LUID 33 is SeIncreaseWorkingSetPrivilege)
  PID 1632  ccleaner.exe  Token: SeIncBasePriorityPrivilege  (8x)
  In the raw log the 33 / SeIncBasePriorityPrivilege entries alternate in pairs after the single SeDebugPrivilege adjustment.

Suspicious use of WriteProcessMemory (15 IoCs)
  PID 1960 (2EB88BA0EC82B9BE5DEF15BFD603EBFB764089EC2B14D.exe) wrote to memory of PID 1632 (ccleaner.exe)  (3x)
  PID 1632 (ccleaner.exe) wrote to memory of PID 568 (netsh.exe)  (3x)
  PID 1632 (ccleaner.exe) wrote to memory of PID 1548 (netsh.exe)  (3x)
  PID 1632 (ccleaner.exe) wrote to memory of PID 1504 (cmd.exe)  (3x)
  PID 1504 (cmd.exe) wrote to memory of PID 1728 (PING.EXE)  (3x)
  Every target is a direct child the writer has just spawned (see Processes), so these are the writes that accompany process creation, not injection into an unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\2EB88BA0EC82B9BE5DEF15BFD603EBFB764089EC2B14D.exe  (PID 1960)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\2EB88BA0EC82B9BE5DEF15BFD603EBFB764089EC2B14D.exe"
  - Suspicious use of WriteProcessMemory

  C:\ProgramData\ccleaner.exe  (PID 1632, child of 1960)
    cmdline: "C:\ProgramData\ccleaner.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\netsh.exe  (PID 568, child of 1632)
      cmdline: netsh firewall add allowedprogram "C:\ProgramData\ccleaner.exe" "ccleaner.exe" ENABLE

    C:\Windows\system32\netsh.exe  (PID 1548, child of 1632)
      cmdline: netsh firewall delete allowedprogram "C:\ProgramData\ccleaner.exe"

    C:\Windows\system32\cmd.exe  (PID 1504, child of 1632)
      cmdline: cmd.exe /c ping 0 -n 2 & del "C:\ProgramData\ccleaner.exe"
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\PING.EXE  (PID 1728, child of 1504)
        cmdline: ping 0 -n 2
        - Runs ping.exe

The tree captures both halves of the sample's lifecycle: the copy in C:\ProgramData first adds a Windows Firewall exception for itself (legacy "netsh firewall" syntax, still accepted on Windows 7), and then removes that exception and deletes its own file. The "ping 0 -n 2" is not reconnaissance; it is a short delay that gives the parent time to exit so the del that follows it succeeds.
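As an added example (not part of the sandbox report and not code from the sample), this is the detection logic a SOC engineer might run over process-creation and registry telemetry to catch the three behaviours the tree above shows: the netsh firewall exception, the Run-key persistence with a 32-hex value name and trailing " ..", and the ping-then-del self-deletion. The input records are constructed from the command lines and PIDs in this report; the dropper's own parent PID (1000) is a placeholder, and the registry hives are written as HKCU/HKLM shorthand rather than the \REGISTRY\... paths. The "netsh advfirewall firewall add rule" form is a generalisation beyond what this report shows.

```python
import re

# Constructed process-creation records modelled on the process tree in the
# report (pid/ppid from the WriteProcessMemory table). Hand-built sample
# input, not telemetry exported from the sandbox. ppid 1000 is a placeholder.
SAMPLE_PROC_EVENTS = [
    {"pid": 1960, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\2EB88BA0EC82B9BE5DEF15BFD603EBFB764089EC2B14D.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\2EB88BA0EC82B9BE5DEF15BFD603EBFB764089EC2B14D.exe"'},
    {"pid": 1632, "ppid": 1960, "image": r"C:\ProgramData\ccleaner.exe",
     "cmdline": r'"C:\ProgramData\ccleaner.exe"'},
    {"pid": 568, "ppid": 1632, "image": r"C:\Windows\system32\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\ProgramData\ccleaner.exe" "ccleaner.exe" ENABLE'},
    {"pid": 1548, "ppid": 1632, "image": r"C:\Windows\system32\netsh.exe",
     "cmdline": r'netsh firewall delete allowedprogram "C:\ProgramData\ccleaner.exe"'},
    {"pid": 1504, "ppid": 1632, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'cmd.exe /c ping 0 -n 2 & del "C:\ProgramData\ccleaner.exe"'},
    {"pid": 1728, "ppid": 1504, "image": r"C:\Windows\system32\PING.EXE",
     "cmdline": "ping 0 -n 2"},
]

# Constructed registry-set records modelled on the two Run-key IoCs in the
# report, with HKCU/HKLM shorthand instead of the \REGISTRY\... paths.
SAMPLE_REG_EVENTS = [
    {"pid": 1632,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\120f7699ed5fd0a293b307d4bfc80aa2",
     "value": r'"C:\ProgramData\ccleaner.exe" ..'},
    {"pid": 1632,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\120f7699ed5fd0a293b307d4bfc80aa2",
     "value": r'"C:\ProgramData\ccleaner.exe" ..'},
]

HEX32 = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
USER_WRITABLE_DIRS = ("\\programdata\\", "\\appdata\\", "\\temp\\")
FW_LEGACY = re.compile(r'\bfirewall\s+(add|delete)\s+allowedprogram\s+"?([^"]+?)"?(?:\s|$)', re.IGNORECASE)
FW_ADVANCED = re.compile(r"\badvfirewall\s+firewall\s+add\s+rule\b", re.IGNORECASE)
FW_ADVANCED_PROGRAM = re.compile(r'program=(?:"([^"]+)"|(\S+))', re.IGNORECASE)
DEL_TARGET = re.compile(r'\bdel\s+"?([^"&]+?)"?\s*(?:&|$)', re.IGNORECASE)


def image_name(ev):
    """Lower-cased file name of the process image."""
    return ev["image"].rsplit("\\", 1)[-1].lower()


def detect_firewall_exception(ev):
    """netsh adding or removing a per-program Windows Firewall exception.
    Matches the legacy 'netsh firewall <add|delete> allowedprogram' form seen
    in the report and, as a generalisation, 'netsh advfirewall firewall add rule'.
    Returns (rule, pid, action, program) or None."""
    if image_name(ev) != "netsh.exe":
        return None
    cmd = ev["cmdline"]
    m = FW_LEGACY.search(cmd)
    if m:
        return ("firewall_exception", ev["pid"], m.group(1).lower(), m.group(2))
    if FW_ADVANCED.search(cmd):
        p = FW_ADVANCED_PROGRAM.search(cmd)
        program = (p.group(1) or p.group(2)) if p else cmd
        return ("firewall_exception", ev["pid"], "add", program)
    return None


def detect_self_delete(ev, by_pid):
    """cmd.exe child that pauses with ping and then deletes its own parent's
    image: the 'cmd /c ping 0 -n 2 & del <self>' idiom in the process tree.
    Only fires when the del target is the parent's image, so a cmd that
    deletes some other file is not flagged."""
    if image_name(ev) != "cmd.exe":
        return None
    cmd = ev["cmdline"]
    if not re.search(r"\bping\b", cmd, re.IGNORECASE):
        return None
    m = DEL_TARGET.search(cmd)
    if not m:
        return None
    target = m.group(1).strip()
    parent = by_pid.get(ev["ppid"])
    if parent is not None and parent["image"].lower() == target.lower():
        return ("self_delete", ev["pid"], parent["image"])
    return None


def detect_run_key_persistence(rev):
    """Run-key value whose target lives in a user-writable directory. Also
    records the two traits visible in the report's IoCs: a 32-hex-character
    value name and the trailing ' ..' argument appended to the command."""
    key = rev["key"]
    if "\\currentversion\\run\\" not in key.lower():
        return None
    value = rev["value"]
    if not any(d in value.lower() for d in USER_WRITABLE_DIRS):
        return None
    hive, _, rest = key.partition("\\")
    name = rest.rsplit("\\", 1)[-1]
    traits = []
    if HEX32.match(name):
        traits.append("hex32_value_name")
    if value.rstrip().endswith(" .."):
        traits.append("trailing_dotdot_arg")
    return ("run_key_persistence", rev["pid"], hive, traits)


def run_detections(proc_events, reg_events):
    """Apply the three rules and return the findings in event order."""
    by_pid = {e["pid"]: e for e in proc_events}
    findings = []
    for ev in proc_events:
        for hit in (detect_firewall_exception(ev), detect_self_delete(ev, by_pid)):
            if hit is not None:
                findings.append(hit)
    for rev in reg_events:
        hit = detect_run_key_persistence(rev)
        if hit is not None:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in run_detections(SAMPLE_PROC_EVENTS, SAMPLE_REG_EVENTS):
        print(finding)
```

Run against the constructed records this yields five findings: the firewall exception being added (PID 568) and removed (PID 1548), the self-deletion by PID 1504 of C:\ProgramData\ccleaner.exe, and the HKCU and HKLM Run-key writes, both carrying the hex32 name and trailing " .." traits. The parent-image check in detect_self_delete is what separates this idiom from a benign cleanup script; the firewall rule reports the delete as well as the add because the removal is part of the same uninstall sequence.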
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\ProgramData\ccleaner.exe
  MD5: 1e59602b94507836f0fddb82d8c7ac04
  SHA1: 1374bfc9639ae6583e79eb3cbd120a890dc3cb6b
  SHA256: 2eb88ba0ec82b9be5def15bfd603ebfb764089ec2b14d2272feedc7b34630a01
  SHA512: 8e103f07aad5fc7fc6e1238ebccb450f21d822e3a1eddcf061dd60c9b26eb86023770050fe9ae83f8dd1d31172bcb6208f3742d3d33958dac01481356a2610ed
  (listed once per behavioral task in the original report)
  The hashes are identical to the submitted sample: the "dropped" file is a byte-for-byte copy of the original written to C:\ProgramData as ccleaner.exe, not a second-stage payload. A hash match on either the original or the copy therefore covers both.
Memory dumps (name format: memory/<pid>-<sequence>-<start>-<end>-memory.dmp; the mapping.dmp entries carry no region size)

memory/568-60-0x0000000000000000-mapping.dmp
memory/568-61-0x000007FEFC161000-0x000007FEFC163000-memory.dmp  (8KB)
memory/1504-64-0x0000000000000000-mapping.dmp
memory/1548-63-0x0000000000000000-mapping.dmp
memory/1632-59-0x0000000000AD0000-0x0000000000AD2000-memory.dmp  (8KB)
memory/1632-58-0x000007FEEDBB0000-0x000007FEEEC46000-memory.dmp  (16.6MB)
memory/1632-62-0x0000000000AD6000-0x0000000000AF5000-memory.dmp  (124KB)
memory/1632-55-0x0000000000000000-mapping.dmp
memory/1728-66-0x0000000000000000-mapping.dmp
memory/1960-53-0x000007FEF2930000-0x000007FEF39C6000-memory.dmp  (16.6MB)
memory/1960-54-0x00000000020F0000-0x00000000020F2000-memory.dmp  (8KB)

The two 16.6MB regions in PID 1960 and PID 1632 span exactly the same number of bytes (0x1096000), consistent with the same image being mapped in the dropper and in its copy.