Analysis

Max time kernel: 70s
Max time network: 131s
Platform: windows10_x64
Resource: win10v20210408
Submitted: 14-09-2021 23:52
Static task: static1

Behavioral task: behavioral1
  Sample: 2EB88BA0EC82B9BE5DEF15BFD603EBFB764089EC2B14D.exe
  Resource: win7-en

Behavioral task: behavioral2
  Sample: 2EB88BA0EC82B9BE5DEF15BFD603EBFB764089EC2B14D.exe
  Resource: win10v20210408

The results on this page are from the win10v20210408 run (behavioral2), as the Platform/Resource header above shows.
General

Target: 2EB88BA0EC82B9BE5DEF15BFD603EBFB764089EC2B14D.exe
Size: 40KB
MD5: 1e59602b94507836f0fddb82d8c7ac04
SHA1: 1374bfc9639ae6583e79eb3cbd120a890dc3cb6b
SHA256: 2eb88ba0ec82b9be5def15bfd603ebfb764089ec2b14d2272feedc7b34630a01
SHA512: 8e103f07aad5fc7fc6e1238ebccb450f21d822e3a1eddcf061dd60c9b26eb86023770050fe9ae83f8dd1d31172bcb6208f3742d3d33958dac01481356a2610ed
Malware Config
Signatures

Suricata alerts (each rule fired twice in the run; listed once here):
  - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
  - ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)
  - ET MALWARE njrat ver 0.7d Malware CnC Callback (Remote Desktop)
  - ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Remote Desktop)
Executes dropped EXE (1 IoC)
  Process: ccleaner.exe (pid 3024)

Modifies Windows Firewall (1 TTP)
  See the netsh.exe command lines in the process tree below.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: ccleaner.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\120f7699ed5fd0a293b307d4bfc80aa2 = "\"C:\\ProgramData\\ccleaner.exe\" .."
  Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\120f7699ed5fd0a293b307d4bfc80aa2 = "\"C:\\ProgramData\\ccleaner.exe\" .."
  The same value name (a 32-hex-character identifier) is written under both HKLM and the user's HKCU hive, with the dropped copy's path followed by the " .." argument.
Enumerates physical storage devices (1 TTP)
  Sandbox description: "Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour." That wording is the generic text for this signature; nothing else in this report (no file writes beyond the dropped copy, no encryption activity) supports a ransomware reading for this sample.

Runs ping.exe (1 TTP, 1 IoC)
  See PING.EXE (pid 3640) in the process tree below.
Suspicious use of AdjustPrivilegeToken (13 IoCs)
  Process: ccleaner.exe (pid 3024)
    Token: SeDebugPrivilege (1x)
    Token: 33 (6x; the sandbox reports this privilege by LUID only, unresolved)
    Token: SeIncBasePriorityPrivilege (6x)
  The 33 / SeIncBasePriorityPrivilege pair is enabled six times in alternation after the single SeDebugPrivilege request.

Suspicious use of WriteProcessMemory (10 IoCs)
  Processes: 2EB88BA0EC82B9BE5DEF15BFD603EBFB764089EC2B14D.exe, ccleaner.exe, cmd.exe
    PID 3728 (2EB88BA0EC82B9BE5DEF15BFD603EBFB764089EC2B14D.exe) wrote to memory of 3024 (ccleaner.exe)  x2
    PID 3024 (ccleaner.exe) wrote to memory of 1592 (netsh.exe)  x2
    PID 3024 (ccleaner.exe) wrote to memory of 748 (netsh.exe)  x2
    PID 3024 (ccleaner.exe) wrote to memory of 696 (cmd.exe)  x2
    PID 696 (cmd.exe) wrote to memory of 3640 (PING.EXE)  x2
  Every pair lines up with a parent spawning the child shown in the process tree; the report records no write into a process the sample did not itself create, so there is no evidence here of injection into an unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\2EB88BA0EC82B9BE5DEF15BFD603EBFB764089EC2B14D.exe  (pid 3728)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\2EB88BA0EC82B9BE5DEF15BFD603EBFB764089EC2B14D.exe"
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\ProgramData\ccleaner.exe  (pid 3024)
        cmdline: "C:\ProgramData\ccleaner.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        |
        +-- C:\Windows\SYSTEM32\netsh.exe  (pid 1592)
        |     cmdline: netsh firewall add allowedprogram "C:\ProgramData\ccleaner.exe" "ccleaner.exe" ENABLE
        |
        +-- C:\Windows\SYSTEM32\netsh.exe  (pid 748)
        |     cmdline: netsh firewall delete allowedprogram "C:\ProgramData\ccleaner.exe"
        |
        +-- C:\Windows\SYSTEM32\cmd.exe  (pid 696)
              cmdline: cmd.exe /c ping 0 -n 2 & del "C:\ProgramData\ccleaner.exe"
              - Suspicious use of WriteProcessMemory
              |
              +-- C:\Windows\system32\PING.EXE  (pid 3640)
                    cmdline: ping 0 -n 2
                    - Runs ping.exe

Reading the tree: the submitted sample copies itself to C:\ProgramData\ccleaner.exe (the Downloads section below shows identical hashes) and runs the copy. The copy registers itself for autostart, opens a firewall exception for its own path with the legacy "netsh firewall" context, then removes that exception again and schedules its own deletion: "ping 0 -n 2" is a short delay so that "del" runs after the parent has exited. Detection keyed only on "netsh advfirewall" would miss the firewall change seen here.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\ProgramData\ccleaner.exe
  MD5: 1e59602b94507836f0fddb82d8c7ac04
  SHA1: 1374bfc9639ae6583e79eb3cbd120a890dc3cb6b
  SHA256: 2eb88ba0ec82b9be5def15bfd603ebfb764089ec2b14d2272feedc7b34630a01
  SHA512: 8e103f07aad5fc7fc6e1238ebccb450f21d822e3a1eddcf061dd60c9b26eb86023770050fe9ae83f8dd1d31172bcb6208f3742d3d33958dac01481356a2610ed
  (The report lists this file twice with identical hashes; it is a byte-for-byte copy of the submitted sample, so the General section hashes above also identify the dropped file.)
Memory dumps

memory/696-122-0x0000000000000000-mapping.dmp
memory/748-121-0x0000000000000000-mapping.dmp
memory/1592-119-0x0000000000000000-mapping.dmp
memory/3024-115-0x0000000000000000-mapping.dmp
memory/3024-118-0x0000000002C40000-0x0000000002C42000-memory.dmp  (8KB)
memory/3024-120-0x0000000002C44000-0x0000000002C45000-memory.dmp  (4KB)
memory/3640-123-0x0000000000000000-mapping.dmp
memory/3728-114-0x00000000005F0000-0x00000000005F2000-memory.dmp  (8KB)