Analysis
- max time kernel: 151s
- max time network: 151s
- platform: windows7_x64
- resource: win7-en
- submitted: 15-09-2021 19:11

Behavioral task: behavioral1
Sample: 93FE344BD0960DFBFCE8FD9C20127D1C75EC414E7A72B.exe
Resource: win7-en
General
- Target: 93FE344BD0960DFBFCE8FD9C20127D1C75EC414E7A72B.exe
- Size: 23KB
- MD5: 37799e802b833bad50ef3267e495059c
- SHA1: 6df1d946f3c0f81e0029546f15fa49b34c6af587
- SHA256: 93fe344bd0960dfbfce8fd9c20127d1c75ec414e7a72b2e41fac998c7594327b
- SHA512: 95d5bb9968e7631052cc7ded5b7b9117b406ef05f25b85ca24e0e66176d44a201a462c6458d7f579b2f31bcfd8db0f1895b1d972ca589919ff942ad4b9c35bfa
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: Windows
- C2: dr-mesho.ddns.net:5552
- Mutex: 999006ebf1e2e9a7848a18a5a49cb936
- Attributes:
  - reg_key: 999006ebf1e2e9a7848a18a5a49cb936
  - splitter: |'|'|
Signatures
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
- Executes dropped EXE (1 IoCs)
  Processes: codec.exe
    pid   process
    1808  codec.exe
- Modifies Windows Firewall (1 TTPs)
- Loads dropped DLL (1 IoCs)
  Processes: 93FE344BD0960DFBFCE8FD9C20127D1C75EC414E7A72B.exe
    pid   process
    1696  93FE344BD0960DFBFCE8FD9C20127D1C75EC414E7A72B.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: codec.exe
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Windows\CurrentVersion\Run\999006ebf1e2e9a7848a18a5a49cb936 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\codec.exe\" .."
    process: codec.exe

    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\999006ebf1e2e9a7848a18a5a49cb936 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\codec.exe\" .."
    process: codec.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (31 IoCs)
  Processes: codec.exe
    description                        pid   process
    Token: SeDebugPrivilege            1808  codec.exe
    Token: 33                          1808  codec.exe
    Token: SeIncBasePriorityPrivilege  1808  codec.exe
    (the last two rows alternate and repeat 15 times each, for 31 entries in total)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: 93FE344BD0960DFBFCE8FD9C20127D1C75EC414E7A72B.exe, codec.exe
    description                       pid   process                                             target process
    PID 1696 wrote to memory of 1808  1696  93FE344BD0960DFBFCE8FD9C20127D1C75EC414E7A72B.exe  codec.exe   (4 entries)
    PID 1808 wrote to memory of 888   1808  codec.exe                                           netsh.exe   (4 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\93FE344BD0960DFBFCE8FD9C20127D1C75EC414E7A72B.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\93FE344BD0960DFBFCE8FD9C20127D1C75EC414E7A72B.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\codec.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\codec.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\codec.exe" "codec.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\codec.exe
  MD5: 37799e802b833bad50ef3267e495059c
  SHA1: 6df1d946f3c0f81e0029546f15fa49b34c6af587
  SHA256: 93fe344bd0960dfbfce8fd9c20127d1c75ec414e7a72b2e41fac998c7594327b
  SHA512: 95d5bb9968e7631052cc7ded5b7b9117b406ef05f25b85ca24e0e66176d44a201a462c6458d7f579b2f31bcfd8db0f1895b1d972ca589919ff942ad4b9c35bfa
- \Users\Admin\AppData\Local\Temp\codec.exe
  MD5: 37799e802b833bad50ef3267e495059c
  SHA1: 6df1d946f3c0f81e0029546f15fa49b34c6af587
  SHA256: 93fe344bd0960dfbfce8fd9c20127d1c75ec414e7a72b2e41fac998c7594327b
  SHA512: 95d5bb9968e7631052cc7ded5b7b9117b406ef05f25b85ca24e0e66176d44a201a462c6458d7f579b2f31bcfd8db0f1895b1d972ca589919ff942ad4b9c35bfa
- memory/888-61-0x0000000000000000-mapping.dmp
- memory/1696-53-0x0000000075641000-0x0000000075643000-memory.dmp
  Filesize: 8KB
- memory/1696-54-0x0000000000170000-0x0000000000171000-memory.dmp
  Filesize: 4KB
- memory/1808-56-0x0000000000000000-mapping.dmp
- memory/1808-60-0x00000000003D0000-0x00000000003D1000-memory.dmp
  Filesize: 4KB