Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10_x64
- resource: win10-en
- submitted: 15-09-2021 19:11

Behavioral task: behavioral1
- Sample: 93FE344BD0960DFBFCE8FD9C20127D1C75EC414E7A72B.exe
- Resource: win7-en

General
- Target: 93FE344BD0960DFBFCE8FD9C20127D1C75EC414E7A72B.exe
- Size: 23KB
- MD5: 37799e802b833bad50ef3267e495059c
- SHA1: 6df1d946f3c0f81e0029546f15fa49b34c6af587
- SHA256: 93fe344bd0960dfbfce8fd9c20127d1c75ec414e7a72b2e41fac998c7594327b
- SHA512: 95d5bb9968e7631052cc7ded5b7b9117b406ef05f25b85ca24e0e66176d44a201a462c6458d7f579b2f31bcfd8db0f1895b1d972ca589919ff942ad4b9c35bfa
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet (campaign ID): Windows
- C2: dr-mesho.ddns.net:5552
- Mutex: 999006ebf1e2e9a7848a18a5a49cb936
- reg_key: 999006ebf1e2e9a7848a18a5a49cb936
- splitter: |'|'|

The mutex and reg_key are the same string, as is usual for njRAT: the one value serves as the mutex name and as the Run value name (see the registry IoCs below). The splitter is the field delimiter of its C2 protocol. The C2 is a dynamic-DNS hostname, so hunt on the name and resolve it at hunt time rather than pinning a single IP.
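The splitter and C2 above determine how this build frames its traffic, and the Suricata rule name below ("... CnC Activity (ll)") refers to the "ll" registration command. The following Python is an added example, not code from this report or from njRAT itself: it parses njRAT-style length-prefixed frames using the extracted splitter, recognises the "ll" registration frame and decodes its campaign tag. The framing (decimal byte length, NUL, payload; fields separated by the splitter; command in field 0; "ll" as the first message after connect; field 1 as base64(campaign) + "_" + serial) follows public analyses of njRAT 0.7d, but the meaning of the later fields is assumed and the beacon is constructed for illustration, not captured traffic.

```python
import base64

# Values taken from the extracted config above.
SPLITTER = "|'|'|"
C2 = ("dr-mesho.ddns.net", 5552)


def build_frame(fields, splitter=SPLITTER):
    """Encode a field list as one njRAT-style frame: b"<len>\\x00<payload>"."""
    payload = splitter.join(fields).encode("utf-8")
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def parse_frames(stream, splitter=SPLITTER):
    """Split a TCP byte stream into frames and each frame into fields.

    Returns a list of field lists. Stops (rather than raising) at the first
    run of bytes that is not a decimal length prefix, or at a truncated
    frame, so a partial capture yields the complete frames seen so far.
    """
    frames, pos = [], 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1 or not stream[pos:nul].isdigit():
            break                               # not njRAT framing
        length = int(stream[pos:nul])
        body = stream[nul + 1:nul + 1 + length]
        if len(body) < length:
            break                               # truncated frame
        frames.append(body.decode("utf-8", "replace").split(splitter))
        pos = nul + 1 + length
    return frames


def is_registration(fields):
    """True for the 'll' registration frame (the command is always field 0)."""
    return len(fields) > 1 and fields[0] == "ll"


def campaign_id(fields):
    """Decode the campaign tag from field 1 of an 'll' frame.

    ASSUMPTION (consistent with public 0.7d write-ups): field 1 is
    base64(campaign) + "_" + volume serial. Falls back to the raw field
    when it is not valid base64.
    """
    raw = fields[1].split("_", 1)[0]
    try:
        padded = raw + "=" * (-len(raw) % 4)
        return base64.b64decode(padded, validate=True).decode("utf-8", "replace")
    except ValueError:          # binascii.Error is a ValueError subclass
        return raw


def flag_stream(stream, dst, splitter=SPLITTER):
    """Suricata-like verdict for one stream: 'll' registration and/or known C2."""
    frames = parse_frames(stream, splitter)
    reg = [f for f in frames if is_registration(f)]
    return {
        "to_known_c2": tuple(dst) == C2,
        "registration_seen": bool(reg),
        "campaign": campaign_id(reg[0]) if reg else None,
        "frames": len(frames),
    }


# Constructed beacon (not captured traffic). "V2luZG93cw==" is base64("Windows"),
# the campaign ID from the config; the fields after it are illustrative only.
SAMPLE_BEACON = build_frame(["ll", "V2luZG93cw==_1A2B3C4D", "DESKTOP-TEST", "Admin",
                             "21-09-15", "", "Win 10 Pro SP0 x64", "No", "0.7d",
                             "..", "", ""])

if __name__ == "__main__":
    print(flag_stream(SAMPLE_BEACON, C2))
```

Because the splitter is per-build configuration, a detection keyed only on the literal `|'|'|` misses samples whose operator changed it; keying on the framing (decimal length, NUL, short command word) is more robust, and the extracted splitter can then be used to confirm the family.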
Signatures
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) (2 alerts)
- Executes dropped EXE (1 IoC)
  Process: pid 3144 codec.exe
- Modifies Windows Firewall (1 TTP)
  See the netsh.exe command line under Processes.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process codec.exe, set value (str):
  \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\999006ebf1e2e9a7848a18a5a49cb936 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\codec.exe\" .."
  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\999006ebf1e2e9a7848a18a5a49cb936 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\codec.exe\" .."
  The value name is the configured reg_key. The machine-wide entry lands under WOW6432Node because the 32-bit process's write to HKLM\SOFTWARE is redirected on x64; it only succeeds when the process runs with rights to write HKLM (the sandbox user is an administrator), whereas the HKCU entry alone is enough to persist for that user. The trailing " .." argument on the Run value is characteristic of njRAT and a useful hunting string.
- Enumerates physical storage devices (1 TTP)
  Sandbox heuristic text: "Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour." For njRAT this drive enumeration belongs to its removable-drive spreading routine, not to file encryption; treat the ransomware label as a generic heuristic, not a finding.
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Process codec.exe (pid 3144): SeDebugPrivilege once, followed by 17 repetitions of the pair Token 33 / SeIncBasePriorityPrivilege (LUID 33 is SeIncreaseWorkingSetPrivilege). The SeDebugPrivilege request is the interesting one; the repeated priority/working-set pair is what a .NET process produces when it adjusts its own priority and is not by itself suspicious.
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 3980 (93FE344BD0960DFBFCE8FD9C20127D1C75EC414E7A72B.exe) wrote to memory of PID 3144 (codec.exe): 3 events
  PID 3144 (codec.exe) wrote to memory of PID 3792 (netsh.exe): 3 events
  Three writes into a freshly created child is the pattern of ordinary process creation (the parent populates the new process before it starts), not of injection; nothing here shows code being written into an unrelated process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\93FE344BD0960DFBFCE8FD9C20127D1C75EC414E7A72B.exe (pid 3980)
   command line: "C:\Users\Admin\AppData\Local\Temp\93FE344BD0960DFBFCE8FD9C20127D1C75EC414E7A72B.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\codec.exe (pid 3144)
      command line: "C:\Users\Admin\AppData\Local\Temp\codec.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe (pid 3792)
         command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\codec.exe" "codec.exe" ENABLE
         The legacy `netsh firewall` context (superseded by `netsh advfirewall`) is still accepted on Windows 10; because current software does not use it, `firewall add allowedprogram` pointing into a user's Temp directory is a high-signal hunting string.
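The process tree above is the whole persistence chain of this sample: a copy of itself dropped to %Temp%, a Run value named after reg_key pointing at that copy, and a netsh firewall exception for it. The following Python is an added example, not part of the report: detection logic over constructed Sysmon-style events (EventID 1 process creation and EventID 13 registry value set, as JSON lines with Sysmon's field names) that flags each link of that chain and leaves a benign Run value alone. The event contents are built from the IoCs on this page, not captured telemetry.

```python
import json
import re

# Constructed Sysmon-style events (EventID 1 = process create, 13 = registry
# value set), not telemetry from the report. The first three mirror the
# sandbox process tree; the fourth is a benign Run value for contrast.
SAMPLE_EVENTS = r'''
{"EventID": 1, "ProcessId": 3144, "ParentProcessId": 3980, "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\codec.exe", "ParentImage": "C:\\Users\\Admin\\AppData\\Local\\Temp\\93FE344BD0960DFBFCE8FD9C20127D1C75EC414E7A72B.exe", "CommandLine": "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\codec.exe\""}
{"EventID": 13, "ProcessId": 3144, "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\codec.exe", "TargetObject": "HKU\\S-1-5-21-2559286294-2439613352-4032193287-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\999006ebf1e2e9a7848a18a5a49cb936", "Details": "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\codec.exe\" .."}
{"EventID": 1, "ProcessId": 3792, "ParentProcessId": 3144, "Image": "C:\\Windows\\SysWOW64\\netsh.exe", "ParentImage": "C:\\Users\\Admin\\AppData\\Local\\Temp\\codec.exe", "CommandLine": "netsh firewall add allowedprogram \"C:\\Users\\Admin\\AppData\\Local\\Temp\\codec.exe\" \"codec.exe\" ENABLE"}
{"EventID": 13, "ProcessId": 5120, "Image": "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe", "TargetObject": "HKU\\S-1-5-21-2559286294-2439613352-4032193287-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive", "Details": "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"}
'''

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Matches Run values in any hive, including the WOW6432Node path seen above.
RUN_VALUE = re.compile(r"\\CurrentVersion\\Run\\([^\\]+)$", re.IGNORECASE)
# Shape of njRAT's reg_key / mutex string (32 hex chars).
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
ALLOWEDPROGRAM = re.compile(
    r'firewall\s+add\s+allowedprogram\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def load_events(text):
    """Parse JSON-lines telemetry into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def first_token(cmdline):
    """First quoted or bare token of a command line or Run value (the image path)."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmdline)
    return (m.group(1) or m.group(2)) if m else ""


def detect(events):
    """Return (rule, pid, detail) tuples for events matching the njRAT chain."""
    hits = []
    for ev in events:
        pid, image = ev.get("ProcessId"), ev.get("Image", "")
        if ev.get("EventID") == 13:
            m = RUN_VALUE.search(ev.get("TargetObject", ""))
            if not m:
                continue
            name, target = m.group(1), first_token(ev.get("Details", ""))
            in_temp = bool(TEMP_DIR.search(target))
            if in_temp or HEX32.match(name):
                why = "target in %Temp%" if in_temp else "32-hex value name"
                hits.append(("run_key_persistence", pid, f"{name} -> {target} ({why})"))
        elif ev.get("EventID") == 1:
            m = ALLOWEDPROGRAM.search(ev.get("CommandLine", ""))
            if image.lower().endswith("\\netsh.exe") and m:
                prog = m.group(1) or m.group(2)
                if TEMP_DIR.search(prog):
                    hits.append(("netsh_allow_temp_program", pid, prog))
            if TEMP_DIR.search(image) and TEMP_DIR.search(ev.get("ParentImage", "")):
                hits.append(("temp_exe_spawned_by_temp_exe", pid, image))
    return hits


if __name__ == "__main__":
    for hit in detect(load_events(SAMPLE_EVENTS)):
        print(hit)
```

The Run-value rule fires on either a Temp-directory target or the 32-hex value name, so it still catches a build whose reg_key was changed to something readable but which keeps the dropped copy in %Temp%, and vice versa; the benign OneDrive value trips neither condition.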
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\codec.exe
  MD5: 37799e802b833bad50ef3267e495059c
  SHA1: 6df1d946f3c0f81e0029546f15fa49b34c6af587
  SHA256: 93fe344bd0960dfbfce8fd9c20127d1c75ec414e7a72b2e41fac998c7594327b
  SHA512: 95d5bb9968e7631052cc7ded5b7b9117b406ef05f25b85ca24e0e66176d44a201a462c6458d7f579b2f31bcfd8db0f1895b1d972ca589919ff942ad4b9c35bfa
  (same hashes as the submitted sample: the dropped codec.exe is a byte-for-byte copy of the parent, so one hash set covers both artefacts)
- memory/3144-116-0x0000000000000000-mapping.dmp
- memory/3144-119-0x0000000002350000-0x0000000002351000-memory.dmp (4KB)
- memory/3792-120-0x0000000000000000-mapping.dmp
- memory/3980-115-0x0000000002C60000-0x0000000002C61000-memory.dmp (4KB)