Analysis

  • max time kernel
    150s
  • max time network
    157s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    15-09-2021 20:51

General

  • Target

    5881ED83EF800AC9CBC9E74C6A9E403521AFED344105E.exe

  • Size

    23KB

  • MD5

    40d8409cbbafe7fc7ee3132f00ad9423

  • SHA1

    849c0f16a80cc4c1acd1dfa875de31e028e2ecfc

  • SHA256

    5881ed83ef800ac9cbc9e74c6a9e403521afed344105ee157d66916e70ff63df

  • SHA512

    90d66e223935efa2ccba3b2bb5b2533bd0f33ea6def1057ff210bfca1f0235698a60949825b8e695d3d5e532aa672a72058e35389761534955c8e55246606684

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

mscode

C2

hotkey.ddns.net:5552

Mutex

2f547573b829f3eb843eb77706c321e3

Attributes
  • reg_key

    2f547573b829f3eb843eb77706c321e3

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 33 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5881ED83EF800AC9CBC9E74C6A9E403521AFED344105E.exe
    "C:\Users\Admin\AppData\Local\Temp\5881ED83EF800AC9CBC9E74C6A9E403521AFED344105E.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:664
    • C:\Users\Admin\AppData\Roaming\mscodec.exe
      "C:\Users\Admin\AppData\Roaming\mscodec.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:376
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\mscodec.exe" "mscodec.exe" ENABLE
        3⤵
          PID:2684

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Persistence

    Modify Existing Service

    1
    T1031

    Registry Run Keys / Startup Folder

    1
    T1060

    Defense Evasion

    Modify Registry

    1
    T1112

    Discovery

    System Information Discovery

    1
    T1082

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\mscodec.exe
      MD5

      40d8409cbbafe7fc7ee3132f00ad9423

      SHA1

      849c0f16a80cc4c1acd1dfa875de31e028e2ecfc

      SHA256

      5881ed83ef800ac9cbc9e74c6a9e403521afed344105ee157d66916e70ff63df

      SHA512

      90d66e223935efa2ccba3b2bb5b2533bd0f33ea6def1057ff210bfca1f0235698a60949825b8e695d3d5e532aa672a72058e35389761534955c8e55246606684

    • C:\Users\Admin\AppData\Roaming\mscodec.exe
      MD5

      40d8409cbbafe7fc7ee3132f00ad9423

      SHA1

      849c0f16a80cc4c1acd1dfa875de31e028e2ecfc

      SHA256

      5881ed83ef800ac9cbc9e74c6a9e403521afed344105ee157d66916e70ff63df

      SHA512

      90d66e223935efa2ccba3b2bb5b2533bd0f33ea6def1057ff210bfca1f0235698a60949825b8e695d3d5e532aa672a72058e35389761534955c8e55246606684

    • memory/376-115-0x0000000000000000-mapping.dmp
    • memory/376-118-0x0000000002ED0000-0x0000000002ED1000-memory.dmp
      Filesize

      4KB

    • memory/664-114-0x0000000002B40000-0x0000000002B41000-memory.dmp
      Filesize

      4KB

    • memory/2684-119-0x0000000000000000-mapping.dmp