6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe

General

Target: 6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe
Filesize: 82KB
Completed: 16-09-2021 14:04
Score: 10/10
MD5: 42f06a2dd04a0b84c019557cc07f0cb6
SHA1: 9f8b00c0cefd6e80ed813ac25b55b57e1289c724
SHA256: 6c8f0805290d03ab8fe1d2e21eaf62b80ab8677c430272f23dea52de6e4d8998

Malware Config

Extracted

Family: njrat
Version: 0.7 MultiHost
Botnet: 000000
C2: karmina112.sytes.net,karmina115.sytes.net,burdun.dynu.net,burdun115.dynu.net,anunankis3.duckdns.org:1177

Attributes

reg_key: 670b14728ad9902aecba32e22fa4f6bd
splitter: |'|'|
Signatures 10

Tactics: Defense Evasion, Discovery, Persistence
  • njRAT/Bladabindi

    Description

    Widely used RAT written in .NET.

  • suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

    Description

    suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
  • Executes dropped EXE
    svchost.exe, svchost.exe

    Reported IOCs

    pid | process
    1896 | svchost.exe
    1956 | svchost.exe
  • Drops startup file
    svchost.exe

    Reported IOCs

    description | ioc | process
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\670b14728ad9902aecba32e22fa4f6bd.exe | svchost.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\670b14728ad9902aecba32e22fa4f6bd.exe | svchost.exe
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CCleaner.lnk | svchost.exe
  • Loads dropped DLL
    6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe, svchost.exe, svchost.exe

    Reported IOCs

    pid | process
    1644 | 6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe
    1896 | svchost.exe
    1956 | svchost.exe
  • Adds Run key to start application
    svchost.exe

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Windows\CurrentVersion\Run\670b14728ad9902aecba32e22fa4f6bd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .." | svchost.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\670b14728ad9902aecba32e22fa4f6bd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .." | svchost.exe
  • Suspicious use of SetThreadContext
    6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe, svchost.exe

    Reported IOCs

    description | pid | process | target process
    PID 1092 set thread context of 1644 | 1092 | 6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe | 6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe
    PID 1896 set thread context of 1956 | 1896 | svchost.exe | svchost.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Suspicious use of AdjustPrivilegeToken
    svchost.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 1956 | svchost.exe
    Token: 33 | 1956 | svchost.exe
    Token: SeIncBasePriorityPrivilege | 1956 | svchost.exe
    (the pair of rows "Token: 33" / "Token: SeIncBasePriorityPrivilege" for PID 1956 is reported 17 times)
  • Suspicious use of WriteProcessMemory
    6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe, 6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe, svchost.exe

    Reported IOCs

    description | pid | process | target process
    PID 1092 wrote to memory of 1644 | 1092 | 6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe | 6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe (reported 9 times)
    PID 1644 wrote to memory of 1896 | 1644 | 6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe | svchost.exe (reported 4 times)
    PID 1896 wrote to memory of 1956 | 1896 | svchost.exe | svchost.exe (reported 9 times)
Processes 4
  • C:\Users\Admin\AppData\Local\Temp\6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe
    "C:\Users\Admin\AppData\Local\Temp\6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe"
    Suspicious use of SetThreadContext
    Suspicious use of WriteProcessMemory
    PID:1092
    • C:\Users\Admin\AppData\Local\Temp\6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe
      "C:\Users\Admin\AppData\Local\Temp\6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe"
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1644
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        PID:1896
        • C:\Users\Admin\AppData\Local\Temp\svchost.exe
          "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
          Executes dropped EXE
          Drops startup file
          Loads dropped DLL
          Adds Run key to start application
          Suspicious use of AdjustPrivilegeToken
          PID:1956
Downloads

  • C:\Users\Admin\AppData\Local\Temp\svchost.exe

    MD5: 42f06a2dd04a0b84c019557cc07f0cb6
    SHA1: 9f8b00c0cefd6e80ed813ac25b55b57e1289c724
    SHA256: 6c8f0805290d03ab8fe1d2e21eaf62b80ab8677c430272f23dea52de6e4d8998
    SHA512: 15228012f88fb714d868aec24574c532bb49a7f56ebdd8a97922d0a569a37c6f112cdb1224db37df50196c9cc08c07e90a1f72c26978adaaeec12212ef9a9556

  • \Users\Admin\AppData\Local\Temp\svchost.exe

    MD5: 42f06a2dd04a0b84c019557cc07f0cb6
    SHA1: 9f8b00c0cefd6e80ed813ac25b55b57e1289c724
    SHA256: 6c8f0805290d03ab8fe1d2e21eaf62b80ab8677c430272f23dea52de6e4d8998
    SHA512: 15228012f88fb714d868aec24574c532bb49a7f56ebdd8a97922d0a569a37c6f112cdb1224db37df50196c9cc08c07e90a1f72c26978adaaeec12212ef9a9556


  • memory/1092-53-0x0000000074E61000-0x0000000074E63000-memory.dmp
  • memory/1092-54-0x0000000000DC0000-0x0000000000DC1000-memory.dmp
  • memory/1644-58-0x0000000000360000-0x0000000000361000-memory.dmp
  • memory/1644-55-0x0000000000400000-0x000000000040C000-memory.dmp
  • memory/1644-56-0x0000000000407ACE-mapping.dmp
  • memory/1896-60-0x0000000000000000-mapping.dmp
  • memory/1896-69-0x0000000000680000-0x0000000000681000-memory.dmp
  • memory/1956-66-0x0000000000407ACE-mapping.dmp
  • memory/1956-70-0x00000000002E0000-0x00000000002E1000-memory.dmp