6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe

max time kernel151s
max time network150s
platformwindows10_x64
resourcewin10v20210408
submitted16-09-2021 14:02

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

Filesize

82KB

Completed

16-09-2021 14:04

Score

10^/10

MD5

42f06a2dd04a0b84c019557cc07f0cb6

SHA1

9f8b00c0cefd6e80ed813ac25b55b57e1289c724

SHA256

6c8f0805290d03ab8fe1d2e21eaf62b80ab8677c430272f23dea52de6e4d8998

Extracted

Family	njrat
Version	0.7 MultiHost
Botnet	000000
C2	karmina112.sytes.net,karmina115.sytes.net,burdun.dynu.net,burdun115.dynu.net,anunankis3.duckdns.org:1177 karmina112.sytes.net,karmina115.sytes.net,burdun.dynu.net,burdun115.dynu.net,anunankis3.duckdns.org:1177
Attributes	reg_key 670b14728ad9902aecba32e22fa4f6bd splitter \|'\|'\|

Defense Evasion

Discovery

Persistence

njRAT/Bladabindi

Description

Widely used RAT written in .NET.

Tags

trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

Description

suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

Tags

suricata
Executes dropped EXE
svchost.exesvchost.exe

Reported IOCs

pid process

1164 svchost.exe
1340 svchost.exe

pid	process
1164	svchost.exe
1340	svchost.exe

Drops startup file

svchost.exe

Reported IOCs

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\670b14728ad9902aecba32e22fa4f6bd.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\670b14728ad9902aecba32e22fa4f6bd.exe	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CCleaner.lnk	svchost.exe

Adds Run key to start application

svchost.exe

TTPs

Registry Run Keys / Startup FolderModify Registry

Reported IOCs

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\670b14728ad9902aecba32e22fa4f6bd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\670b14728ad9902aecba32e22fa4f6bd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."	svchost.exe

Suspicious use of SetThreadContext

6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exesvchost.exe

Reported IOCs

description	pid	process	target process
PID 664 set thread context of 892	664	6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe	6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe
PID 1164 set thread context of 1340	1164	svchost.exe	svchost.exe

Enumerates physical storage devices

Description

Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

TTPs

System Information Discovery

Suspicious use of AdjustPrivilegeToken

svchost.exe

Reported IOCs

description	pid	process
Token: SeDebugPrivilege	1340	svchost.exe
Token: 33	1340	svchost.exe
Token: SeIncBasePriorityPrivilege	1340	svchost.exe
Token: 33	1340	svchost.exe
Token: SeIncBasePriorityPrivilege	1340	svchost.exe
Token: 33	1340	svchost.exe
Token: SeIncBasePriorityPrivilege	1340	svchost.exe
Token: 33	1340	svchost.exe
Token: SeIncBasePriorityPrivilege	1340	svchost.exe
Token: 33	1340	svchost.exe
Token: SeIncBasePriorityPrivilege	1340	svchost.exe
Token: 33	1340	svchost.exe
Token: SeIncBasePriorityPrivilege	1340	svchost.exe
Token: 33	1340	svchost.exe
Token: SeIncBasePriorityPrivilege	1340	svchost.exe
Token: 33	1340	svchost.exe
Token: SeIncBasePriorityPrivilege	1340	svchost.exe
Token: 33	1340	svchost.exe
Token: SeIncBasePriorityPrivilege	1340	svchost.exe
Token: 33	1340	svchost.exe
Token: SeIncBasePriorityPrivilege	1340	svchost.exe
Token: 33	1340	svchost.exe
Token: SeIncBasePriorityPrivilege	1340	svchost.exe
Token: 33	1340	svchost.exe
Token: SeIncBasePriorityPrivilege	1340	svchost.exe
Token: 33	1340	svchost.exe
Token: SeIncBasePriorityPrivilege	1340	svchost.exe
Token: 33	1340	svchost.exe
Token: SeIncBasePriorityPrivilege	1340	svchost.exe
Token: 33	1340	svchost.exe
Token: SeIncBasePriorityPrivilege	1340	svchost.exe
Token: 33	1340	svchost.exe
Token: SeIncBasePriorityPrivilege	1340	svchost.exe

Suspicious use of WriteProcessMemory

6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exesvchost.exe

Reported IOCs

description	pid	process	target process
PID 664 wrote to memory of 892	664	6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe	6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe
PID 664 wrote to memory of 892	664	6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe	6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe
PID 664 wrote to memory of 892	664	6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe	6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe
PID 664 wrote to memory of 892	664	6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe	6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe
PID 664 wrote to memory of 892	664	6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe	6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe
PID 664 wrote to memory of 892	664	6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe	6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe
PID 664 wrote to memory of 892	664	6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe	6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe
PID 664 wrote to memory of 892	664	6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe	6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe
PID 892 wrote to memory of 1164	892	6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe	svchost.exe
PID 892 wrote to memory of 1164	892	6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe	svchost.exe
PID 892 wrote to memory of 1164	892	6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe	svchost.exe
PID 1164 wrote to memory of 1340	1164	svchost.exe	svchost.exe
PID 1164 wrote to memory of 1340	1164	svchost.exe	svchost.exe
PID 1164 wrote to memory of 1340	1164	svchost.exe	svchost.exe
PID 1164 wrote to memory of 1340	1164	svchost.exe	svchost.exe
PID 1164 wrote to memory of 1340	1164	svchost.exe	svchost.exe
PID 1164 wrote to memory of 1340	1164	svchost.exe	svchost.exe
PID 1164 wrote to memory of 1340	1164	svchost.exe	svchost.exe
PID 1164 wrote to memory of 1340	1164	svchost.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe

"C:\Users\Admin\AppData\Local\Temp\6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe"

Suspicious use of SetThreadContext
Suspicious use of WriteProcessMemory

PID:664

C:\Users\Admin\AppData\Local\Temp\6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe

"C:\Users\Admin\AppData\Local\Temp\6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe"

Suspicious use of WriteProcessMemory

PID:892

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

Executes dropped EXE
Suspicious use of SetThreadContext
Suspicious use of WriteProcessMemory

PID:1164

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

Executes dropped EXE
Drops startup file
Adds Run key to start application
Suspicious use of AdjustPrivilegeToken

PID:1340

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

Discovery

System Information Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

00:00 00:00

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe.log
MD5
c748e8ca8696cef7e06115966216593a

SHA1
de51083153bc4e802050a6f3f8e2d273ea36e564

SHA256
b83056f659f6c279f69432c96fcf4d90adde41c8a3798d3105e26fe8b864759d

SHA512
d29689f58a3c672c5c2bc1a13d9b7ce7cf147f95364f54265f40783817b66e112e81e72a4e215e745a66d3ebfe57985c38d98b484646bfb01a7e92e805660ca2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\svchost.exe.log
MD5
c748e8ca8696cef7e06115966216593a

SHA1
de51083153bc4e802050a6f3f8e2d273ea36e564

SHA256
b83056f659f6c279f69432c96fcf4d90adde41c8a3798d3105e26fe8b864759d

SHA512
d29689f58a3c672c5c2bc1a13d9b7ce7cf147f95364f54265f40783817b66e112e81e72a4e215e745a66d3ebfe57985c38d98b484646bfb01a7e92e805660ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
42f06a2dd04a0b84c019557cc07f0cb6

SHA1
9f8b00c0cefd6e80ed813ac25b55b57e1289c724

SHA256
6c8f0805290d03ab8fe1d2e21eaf62b80ab8677c430272f23dea52de6e4d8998

SHA512
15228012f88fb714d868aec24574c532bb49a7f56ebdd8a97922d0a569a37c6f112cdb1224db37df50196c9cc08c07e90a1f72c26978adaaeec12212ef9a9556

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
42f06a2dd04a0b84c019557cc07f0cb6

SHA1
9f8b00c0cefd6e80ed813ac25b55b57e1289c724

SHA256
6c8f0805290d03ab8fe1d2e21eaf62b80ab8677c430272f23dea52de6e4d8998

SHA512
15228012f88fb714d868aec24574c532bb49a7f56ebdd8a97922d0a569a37c6f112cdb1224db37df50196c9cc08c07e90a1f72c26978adaaeec12212ef9a9556

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
42f06a2dd04a0b84c019557cc07f0cb6

SHA1
9f8b00c0cefd6e80ed813ac25b55b57e1289c724

SHA256
6c8f0805290d03ab8fe1d2e21eaf62b80ab8677c430272f23dea52de6e4d8998

SHA512
15228012f88fb714d868aec24574c532bb49a7f56ebdd8a97922d0a569a37c6f112cdb1224db37df50196c9cc08c07e90a1f72c26978adaaeec12212ef9a9556

Download Submit
memory/664-114-0x0000000001210000-0x0000000001211000-memory.dmp

Download
memory/892-118-0x00000000023C0000-0x00000000023C1000-memory.dmp

Download
memory/892-116-0x0000000000407ACE-mapping.dmp

Download
memory/1164-119-0x0000000000000000-mapping.dmp

Download
memory/1164-126-0x0000000003301000-0x0000000003302000-memory.dmp

Download
memory/1340-123-0x0000000000407ACE-mapping.dmp

Download
memory/1340-122-0x0000000000400000-0x000000000040C000-memory.dmp

Download
memory/1340-127-0x0000000002E01000-0x0000000002E02000-memory.dmp

Download

6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe

Extracted

Filter: none

Description

Tags

Description

Tags

Reported IOCs

Reported IOCs

Tags

TTPs

Reported IOCs

Reported IOCs

Description

TTPs

Reported IOCs

Reported IOCs

Title