6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe
Size:   82KB
Date:   16-09-2021 14:04
MD5:    42f06a2dd04a0b84c019557cc07f0cb6
SHA1:   9f8b00c0cefd6e80ed813ac25b55b57e1289c724
SHA256: 6c8f0805290d03ab8fe1d2e21eaf62b80ab8677c430272f23dea52de6e4d8998
Extracted
Family:     njrat
Version:    0.7 MultiHost
Botnet:     000000
C2:         karmina112.sytes.net, karmina115.sytes.net, burdun.dynu.net, burdun115.dynu.net, anunankis3.duckdns.org:1177
Attributes:
  reg_key   670b14728ad9902aecba32e22fa4f6bd
  splitter  |'|'|
njRAT/Bladabindi
Description
Widely used RAT written in .NET.
-
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
-
Executes dropped EXE (svchost.exe, svchost.exe)
Reported IOCs
pid  | process
1164 | svchost.exe
1340 | svchost.exe
-
Drops startup file (svchost.exe)
Reported IOCs
description                  | ioc                                                                                                                      | process
File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\670b14728ad9902aecba32e22fa4f6bd.exe | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\670b14728ad9902aecba32e22fa4f6bd.exe | svchost.exe
File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CCleaner.lnk                         | svchost.exe
-
Adds Run key to start application (svchost.exe)
Reported IOCs
description     | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\670b14728ad9902aecba32e22fa4f6bd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .." | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\670b14728ad9902aecba32e22fa4f6bd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .." | svchost.exe
-
Suspicious use of SetThreadContext (6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe, svchost.exe)
Reported IOCs
description                          | pid  | process                                           | target process
PID 664 set thread context of 892    | 664  | 6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe | 6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe
PID 1164 set thread context of 1340  | 1164 | svchost.exe                                       | svchost.exe
-
Enumerates physical storage devices
Description
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken (svchost.exe)
Reported IOCs
description                       | pid  | process
Token: SeDebugPrivilege           | 1340 | svchost.exe
Token: 33                         | 1340 | svchost.exe
Token: SeIncBasePriorityPrivilege | 1340 | svchost.exe
Token: 33                         | 1340 | svchost.exe
Token: SeIncBasePriorityPrivilege | 1340 | svchost.exe
Token: 33                         | 1340 | svchost.exe
Token: SeIncBasePriorityPrivilege | 1340 | svchost.exe
Token: 33                         | 1340 | svchost.exe
Token: SeIncBasePriorityPrivilege | 1340 | svchost.exe
Token: 33                         | 1340 | svchost.exe
Token: SeIncBasePriorityPrivilege | 1340 | svchost.exe
Token: 33                         | 1340 | svchost.exe
Token: SeIncBasePriorityPrivilege | 1340 | svchost.exe
Token: 33                         | 1340 | svchost.exe
Token: SeIncBasePriorityPrivilege | 1340 | svchost.exe
Token: 33                         | 1340 | svchost.exe
Token: SeIncBasePriorityPrivilege | 1340 | svchost.exe
Token: 33                         | 1340 | svchost.exe
Token: SeIncBasePriorityPrivilege | 1340 | svchost.exe
Token: 33                         | 1340 | svchost.exe
Token: SeIncBasePriorityPrivilege | 1340 | svchost.exe
Token: 33                         | 1340 | svchost.exe
Token: SeIncBasePriorityPrivilege | 1340 | svchost.exe
Token: 33                         | 1340 | svchost.exe
Token: SeIncBasePriorityPrivilege | 1340 | svchost.exe
Token: 33                         | 1340 | svchost.exe
Token: SeIncBasePriorityPrivilege | 1340 | svchost.exe
Token: 33                         | 1340 | svchost.exe
Token: SeIncBasePriorityPrivilege | 1340 | svchost.exe
Token: 33                         | 1340 | svchost.exe
Token: SeIncBasePriorityPrivilege | 1340 | svchost.exe
Token: 33                         | 1340 | svchost.exe
Token: SeIncBasePriorityPrivilege | 1340 | svchost.exe
-
Suspicious use of WriteProcessMemory (6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe, 6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe, svchost.exe)
Reported IOCs
description                     | pid  | process                                           | target process
PID 664 wrote to memory of 892  | 664  | 6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe | 6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe
PID 664 wrote to memory of 892  | 664  | 6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe | 6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe
PID 664 wrote to memory of 892  | 664  | 6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe | 6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe
PID 664 wrote to memory of 892  | 664  | 6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe | 6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe
PID 664 wrote to memory of 892  | 664  | 6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe | 6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe
PID 664 wrote to memory of 892  | 664  | 6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe | 6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe
PID 664 wrote to memory of 892  | 664  | 6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe | 6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe
PID 664 wrote to memory of 892  | 664  | 6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe | 6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe
PID 892 wrote to memory of 1164 | 892  | 6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe | svchost.exe
PID 892 wrote to memory of 1164 | 892  | 6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe | svchost.exe
PID 892 wrote to memory of 1164 | 892  | 6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe | svchost.exe
PID 1164 wrote to memory of 1340 | 1164 | svchost.exe                                       | svchost.exe
PID 1164 wrote to memory of 1340 | 1164 | svchost.exe                                       | svchost.exe
PID 1164 wrote to memory of 1340 | 1164 | svchost.exe                                       | svchost.exe
PID 1164 wrote to memory of 1340 | 1164 | svchost.exe                                       | svchost.exe
PID 1164 wrote to memory of 1340 | 1164 | svchost.exe                                       | svchost.exe
PID 1164 wrote to memory of 1340 | 1164 | svchost.exe                                       | svchost.exe
PID 1164 wrote to memory of 1340 | 1164 | svchost.exe                                       | svchost.exe
PID 1164 wrote to memory of 1340 | 1164 | svchost.exe                                       | svchost.exe
-
C:\Users\Admin\AppData\Local\Temp\6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe"
Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe"
Signatures: Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
Signatures: Executes dropped EXE; Drops startup file; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe.log
MD5    c748e8ca8696cef7e06115966216593a
SHA1   de51083153bc4e802050a6f3f8e2d273ea36e564
SHA256 b83056f659f6c279f69432c96fcf4d90adde41c8a3798d3105e26fe8b864759d
SHA512 d29689f58a3c672c5c2bc1a13d9b7ce7cf147f95364f54265f40783817b66e112e81e72a4e215e745a66d3ebfe57985c38d98b484646bfb01a7e92e805660ca2
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\svchost.exe.log
MD5    c748e8ca8696cef7e06115966216593a
SHA1   de51083153bc4e802050a6f3f8e2d273ea36e564
SHA256 b83056f659f6c279f69432c96fcf4d90adde41c8a3798d3105e26fe8b864759d
SHA512 d29689f58a3c672c5c2bc1a13d9b7ce7cf147f95364f54265f40783817b66e112e81e72a4e215e745a66d3ebfe57985c38d98b484646bfb01a7e92e805660ca2
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5    42f06a2dd04a0b84c019557cc07f0cb6
SHA1   9f8b00c0cefd6e80ed813ac25b55b57e1289c724
SHA256 6c8f0805290d03ab8fe1d2e21eaf62b80ab8677c430272f23dea52de6e4d8998
SHA512 15228012f88fb714d868aec24574c532bb49a7f56ebdd8a97922d0a569a37c6f112cdb1224db37df50196c9cc08c07e90a1f72c26978adaaeec12212ef9a9556
-
memory/664-114-0x0000000001210000-0x0000000001211000-memory.dmp
-
memory/892-118-0x00000000023C0000-0x00000000023C1000-memory.dmp
-
memory/892-116-0x0000000000407ACE-mapping.dmp
-
memory/1164-119-0x0000000000000000-mapping.dmp
-
memory/1164-126-0x0000000003301000-0x0000000003302000-memory.dmp
-
memory/1340-123-0x0000000000407ACE-mapping.dmp
-
memory/1340-122-0x0000000000400000-0x000000000040C000-memory.dmp
-
memory/1340-127-0x0000000002E01000-0x0000000002E02000-memory.dmp