6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe

General

Target:     6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe
Filesize:   82KB
Completed:  16-09-2021 14:04
Score:      10/10
MD5:        42f06a2dd04a0b84c019557cc07f0cb6
SHA1:       9f8b00c0cefd6e80ed813ac25b55b57e1289c724
SHA256:     6c8f0805290d03ab8fe1d2e21eaf62b80ab8677c430272f23dea52de6e4d8998

Malware Config

Extracted

Family:   njrat
Version:  0.7 MultiHost
Botnet:   000000
C2:
  • karmina112.sytes.net
  • karmina115.sytes.net
  • burdun.dynu.net
  • burdun115.dynu.net
  • anunankis3.duckdns.org:1177

Attributes
  reg_key:  670b14728ad9902aecba32e22fa4f6bd
  splitter: |'|'|
Signatures (9)

Tactics covered: Defense Evasion, Discovery, Persistence
  • njRAT/Bladabindi

    Description

    Widely used RAT written in .NET.

  • suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

    Description

    Suricata rule match: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
  • Executes dropped EXE
    Processes: svchost.exe, svchost.exe

    Reported IOCs

    pid   process
    1164  svchost.exe
    1340  svchost.exe
  • Drops startup file
    Process: svchost.exe

    Reported IOCs

    description | ioc | process
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\670b14728ad9902aecba32e22fa4f6bd.exe | svchost.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\670b14728ad9902aecba32e22fa4f6bd.exe | svchost.exe
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CCleaner.lnk | svchost.exe
  • Adds Run key to start application
    Process: svchost.exe

    TTPs

    Registry Run Keys / Startup Folder
    Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\670b14728ad9902aecba32e22fa4f6bd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .." | svchost.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\670b14728ad9902aecba32e22fa4f6bd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .." | svchost.exe
  • Suspicious use of SetThreadContext
    Processes: 6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe, svchost.exe

    Reported IOCs

    description | pid | process | target process
    PID 664 set thread context of 892 | 664 | 6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe | 6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe
    PID 1164 set thread context of 1340 | 1164 | svchost.exe | svchost.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Suspicious use of AdjustPrivilegeToken
    Process: svchost.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 1340 | svchost.exe
    Token: 33 | 1340 | svchost.exe
    Token: SeIncBasePriorityPrivilege | 1340 | svchost.exe
    (the pair of rows "Token: 33" followed by "Token: SeIncBasePriorityPrivilege" is reported 16 times in total)
  • Suspicious use of WriteProcessMemory
    Processes: 6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe, 6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe, svchost.exe

    Reported IOCs

    description | pid | process | target process
    PID 664 wrote to memory of 892 | 664 | 6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe | 6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe   (reported 8 times)
    PID 892 wrote to memory of 1164 | 892 | 6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe | svchost.exe   (reported 3 times)
    PID 1164 wrote to memory of 1340 | 1164 | svchost.exe | svchost.exe   (reported 8 times)
Processes (4)
  • C:\Users\Admin\AppData\Local\Temp\6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe
    "C:\Users\Admin\AppData\Local\Temp\6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe"
    Suspicious use of SetThreadContext
    Suspicious use of WriteProcessMemory
    PID:664
    • C:\Users\Admin\AppData\Local\Temp\6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe
      "C:\Users\Admin\AppData\Local\Temp\6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe"
      Suspicious use of WriteProcessMemory
      PID:892
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        PID:1164
        • C:\Users\Admin\AppData\Local\Temp\svchost.exe
          "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
          Executes dropped EXE
          Drops startup file
          Adds Run key to start application
          Suspicious use of AdjustPrivilegeToken
          PID:1340
Network
MITRE ATT&CK Matrix

Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation
Techniques reported under the signatures above: Registry Run Keys / Startup Folder, Modify Registry, System Information Discovery

Downloads
  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe.log
    MD5:    c748e8ca8696cef7e06115966216593a
    SHA1:   de51083153bc4e802050a6f3f8e2d273ea36e564
    SHA256: b83056f659f6c279f69432c96fcf4d90adde41c8a3798d3105e26fe8b864759d
    SHA512: d29689f58a3c672c5c2bc1a13d9b7ce7cf147f95364f54265f40783817b66e112e81e72a4e215e745a66d3ebfe57985c38d98b484646bfb01a7e92e805660ca2

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\svchost.exe.log
    MD5:    c748e8ca8696cef7e06115966216593a
    SHA1:   de51083153bc4e802050a6f3f8e2d273ea36e564
    SHA256: b83056f659f6c279f69432c96fcf4d90adde41c8a3798d3105e26fe8b864759d
    SHA512: d29689f58a3c672c5c2bc1a13d9b7ce7cf147f95364f54265f40783817b66e112e81e72a4e215e745a66d3ebfe57985c38d98b484646bfb01a7e92e805660ca2

  • C:\Users\Admin\AppData\Local\Temp\svchost.exe
    (reported three times with identical hashes; MD5, SHA1 and SHA256 match the submitted sample)
    MD5:    42f06a2dd04a0b84c019557cc07f0cb6
    SHA1:   9f8b00c0cefd6e80ed813ac25b55b57e1289c724
    SHA256: 6c8f0805290d03ab8fe1d2e21eaf62b80ab8677c430272f23dea52de6e4d8998
    SHA512: 15228012f88fb714d868aec24574c532bb49a7f56ebdd8a97922d0a569a37c6f112cdb1224db37df50196c9cc08c07e90a1f72c26978adaaeec12212ef9a9556

  • memory/664-114-0x0000000001210000-0x0000000001211000-memory.dmp
  • memory/892-118-0x00000000023C0000-0x00000000023C1000-memory.dmp
  • memory/892-116-0x0000000000407ACE-mapping.dmp
  • memory/1164-119-0x0000000000000000-mapping.dmp
  • memory/1164-126-0x0000000003301000-0x0000000003302000-memory.dmp
  • memory/1340-123-0x0000000000407ACE-mapping.dmp
  • memory/1340-122-0x0000000000400000-0x000000000040C000-memory.dmp
  • memory/1340-127-0x0000000002E01000-0x0000000002E02000-memory.dmp