Analysis
  max time kernel: 151s
  max time network: 152s
  platform: windows10_x64
  resource: win10v20210408
  submitted: 16-09-2021 17:41
  Static task: static1
  Behavioral task: behavioral1
    Sample: DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe
    Resource: win7-en
  Behavioral task: behavioral2
    Sample: DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe
    Resource: win10v20210408
General
  Target: DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe
  Size: 91KB
  MD5: 6b5bc3eba86c9efbdf993773af3f593e
  SHA1: 0fd0f10d34c28a928e69343caeeed7803646be8f
  SHA256: dbd5e126cad149e95614507e63a255f2b26b9a4e539b7bcd25e7d8a1e2bd6e07
  SHA512: cd5c91dc4de88b46384a6c615f6a0da3250a00a34c11221c8dcf9d857fde0ce8cff0a55f8442e2b7a1758d2f7b77b69d7265cc96427f972295124c06095cc3d1
Malware Config
  Extracted
  Family: njrat
  Version: 0.7 MultiHost
  Botnet: HacKed
  C2: anunankis1.duckdns.org,anunankis3.duckdns.org,karmina112.sytes.net,karmina114.sytes.net,burdun.dynu.net,burdun114.dynu.net:1177
  Mutex: 8746d62c81bb0c573a0a1086f9955c7b
  reg_key: 8746d62c81bb0c573a0a1086f9955c7b
  splitter: |'|'|
Signatures
  suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

  Executes dropped EXE (6 IoCs)
    pid   process
    1092  svchost.exe
    1288  svchost.exe
    2844  svchost.exe
    1208  svchost.exe
    1284  svchost.exe
    1656  svchost.exe

  Drops startup file (3 IoCs)
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8746d62c81bb0c573a0a1086f9955c7b.exe (svchost.exe)
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8746d62c81bb0c573a0a1086f9955c7b.exe (svchost.exe)
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CCleaner.lnk (svchost.exe)

  Adds Run key to start application (2 TTPs, 2 IoCs)
    Set value (str): \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\8746d62c81bb0c573a0a1086f9955c7b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .." (svchost.exe)
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\8746d62c81bb0c573a0a1086f9955c7b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .." (svchost.exe)

  Suspicious use of SetThreadContext (4 IoCs)
    pid   process                                             target pid  target process
    740   DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe  904         DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe
    1092  svchost.exe                                         1288        svchost.exe
    2844  svchost.exe                                         1208        svchost.exe
    1284  svchost.exe                                         1656        svchost.exe

  Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  Creates scheduled task(s) (1 TTPs, 1 IoCs)
    Schtasks is often used by malware for persistence or to perform post-infection execution.

  Suspicious use of AdjustPrivilegeToken (33 IoCs)
    All 33 token adjustments are made by PID 1288 svchost.exe; the original listing repeats the same entries, grouped here by token:
    token                       count  pid   process
    SeDebugPrivilege            1      1288  svchost.exe
    33                          16     1288  svchost.exe
    SeIncBasePriorityPrivilege  16     1288  svchost.exe

  Suspicious use of WriteProcessMemory (38 IoCs)
    The original listing repeats identical source/target pairs; grouped here with the repeat count:
    pid   process                                             target pid  target process                                      count
    740   DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe  904         DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe  8
    904   DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe  1092        svchost.exe                                         3
    1092  svchost.exe                                         1288        svchost.exe                                         8
    1288  svchost.exe                                         1620        schtasks.exe                                        3
    2844  svchost.exe                                         1208        svchost.exe                                         8
    1284  svchost.exe                                         1656        svchost.exe                                         8
Processes
  (depth 1) C:\Users\Admin\AppData\Local\Temp\DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    (depth 2) C:\Users\Admin\AppData\Local\Temp\DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe"
      - Suspicious use of WriteProcessMemory
      (depth 3) C:\Users\Admin\AppData\Local\Temp\svchost.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        (depth 4) C:\Users\Admin\AppData\Local\Temp\svchost.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
          - Executes dropped EXE
          - Drops startup file
          - Adds Run key to start application
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          (depth 5) C:\Windows\SysWOW64\schtasks.exe
            command line: schtasks /create /sc minute /mo 1 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\svchost.exe
            - Creates scheduled task(s)

  (depth 1) C:\Users\Admin\AppData\Local\Temp\svchost.exe
    command line: C:\Users\Admin\AppData\Local\Temp\svchost.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    (depth 2) C:\Users\Admin\AppData\Local\Temp\svchost.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      - Executes dropped EXE

  (depth 1) C:\Users\Admin\AppData\Local\Temp\svchost.exe
    command line: C:\Users\Admin\AppData\Local\Temp\svchost.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    (depth 2) C:\Users\Admin\AppData\Local\Temp\svchost.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe.log
    MD5: c748e8ca8696cef7e06115966216593a
    SHA1: de51083153bc4e802050a6f3f8e2d273ea36e564
    SHA256: b83056f659f6c279f69432c96fcf4d90adde41c8a3798d3105e26fe8b864759d
    SHA512: d29689f58a3c672c5c2bc1a13d9b7ce7cf147f95364f54265f40783817b66e112e81e72a4e215e745a66d3ebfe57985c38d98b484646bfb01a7e92e805660ca2

  C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\svchost.exe.log
    MD5: c748e8ca8696cef7e06115966216593a
    SHA1: de51083153bc4e802050a6f3f8e2d273ea36e564
    SHA256: b83056f659f6c279f69432c96fcf4d90adde41c8a3798d3105e26fe8b864759d
    SHA512: d29689f58a3c672c5c2bc1a13d9b7ce7cf147f95364f54265f40783817b66e112e81e72a4e215e745a66d3ebfe57985c38d98b484646bfb01a7e92e805660ca2

  C:\Users\Admin\AppData\Local\Temp\svchost.exe (hashes identical to the submitted sample)
    MD5: 6b5bc3eba86c9efbdf993773af3f593e
    SHA1: 0fd0f10d34c28a928e69343caeeed7803646be8f
    SHA256: dbd5e126cad149e95614507e63a255f2b26b9a4e539b7bcd25e7d8a1e2bd6e07
    SHA512: cd5c91dc4de88b46384a6c615f6a0da3250a00a34c11221c8dcf9d857fde0ce8cff0a55f8442e2b7a1758d2f7b77b69d7265cc96427f972295124c06095cc3d1
  Memory dumps (pid-index-range, size where given):
    memory/740-114-0x0000000001040000-0x0000000001041000-memory.dmp   4KB
    memory/904-116-0x0000000000407AEE-mapping.dmp
    memory/904-118-0x0000000002B90000-0x0000000002B91000-memory.dmp   4KB
    memory/904-115-0x0000000000400000-0x000000000040C000-memory.dmp   48KB
    memory/1092-126-0x0000000002B01000-0x0000000002B02000-memory.dmp  4KB
    memory/1092-119-0x0000000000000000-mapping.dmp
    memory/1208-131-0x0000000000407AEE-mapping.dmp
    memory/1208-134-0x0000000003701000-0x0000000003702000-memory.dmp  4KB
    memory/1284-139-0x0000000003701000-0x0000000003702000-memory.dmp  4KB
    memory/1288-127-0x0000000002D01000-0x0000000002D02000-memory.dmp  4KB
    memory/1288-123-0x0000000000407AEE-mapping.dmp
    memory/1620-128-0x0000000000000000-mapping.dmp
    memory/1656-137-0x0000000000407AEE-mapping.dmp
    memory/1656-140-0x0000000003101000-0x0000000003102000-memory.dmp  4KB
    memory/2844-133-0x0000000002F01000-0x0000000002F02000-memory.dmp  4KB