Analysis

  • max time kernel
    95s
  • max time network
    107s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    16-09-2021 18:03

General

  • Target

    D5CF8749638C96E98D4DAAE21DA684B45DA35FC380024.exe

  • Size

    93KB

  • MD5

    6bce1d7caa5f71ca7d4620296fc9d775

  • SHA1

    c4af16a65dbdb2a17fe4c3e4811d953c5d501808

  • SHA256

    d5cf8749638c96e98d4daae21da684b45da35fc3800247054ea6e8275a51a09d

  • SHA512

    49a0cf6b7faa0fd314ac9fdf8813733e797c5d2c8182d47947e9af793ae6c926b1a58c7a9e3bacc1b661b72f9804214d848630c27eb26cc24b25d7f99aeb4408

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

OC50Y3Aubmdyb2suaW8Strik:MTUxMTQg

Mutex

e482830431b4f84bd1e9ebb6982c8a62

Attributes
  • reg_key

    e482830431b4f84bd1e9ebb6982c8a62

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Drops startup file 6 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\D5CF8749638C96E98D4DAAE21DA684B45DA35FC380024.exe
    "C:\Users\Admin\AppData\Local\Temp\D5CF8749638C96E98D4DAAE21DA684B45DA35FC380024.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:648
    • C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      2⤵
      • Executes dropped EXE
      • Drops startup file
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3164
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        3⤵
        PID:4000

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Persistence

    Modify Existing Service

    1
    T1031

    Discovery

    System Information Discovery

    1
    T1082

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\server.exe
      MD5

      6bce1d7caa5f71ca7d4620296fc9d775

      SHA1

      c4af16a65dbdb2a17fe4c3e4811d953c5d501808

      SHA256

      d5cf8749638c96e98d4daae21da684b45da35fc3800247054ea6e8275a51a09d

      SHA512

      49a0cf6b7faa0fd314ac9fdf8813733e797c5d2c8182d47947e9af793ae6c926b1a58c7a9e3bacc1b661b72f9804214d848630c27eb26cc24b25d7f99aeb4408

    • C:\Users\Admin\AppData\Roaming\app
      MD5

      02b81b0cbe1faaa1fa62d5fc876ab443

      SHA1

      d473cfe21fb1f188689415b0bdd239688f8fddd9

      SHA256

      e7e9e2c247bc872bacce77661c78f001a17d70ee3130a9016a5818da9da00cdb

      SHA512

      592ab5b200d4c560951cb70288dc1b7a562f0cbfaee01ce03076b6934d537b88575c2e1e0fedcc05db95e6c224ca739923e7d74f9165e683f3fbad7bbf641784

    • memory/648-114-0x0000000002DB0000-0x0000000002DB1000-memory.dmp
      Filesize

      4KB

    • memory/3164-115-0x0000000000000000-mapping.dmp
    • memory/3164-119-0x0000000002980000-0x0000000002981000-memory.dmp
      Filesize

      4KB

    • memory/4000-120-0x0000000000000000-mapping.dmp