Analysis
- max time kernel: 95s
- max time network: 107s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 16-09-2021 18:03
Behavioral task: behavioral1
- Sample: D5CF8749638C96E98D4DAAE21DA684B45DA35FC380024.exe
- Resource: win7v20210408
General
- Target: D5CF8749638C96E98D4DAAE21DA684B45DA35FC380024.exe
- Size: 93KB
- MD5: 6bce1d7caa5f71ca7d4620296fc9d775
- SHA1: c4af16a65dbdb2a17fe4c3e4811d953c5d501808
- SHA256: d5cf8749638c96e98d4daae21da684b45da35fc3800247054ea6e8275a51a09d
- SHA512: 49a0cf6b7faa0fd314ac9fdf8813733e797c5d2c8182d47947e9af793ae6c926b1a58c7a9e3bacc1b661b72f9804214d848630c27eb26cc24b25d7f99aeb4408
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: HacKed
- C2: OC50Y3Aubmdyb2suaW8Strik:MTUxMTQg
- Mutex: e482830431b4f84bd1e9ebb6982c8a62
- reg_key: e482830431b4f84bd1e9ebb6982c8a62
- splitter: |'|'|
Signatures
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
    3164 | server.exe
- Modifies Windows Firewall (1 TTP)
- Drops startup file (6 IoCs)
  Processes (description | ioc | process):
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | server.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | server.exe
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e482830431b4f84bd1e9ebb6982c8a62Windows Update.exe | server.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e482830431b4f84bd1e9ebb6982c8a62Windows Update.exe | server.exe
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | server.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | server.exe
- Drops file in System32 directory (2 IoCs)
  Processes (description | ioc | process):
    File created | C:\Windows\SysWOW64\Explower.exe | server.exe
    File opened for modification | C:\Windows\SysWOW64\Explower.exe | server.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid | process):
    3164 | server.exe (reported 64 times)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid | process):
    3164 | server.exe
- Suspicious use of AdjustPrivilegeToken (15 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 3164 | server.exe
    Token: 33 | 3164 | server.exe (reported 7 times)
    Token: SeIncBasePriorityPrivilege | 3164 | server.exe (reported 7 times)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description | pid | process | target process):
    PID 648 wrote to memory of 3164 | 648 | D5CF8749638C96E98D4DAAE21DA684B45DA35FC380024.exe | server.exe (reported 3 times)
    PID 3164 wrote to memory of 4000 | 3164 | server.exe | netsh.exe (reported 3 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\D5CF8749638C96E98D4DAAE21DA684B45DA35FC380024.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\D5CF8749638C96E98D4DAAE21DA684B45DA35FC380024.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\server.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
      - Executes dropped EXE
      - Drops startup file
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\server.exe
  MD5: 6bce1d7caa5f71ca7d4620296fc9d775
  SHA1: c4af16a65dbdb2a17fe4c3e4811d953c5d501808
  SHA256: d5cf8749638c96e98d4daae21da684b45da35fc3800247054ea6e8275a51a09d
  SHA512: 49a0cf6b7faa0fd314ac9fdf8813733e797c5d2c8182d47947e9af793ae6c926b1a58c7a9e3bacc1b661b72f9804214d848630c27eb26cc24b25d7f99aeb4408
- C:\Users\Admin\AppData\Roaming\app
  MD5: 02b81b0cbe1faaa1fa62d5fc876ab443
  SHA1: d473cfe21fb1f188689415b0bdd239688f8fddd9
  SHA256: e7e9e2c247bc872bacce77661c78f001a17d70ee3130a9016a5818da9da00cdb
  SHA512: 592ab5b200d4c560951cb70288dc1b7a562f0cbfaee01ce03076b6934d537b88575c2e1e0fedcc05db95e6c224ca739923e7d74f9165e683f3fbad7bbf641784
- memory/648-114-0x0000000002DB0000-0x0000000002DB1000-memory.dmp
  Filesize: 4KB
- memory/3164-115-0x0000000000000000-mapping.dmp
- memory/3164-119-0x0000000002980000-0x0000000002981000-memory.dmp
  Filesize: 4KB
- memory/4000-120-0x0000000000000000-mapping.dmp