Analysis

max time kernel:  150s
max time network: 151s
platform:         windows7_x64
resource:         win7-en-20210916
submitted:        19-09-2021 22:31
Behavioral tasks

behavioral1: sample Payload.bin.exe, resource win7-en-20210916
behavioral2: sample Payload.bin.exe, resource win10v20210408
General

Target: Payload.bin.exe
Size:   27KB
MD5:    c33318247f0f443ed1a25af2f9b76cf0
SHA1:   30388f9d86200fec836bd2995f87a66c06cf3d9e
SHA256: c20aa2c35db0a9c2f811241e8ed3e959c5f297c41f11f9ea4d59def9c3219a81
SHA512: 6e5562964b36083bf5f5496262fb39b16a78c903e2729f2c982d5906482c33cc5725d14e00998de489f66b69e73c21af15fbc125297ca37cead472e8138b4557
Malware Config

Extracted:
Family:   njrat
Version:  v2.0
Botnet:   HacKed
C2:       efficient-oil.auto.playit.gg:55457
Mutex:    Windows
Attributes:
  reg_key:  Windows
  splitter: |-F-|
Signatures

- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

- Executes dropped EXE (1 IoC)
  pid 560  Payload.exe

- Drops startup file (2 IoCs)
  File created:               C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk  (Payload.bin.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk  (Payload.exe)

- Loads dropped DLL (1 IoC)
  pid 1380  Payload.bin.exe

- Adds Run key to start application (2 TTPs, 5 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe"  (Payload.bin.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"  (Payload.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"  (Payload.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"  (Payload.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"  (Payload.exe)

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  All entries from pid 560 Payload.exe: one Token: SeDebugPrivilege, followed by 16 alternating pairs of Token: 33 and Token: SeIncBasePriorityPrivilege (33 entries in total).

- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1380 Payload.bin.exe wrote to memory of 560 Payload.exe  (4 entries)
  PID 1380 Payload.bin.exe wrote to memory of 596 attrib.exe   (4 entries)

- Views/modifies file attributes (1 TTP, 1 IoC)
Processes

C:\Users\Admin\AppData\Local\Temp\Payload.bin.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Payload.bin.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Payload.exe  (child of Payload.bin.exe)
    command line: "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\attrib.exe  (child of Payload.bin.exe)
    command line: attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
    - Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\Payload.exe
  MD5:    c33318247f0f443ed1a25af2f9b76cf0
  SHA1:   30388f9d86200fec836bd2995f87a66c06cf3d9e
  SHA256: c20aa2c35db0a9c2f811241e8ed3e959c5f297c41f11f9ea4d59def9c3219a81
  SHA512: 6e5562964b36083bf5f5496262fb39b16a78c903e2729f2c982d5906482c33cc5725d14e00998de489f66b69e73c21af15fbc125297ca37cead472e8138b4557

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
  MD5:    9a8885b9a79d716f538335c30cd86b24
  SHA1:   5fd779d856102b05185fb9c96aa17af04e764a81
  SHA256: eb43addc6182010e1e01e61009e181a8af6bd70fbca9f01a82165dc486c56eb9
  SHA512: 28537a6cc0280d70c3eb298d05afadb67cd45710f2696fd42258dfb78fe8034bb2351e8fc1b79a9ee57f5b3306450bea03abacdb23b703d989b4b455dc1dd0e4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
  MD5:    68a7afc4f90089cbcf6fa62b167041dc
  SHA1:   71012753f0a901d1b248ce87b8330017844b6b50
  SHA256: b05da9dae25c4df3f5f10eb23d81f942378a0dd51ce83426067e7f9f8d4a08e4
  SHA512: b5ca8871b2a4908b4d0340735a1347cb968d058992b2ca433618645172b5b8844e20a612697c512b66f4f27d9ef8686f8927b6c114f720cc09c371b1b6d772e6

\Users\Admin\AppData\Local\Temp\Payload.exe
  MD5:    c33318247f0f443ed1a25af2f9b76cf0
  SHA1:   30388f9d86200fec836bd2995f87a66c06cf3d9e
  SHA256: c20aa2c35db0a9c2f811241e8ed3e959c5f297c41f11f9ea4d59def9c3219a81
  SHA512: 6e5562964b36083bf5f5496262fb39b16a78c903e2729f2c982d5906482c33cc5725d14e00998de489f66b69e73c21af15fbc125297ca37cead472e8138b4557

memory/560-56-0x0000000000000000-mapping.dmp
memory/560-62-0x0000000001FB0000-0x0000000001FB1000-memory.dmp  (filesize 4KB)
memory/596-58-0x0000000000000000-mapping.dmp
memory/1380-53-0x0000000075241000-0x0000000075243000-memory.dmp  (filesize 8KB)
memory/1380-54-0x0000000000530000-0x0000000000531000-memory.dmp  (filesize 4KB)