Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 19-09-2021 22:31
Behavioral task: behavioral1
- Sample: Payload.bin.exe
- Resource: win7-en-20210916
Behavioral task: behavioral2
- Sample: Payload.bin.exe
- Resource: win10v20210408
General
- Target: Payload.bin.exe
- Size: 27KB
- MD5: c33318247f0f443ed1a25af2f9b76cf0
- SHA1: 30388f9d86200fec836bd2995f87a66c06cf3d9e
- SHA256: c20aa2c35db0a9c2f811241e8ed3e959c5f297c41f11f9ea4d59def9c3219a81
- SHA512: 6e5562964b36083bf5f5496262fb39b16a78c903e2729f2c982d5906482c33cc5725d14e00998de489f66b69e73c21af15fbc125297ca37cead472e8138b4557
Malware Config
Extracted family: njrat
- Version: v2.0
- Botnet: HacKed
- C2: efficient-oil.auto.playit.gg:55457
- Mutex: Windows
- reg_key: Windows
- splitter: |-F-|
Signatures
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
- Executes dropped EXE (1 IoC)
  Processes:
  - pid 488, process Payload.exe
- Drops startup file (2 IoCs)
  Processes:
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk (Payload.bin.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk (Payload.exe)
- Adds Run key to start application (2 TTPs, 5 IoCs)
  Processes:
  - Set value (str): \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" (Payload.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" (Payload.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe" (Payload.bin.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" (Payload.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" (Payload.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (31 IoCs)
  Processes (all entries are pid 488, Payload.exe):
  - Token: SeDebugPrivilege
  - Token: 33
  - Token: SeIncBasePriorityPrivilege
  The last two entries alternate repeatedly (15 pairs, 31 entries in total).
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  - PID 664 (Payload.bin.exe) wrote to memory of 488 (Payload.exe), 3 entries
  - PID 664 (Payload.bin.exe) wrote to memory of 1104 (attrib.exe), 3 entries
- Views/modifies file attributes (1 TTP, 1 IoC)
Processes
- C:\Users\Admin\AppData\Local\Temp\Payload.bin.exe (pid 664)
  command line: "C:\Users\Admin\AppData\Local\Temp\Payload.bin.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - child: C:\Users\Admin\AppData\Local\Temp\Payload.exe (pid 488)
    command line: "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
  - child: C:\Windows\SysWOW64\attrib.exe (pid 1104)
    command line: attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
    - Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Payload.exe
  MD5: c33318247f0f443ed1a25af2f9b76cf0
  SHA1: 30388f9d86200fec836bd2995f87a66c06cf3d9e
  SHA256: c20aa2c35db0a9c2f811241e8ed3e959c5f297c41f11f9ea4d59def9c3219a81
  SHA512: 6e5562964b36083bf5f5496262fb39b16a78c903e2729f2c982d5906482c33cc5725d14e00998de489f66b69e73c21af15fbc125297ca37cead472e8138b4557
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
  MD5: ccc1eae983999b18b05cdc4a9d39d334
  SHA1: 7f42d03d9a6bc8cdcc25464c97d5e37097772493
  SHA256: f97ea25cffdfd921e7c81d80fcad6baa7918b643c24d010acfc65601db93e01a
  SHA512: b2bc86a732c148d38d8c721b469a2159f653c7fd534ab4e3b5fc515c393a8651742e17a872daad6b0c61f8e7cc509fb0881567ac165ba7bdc98697260f879a58
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
  MD5: 6e8424fdecfc98f2137488d080139a68
  SHA1: 727de20ac4b5717f0cc33b74499baa8949c5ef9a
  SHA256: 367ca209d93eb5a11e07266f051c2b8bcd3d1c6d347253952cc0e832d855a51b
  SHA512: f6eec81cabf8b458c16c9df9a2d48dd8d48dce81c857e1806a8d55229058c7d74df6d50f34087a9d1734237ee1a98b14f8bcf0a731cd801fb1ad196dcd7001c7
- memory/488-115-0x0000000000000000-mapping.dmp
- memory/488-121-0x0000000002430000-0x0000000002431000-memory.dmp (Filesize: 4KB)
- memory/664-114-0x0000000002C10000-0x0000000002C11000-memory.dmp (Filesize: 4KB)
- memory/1104-118-0x0000000000000000-mapping.dmp