cc193cf3d64208e86f40627fdecc7a32d4275924ae648740ffa3924ba1239d7d

General

Target: cc193cf3d64208e86f40627fdecc7a32d4275924ae648740ffa3924ba1239d7d.exe
Filesize: 1MB
Completed: 20-09-2021 08:14
Score: 10/10
MD5: 061aad12c2c7c31933d818c4e120908d
SHA1: 045ce53c1de8f148343f36c9cf1cf9e4859926d1
SHA256: cc193cf3d64208e86f40627fdecc7a32d4275924ae648740ffa3924ba1239d7d

Malware Config
Signatures 7


Tactics: Defense Evasion, Discovery, Persistence
  • njRAT/Bladabindi

    Description

    Widely used RAT written in .NET.

  • Executes dropped EXE
    server.exe

    Reported IOCs

    pid  | process
    1732 | server.exe
  • Modifies Windows Firewall

    TTPs

    Modify Existing Service
  • Adds Run key to start application
    server.exe

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

    Reported IOCs

    description     | ioc                                                                                                                                                                                                       | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\4b1e1cfbbafbe20f57acfd12668fd683 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | server.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4b1e1cfbbafbe20f57acfd12668fd683 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."                                             | server.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Suspicious use of AdjustPrivilegeToken
    server.exe

    Reported IOCs

    description                       | pid  | process
    Token: SeDebugPrivilege           | 1732 | server.exe
    Token: 33                         | 1732 | server.exe
    Token: SeIncBasePriorityPrivilege | 1732 | server.exe
    Token: 33                         | 1732 | server.exe
    Token: SeIncBasePriorityPrivilege | 1732 | server.exe
    Token: 33                         | 1732 | server.exe
    Token: SeIncBasePriorityPrivilege | 1732 | server.exe
    Token: 33                         | 1732 | server.exe
    Token: SeIncBasePriorityPrivilege | 1732 | server.exe
  • Suspicious use of WriteProcessMemory
    cc193cf3d64208e86f40627fdecc7a32d4275924ae648740ffa3924ba1239d7d.exe, server.exe

    Reported IOCs

    description                     | pid  | process                                                               | target process
    PID 1916 wrote to memory of 1732 | 1916 | cc193cf3d64208e86f40627fdecc7a32d4275924ae648740ffa3924ba1239d7d.exe | server.exe
    PID 1916 wrote to memory of 1732 | 1916 | cc193cf3d64208e86f40627fdecc7a32d4275924ae648740ffa3924ba1239d7d.exe | server.exe
    PID 1916 wrote to memory of 1732 | 1916 | cc193cf3d64208e86f40627fdecc7a32d4275924ae648740ffa3924ba1239d7d.exe | server.exe
    PID 1732 wrote to memory of 316  | 1732 | server.exe                                                            | netsh.exe
    PID 1732 wrote to memory of 316  | 1732 | server.exe                                                            | netsh.exe
    PID 1732 wrote to memory of 316  | 1732 | server.exe                                                            | netsh.exe
Processes 3
  • C:\Users\Admin\AppData\Local\Temp\cc193cf3d64208e86f40627fdecc7a32d4275924ae648740ffa3924ba1239d7d.exe
    "C:\Users\Admin\AppData\Local\Temp\cc193cf3d64208e86f40627fdecc7a32d4275924ae648740ffa3924ba1239d7d.exe"
    Suspicious use of WriteProcessMemory
    PID:1916
    • C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1732
      • C:\Windows\system32\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        PID:316
Network
Downloads
  • C:\Users\Admin\AppData\Local\Temp\server.exe

    MD5: 061aad12c2c7c31933d818c4e120908d
    SHA1: 045ce53c1de8f148343f36c9cf1cf9e4859926d1
    SHA256: cc193cf3d64208e86f40627fdecc7a32d4275924ae648740ffa3924ba1239d7d
    SHA512: b41b858d65e2685db4f0a37d033c3098665737af53abab6046048fa53e5866f7d622b12b171832adfa9185dd4ffbddfd2874db1ab252c648acb5877ed56cda31

  • memory/316-75-0x0000000000000000-mapping.dmp
  • memory/316-76-0x000007FEFBC31000-0x000007FEFBC33000-memory.dmp
  • memory/1732-66-0x0000000000000000-mapping.dmp
  • memory/1732-69-0x0000000000ED0000-0x0000000000ED1000-memory.dmp
  • memory/1732-71-0x000000001AB20000-0x000000001AB22000-memory.dmp
  • memory/1916-60-0x00000000003D0000-0x00000000003D1000-memory.dmp
  • memory/1916-62-0x000000001B050000-0x000000001B052000-memory.dmp
  • memory/1916-63-0x0000000000700000-0x0000000000726000-memory.dmp
  • memory/1916-64-0x0000000000850000-0x0000000000877000-memory.dmp
  • memory/1916-65-0x000000001A870000-0x000000001A895000-memory.dmp