cc193cf3d64208e86f40627fdecc7a32d4275924ae648740ffa3924ba1239d7d

General

Target     cc193cf3d64208e86f40627fdecc7a32d4275924ae648740ffa3924ba1239d7d.exe
Filesize   1MB
Completed  20-09-2021 08:13
Score      10/10
MD5        061aad12c2c7c31933d818c4e120908d
SHA1       045ce53c1de8f148343f36c9cf1cf9e4859926d1
SHA256     cc193cf3d64208e86f40627fdecc7a32d4275924ae648740ffa3924ba1239d7d

Malware Config
Signatures 7

  • njRAT/Bladabindi

    Description

    Widely used RAT written in .NET.

  • Executes dropped EXE
    server.exe

    Reported IOCs

    pid  | process
    3820 | server.exe

  • Modifies Windows Firewall

    TTPs

    Modify Existing Service

  • Adds Run key to start application
    server.exe

    TTPs

    Registry Run Keys / Startup Folder
    Modify Registry

    Reported IOCs

    description     | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\4b1e1cfbbafbe20f57acfd12668fd683 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | server.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4b1e1cfbbafbe20f57acfd12668fd683 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | server.exe

  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery

  • Suspicious use of AdjustPrivilegeToken
    server.exe

    Reported IOCs

    description                       | pid  | process
    Token: SeDebugPrivilege           | 3820 | server.exe
    Token: 33                         | 3820 | server.exe
    Token: SeIncBasePriorityPrivilege | 3820 | server.exe
    Token: 33                         | 3820 | server.exe
    Token: SeIncBasePriorityPrivilege | 3820 | server.exe
    Token: 33                         | 3820 | server.exe
    Token: SeIncBasePriorityPrivilege | 3820 | server.exe
    Token: 33                         | 3820 | server.exe
    Token: SeIncBasePriorityPrivilege | 3820 | server.exe

  • Suspicious use of WriteProcessMemory
    cc193cf3d64208e86f40627fdecc7a32d4275924ae648740ffa3924ba1239d7d.exe
    server.exe

    Reported IOCs

    description                      | pid  | process | target process
    PID 3204 wrote to memory of 3820 | 3204 | cc193cf3d64208e86f40627fdecc7a32d4275924ae648740ffa3924ba1239d7d.exe | server.exe
    PID 3204 wrote to memory of 3820 | 3204 | cc193cf3d64208e86f40627fdecc7a32d4275924ae648740ffa3924ba1239d7d.exe | server.exe
    PID 3820 wrote to memory of 3796 | 3820 | server.exe | netsh.exe
    PID 3820 wrote to memory of 3796 | 3820 | server.exe | netsh.exe
Processes 3
  • C:\Users\Admin\AppData\Local\Temp\cc193cf3d64208e86f40627fdecc7a32d4275924ae648740ffa3924ba1239d7d.exe
    "C:\Users\Admin\AppData\Local\Temp\cc193cf3d64208e86f40627fdecc7a32d4275924ae648740ffa3924ba1239d7d.exe"
    Suspicious use of WriteProcessMemory
    PID:3204
    • C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3820
      • C:\Windows\SYSTEM32\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        PID:3796
Downloads
  • C:\Users\Admin\AppData\Local\Temp\server.exe

    MD5     061aad12c2c7c31933d818c4e120908d
    SHA1    045ce53c1de8f148343f36c9cf1cf9e4859926d1
    SHA256  cc193cf3d64208e86f40627fdecc7a32d4275924ae648740ffa3924ba1239d7d
    SHA512  b41b858d65e2685db4f0a37d033c3098665737af53abab6046048fa53e5866f7d622b12b171832adfa9185dd4ffbddfd2874db1ab252c648acb5877ed56cda31
