05df8d39bcf7d65dbedad8a9c01f2b225058a3933373cfee185831791f21de9a

General

Target: 05df8d39bcf7d65dbedad8a9c01f2b225058a3933373cfee185831791f21de9a.exe
Filesize: 863KB
Completed: 21-09-2021 09:10
Score: 10/10
MD5: f5df22a0a21deb1bae571555826e9076
SHA1: f5621b1ee4d1466c06a2a137d46015107aa2855a
SHA256: 05df8d39bcf7d65dbedad8a9c01f2b225058a3933373cfee185831791f21de9a

Malware Config

Extracted

Family: njrat
Version: 0.7d
Botnet: HacKed
C2: 10.10.10.10:5552
Attributes:
  reg_key: 0dc24807523d3cd24b54cd0996e4c49b
  splitter: |'|'|
Signatures 11

  • UAC bypass

    TTPs

    Bypass User Account Control
    Disabling Security Tools
    Modify Registry
  • njRAT/Bladabindi

    Description

    Widely used RAT written in .NET.

  • Executes dropped EXE
    2462.exe, server.exe

    Reported IOCs

    pid | process
    1416 | 2462.exe
    304 | server.exe
  • Modifies Windows Firewall

    TTPs

    Modify Existing Service
  • Loads dropped DLL
    05df8d39bcf7d65dbedad8a9c01f2b225058a3933373cfee185831791f21de9a.exe, 2462.exe

    Reported IOCs

    pid | process
    1132 | 05df8d39bcf7d65dbedad8a9c01f2b225058a3933373cfee185831791f21de9a.exe
    1132 | 05df8d39bcf7d65dbedad8a9c01f2b225058a3933373cfee185831791f21de9a.exe
    1132 | 05df8d39bcf7d65dbedad8a9c01f2b225058a3933373cfee185831791f21de9a.exe
    1416 | 2462.exe
  • Adds Run key to start application
    server.exe

    TTPs

    Registry Run Keys / Startup Folder
    Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\0dc24807523d3cd24b54cd0996e4c49b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | server.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\0dc24807523d3cd24b54cd0996e4c49b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | server.exe
  • Checks whether UAC is enabled
    05df8d39bcf7d65dbedad8a9c01f2b225058a3933373cfee185831791f21de9a.exe

    TTPs

    System Information Discovery

    Reported IOCs

    description | ioc | process
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 05df8d39bcf7d65dbedad8a9c01f2b225058a3933373cfee185831791f21de9a.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Suspicious use of AdjustPrivilegeToken
    server.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 304 | server.exe
    Token: 33 | 304 | server.exe
    Token: SeIncBasePriorityPrivilege | 304 | server.exe
    Token: 33 | 304 | server.exe
    Token: SeIncBasePriorityPrivilege | 304 | server.exe
    Token: 33 | 304 | server.exe
    Token: SeIncBasePriorityPrivilege | 304 | server.exe
    Token: 33 | 304 | server.exe
    Token: SeIncBasePriorityPrivilege | 304 | server.exe
    Token: 33 | 304 | server.exe
    Token: SeIncBasePriorityPrivilege | 304 | server.exe
    Token: 33 | 304 | server.exe
    Token: SeIncBasePriorityPrivilege | 304 | server.exe
    Token: 33 | 304 | server.exe
    Token: SeIncBasePriorityPrivilege | 304 | server.exe
    Token: 33 | 304 | server.exe
    Token: SeIncBasePriorityPrivilege | 304 | server.exe
    Token: 33 | 304 | server.exe
    Token: SeIncBasePriorityPrivilege | 304 | server.exe
    Token: 33 | 304 | server.exe
    Token: SeIncBasePriorityPrivilege | 304 | server.exe
    Token: 33 | 304 | server.exe
    Token: SeIncBasePriorityPrivilege | 304 | server.exe
    Token: 33 | 304 | server.exe
    Token: SeIncBasePriorityPrivilege | 304 | server.exe
    Token: 33 | 304 | server.exe
    Token: SeIncBasePriorityPrivilege | 304 | server.exe
    Token: 33 | 304 | server.exe
    Token: SeIncBasePriorityPrivilege | 304 | server.exe
    Token: 33 | 304 | server.exe
    Token: SeIncBasePriorityPrivilege | 304 | server.exe
    Token: 33 | 304 | server.exe
    Token: SeIncBasePriorityPrivilege | 304 | server.exe
  • Suspicious use of WriteProcessMemory
    05df8d39bcf7d65dbedad8a9c01f2b225058a3933373cfee185831791f21de9a.exe, 2462.exe, server.exe

    Reported IOCs

    description | pid | process | target process
    PID 1132 wrote to memory of 1416 | 1132 | 05df8d39bcf7d65dbedad8a9c01f2b225058a3933373cfee185831791f21de9a.exe | 2462.exe
    PID 1132 wrote to memory of 1416 | 1132 | 05df8d39bcf7d65dbedad8a9c01f2b225058a3933373cfee185831791f21de9a.exe | 2462.exe
    PID 1132 wrote to memory of 1416 | 1132 | 05df8d39bcf7d65dbedad8a9c01f2b225058a3933373cfee185831791f21de9a.exe | 2462.exe
    PID 1132 wrote to memory of 1416 | 1132 | 05df8d39bcf7d65dbedad8a9c01f2b225058a3933373cfee185831791f21de9a.exe | 2462.exe
    PID 1416 wrote to memory of 304 | 1416 | 2462.exe | server.exe
    PID 1416 wrote to memory of 304 | 1416 | 2462.exe | server.exe
    PID 1416 wrote to memory of 304 | 1416 | 2462.exe | server.exe
    PID 1416 wrote to memory of 304 | 1416 | 2462.exe | server.exe
    PID 304 wrote to memory of 552 | 304 | server.exe | netsh.exe
    PID 304 wrote to memory of 552 | 304 | server.exe | netsh.exe
    PID 304 wrote to memory of 552 | 304 | server.exe | netsh.exe
    PID 304 wrote to memory of 552 | 304 | server.exe | netsh.exe
  • System policy modification
    05df8d39bcf7d65dbedad8a9c01f2b225058a3933373cfee185831791f21de9a.exe

    TTPs

    Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 05df8d39bcf7d65dbedad8a9c01f2b225058a3933373cfee185831791f21de9a.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 05df8d39bcf7d65dbedad8a9c01f2b225058a3933373cfee185831791f21de9a.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 05df8d39bcf7d65dbedad8a9c01f2b225058a3933373cfee185831791f21de9a.exe
Processes 4
  • C:\Users\Admin\AppData\Local\Temp\05df8d39bcf7d65dbedad8a9c01f2b225058a3933373cfee185831791f21de9a.exe
    "C:\Users\Admin\AppData\Local\Temp\05df8d39bcf7d65dbedad8a9c01f2b225058a3933373cfee185831791f21de9a.exe"
    Loads dropped DLL
    Checks whether UAC is enabled
    Suspicious use of WriteProcessMemory
    System policy modification
    PID:1132
    • C:\Users\Admin\AppData\Local\Temp\2462\2462.exe
      "C:\Users\Admin\AppData\Local\Temp\2462\2462.exe"
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1416
      • C:\Users\Admin\AppData\Local\Temp\server.exe
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        PID:304
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
          PID:552
Downloads
  • C:\Users\Admin\AppData\Local\Temp\2462\2462.exe
    MD5: 22075825a0c6b41333bfb33cc92a6bb1
    SHA1: 885b89442e1a9c351e55387274bcda2239250283
    SHA256: e8eb5754f51a3d09d0e6e7dc8ab6ac49ddaabb8da0edbe91ce08b332fae0cd7f
    SHA512: 8d6d521005d387bb8142a7db6d5e24ac05ab95af0a67eb7d79095dc08dc0a698b70689634a4fa3b1552e160428e0f51d430c577eaceb8b5d8a1507632d4735a6
  • C:\Users\Admin\AppData\Local\Temp\server.exe
    MD5: 22075825a0c6b41333bfb33cc92a6bb1
    SHA1: 885b89442e1a9c351e55387274bcda2239250283
    SHA256: e8eb5754f51a3d09d0e6e7dc8ab6ac49ddaabb8da0edbe91ce08b332fae0cd7f
    SHA512: 8d6d521005d387bb8142a7db6d5e24ac05ab95af0a67eb7d79095dc08dc0a698b70689634a4fa3b1552e160428e0f51d430c577eaceb8b5d8a1507632d4735a6
  • \Users\Admin\AppData\Local\Temp\2462\2462.exe
    MD5: 22075825a0c6b41333bfb33cc92a6bb1
    SHA1: 885b89442e1a9c351e55387274bcda2239250283
    SHA256: e8eb5754f51a3d09d0e6e7dc8ab6ac49ddaabb8da0edbe91ce08b332fae0cd7f
    SHA512: 8d6d521005d387bb8142a7db6d5e24ac05ab95af0a67eb7d79095dc08dc0a698b70689634a4fa3b1552e160428e0f51d430c577eaceb8b5d8a1507632d4735a6
  • \Users\Admin\AppData\Local\Temp\server.exe
    MD5: 22075825a0c6b41333bfb33cc92a6bb1
    SHA1: 885b89442e1a9c351e55387274bcda2239250283
    SHA256: e8eb5754f51a3d09d0e6e7dc8ab6ac49ddaabb8da0edbe91ce08b332fae0cd7f
    SHA512: 8d6d521005d387bb8142a7db6d5e24ac05ab95af0a67eb7d79095dc08dc0a698b70689634a4fa3b1552e160428e0f51d430c577eaceb8b5d8a1507632d4735a6

  • memory/304-63-0x0000000000000000-mapping.dmp
  • memory/304-67-0x00000000008F0000-0x00000000008F1000-memory.dmp
  • memory/552-68-0x0000000000000000-mapping.dmp
  • memory/1132-53-0x0000000075951000-0x0000000075953000-memory.dmp
  • memory/1416-57-0x0000000000000000-mapping.dmp
  • memory/1416-61-0x0000000000170000-0x0000000000171000-memory.dmp