Analysis
- Max time kernel: 153s
- Max time network: 156s
- Platform: windows7_x64
- Resource: win7-en-20210920
- Submitted: 22-09-2021 13:24
Behavioral task: behavioral1
- Sample: 0a9eeb784f09d322d2a05a74a75bf4233052a66325b14b166d6273563217f41b.exe
- Resource: win7-en-20210920
General
- Target: 0a9eeb784f09d322d2a05a74a75bf4233052a66325b14b166d6273563217f41b.exe
- Size: 289KB
- MD5: 347ff437bff7fd078a6aa65c04620b84
- SHA1: 4c5f2b093cc9be24b61c4d83502f409b1e757f20
- SHA256: 0a9eeb784f09d322d2a05a74a75bf4233052a66325b14b166d6273563217f41b
- SHA512: deb2dd636fa554879e90763a060a5f66b247fbe49bc18c70bbdae8b298916527651113d7123619feaf09f87004507d0a0cf0bb54499149589f3ea9badf75836d
Malware Config (extracted)
- Family: njrat
- Version: im523
- Botnet: Vlad
- C2: 2.tcp.ngrok.io:18100
- Mutex: 02970e07dff67a33e67ace6d6dbcc09f
- reg_key: 02970e07dff67a33e67ace6d6dbcc09f
- splitter: |'|'|

The C2 is an ngrok TCP tunnel, so the address behind 2.tcp.ngrok.io changes over time; pivot on the hostname (DNS lookups for *.tcp.ngrok.io from endpoints with no business using ngrok) rather than on an IP. The mutex/reg_key value is reused as the Run value name and as the file name dropped into the Startup folder (see Signatures). The splitter is the delimiter between fields in njRAT C2 messages; the "(ll)" in the Suricata rule name below refers to the "ll" check-in command that carries those fields.
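The extracted splitter is only useful if you know how njRAT frames its traffic. The following is an added example, not code from the sandbox or from the sample: it splits a TCP stream into njRAT frames (ASCII decimal length, a 0x00 byte, then the payload, as described in public njRAT analyses) and breaks each payload into fields on the splitter above. The byte stream is constructed here, and the field layout of the "ll" check-in is illustrative rather than a verified layout for this build.

```python
"""Parse njRAT/Bladabindi C2 messages using the splitter from the extracted config.

Added example. Framing (length digits, NUL, payload) follows public njRAT
write-ups; the sample stream below is constructed, not captured from this run.
"""
import base64
from dataclasses import dataclass
from typing import List, Tuple

SPLITTER = b"|'|'|"                 # from the extracted config
C2 = ("2.tcp.ngrok.io", 18100)      # from the extracted config


@dataclass
class Message:
    command: str        # first field, e.g. "ll" (check-in) or "act" (active window)
    fields: List[str]   # remaining fields, split on SPLITTER


def frame(payload: bytes) -> bytes:
    """Build one njRAT frame: <len as ASCII digits> NUL <payload>."""
    return str(len(payload)).encode() + b"\x00" + payload


def split_frames(stream: bytes) -> Tuple[List[bytes], bytes]:
    """Cut a byte stream into complete payloads; return (payloads, unconsumed tail)."""
    payloads, pos = [], 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul < 0:
            break
        digits = stream[pos:nul]
        if not digits.isdigit():
            raise ValueError(f"bad length prefix at offset {pos}: {digits!r}")
        end = nul + 1 + int(digits)
        if end > len(stream):
            break                   # partial frame: keep it for the next read
        payloads.append(stream[nul + 1:end])
        pos = end
    return payloads, stream[pos:]


def parse(payload: bytes) -> Message:
    """Split one payload into command + fields on the configured splitter."""
    parts = payload.split(SPLITTER)
    return Message(parts[0].decode("latin-1"),
                   [p.decode("utf-8", "replace") for p in parts[1:]])


def beacons(stream: bytes) -> List[Message]:
    """Return the 'll' check-in messages, the ones the Suricata rule keys on."""
    payloads, _ = split_frames(stream)
    return [m for m in map(parse, payloads) if m.command == "ll"]


# Constructed sample: one check-in, then one active-window report. Field order
# is illustrative; the hypothetical victim id and host name are made up.
SAMPLE_CHECKIN = SPLITTER.join([
    b"ll",
    b"HacKed_0123ABCD",                          # victim id (hypothetical)
    base64.b64encode(b"WIN7-LAB"),               # host name, base64
    b"Admin",                                    # user name
    b"21-09-22",                                 # install date
    b"",                                         # unused
    b"Win 7 Ultimate SP1 x64",                   # OS string
    b"No",                                       # webcam flag
    b"im523",                                    # version, from the extracted config
    b"..",
    base64.b64encode(b"Untitled - Notepad"),     # foreground window, base64
])
SAMPLE_ACT = SPLITTER.join([b"act", base64.b64encode(b"Untitled - Notepad")])
SAMPLE_STREAM = frame(SAMPLE_CHECKIN) + frame(SAMPLE_ACT)

if __name__ == "__main__":
    for m in beacons(SAMPLE_STREAM):
        print(m.command, m.fields)
```

Feed split_frames a reassembled client-to-server stream (for example the payload of a follow-TCP-stream export) and keep the returned tail for the next segment; a frame split across two reads is not lost.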
Signatures
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
  Network alert on the njRAT "ll" check-in to the C2; the same alert fired twice during the run.
- Executes dropped EXE (1 IoC)
  browser.exe, PID 956
- Modifies Windows Firewall (1 TTP)
  browser.exe spawns netsh.exe to add itself as an allowed program (command line in the process tree below).
- Drops startup file (2 IoCs)
  browser.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\02970e07dff67a33e67ace6d6dbcc09f.exe
  browser.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\02970e07dff67a33e67ace6d6dbcc09f.exe
  The file name is the mutex/reg_key value from the extracted config, so the Startup folder entry and the Run values below can be matched on that one string.
- Loads dropped DLL (1 IoC)
  0a9eeb784f09d322d2a05a74a75bf4233052a66325b14b166d6273563217f41b.exe, PID 1124
- Adds Run key to start application (2 TTPs, 2 IoCs)
  browser.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\02970e07dff67a33e67ace6d6dbcc09f = "\"C:\\Users\\Admin\\AppData\\Roaming\\browser.exe\" .."
  browser.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\02970e07dff67a33e67ace6d6dbcc09f = "\"C:\\Users\\Admin\\AppData\\Roaming\\browser.exe\" .."
  Both the machine-wide and the per-user Run keys are written (the sandbox user is an administrator; on a non-admin host only the HKCU write would succeed). The Wow6432Node path shows the writer is a 32-bit process on the x64 guest. The trailing " .." after the quoted path is characteristic of njRAT's Run value and is a cheap string to hunt for across Run keys.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description ("likely ransomware behaviour") does not fit this family: njRAT enumerates drives for its file-manager and removable-drive spreading features.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  browser.exe, PID 956 (all 64 hits)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  browser.exe, PID 956. Repeated GetForegroundWindow calls are how njRAT tracks the victim's active window title for reporting to the operator.
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  browser.exe, PID 956:
  Token: SeDebugPrivilege (1 hit)
  Token: 33 (17 hits; the sandbox reports this privilege by LUID only, without resolving the name)
  Token: SeIncBasePriorityPrivilege (17 hits)
  SeDebugPrivilege is enabled once, first; the 33/SeIncBasePriorityPrivilege pairs then repeat throughout the run.
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1124 (0a9eeb784f09d322d2a05a74a75bf4233052a66325b14b166d6273563217f41b.exe) wrote to memory of PID 956 (browser.exe), 4 times
  PID 956 (browser.exe) wrote to memory of PID 1524 (netsh.exe), 4 times
  Both are parent-to-child writes matching the process tree below; no write into an unrelated process was recorded.
Processes
- C:\Users\Admin\AppData\Local\Temp\0a9eeb784f09d322d2a05a74a75bf4233052a66325b14b166d6273563217f41b.exe (PID 1124)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0a9eeb784f09d322d2a05a74a75bf4233052a66325b14b166d6273563217f41b.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\browser.exe (PID 956)
    Command line: "C:\Users\Admin\AppData\Roaming\browser.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (PID 1524)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\browser.exe" "browser.exe" ENABLE
      - Modifies Windows Firewall. The legacy "netsh firewall" context is still honoured on Windows 7; the rule exempts browser.exe from inbound filtering, which njRAT needs for its reverse-connection features. netsh.exe under SysWOW64 confirms the parent is a 32-bit process.
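The chain above (self-copy to %APPDATA%, Run values in HKLM and HKCU with the " .." suffix, a 32-hex .exe in the Startup folder, and a child netsh.exe whitelisting the same binary) is a good correlation target because the pieces share the same path and the same mutex string. The following is an added example, not code from the sandbox or the sample: it runs that correlation over constructed host events modelled on the report (a Sysmon-like shape, event id 13 for a registry value set, 11 for file create, 1 for process create). The field names, the event records and the two-indicator threshold are assumptions, not a product's schema.

```python
"""Correlate njRAT-style persistence indicators across host telemetry.

Added example. EVENTS is constructed to mirror the sandbox report; the
record layout (id/pid/ppid/image/target/details/cmdline) is an assumption.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set

# Run value whose name is a 32-hex string (njRAT reuses its mutex here)
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<name>[0-9a-f]{32})$", re.I)
# Startup-folder executable named with the same 32-hex string
STARTUP_RE = re.compile(
    r"\\Start Menu\\Programs\\Startup\\(?P<name>[0-9a-f]{32})\.exe$", re.I)
# Legacy netsh firewall whitelisting of a program
NETSH_RE = re.compile(
    r'netsh\s+firewall\s+add\s+allowedprogram\s+"(?P<path>[^"]+)"', re.I)
# njRAT writes its Run value as a quoted path followed by a space and ".."
NJRAT_RUN_VALUE_RE = re.compile(r'^"(?P<path>[^"]+\.exe)" \.\.$', re.I)

EVENTS: List[dict] = [   # constructed; paths and values copied from the report
    {"id": 13, "pid": 956, "ppid": 1124, "image": r"C:\Users\Admin\AppData\Roaming\browser.exe",
     "target": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\02970e07dff67a33e67ace6d6dbcc09f",
     "details": r'"C:\Users\Admin\AppData\Roaming\browser.exe" ..'},
    {"id": 13, "pid": 956, "ppid": 1124, "image": r"C:\Users\Admin\AppData\Roaming\browser.exe",
     "target": r"HKU\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\02970e07dff67a33e67ace6d6dbcc09f",
     "details": r'"C:\Users\Admin\AppData\Roaming\browser.exe" ..'},
    {"id": 11, "pid": 956, "ppid": 1124, "image": r"C:\Users\Admin\AppData\Roaming\browser.exe",
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\02970e07dff67a33e67ace6d6dbcc09f.exe"},
    {"id": 1, "pid": 1524, "ppid": 956, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\browser.exe" "browser.exe" ENABLE'},
    # benign control (hypothetical): an installer writing an ordinary Run value
    {"id": 13, "pid": 4000, "ppid": 700, "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "details": r'"C:\Program Files\Vendor\updater.exe" /background'},
]


def detect(events: List[dict]) -> Dict[int, Set[str]]:
    """Return {pid: indicator names} for processes showing at least two
    independent parts of the njRAT persistence chain."""
    hits: Dict[int, Set[str]] = defaultdict(set)
    for ev in events:
        if ev["id"] == 13:                                   # registry value set
            if RUN_KEY_RE.search(ev["target"]) and \
                    NJRAT_RUN_VALUE_RE.match(ev.get("details", "")):
                t = ev["target"].upper()
                hive = "hklm" if t.startswith(("HKLM", "\\REGISTRY\\MACHINE")) else "hku"
                hits[ev["pid"]].add(f"run_key_{hive}")
        elif ev["id"] == 11:                                 # file create
            if STARTUP_RE.search(ev["target"]):
                hits[ev["pid"]].add("startup_file")
        elif ev["id"] == 1:                                  # process create
            if NETSH_RE.search(ev.get("cmdline", "")):
                # credit the parent that spawned netsh, as in the process tree
                hits[ev["ppid"]].add("firewall_allow")
    return {pid: names for pid, names in hits.items() if len(names) >= 2}


if __name__ == "__main__":
    for pid, names in detect(EVENTS).items():
        print(pid, sorted(names))
```

The two-indicator threshold keeps a lone Run-key write from paging anyone; on this report browser.exe (PID 956) collects all four indicators, while the hypothetical installer's Run value never matches because its value name is not a 32-hex string and its data lacks the " .." suffix.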
Downloads
- C:\Users\Admin\AppData\Roaming\browser.exe (recorded three times by the sandbox, once as \Users\Admin\AppData\Roaming\browser.exe without the drive letter)
  MD5: 347ff437bff7fd078a6aa65c04620b84
  SHA1: 4c5f2b093cc9be24b61c4d83502f409b1e757f20
  SHA256: 0a9eeb784f09d322d2a05a74a75bf4233052a66325b14b166d6273563217f41b
  SHA512: deb2dd636fa554879e90763a060a5f66b247fbe49bc18c70bbdae8b298916527651113d7123619feaf09f87004507d0a0cf0bb54499149589f3ea9badf75836d
  The dropped browser.exe has exactly the same hashes as the submitted sample: the first stage copies itself to %APPDATA%\browser.exe and runs the copy. This is njRAT's standard install routine, not a second payload, so one hash set covers both files.
- memory/956-57-0x0000000000000000-mapping.dmp
- memory/956-61-0x00000000005F0000-0x00000000005F1000-memory.dmp (4KB)
- memory/1124-54-0x0000000076201000-0x0000000076203000-memory.dmp (8KB)
- memory/1124-55-0x0000000000380000-0x0000000000381000-memory.dmp (4KB)
- memory/1524-62-0x0000000000000000-mapping.dmp