0a9eeb784f09d322d2a05a74a75bf4233052a66325b14b166d6273563217f41b

General
Target

0a9eeb784f09d322d2a05a74a75bf4233052a66325b14b166d6273563217f41b.exe

Filesize

289KB

Completed

22-09-2021 13:28

Score

10/10
MD5

347ff437bff7fd078a6aa65c04620b84

SHA1

4c5f2b093cc9be24b61c4d83502f409b1e757f20

SHA256

0a9eeb784f09d322d2a05a74a75bf4233052a66325b14b166d6273563217f41b

Malware Config

Extracted

Family njrat
Version im523
Botnet Vlad
C2

2.tcp.ngrok.io:18100

Attributes
reg_key
02970e07dff67a33e67ace6d6dbcc09f
splitter
|'|'|
Signatures 11

  • njRAT/Bladabindi

    Description

    Widely used RAT written in .NET.

  • suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

    Description

    suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

  • Executes dropped EXE
    browser.exe

    Reported IOCs

    pid  | process
    3276 | browser.exe
  • Modifies Windows Firewall

    TTPs

    Modify Existing Service
  • Drops startup file
    browser.exe

    Reported IOCs

    description                  | ioc                                                                                                               | process
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\02970e07dff67a33e67ace6d6dbcc09f.exe | browser.exe
    File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\02970e07dff67a33e67ace6d6dbcc09f.exe | browser.exe
  • Adds Run key to start application
    browser.exe

    TTPs

    Registry Run Keys / Startup Folder
    Modify Registry

    Reported IOCs

    description     | ioc                                                                                                                                                                                                   | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\02970e07dff67a33e67ace6d6dbcc09f = "\"C:\\Users\\Admin\\AppData\\Roaming\\browser.exe\" .." | browser.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\02970e07dff67a33e67ace6d6dbcc09f = "\"C:\\Users\\Admin\\AppData\\Roaming\\browser.exe\" .."                                  | browser.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Suspicious behavior: EnumeratesProcesses
    browser.exe

    Reported IOCs

    pid  | process
    3276 | browser.exe
  • Suspicious behavior: GetForegroundWindowSpam
    browser.exe

    Reported IOCs

    pid  | process
    3276 | browser.exe
  • Suspicious use of AdjustPrivilegeToken
    browser.exe

    Reported IOCs

    description                       | pid  | process
    Token: SeDebugPrivilege           | 3276 | browser.exe
    Token: 33                         | 3276 | browser.exe
    Token: SeIncBasePriorityPrivilege | 3276 | browser.exe
  • Suspicious use of WriteProcessMemory
    0a9eeb784f09d322d2a05a74a75bf4233052a66325b14b166d6273563217f41b.exe, browser.exe

    Reported IOCs

    description                      | pid  | process                                                               | target process
    PID 3260 wrote to memory of 3276 | 3260 | 0a9eeb784f09d322d2a05a74a75bf4233052a66325b14b166d6273563217f41b.exe | browser.exe
    PID 3276 wrote to memory of 3292 | 3276 | browser.exe                                                           | netsh.exe
Processes 3
  • C:\Users\Admin\AppData\Local\Temp\0a9eeb784f09d322d2a05a74a75bf4233052a66325b14b166d6273563217f41b.exe
    "C:\Users\Admin\AppData\Local\Temp\0a9eeb784f09d322d2a05a74a75bf4233052a66325b14b166d6273563217f41b.exe"
    Suspicious use of WriteProcessMemory
    PID:3260
    • C:\Users\Admin\AppData\Roaming\browser.exe
      "C:\Users\Admin\AppData\Roaming\browser.exe"
      Executes dropped EXE
      Drops startup file
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3276
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\browser.exe" "browser.exe" ENABLE
        PID:3292
Network
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Privilege Escalation
Downloads
  • C:\Users\Admin\AppData\Roaming\browser.exe

    MD5

    347ff437bff7fd078a6aa65c04620b84

    SHA1

    4c5f2b093cc9be24b61c4d83502f409b1e757f20

    SHA256

    0a9eeb784f09d322d2a05a74a75bf4233052a66325b14b166d6273563217f41b

    SHA512

    deb2dd636fa554879e90763a060a5f66b247fbe49bc18c70bbdae8b298916527651113d7123619feaf09f87004507d0a0cf0bb54499149589f3ea9badf75836d

  • memory/3260-114-0x0000000000630000-0x000000000077A000-memory.dmp

  • memory/3276-115-0x0000000000000000-mapping.dmp

  • memory/3276-118-0x00000000028B0000-0x00000000028B1000-memory.dmp

  • memory/3292-119-0x0000000000000000-mapping.dmp