E54869035CAD0883D23A9876B2F2A2933C238A3493F98.exe

General
Target

E54869035CAD0883D23A9876B2F2A2933C238A3493F98.exe

Filesize

23KB

Completed

23-09-2021 14:55

Score
10/10
MD5

ff0a76f55ded419451bc43c4ada07442

SHA1

db1649fe991ddd2d24695f4bc87846dd53f6ee70

SHA256

e54869035cad0883d23a9876b2f2a2933c238a3493f98e4e708de09e8775f13b

Malware Config

Extracted

Family njrat
Version 0.7d
Botnet HacKed
C2

loveyou1.zapto.org:9090

Attributes
reg_key  30babc74a83b1275096945fbac125560
splitter |'|'|

reg_key doubles as the Run-key value name and the Startup-folder filename recorded under Signatures below; splitter is the field delimiter of the C2 protocol that the Suricata signature matches on.
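The extracted config gives the two protocol constants a network analyst needs: the splitter |'|'| that delimits fields in every njRAT message, and the C2 endpoint. The block below is an added example, not part of this report and not njRAT's or the sandbox's code. It reassembles njRAT's length-prefixed TCP frames, splits each frame on the splitter, and flags the "ll" registration beacon that the Suricata rule further down is named after. Two things are assumptions carried over from prior analysis of the family rather than from this page: the framing (a decimal length, a NUL byte, then the payload) and the layout of the fields after "ll" (first field is base64 of "<botnet>_<hwid>", which is where the botnet name HacKed travels). The sample stream is constructed.

```python
import base64
import re

# Values taken from the extracted config on this page.
SPLITTER = b"|'|'|"
C2_HOST, C2_PORT = "loveyou1.zapto.org", 9090

# Assumption (not on the page): njRAT prefixes every TCP message with its
# payload length in decimal ASCII followed by a NUL byte, e.g. b"5\x00hello".
FRAME_RE = re.compile(rb"(\d+)\x00")


def split_frames(stream: bytes):
    """Yield (payload, complete) for each length-prefixed message in a TCP stream.

    The last item is (remainder, False) when the stream ends mid-message or the
    length prefix is malformed, so a caller can buffer the remainder and retry."""
    pos = 0
    while pos < len(stream):
        m = FRAME_RE.match(stream, pos)
        if not m:
            yield stream[pos:], False
            return
        start, end = m.end(), m.end() + int(m.group(1))
        if end > len(stream):
            yield stream[start:], False
            return
        yield stream[start:end], True
        pos = end


def is_njrat_beacon(payload: bytes) -> bool:
    """What the ET 'CnC Activity (ll)' rule keys on: the ll command followed by the splitter."""
    return payload.startswith(b"ll" + SPLITTER)


def parse_beacon(payload: bytes) -> dict:
    """Split a message on the config splitter; decode the victim id of an 'll' beacon.

    Assumption (not on the page): the first field after 'll' is
    base64("<botnet>_<hwid>"). A non-base64 field leaves victim_id unset."""
    fields = payload.split(SPLITTER)
    info = {"cmd": fields[0].decode("ascii", "replace"),
            "fields": [f.decode("utf-8", "replace") for f in fields[1:]]}
    if info["cmd"] == "ll" and len(fields) > 1:
        try:
            victim = base64.b64decode(fields[1], validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError subclass
            return info
        info["victim_id"] = victim
        info["botnet"] = victim.split("_", 1)[0]
    return info


def build_beacon(botnet: str, hwid: str, host: str, user: str) -> bytes:
    """Construct a test frame in the assumed 'll' layout (only used to make sample traffic)."""
    victim = base64.b64encode(f"{botnet}_{hwid}".encode()).decode()
    payload = SPLITTER.join([b"ll", victim.encode(), host.encode(), user.encode(), b"0.7d"])
    return str(len(payload)).encode() + b"\x00" + payload


# Constructed sample stream: one registration beacon, one short command, and a
# beacon truncated at the end (what a capture cut mid-message looks like).
SAMPLE_STREAM = (build_beacon("HacKed", "1A2B3C4D", "DESKTOP-TEST", "Admin")
                 + b"3\x00inf"
                 + b"20\x00ll" + SPLITTER)


def scan(stream: bytes) -> list:
    """Return parsed dicts for every complete frame that looks like an njRAT beacon."""
    return [parse_beacon(p) for p, complete in split_frames(stream)
            if complete and is_njrat_beacon(p)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_STREAM):
        print(f"njRAT beacon (C2 in config: {C2_HOST}:{C2_PORT}) "
              f"botnet={hit['botnet']} victim={hit['victim_id']}")
```

The frame splitter deliberately returns the unparsed tail instead of raising, because a beacon that straddles two TCP segments is the normal case on a live tap; the caller keeps the remainder and prepends it to the next segment.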
Signatures 10

Tactics covered: Defense Evasion, Discovery, Persistence
  • njRAT/Bladabindi

    Description

    Widely used RAT written in .NET.

  • suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

    Description

    Emerging Threats network rule that fires on njRAT's "ll" C2 message, the splitter-delimited registration beacon. The destination seen in this run is not listed in the report; the extracted config points at loveyou1.zapto.org:9090.

  • Executes dropped EXE
    GoogleCrash.exe

    Reported IOCs

    pid  | process
    1472 | GoogleCrash.exe
  • Modifies Windows Firewall
    GoogleCrash.exe

    Description

    The rule is added through the legacy netsh firewall context (netsh.exe, PID 1652, spawned by GoogleCrash.exe, PID 1472; see Processes). It exempts the RAT's own executable from host-firewall filtering rather than changing any firewall profile.

    TTPs

    Modify Existing Service
  • Drops startup file
    GoogleCrash.exe

    Reported IOCs

    description                  | ioc                                                                                                               | process
    File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\30babc74a83b1275096945fbac125560.exe | GoogleCrash.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\30babc74a83b1275096945fbac125560.exe | GoogleCrash.exe
  • Loads dropped DLL
    E54869035CAD0883D23A9876B2F2A2933C238A3493F98.exe

    Reported IOCs

    pid | process
    800 | E54869035CAD0883D23A9876B2F2A2933C238A3493F98.exe
  • Adds Run key to start application
    GoogleCrash.exe

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

    Reported IOCs

    description     | ioc                                                                                                                                                                                                                     | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\30babc74a83b1275096945fbac125560 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\GoogleCrash.exe\" .." | GoogleCrash.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\30babc74a83b1275096945fbac125560 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\GoogleCrash.exe\" .."                              | GoogleCrash.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour, but that is a generic heuristic: nothing else in this report supports it, and for njRAT drive enumeration is more consistent with the family's removable-drive spreading than with encryption.

    TTPs

    System Information Discovery
  • Suspicious use of AdjustPrivilegeToken
    GoogleCrash.exe

    Reported IOCs

    description                       | pid  | process         | count
    Token: SeDebugPrivilege           | 1472 | GoogleCrash.exe | 1
    Token: SeIncBasePriorityPrivilege | 1472 | GoogleCrash.exe | 16
    Token: 33                         | 1472 | GoogleCrash.exe | 16

    "Token: 33" is a privilege the sandbox did not resolve to a name; LUID 33 is SE_INC_WORKING_SET_PRIVILEGE (SeIncreaseWorkingSetPrivilege) in winnt.h. The SeIncBasePriorityPrivilege/33 rows were logged alternately 16 times each, i.e. repeated calls, not 32 distinct privileges. SeDebugPrivilege is the one worth alerting on.
  • Suspicious use of WriteProcessMemory
    E54869035CAD0883D23A9876B2F2A2933C238A3493F98.exeGoogleCrash.exe

    Reported IOCs

    description                      | pid  | process                                           | target process  | count
    PID 800 wrote to memory of 1472  | 800  | E54869035CAD0883D23A9876B2F2A2933C238A3493F98.exe | GoogleCrash.exe | 4
    PID 1472 wrote to memory of 1652 | 1472 | GoogleCrash.exe                                   | netsh.exe       | 4

    In both cases the target is a child the writer has just spawned (see Processes), which is the ordinary parent-to-child write that accompanies process creation, not injection into an unrelated process.
Processes 3
  • C:\Users\Admin\AppData\Local\Temp\E54869035CAD0883D23A9876B2F2A2933C238A3493F98.exe
    "C:\Users\Admin\AppData\Local\Temp\E54869035CAD0883D23A9876B2F2A2933C238A3493F98.exe"
    Loads dropped DLL
    Suspicious use of WriteProcessMemory
    PID:800
    • C:\Users\Admin\AppData\Local\Temp\GoogleCrash.exe
      "C:\Users\Admin\AppData\Local\Temp\GoogleCrash.exe"
      Executes dropped EXE
      Drops startup file
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1472
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\GoogleCrash.exe" "GoogleCrash.exe" ENABLE
        PID:1652
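The process tree above shows the whole persistence chain in three host events: a Run value named after reg_key whose data is the %TEMP% copy followed by " ..", a same-named .exe dropped in the user's Startup folder, and netsh whitelisting that same executable from inside it. The block below is an added example, not part of this report and not the sandbox's detection logic. It encodes those three behaviours as rules over constructed host logs written in a simplified "key=value || key=value" form modelled on Sysmon events 13 (registry value set), 11 (file create) and 1 (process create); the field names EventID, Image, ParentImage, TargetObject, Details, TargetFilename and CommandLine are assumptions, and the log lines are constructed from the IOCs in this report plus two benign lines for contrast. It then correlates the registry and Startup-folder hits on the shared 32-hex id.

```python
import re

HEX32 = r"[0-9a-f]{32}"
# Run value named with a 32-hex id, in the HKU view or the HKLM Wow6432Node view seen in the report.
RUN_KEY_RE = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\(" + HEX32 + r")$", re.I)
TEMP_EXE_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\(" + HEX32 + r")\.exe$", re.I)
NETSH_RE = re.compile(
    r'netsh(?:\.exe)?\s+firewall\s+add\s+allowedprogram\s+"?([^"]+?\.exe)"?', re.I)

# Constructed log lines (field names are assumptions, values modelled on the report's IOCs).
SAMPLE_LOG = [
    r'EventID=13 || Image=C:\Users\Admin\AppData\Local\Temp\GoogleCrash.exe'
    r' || TargetObject=HKU\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\30babc74a83b1275096945fbac125560'
    r' || Details="C:\Users\Admin\AppData\Local\Temp\GoogleCrash.exe" ..',
    r'EventID=13 || Image=C:\Users\Admin\AppData\Local\Temp\GoogleCrash.exe'
    r' || TargetObject=HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\30babc74a83b1275096945fbac125560'
    r' || Details="C:\Users\Admin\AppData\Local\Temp\GoogleCrash.exe" ..',
    r'EventID=11 || Image=C:\Users\Admin\AppData\Local\Temp\GoogleCrash.exe'
    r' || TargetFilename=C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\30babc74a83b1275096945fbac125560.exe',
    r'EventID=1 || Image=C:\Windows\SysWOW64\netsh.exe || ParentImage=C:\Users\Admin\AppData\Local\Temp\GoogleCrash.exe'
    r' || CommandLine=netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\GoogleCrash.exe" "GoogleCrash.exe" ENABLE',
    # benign noise: an ordinary Run value and an administrative netsh call
    r'EventID=13 || Image=C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe'
    r' || TargetObject=HKU\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive'
    r' || Details="C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    r'EventID=1 || Image=C:\Windows\System32\netsh.exe || ParentImage=C:\Windows\System32\cmd.exe'
    r' || CommandLine=netsh advfirewall show allprofiles',
]


def parse_line(line: str) -> dict:
    """Split 'k=v || k=v' into a dict; values keep their quotes and spaces."""
    ev = {}
    for part in line.split(" || "):
        key, sep, value = part.partition("=")
        if sep:
            ev[key] = value
    return ev


def detect(lines) -> list:
    """Run the three rules over log lines and return one finding per hit."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        eid = ev.get("EventID")
        if eid == "13":  # registry value set
            m = RUN_KEY_RE.search(ev.get("TargetObject", ""))
            data = ev.get("Details", "")
            if m and TEMP_EXE_RE.search(data):
                findings.append({"rule": "run_key_temp_exe", "key": m.group(1).lower(),
                                 "image": ev.get("Image", ""),
                                 # njRAT appends " .." after the quoted path, as in this report
                                 "njrat_suffix": data.rstrip().endswith(" ..")})
        elif eid == "11":  # file create
            m = STARTUP_RE.search(ev.get("TargetFilename", ""))
            if m:
                findings.append({"rule": "startup_folder_hexname", "key": m.group(1).lower(),
                                 "image": ev.get("Image", "")})
        elif eid == "1":  # process create
            m = NETSH_RE.search(ev.get("CommandLine", ""))
            if m:
                prog = m.group(1)
                findings.append({"rule": "netsh_allowedprogram", "program": prog,
                                 "temp_path": bool(TEMP_EXE_RE.search(prog)),
                                 # the RAT whitelists itself: the allowed program is the parent
                                 "self_whitelist": prog.lower() == ev.get("ParentImage", "").lower()})
    return findings


def correlate(findings) -> set:
    """Hex ids seen both as a Run value name and as a Startup-folder filename."""
    rules_by_key = {}
    for f in findings:
        if "key" in f:
            rules_by_key.setdefault(f["key"], set()).add(f["rule"])
    return {k for k, rules in rules_by_key.items()
            if {"run_key_temp_exe", "startup_folder_hexname"} <= rules}


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for f in found:
        print(f)
    print("correlated njRAT ids:", correlate(found))
```

Each rule alone is noisy in a real estate (installers write Run values from Temp, admins run netsh), so the correlation on the shared hex id and the self_whitelist flag are what lift the score; on a Sysmon-fed SIEM the same logic maps onto events 13, 11 and 1 with the field names used here.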
Downloads
  • C:\Users\Admin\AppData\Local\Temp\GoogleCrash.exe

    MD5    ff0a76f55ded419451bc43c4ada07442
    SHA1   db1649fe991ddd2d24695f4bc87846dd53f6ee70
    SHA256 e54869035cad0883d23a9876b2f2a2933c238a3493f98e4e708de09e8775f13b
    SHA512 d26bf759a1fc39b5686fc8d281f1395c7743c78b3e7e7be81ddb6faf434efee0f3422a14dea2ec7bb3278b95dc941b676ebca6ec9742d7b52c4a47790411e842

    These hashes are identical to those of the submitted sample under General: the first stage copies itself to %TEMP%\GoogleCrash.exe and runs the copy, so one hash covers both the dropper and the persisted payload.

  • memory/800-59-0x0000000075051000-0x0000000075053000-memory.dmp
  • memory/800-60-0x0000000002350000-0x0000000002351000-memory.dmp
  • memory/1472-62-0x0000000000000000-mapping.dmp
  • memory/1472-66-0x0000000000230000-0x0000000000231000-memory.dmp
  • memory/1652-67-0x0000000000000000-mapping.dmp