c1865a6ccc50d10ec91518c9861ed005.exe

General

Target:    c1865a6ccc50d10ec91518c9861ed005.exe
Filesize:  31KB
Completed: 23-09-2021 20:49
Score:     10/10
MD5:       c1865a6ccc50d10ec91518c9861ed005
SHA1:      493bf878ddc94d4a49c5d76243b083cb3d4c6a89
SHA256:    5d4fc7275426bb63b90c5d97654e11011a513ebc66ee3af603d383e5175af38c

Malware Config

Extracted

Family:  njrat
Version: 0.7d
Botnet:  MyBot
C2:      178.20.44.131:6522

Attributes

reg_key:  949d1d181b4442e0ea82dab5035cb1d3 (the name njRAT uses for its Run-key value and for the copy it drops in the Startup folder; both appear in the persistence IOCs below)
splitter: Y262SUCZ4UJJ (the delimiter njRAT places between fields in its C2 messages; stock builds use |'|'|, so a custom value like this one is a useful network signature for this build)
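The extracted splitter is only useful if you know how njRAT frames its traffic. The helpers below are an added example, not code from the sandbox report or from njRAT itself: they build and parse njRAT-style frames using the splitter from this config. The framing (ASCII decimal length, a NUL byte, then the payload, with payload fields joined by the splitter, and the "ll" keyword for the client's check-in) is documented njRAT behaviour; everything after the keyword in the sample frames is constructed placeholder data, not a claim about njRAT's real field layout. The parser handles a stream carrying several frames and a trailing partial frame, which is the case a live capture or a proxy actually sees.

```python
"""njRAT-style C2 framing helpers (added example, not from the report or njRAT).

Documented behaviour used here: each message is "<ASCII decimal length><NUL>
<payload>", and the payload is a list of fields joined by the configured
splitter (Y262SUCZ4UJJ in the config above). The first field is a command
keyword; "ll" is the registration message a client sends on check-in. The
sample frames' remaining fields are CONSTRUCTED placeholders.
"""

SPLITTER = b"Y262SUCZ4UJJ"  # taken from the extracted config above


def frame(payload: bytes) -> bytes:
    """Wrap a payload in the njRAT length prefix: b"<len>\\x00<payload>"."""
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def build_message(fields, splitter: bytes = SPLITTER) -> bytes:
    """Join text fields with the splitter and frame the result."""
    return frame(splitter.join(f.encode("utf-8") for f in fields))


def parse_stream(buf: bytes, splitter: bytes = SPLITTER):
    """Split a TCP stream into complete messages.

    Returns (messages, remainder): messages is a list of field lists, and
    remainder holds trailing bytes that do not yet form a whole frame (a
    partial length prefix, or a frame still being received) so the caller
    can prepend them to the next read. Raises ValueError when a frame's
    length prefix is not decimal digits, i.e. the stream is not njRAT framing.
    """
    messages = []
    while True:
        nul = buf.find(b"\x00")
        if nul == -1:
            break  # no complete length prefix yet
        prefix = buf[:nul]
        if not prefix.isdigit():
            raise ValueError(f"bad njRAT length prefix: {prefix!r}")
        length = int(prefix)
        start = nul + 1
        if len(buf) - start < length:
            break  # frame not fully received; keep it in the remainder
        payload = buf[start:start + length]
        messages.append([f.decode("utf-8", "replace") for f in payload.split(splitter)])
        buf = buf[start + length:]
    return messages, buf


def is_registration(fields) -> bool:
    """True for the 'll' keyword an njRAT client sends when it checks in."""
    return bool(fields) and fields[0] == "ll"


# CONSTRUCTED sample stream: two complete frames followed by a partial frame
# (length says 12 bytes, only 7 have arrived).
SAMPLE_STREAM = (
    build_message(["ll", "victim-id-placeholder", "DESKTOP-01", "Admin", "0.7d"])
    + build_message(["cmd-placeholder", "arg-placeholder"])
    + b"12\x00partial"
)

if __name__ == "__main__":
    msgs, rest = parse_stream(SAMPLE_STREAM)
    for m in msgs:
        print("registration" if is_registration(m) else "other       ", m)
    print("bytes held for next read:", rest)
```

Point a Suricata content match or a Zeek script at the same two facts: a decimal length followed by a NUL at the start of the stream, and the splitter string appearing in the first payload. The splitter, not the default |'|'|, is what ties a capture to this particular build.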
Signatures 9

  • njRAT/Bladabindi

    Description

    Widely used RAT written in .NET.

  • Executes dropped EXE
    WindowsServices.exe

    Reported IOCs

    PID   Process
    1576  WindowsServices.exe
  • Modifies Windows Firewall

    The modification is the netsh.exe child process shown under Processes below, which adds C:\ProgramData\WindowsServices.exe as an allowed program so the C2 connection is not blocked.

    TTPs

    Modify Existing Service
  • Drops startup file
    WindowsServices.exe

    Reported IOCs

    Description                   IOC                                                                                                                   Process
    File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\949d1d181b4442e0ea82dab5035cb1d3.exe   WindowsServices.exe
    File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\949d1d181b4442e0ea82dab5035cb1d3.exe   WindowsServices.exe
  • Loads dropped DLL
    c1865a6ccc50d10ec91518c9861ed005.exe

    Reported IOCs

    PID   Process
    1132  c1865a6ccc50d10ec91518c9861ed005.exe
  • Adds Run key to start application
    WindowsServices.exe

    TTPs

    Registry Run Keys / Startup Folder
    Modify Registry

    Reported IOCs

    Description      IOC                                                                                                                                                                                          Process
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\949d1d181b4442e0ea82dab5035cb1d3 = "\"C:\\ProgramData\\WindowsServices.exe\" .."                                      WindowsServices.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\949d1d181b4442e0ea82dab5035cb1d3 = "\"C:\\ProgramData\\WindowsServices.exe\" .."   WindowsServices.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic text flags this as likely ransomware behaviour, but nothing else in this report supports that reading: the only file writes recorded are the persistence copies above, and njRAT enumerates drives for its removable-media spreading feature rather than for encryption.

    TTPs

    System Information Discovery
  • Suspicious use of AdjustPrivilegeToken
    WindowsServices.exe

    Reported IOCs (the Token: 33 / SeIncBasePriorityPrivilege pair is repeated 17 times in the report; counts shown instead of the repeats)

    Description                        PID   Process              Count
    Token: SeDebugPrivilege            1576  WindowsServices.exe  1
    Token: 33                          1576  WindowsServices.exe  17
    Token: SeIncBasePriorityPrivilege  1576  WindowsServices.exe  17
  • Suspicious use of WriteProcessMemory
    c1865a6ccc50d10ec91518c9861ed005.exe, WindowsServices.exe

    Reported IOCs (each row was reported four times)

    Description                       PID   Process                               Target process       Count
    PID 1132 wrote to memory of 1576  1132  c1865a6ccc50d10ec91518c9861ed005.exe  WindowsServices.exe  4
    PID 1576 wrote to memory of 1720  1576  WindowsServices.exe                   netsh.exe            4
Processes 3
  • C:\Users\Admin\AppData\Local\Temp\c1865a6ccc50d10ec91518c9861ed005.exe
    "C:\Users\Admin\AppData\Local\Temp\c1865a6ccc50d10ec91518c9861ed005.exe"
    Loads dropped DLL
    Suspicious use of WriteProcessMemory
    PID:1132
    • C:\ProgramData\WindowsServices.exe
      "C:\ProgramData\WindowsServices.exe"
      Executes dropped EXE
      Drops startup file
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1576
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\ProgramData\WindowsServices.exe" "WindowsServices.exe" ENABLE
        PID:1720
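The signatures and process tree above describe one chain: the dropped copy in C:\ProgramData writes a Run value under both HKLM (Wow6432Node) and the user hive, drops a second copy into the Startup folder, and spawns netsh to whitelist itself in the firewall before calling home. The rules below are an added example, not code from the sandbox report, that turn those observations into hunt logic. They run over constructed Sysmon-style events (dicts using Sysmon's field names: EventID 13 registry value set, 11 file create, 1 process create, 3 network connect). The indicators are taken from this report: the reg_key used as Run value name and Startup file name, the " .." suffix njRAT appends to its Run-key command line, the netsh allowedprogram call, and the extracted C2. A benign Run value is included to show the format rule does not fire on ordinary autostarts.

```python
"""Hunt rules for the njRAT persistence chain in the report above.

Added example, not code from the sandbox report. Events are CONSTRUCTED
Sysmon-style dicts; indicator values come from the report's IOCs.
"""
import re

# Indicators from the report.
REG_KEY = "949d1d181b4442e0ea82dab5035cb1d3"
C2_IP, C2_PORT = "178.20.44.131", 6522
DROP_PATH = r"C:\ProgramData\WindowsServices.exe"

RUN_KEY_RE = re.compile(
    r"\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# njRAT writes its Run value as a quoted exe path followed by a space and "..".
NJRAT_RUN_DATA_RE = re.compile(r'^"[^"]+\.exe" \.\.$')
NETSH_ALLOW_RE = re.compile(
    r"\bnetsh(\.exe)?\s+firewall\s+add\s+allowedprogram\b", re.I)


def check_event(ev):
    """Return (rule, detail) pairs that fire on a single event."""
    hits = []
    eid = ev.get("EventID")
    if eid == 13:  # registry value set
        target = ev.get("TargetObject", "")
        data = ev.get("Details", "")
        if RUN_KEY_RE.search(target):
            value_name = target.rsplit("\\", 1)[-1]
            if NJRAT_RUN_DATA_RE.match(data):
                hits.append(("njrat_run_value_format", target))
            if value_name.lower() == REG_KEY:
                hits.append(("known_njrat_reg_key", target))
    elif eid == 11:  # file create
        path = ev.get("TargetFilename", "")
        if STARTUP_DIR_RE.search(path) and path.lower().endswith(".exe"):
            hits.append(("exe_dropped_in_startup_folder", path))
    elif eid == 1:  # process create
        cmdline = ev.get("CommandLine", "")
        if NETSH_ALLOW_RE.search(cmdline):
            hits.append(("netsh_firewall_allowedprogram", cmdline))
    elif eid == 3:  # network connect
        if ev.get("DestinationIp") == C2_IP and ev.get("DestinationPort") == C2_PORT:
            hits.append(("known_njrat_c2", f"{C2_IP}:{C2_PORT}"))
    return hits


def hunt(events):
    """Run check_event over every event and flatten the findings."""
    findings = []
    for ev in events:
        for rule, detail in check_event(ev):
            findings.append({"rule": rule, "pid": ev.get("ProcessId"),
                             "image": ev.get("Image"), "detail": detail})
    return findings


# CONSTRUCTED events mirroring the report's IOCs, plus one benign Run value.
SAMPLE_EVENTS = [
    {"EventID": 13, "ProcessId": 1576, "Image": DROP_PATH,
     "TargetObject": "HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\" + REG_KEY,
     "Details": '"C:\\ProgramData\\WindowsServices.exe" ..'},
    {"EventID": 13, "ProcessId": 1576, "Image": DROP_PATH,
     "TargetObject": "HKU\\S-1-5-21-3456797065-1076791440-4146276586-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\" + REG_KEY,
     "Details": '"C:\\ProgramData\\WindowsServices.exe" ..'},
    {"EventID": 11, "ProcessId": 1576, "Image": DROP_PATH,
     "TargetFilename": "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\" + REG_KEY + ".exe"},
    {"EventID": 1, "ProcessId": 1720, "Image": r"C:\Windows\SysWOW64\netsh.exe",
     "CommandLine": 'netsh firewall add allowedprogram "C:\\ProgramData\\WindowsServices.exe" "WindowsServices.exe" ENABLE'},
    {"EventID": 3, "ProcessId": 1576, "Image": DROP_PATH,
     "DestinationIp": C2_IP, "DestinationPort": C2_PORT},
    # Benign autostart: same Run key, ordinary command line, unknown value name.
    {"EventID": 13, "ProcessId": 4242, "Image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": '"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['rule']:32} pid={f['pid']:<5} {f['detail']}")
```

The format rule is the one worth keeping after this sample is gone: the reg_key and C2 change per build, but the quoted-path-plus-" .." Run value and the netsh allowedprogram call from a non-installer process are stable njRAT tells.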
Network
MITRE ATT&CK Matrix

Tactic columns shown in the report: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation. The techniques mapped for this sample are the TTPs listed under the individual signatures above (Registry Run Keys / Startup Folder, Modify Registry, Modify Existing Service, System Information Discovery).
Downloads

• C:\ProgramData\WindowsServices.exe (listed three times in the report, twice as C:\ProgramData\WindowsServices.exe and once as \ProgramData\WindowsServices.exe; all three entries carry identical hashes, and those hashes match the submitted sample, so the dropped file is a byte-for-byte copy of the original executable)

  MD5     c1865a6ccc50d10ec91518c9861ed005
  SHA1    493bf878ddc94d4a49c5d76243b083cb3d4c6a89
  SHA256  5d4fc7275426bb63b90c5d97654e11011a513ebc66ee3af603d383e5175af38c
  SHA512  d76af3962d5c9449e17d4663d285929afb4d9ca2da76684959d68802d53b27401992f9a26e849faa1300062d7950129608d95824d2441dc79de872399a2e137a

• memory/1132-53-0x0000000075951000-0x0000000075953000-memory.dmp
• memory/1132-54-0x0000000000A20000-0x0000000000A21000-memory.dmp
• memory/1576-56-0x0000000000000000-mapping.dmp
• memory/1576-60-0x0000000002170000-0x0000000002171000-memory.dmp
• memory/1576-63-0x0000000002171000-0x0000000002172000-memory.dmp
• memory/1720-61-0x0000000000000000-mapping.dmp