c1865a6ccc50d10ec91518c9861ed005.exe

General
Target

c1865a6ccc50d10ec91518c9861ed005.exe

Filesize

31KB

Completed

23-09-2021 20:49

Score
10 /10
MD5

c1865a6ccc50d10ec91518c9861ed005

SHA1

493bf878ddc94d4a49c5d76243b083cb3d4c6a89

SHA256

5d4fc7275426bb63b90c5d97654e11011a513ebc66ee3af603d383e5175af38c

Malware Config

Extracted

Family njrat
Version 0.7d
Botnet MyBot
C2

178.20.44.131:6522

Attributes
reg_key
949d1d181b4442e0ea82dab5035cb1d3
splitter
Y262SUCZ4UJJ
Signatures 9

Defense Evasion
Discovery
Persistence
  • njRAT/Bladabindi

    Description

    Widely used RAT written in .NET.

  • Executes dropped EXE
    WindowsServices.exe

    Reported IOCs

    pid | process
    4076 | WindowsServices.exe
  • Modifies Windows Firewall

    Tags

    TTPs

    Modify Existing Service
  • Drops startup file
    WindowsServices.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\949d1d181b4442e0ea82dab5035cb1d3.exe | WindowsServices.exe
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\949d1d181b4442e0ea82dab5035cb1d3.exe | WindowsServices.exe
  • Adds Run key to start application
    WindowsServices.exe

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\949d1d181b4442e0ea82dab5035cb1d3 = "\"C:\\ProgramData\\WindowsServices.exe\" .." | WindowsServices.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\949d1d181b4442e0ea82dab5035cb1d3 = "\"C:\\ProgramData\\WindowsServices.exe\" .." | WindowsServices.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Suspicious behavior: EnumeratesProcesses
    dw20.exe

    Reported IOCs

    pid | process
    432 | dw20.exe
    432 | dw20.exe
  • Suspicious use of AdjustPrivilegeToken
    WindowsServices.exe, dw20.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 4076 | WindowsServices.exe
    Token: 33 | 4076 | WindowsServices.exe
    Token: SeIncBasePriorityPrivilege | 4076 | WindowsServices.exe
    Token: 33 | 4076 | WindowsServices.exe
    Token: SeIncBasePriorityPrivilege | 4076 | WindowsServices.exe
    Token: 33 | 4076 | WindowsServices.exe
    Token: SeIncBasePriorityPrivilege | 4076 | WindowsServices.exe
    Token: 33 | 4076 | WindowsServices.exe
    Token: SeIncBasePriorityPrivilege | 4076 | WindowsServices.exe
    Token: 33 | 4076 | WindowsServices.exe
    Token: SeIncBasePriorityPrivilege | 4076 | WindowsServices.exe
    Token: 33 | 4076 | WindowsServices.exe
    Token: SeIncBasePriorityPrivilege | 4076 | WindowsServices.exe
    Token: 33 | 4076 | WindowsServices.exe
    Token: SeIncBasePriorityPrivilege | 4076 | WindowsServices.exe
    Token: 33 | 4076 | WindowsServices.exe
    Token: SeIncBasePriorityPrivilege | 4076 | WindowsServices.exe
    Token: 33 | 4076 | WindowsServices.exe
    Token: SeIncBasePriorityPrivilege | 4076 | WindowsServices.exe
    Token: 33 | 4076 | WindowsServices.exe
    Token: SeIncBasePriorityPrivilege | 4076 | WindowsServices.exe
    Token: 33 | 4076 | WindowsServices.exe
    Token: SeIncBasePriorityPrivilege | 4076 | WindowsServices.exe
    Token: 33 | 4076 | WindowsServices.exe
    Token: SeIncBasePriorityPrivilege | 4076 | WindowsServices.exe
    Token: 33 | 4076 | WindowsServices.exe
    Token: SeIncBasePriorityPrivilege | 4076 | WindowsServices.exe
    Token: SeRestorePrivilege | 432 | dw20.exe
    Token: SeBackupPrivilege | 432 | dw20.exe
    Token: 33 | 4076 | WindowsServices.exe
    Token: SeIncBasePriorityPrivilege | 4076 | WindowsServices.exe
    Token: 33 | 4076 | WindowsServices.exe
    Token: SeIncBasePriorityPrivilege | 4076 | WindowsServices.exe
    Token: 33 | 4076 | WindowsServices.exe
    Token: SeIncBasePriorityPrivilege | 4076 | WindowsServices.exe
  • Suspicious use of WriteProcessMemory
    c1865a6ccc50d10ec91518c9861ed005.exe, WindowsServices.exe

    Reported IOCs

    description | pid | process | target process
    PID 1832 wrote to memory of 4076 | 1832 | c1865a6ccc50d10ec91518c9861ed005.exe | WindowsServices.exe
    PID 1832 wrote to memory of 4076 | 1832 | c1865a6ccc50d10ec91518c9861ed005.exe | WindowsServices.exe
    PID 1832 wrote to memory of 4076 | 1832 | c1865a6ccc50d10ec91518c9861ed005.exe | WindowsServices.exe
    PID 4076 wrote to memory of 3436 | 4076 | WindowsServices.exe | netsh.exe
    PID 4076 wrote to memory of 3436 | 4076 | WindowsServices.exe | netsh.exe
    PID 4076 wrote to memory of 3436 | 4076 | WindowsServices.exe | netsh.exe
    PID 4076 wrote to memory of 432 | 4076 | WindowsServices.exe | dw20.exe
    PID 4076 wrote to memory of 432 | 4076 | WindowsServices.exe | dw20.exe
    PID 4076 wrote to memory of 432 | 4076 | WindowsServices.exe | dw20.exe
Processes 4
  • C:\Users\Admin\AppData\Local\Temp\c1865a6ccc50d10ec91518c9861ed005.exe
    "C:\Users\Admin\AppData\Local\Temp\c1865a6ccc50d10ec91518c9861ed005.exe"
    Suspicious use of WriteProcessMemory
    PID:1832
    • C:\ProgramData\WindowsServices.exe
      "C:\ProgramData\WindowsServices.exe"
      Executes dropped EXE
      Drops startup file
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4076
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\ProgramData\WindowsServices.exe" "WindowsServices.exe" ENABLE
        PID:3436
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        dw20.exe -x -s 2308
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        PID:432
Network
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Privilege Escalation
Downloads
  • C:\ProgramData\WindowsServices.exe

    MD5

    c1865a6ccc50d10ec91518c9861ed005

    SHA1

    493bf878ddc94d4a49c5d76243b083cb3d4c6a89

    SHA256

    5d4fc7275426bb63b90c5d97654e11011a513ebc66ee3af603d383e5175af38c

    SHA512

    d76af3962d5c9449e17d4663d285929afb4d9ca2da76684959d68802d53b27401992f9a26e849faa1300062d7950129608d95824d2441dc79de872399a2e137a

  • memory/432-120-0x0000000000000000-mapping.dmp

  • memory/1832-114-0x00000000030D0000-0x00000000030D1000-memory.dmp

  • memory/3436-119-0x0000000000000000-mapping.dmp

  • memory/4076-115-0x0000000000000000-mapping.dmp

  • memory/4076-118-0x00000000025B0000-0x00000000025B1000-memory.dmp