1ca2fa1eacf168c97e2663f7bbbe64afe6569ade725ed84f4ee1fe91aa27e83f

General

Target: 1ca2fa1eacf168c97e2663f7bbbe64afe6569ade725ed84f4ee1fe91aa27e83f.exe
Filesize: 152KB
Completed: 24-09-2021 06:16
Score: 10/10
MD5: c2b9c99086b64ed5ef6ae1bd34288013
SHA1: 43a4fdff438bb03812aaf9cf273c5021a21623f8
SHA256: 1ca2fa1eacf168c97e2663f7bbbe64afe6569ade725ed84f4ee1fe91aa27e83f

Malware Config

Extracted

Family: njrat
Version: v2.0
Botnet: HacKed
C2: daddygvgv.ddns.net:1177

Attributes

reg_key: Windows
splitter: |-F-|
Signatures 9

  • njRAT/Bladabindi

    Description

    Widely used RAT written in .NET.

  • Executes dropped EXE
    MFhYi.exe, MFhYi.exe, Payload.exe

    Reported IOCs

    pid | process
    1352 | MFhYi.exe
    1544 | MFhYi.exe
    652 | Payload.exe
  • Drops startup file
    MFhYi.exe, MFhYi.exe, Payload.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | MFhYi.exe
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | MFhYi.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | Payload.exe
  • Loads dropped DLL
    MFhYi.exe

    Reported IOCs

    pid | process
    1544 | MFhYi.exe
  • Adds Run key to start application
    MFhYi.exe

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Payload.exe" | MFhYi.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Suspicious use of AdjustPrivilegeToken
    1ca2fa1eacf168c97e2663f7bbbe64afe6569ade725ed84f4ee1fe91aa27e83f.exe, Payload.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 2032 | 1ca2fa1eacf168c97e2663f7bbbe64afe6569ade725ed84f4ee1fe91aa27e83f.exe
    Token: SeDebugPrivilege | 652 | Payload.exe
    Token: 33 | 652 | Payload.exe (reported 15 times)
    Token: SeIncBasePriorityPrivilege | 652 | Payload.exe (reported 15 times)
  • Suspicious use of WriteProcessMemory
    1ca2fa1eacf168c97e2663f7bbbe64afe6569ade725ed84f4ee1fe91aa27e83f.exe, MFhYi.exe

    Reported IOCs

    description | pid | process | target process
    PID 2032 wrote to memory of 1352 | 2032 | 1ca2fa1eacf168c97e2663f7bbbe64afe6569ade725ed84f4ee1fe91aa27e83f.exe | MFhYi.exe (reported 4 times)
    PID 2032 wrote to memory of 1544 | 2032 | 1ca2fa1eacf168c97e2663f7bbbe64afe6569ade725ed84f4ee1fe91aa27e83f.exe | MFhYi.exe (reported 4 times)
    PID 1544 wrote to memory of 652 | 1544 | MFhYi.exe | Payload.exe (reported 4 times)
    PID 1544 wrote to memory of 860 | 1544 | MFhYi.exe | attrib.exe (reported 4 times)
  • Views/modifies file attributes
    attrib.exe

    TTPs

    Hidden Files and Directories

    Reported IOCs

    pid | process
    860 | attrib.exe
Processes 5
  • C:\Users\Admin\AppData\Local\Temp\1ca2fa1eacf168c97e2663f7bbbe64afe6569ade725ed84f4ee1fe91aa27e83f.exe
    "C:\Users\Admin\AppData\Local\Temp\1ca2fa1eacf168c97e2663f7bbbe64afe6569ade725ed84f4ee1fe91aa27e83f.exe"
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:2032
    • C:\Users\Admin\AppData\Local\Temp\MFhYi.exe
      "C:\Users\Admin\AppData\Local\Temp\MFhYi.exe"
      Executes dropped EXE
      Drops startup file
      PID:1352
    • C:\Users\Admin\AppData\Local\Temp\MFhYi.exe
      "C:\Users\Admin\AppData\Local\Temp\MFhYi.exe"
      Executes dropped EXE
      Drops startup file
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1544
      • C:\Users\Admin\AppData\Roaming\Payload.exe
        "C:\Users\Admin\AppData\Roaming\Payload.exe"
        Executes dropped EXE
        Drops startup file
        Suspicious use of AdjustPrivilegeToken
        PID:652
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Payload.exe"
        Views/modifies file attributes
        PID:860
Downloads
  • C:\Users\Admin\AppData\Local\Temp\MFhYi.exe
    MD5: 8e54875e72bebf23615137805c3d1145
    SHA1: 28eb5693c2964c991f2df6bf408c9a394b1db8db
    SHA256: 13070a0ead17f9ace63f7f78f754f8700dc186d3d744463876fb5d5dd4ceea9e
    SHA512: 2387c3150ca8f7473cc0e2d552d0e4b39ac396b363bbd3160284fc434b9d68d4df90afc291900c4f3c685bbccd0e6192fead07d90b0610e8dd028a56719926df

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
    MD5: b9622246a2ed61171999ee678f6cc470
    SHA1: 947ec795fbe97ce8c9b4622b456353716faceefa
    SHA256: bb8e11992d8f89c50638b95705372a1d5d136784844ccdb98e44ceb79af96056
    SHA512: 102f07473a2ee840f197e8279042b7e5f591d85d238d8ed8a11309f9ed3a6b7f54771a9d163b326ac74f7ac7f411d1114f42e938599ce4d11caaf3cd4b881d1e

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
    MD5: f6cb7b462491f3bd6758b9848a25fa09
    SHA1: 13875fca8b81fcc40cff20a9337d04d704adbaac
    SHA256: 8e1c016974f9f54989bacb9ee970508471d3dec83d0938a41c718bee667077df
    SHA512: 3d86c05351743f0ba38e843f4022e2931bede4a273dfd1d257eff420d1329d998f6619209023033d8185743249f0bfd7ff50d0e5cd6bc2b065698aca303727f9

  • C:\Users\Admin\AppData\Roaming\Payload.exe (also listed as \Users\Admin\AppData\Roaming\Payload.exe; hashes identical to the dropped MFhYi.exe, i.e. the same binary copied to its persistence location)
    MD5: 8e54875e72bebf23615137805c3d1145
    SHA1: 28eb5693c2964c991f2df6bf408c9a394b1db8db
    SHA256: 13070a0ead17f9ace63f7f78f754f8700dc186d3d744463876fb5d5dd4ceea9e
    SHA512: 2387c3150ca8f7473cc0e2d552d0e4b39ac396b363bbd3160284fc434b9d68d4df90afc291900c4f3c685bbccd0e6192fead07d90b0610e8dd028a56719926df

  • memory/652-67-0x0000000000000000-mapping.dmp
  • memory/652-74-0x0000000002130000-0x0000000002131000-memory.dmp
  • memory/860-71-0x0000000000000000-mapping.dmp
  • memory/1352-63-0x00000000004C0000-0x00000000004C1000-memory.dmp
  • memory/1352-61-0x00000000759B1000-0x00000000759B3000-memory.dmp
  • memory/1352-56-0x0000000000000000-mapping.dmp
  • memory/1544-64-0x0000000000A20000-0x0000000000A21000-memory.dmp
  • memory/1544-58-0x0000000000000000-mapping.dmp
  • memory/2032-54-0x000000013F940000-0x000000013F941000-memory.dmp