1ca2fa1eacf168c97e2663f7bbbe64afe6569ade725ed84f4ee1fe91aa27e83f

General

Target: 1ca2fa1eacf168c97e2663f7bbbe64afe6569ade725ed84f4ee1fe91aa27e83f.exe
Filesize: 152KB
Completed: 24-09-2021 06:16
Score: 10/10
MD5: c2b9c99086b64ed5ef6ae1bd34288013
SHA1: 43a4fdff438bb03812aaf9cf273c5021a21623f8
SHA256: 1ca2fa1eacf168c97e2663f7bbbe64afe6569ade725ed84f4ee1fe91aa27e83f

Malware Config

Extracted

Family: njrat
Version: v2.0
Botnet: HacKed
C2: daddygvgv.ddns.net:1177

Attributes
reg_key: Windows
splitter: |-F-|

The botnet value is the campaign tag the operator compiled in; njRAT prefixes each victim identifier with it. The reg_key value is the name the RAT gives its persistence artefacts, and it matches the Windows.lnk startup shortcut dropped below. The splitter is the delimiter between fields inside C2 messages: classic njRAT 0.7d builds use |'|'|, this build uses |-F-|, so a network signature written for the old delimiter will miss this traffic. The C2 host is a dynamic-DNS name on port 1177, the default port in public njRAT builders.
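The splitter attribute matters to anyone writing a decoder or network signature for this sample. The Python below is an added example (not code from the sandbox, from this page, or from the njRAT project) showing how the length-prefix framing and the splitter fit together. It assumes the framing and the field order of the "ll" check-in published in the njRAT 0.7d source; a v2.0 build such as this one may arrange fields differently, and the check-in message it builds is constructed for illustration.

```python
"""njRAT message framing and field splitting, using this sample's splitter.

Assumptions (not taken from this report): messages travel as
"<ASCII decimal length>\\x00<payload>" and the first field of the check-in
is "ll", both as in the public njRAT 0.7d source.
"""
import base64

SPLITTER = b"|-F-|"   # delimiter recovered from this sample's config
BOTNET = "HacKed"     # botnet tag recovered from this sample's config


def frame(payload: bytes) -> bytes:
    """Wrap one message as njRAT sends it: ASCII decimal length, NUL byte, payload."""
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def unframe(stream: bytes):
    """Split a TCP byte stream into complete messages.

    Returns (messages, remainder). A trailing partial message stays in the
    remainder so the caller can append the next read and call again.
    """
    messages = []
    pos = 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            break
        length_field = stream[pos:nul]
        if not length_field.isdigit():
            raise ValueError(f"bad length prefix at offset {pos}: {length_field!r}")
        end = nul + 1 + int(length_field)
        if end > len(stream):
            break  # incomplete message: wait for more bytes
        messages.append(stream[nul + 1:end])
        pos = end
    return messages, stream[pos:]


def build_registration(botnet, volume_serial, hostname, username,
                       install_date="21-09-24", os_name="Win 7 SP1 x86",
                       camera="No", version="2.0", splitter=SPLITTER):
    """Constructed 'll' check-in; field order follows the 0.7d source (assumption for v2.0)."""
    victim_id = base64.b64encode(f"{botnet}_{volume_serial}".encode())
    fields = [b"ll", victim_id, hostname.encode(), username.encode(),
              install_date.encode(), b"", os_name.encode(), camera.encode(),
              version.encode()]
    return splitter.join(fields)


def parse_registration(message: bytes, splitter=SPLITTER):
    """Decode a check-in into a dict; raises on anything that is not an 'll' message."""
    fields = message.split(splitter)
    if fields[0] != b"ll":
        raise ValueError("not a registration message")
    victim_id = base64.b64decode(fields[1]).decode("utf-8", "replace")
    botnet, _, hwid = victim_id.partition("_")
    return {
        "victim_id": victim_id, "botnet": botnet, "hwid": hwid,
        "hostname": fields[2].decode(), "username": fields[3].decode(),
        "install_date": fields[4].decode(), "os": fields[6].decode(),
        "camera": fields[7].decode(), "version": fields[8].decode(),
    }


def find_checkins(stream: bytes, splitter=SPLITTER):
    """Return parsed check-ins found in a byte stream; other messages are skipped."""
    messages, _ = unframe(stream)
    return [parse_registration(m, splitter)
            for m in messages if m.startswith(b"ll" + splitter)]


if __name__ == "__main__":
    # Constructed traffic: one check-in followed by a short second message.
    msg = build_registration(BOTNET, "1A2B3C4D", "DESKTOP-TEST", "Admin")
    wire = frame(msg) + frame(b"P")
    print(find_checkins(wire))
```

Because the length prefix is plain ASCII digits followed by a NUL, a stream that starts with a digit run, a NUL and then a base64 blob bounded by the splitter is a strong protocol-level indicator even when the hostname changes; matching on the splitter alone is weaker, since it is a build-time option.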
Signatures 8

  • njRAT/Bladabindi

    Description

    Widely used RAT written in .NET.

  • Executes dropped EXE
    MFhYi.exe, MFhYi.exe, Payload.exe

    Reported IOCs

    pid    process
    2528   MFhYi.exe
    2616   MFhYi.exe
    1284   Payload.exe
  • Drops startup file
    MFhYi.exe, MFhYi.exe, Payload.exe

    Reported IOCs

    description | ioc | process
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | MFhYi.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | MFhYi.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | Payload.exe
  • Adds Run key to start application
    MFhYi.exe

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Payload.exe" | MFhYi.exe

    Two autostart mechanisms are set up side by side: this Run value, written under the sandbox user's own hive (the S-1-5-21-...-1000 SID, so no elevation is needed), and the Windows.lnk shortcut in the Startup folder from the previous signature. The Run value points at the copy in %AppData%\Roaming\Payload.exe; cleaning up only one of the two leaves the other to restart the RAT at the next logon.
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    The ransomware hint is a generic heuristic of the sandbox. For njRAT, drive enumeration is consistent with its remote file manager and its removable-drive spreading, and nothing else in this report (no mass file writes, no ransom note) points at encryption.

    TTPs

    System Information Discovery
  • Suspicious use of AdjustPrivilegeToken
    1ca2fa1eacf168c97e2663f7bbbe64afe6569ade725ed84f4ee1fe91aa27e83f.exe, Payload.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 2188 | 1ca2fa1eacf168c97e2663f7bbbe64afe6569ade725ed84f4ee1fe91aa27e83f.exe
    Token: SeDebugPrivilege | 1284 | Payload.exe
    Token: 33 | 1284 | Payload.exe
    Token: SeIncBasePriorityPrivilege | 1284 | Payload.exe
    (the last two rows alternate and each repeats 15 times in the original log; the repeats are collapsed here)

    Both the submitted sample and the persisted copy request SeDebugPrivilege. When enabled it lets a process open any other process for read and write, which is what a RAT needs for injection or credential dumping; note that the privilege exists only in administrator tokens by default, so the request succeeds here because the sandbox runs the sample as Admin and would fail silently for a standard user. "Token: 33" is a privilege the sandbox reports only by number and is left as reported.
  • Suspicious use of WriteProcessMemory
    1ca2fa1eacf168c97e2663f7bbbe64afe6569ade725ed84f4ee1fe91aa27e83f.exe, MFhYi.exe

    Reported IOCs

    description | pid | process | target process
    PID 2188 wrote to memory of 2528 | 2188 | 1ca2fa1eacf168c97e2663f7bbbe64afe6569ade725ed84f4ee1fe91aa27e83f.exe | MFhYi.exe (x3)
    PID 2188 wrote to memory of 2616 | 2188 | 1ca2fa1eacf168c97e2663f7bbbe64afe6569ade725ed84f4ee1fe91aa27e83f.exe | MFhYi.exe (x3)
    PID 2528 wrote to memory of 1284 | 2528 | MFhYi.exe | Payload.exe (x3)
    PID 2528 wrote to memory of 1476 | 2528 | MFhYi.exe | attrib.exe (x3)

    Every target here is a child that the writing process itself launched (compare the process tree below), so these writes are consistent with ordinary process launch; the report gives no evidence of injection into an unrelated process. The chain is still the useful part: the submitted sample starts two copies of the dropped MFhYi.exe, and one of them starts both the persisted Payload.exe and the attrib.exe that hides it.
  • Views/modifies file attributes
    attrib.exe

    TTPs

    Hidden Files and Directories

    Reported IOCs

    pid    process
    1476   attrib.exe

    The command line (see the process tree) is attrib +h +r +s on the persisted copy, marking it hidden, read-only and system. A file carrying both the hidden and the system attribute stays invisible in Explorer even with "show hidden files" enabled until "hide protected operating system files" is also turned off, which is why the RAT sets all three.
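The three persistence and evasion signatures above (Startup-folder .lnk, HKCU Run value pointing into %AppData%, attrib hiding the same file) are individually noisy but rarely occur together from one process tree. The Python below is an added example (not the sandbox's or njRAT's code) that runs that correlation over constructed Sysmon-style records mirroring this report's IOCs; the event shape and field names follow Sysmon's EventID 1, 11 and 13 records, but the records themselves are made up for the example.

```python
"""Correlate Run-key, Startup-folder and attrib-hide artefacts per process tree.

The EVENTS list is constructed to mirror this report; it is not real telemetry.
"""
import re
from collections import defaultdict

# Patterns for the three artefacts this report shows.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
STARTUP_LNK_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
USER_WRITABLE_EXE_RE = re.compile(r'\\AppData\\(Roaming|Local)\\[^"]*\.exe', re.I)
# attrib with both +h and +s, in either order
ATTRIB_HIDE_RE = re.compile(r"\battrib(\.exe)?\b(?=.*\+h\b)(?=.*\+s\b)", re.I)

# Constructed Sysmon-style records: EventID 1 process create, 11 file create,
# 13 registry value set. PIDs and paths are taken from the report above.
EVENTS = [
    {"EventID": 1, "ProcessId": 2528, "ParentProcessId": 2188,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\MFhYi.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\MFhYi.exe"'},
    {"EventID": 11, "ProcessId": 2528,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk"},
    {"EventID": 13, "ProcessId": 2528,
     "TargetObject": r"HKU\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2",
     "Details": r"C:\Users\Admin\AppData\Roaming\Payload.exe"},
    {"EventID": 1, "ProcessId": 1476, "ParentProcessId": 2528,
     "Image": r"C:\Windows\SysWOW64\attrib.exe",
     "CommandLine": r'attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Payload.exe"'},
    {"EventID": 1, "ProcessId": 1284, "ParentProcessId": 2528,
     "Image": r"C:\Users\Admin\AppData\Roaming\Payload.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Roaming\Payload.exe"'},
    # Benign noise: an installer registering a Run value under Program Files.
    {"EventID": 13, "ProcessId": 4000,
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
]


def classify(event):
    """Return the technique label an event evidences, or None."""
    eid = event["EventID"]
    if eid == 13 and RUN_KEY_RE.search(event["TargetObject"]) \
            and USER_WRITABLE_EXE_RE.search(event["Details"]):
        return "run_key_to_user_writable_exe"
    if eid == 11 and STARTUP_LNK_RE.search(event["TargetFilename"]):
        return "startup_folder_lnk"
    if eid == 1 and ATTRIB_HIDE_RE.search(event["CommandLine"]) \
            and USER_WRITABLE_EXE_RE.search(event["CommandLine"]):
        return "attrib_hide_user_writable_exe"
    return None


def correlate(events):
    """Group labels by responsible process; an attrib.exe hit is credited to its parent."""
    parent_of = {e["ProcessId"]: e.get("ParentProcessId")
                 for e in events if e["EventID"] == 1}
    hits = defaultdict(set)
    for e in events:
        label = classify(e)
        if label is None:
            continue
        pid = e["ProcessId"]
        if label.startswith("attrib_"):
            pid = parent_of.get(pid, pid)
        hits[pid].add(label)
    return dict(hits)


def verdict(events, threshold=2):
    """Processes showing at least `threshold` distinct techniques, with their labels."""
    return {pid: sorted(labels) for pid, labels in correlate(events).items()
            if len(labels) >= threshold}


if __name__ == "__main__":
    print(verdict(EVENTS))  # only PID 2528 (MFhYi.exe) trips the threshold
```

The OneDrive record shows why the Run-key rule is anchored on a user-writable path: a Run value pointing into Program Files is routine, while one pointing into %AppData% that the same process then hides with attrib is the pattern this sample leaves behind.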
Processes 5
  • C:\Users\Admin\AppData\Local\Temp\1ca2fa1eacf168c97e2663f7bbbe64afe6569ade725ed84f4ee1fe91aa27e83f.exe
    "C:\Users\Admin\AppData\Local\Temp\1ca2fa1eacf168c97e2663f7bbbe64afe6569ade725ed84f4ee1fe91aa27e83f.exe"
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:2188
    • C:\Users\Admin\AppData\Local\Temp\MFhYi.exe
      "C:\Users\Admin\AppData\Local\Temp\MFhYi.exe"
      Executes dropped EXE
      Drops startup file
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2528
      • C:\Users\Admin\AppData\Roaming\Payload.exe
        "C:\Users\Admin\AppData\Roaming\Payload.exe"
        Executes dropped EXE
        Drops startup file
        Suspicious use of AdjustPrivilegeToken
        PID:1284
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Payload.exe"
        Views/modifies file attributes
        PID:1476
    • C:\Users\Admin\AppData\Local\Temp\MFhYi.exe
      "C:\Users\Admin\AppData\Local\Temp\MFhYi.exe"
      Executes dropped EXE
      Drops startup file
      PID:2616
Network

MITRE ATT&CK Matrix

Persistence: Registry Run Keys / Startup Folder (T1547.001)
Defense Evasion: Modify Registry (T1112); Hidden Files and Directories (T1564.001)
Discovery: System Information Discovery (T1082)

Downloads
                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\MFhYi.exe.log
                      MD5     6b5a2c06d34c86bcc8aacc3a739fd362
                      SHA1    54fc90eaa12ba9251414e8dac83fdae08819ee42
                      SHA256  1492fc3847a36be51e64ca15fb12b6cc177891495f6409cfe678d88cb2f59b68
                      SHA512  228099efd50e8017eb9e320459bba6c4d40af8c92c1761b58ce35424f7f1bc1c3d4f4d808515ed27570f0e50bdf8945a9f8264806f92c30d2a70a9aa85c444ba

                    • C:\Users\Admin\AppData\Local\Temp\MFhYi.exe (listed three times in the original, identical hashes)
                      MD5     8e54875e72bebf23615137805c3d1145
                      SHA1    28eb5693c2964c991f2df6bf408c9a394b1db8db
                      SHA256  13070a0ead17f9ace63f7f78f754f8700dc186d3d744463876fb5d5dd4ceea9e
                      SHA512  2387c3150ca8f7473cc0e2d552d0e4b39ac396b363bbd3160284fc434b9d68d4df90afc291900c4f3c685bbccd0e6192fead07d90b0610e8dd028a56719926df

                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
                      MD5     46562a709e5ec2dab9696cb27bd33b74
                      SHA1    aabc178c30e55066ce607209890032a61c0ea6f8
                      SHA256  fa1e5acb0728a372781bad0a82d0951ff90e12d4bbdcd2ddb42c444388b64d21
                      SHA512  309d3974ae4a84e763cff4000f7c52b84172ebfca7b1e7ce4eb077c54264a4cd3462d4e1d33a595b25bb64a10697f43dc56230caf30836b840a773e1490b69a3

                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk (listed twice in the original, identical hashes)
                      MD5     b4fdc94f9046fd37a2e3eb86a3a90b2e
                      SHA1    c66dcf4da9990d7c5e05e746014959b2d6cafdbf
                      SHA256  7932091b665509fce9c35ab4b372ea30cb4a13dd1b8011b586cb840692988d37
                      SHA512  64d2608bcb9242fcd47fa1c2fb1517356aeed5096ad3d15e72e1ca976fa34346524ddaab18c78548074b51a7ecae642e3953d83d8692ac00ef1c777509603cef

                    • C:\Users\Admin\AppData\Roaming\Payload.exe (listed twice in the original, identical hashes)
                      MD5     8e54875e72bebf23615137805c3d1145
                      SHA1    28eb5693c2964c991f2df6bf408c9a394b1db8db
                      SHA256  13070a0ead17f9ace63f7f78f754f8700dc186d3d744463876fb5d5dd4ceea9e
                      SHA512  2387c3150ca8f7473cc0e2d552d0e4b39ac396b363bbd3160284fc434b9d68d4df90afc291900c4f3c685bbccd0e6192fead07d90b0610e8dd028a56719926df

                    Payload.exe carries exactly the hashes of MFhYi.exe, so the persisted file is a byte-for-byte copy of the dropped RAT rather than a second stage; the dropped binary copies itself into %AppData%\Roaming, hides the copy with attrib and registers it for autostart. The MFhYi.exe.log under CLR_v2.0_32\UsageLogs is written by the .NET runtime when a managed executable runs, which confirms the dropped binary is a 32-bit CLR 2.0 (.NET Framework 2.0 to 3.5) assembly, in line with the njRAT family note above. Hash the Roaming copy during triage and block it together with the SHA256 of the submitted dropper, since the two differ.

                    • memory/1284-125-0x0000000000000000-mapping.dmp

                    • memory/1284-132-0x0000000002A90000-0x0000000002A91000-memory.dmp

                    • memory/1476-130-0x0000000000000000-mapping.dmp

                    • memory/2188-115-0x0000000000070000-0x0000000000071000-memory.dmp

                    • memory/2528-122-0x0000000003130000-0x0000000003131000-memory.dmp

                    • memory/2528-117-0x0000000000000000-mapping.dmp

                    • memory/2616-123-0x0000000002EF0000-0x0000000002EF1000-memory.dmp

                    • memory/2616-119-0x0000000000000000-mapping.dmp