Analysis

  • max time kernel
    151s
  • max time network
    158s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    24-09-2021 06:12

General

  • Target

    1ca2fa1eacf168c97e2663f7bbbe64afe6569ade725ed84f4ee1fe91aa27e83f.exe

  • Size

    152KB

  • MD5

    c2b9c99086b64ed5ef6ae1bd34288013

  • SHA1

    43a4fdff438bb03812aaf9cf273c5021a21623f8

  • SHA256

    1ca2fa1eacf168c97e2663f7bbbe64afe6569ade725ed84f4ee1fe91aa27e83f

  • SHA512

    7e2595d992653ba5b332514379ab2ea8aca86eefbe6c89f3970a3ea5c36f1922d88dda3341f269a5754fd4b87e0a3ed9eca1a79b6ee16c8482741401d0087391

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

HacKed

C2

daddygvgv.ddns.net:1177

Mutex

Windows

Attributes
  • reg_key

    Windows

  • splitter

    |-F-|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Executes dropped EXE 3 IoCs
  • Drops startup file 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 32 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1ca2fa1eacf168c97e2663f7bbbe64afe6569ade725ed84f4ee1fe91aa27e83f.exe
    "C:\Users\Admin\AppData\Local\Temp\1ca2fa1eacf168c97e2663f7bbbe64afe6569ade725ed84f4ee1fe91aa27e83f.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2188
    • C:\Users\Admin\AppData\Local\Temp\MFhYi.exe
      "C:\Users\Admin\AppData\Local\Temp\MFhYi.exe"
      2⤵
      • Executes dropped EXE
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2528
      • C:\Users\Admin\AppData\Roaming\Payload.exe
        "C:\Users\Admin\AppData\Roaming\Payload.exe"
        3⤵
        • Executes dropped EXE
        • Drops startup file
        • Suspicious use of AdjustPrivilegeToken
        PID:1284
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Payload.exe"
        3⤵
        • Views/modifies file attributes
        PID:1476
    • C:\Users\Admin\AppData\Local\Temp\MFhYi.exe
      "C:\Users\Admin\AppData\Local\Temp\MFhYi.exe"
      2⤵
      • Executes dropped EXE
      • Drops startup file
      PID:2616

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Hidden Files and Directories

1
T1158

Defense Evasion

Modify Registry

1
T1112

Hidden Files and Directories

1
T1158

Discovery

System Information Discovery

1
T1082

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\MFhYi.exe.log
    MD5

    6b5a2c06d34c86bcc8aacc3a739fd362

    SHA1

    54fc90eaa12ba9251414e8dac83fdae08819ee42

    SHA256

    1492fc3847a36be51e64ca15fb12b6cc177891495f6409cfe678d88cb2f59b68

    SHA512

    228099efd50e8017eb9e320459bba6c4d40af8c92c1761b58ce35424f7f1bc1c3d4f4d808515ed27570f0e50bdf8945a9f8264806f92c30d2a70a9aa85c444ba

  • C:\Users\Admin\AppData\Local\Temp\MFhYi.exe
    MD5

    8e54875e72bebf23615137805c3d1145

    SHA1

    28eb5693c2964c991f2df6bf408c9a394b1db8db

    SHA256

    13070a0ead17f9ace63f7f78f754f8700dc186d3d744463876fb5d5dd4ceea9e

    SHA512

    2387c3150ca8f7473cc0e2d552d0e4b39ac396b363bbd3160284fc434b9d68d4df90afc291900c4f3c685bbccd0e6192fead07d90b0610e8dd028a56719926df

  • C:\Users\Admin\AppData\Local\Temp\MFhYi.exe
    MD5

    8e54875e72bebf23615137805c3d1145

    SHA1

    28eb5693c2964c991f2df6bf408c9a394b1db8db

    SHA256

    13070a0ead17f9ace63f7f78f754f8700dc186d3d744463876fb5d5dd4ceea9e

    SHA512

    2387c3150ca8f7473cc0e2d552d0e4b39ac396b363bbd3160284fc434b9d68d4df90afc291900c4f3c685bbccd0e6192fead07d90b0610e8dd028a56719926df

  • C:\Users\Admin\AppData\Local\Temp\MFhYi.exe
    MD5

    8e54875e72bebf23615137805c3d1145

    SHA1

    28eb5693c2964c991f2df6bf408c9a394b1db8db

    SHA256

    13070a0ead17f9ace63f7f78f754f8700dc186d3d744463876fb5d5dd4ceea9e

    SHA512

    2387c3150ca8f7473cc0e2d552d0e4b39ac396b363bbd3160284fc434b9d68d4df90afc291900c4f3c685bbccd0e6192fead07d90b0610e8dd028a56719926df

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
    MD5

    46562a709e5ec2dab9696cb27bd33b74

    SHA1

    aabc178c30e55066ce607209890032a61c0ea6f8

    SHA256

    fa1e5acb0728a372781bad0a82d0951ff90e12d4bbdcd2ddb42c444388b64d21

    SHA512

    309d3974ae4a84e763cff4000f7c52b84172ebfca7b1e7ce4eb077c54264a4cd3462d4e1d33a595b25bb64a10697f43dc56230caf30836b840a773e1490b69a3

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
    MD5

    b4fdc94f9046fd37a2e3eb86a3a90b2e

    SHA1

    c66dcf4da9990d7c5e05e746014959b2d6cafdbf

    SHA256

    7932091b665509fce9c35ab4b372ea30cb4a13dd1b8011b586cb840692988d37

    SHA512

    64d2608bcb9242fcd47fa1c2fb1517356aeed5096ad3d15e72e1ca976fa34346524ddaab18c78548074b51a7ecae642e3953d83d8692ac00ef1c777509603cef

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
    MD5

    b4fdc94f9046fd37a2e3eb86a3a90b2e

    SHA1

    c66dcf4da9990d7c5e05e746014959b2d6cafdbf

    SHA256

    7932091b665509fce9c35ab4b372ea30cb4a13dd1b8011b586cb840692988d37

    SHA512

    64d2608bcb9242fcd47fa1c2fb1517356aeed5096ad3d15e72e1ca976fa34346524ddaab18c78548074b51a7ecae642e3953d83d8692ac00ef1c777509603cef

  • C:\Users\Admin\AppData\Roaming\Payload.exe
    MD5

    8e54875e72bebf23615137805c3d1145

    SHA1

    28eb5693c2964c991f2df6bf408c9a394b1db8db

    SHA256

    13070a0ead17f9ace63f7f78f754f8700dc186d3d744463876fb5d5dd4ceea9e

    SHA512

    2387c3150ca8f7473cc0e2d552d0e4b39ac396b363bbd3160284fc434b9d68d4df90afc291900c4f3c685bbccd0e6192fead07d90b0610e8dd028a56719926df

  • C:\Users\Admin\AppData\Roaming\Payload.exe
    MD5

    8e54875e72bebf23615137805c3d1145

    SHA1

    28eb5693c2964c991f2df6bf408c9a394b1db8db

    SHA256

    13070a0ead17f9ace63f7f78f754f8700dc186d3d744463876fb5d5dd4ceea9e

    SHA512

    2387c3150ca8f7473cc0e2d552d0e4b39ac396b363bbd3160284fc434b9d68d4df90afc291900c4f3c685bbccd0e6192fead07d90b0610e8dd028a56719926df

  • memory/1284-125-0x0000000000000000-mapping.dmp
  • memory/1284-132-0x0000000002A90000-0x0000000002A91000-memory.dmp
    Filesize

    4KB

  • memory/1476-130-0x0000000000000000-mapping.dmp
  • memory/2188-115-0x0000000000070000-0x0000000000071000-memory.dmp
    Filesize

    4KB

  • memory/2528-122-0x0000000003130000-0x0000000003131000-memory.dmp
    Filesize

    4KB

  • memory/2528-117-0x0000000000000000-mapping.dmp
  • memory/2616-119-0x0000000000000000-mapping.dmp
  • memory/2616-123-0x0000000002EF0000-0x0000000002EF1000-memory.dmp
    Filesize

    4KB