303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe

General

Target: 303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe
Filesize: 342KB
Completed: 26-09-2021 13:06
Score: 10/10
MD5: ab09790ec8dbb4c257d8a7c0f3a49943
SHA1: 1b45a0349f77c7e07b725d32a5a32e80c00eef24
SHA256: 303424a6536eedb027734b0557a32a064ceb0ed35f225d3f434a010fa13fe106

Malware Config

Extracted

Family: njrat
Version: 0.7d
Botnet: BAYRAMM
C2: cihan05.duckdns.org:1981

Attributes

reg_key: 47da9b71ec9839dd4ca48977f70dcfda
splitter: |'|'|
Signatures (13)

  • njRAT/Bladabindi

    Description

    Widely used RAT written in .NET.

  • suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

  • Executes dropped EXE
    tmp.exe, chorme.exe

    Reported IOCs

    pid   process
    764   tmp.exe
    1756  chorme.exe
  • Modifies Windows Firewall

    TTPs

    Modify Existing Service
  • Drops startup file
    303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe

    Reported IOCs

    description: File created
    ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chorme.exe.lnk
    process: 303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe
  • Loads dropped DLL
    303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe

    Reported IOCs

    pid   process
    1544  303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe (×2)
  • Suspicious use of SetThreadContext
    303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe

    Reported IOCs

    description: PID 1544 set thread context of 1756
    pid: 1544
    process: 303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe
    target process: chorme.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Delays execution with timeout.exe
    timeout.exe

    Reported IOCs

    pid   process
    1308  timeout.exe
  • NTFS ADS
    cmd.exe

    Reported IOCs

    description: File created
    ioc: C:\Users\Admin\AppData\Roaming\chorme\chorme.exe:Zone.Identifier
    process: cmd.exe
  • Suspicious behavior: EnumeratesProcesses
    303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe

    Reported IOCs

    pid   process
    1544  303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe (×10)
  • Suspicious use of AdjustPrivilegeToken
    303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe, tmp.exe

    Reported IOCs

    description                        pid   process
    Token: SeDebugPrivilege            1544  303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe
    Token: SeDebugPrivilege            764   tmp.exe
    Token: 33                          764   tmp.exe (×17)
    Token: SeIncBasePriorityPrivilege  764   tmp.exe (×17)
  • Suspicious use of WriteProcessMemory
    303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe, cmd.exe, cmd.exe, tmp.exe

    Reported IOCs

    description                       pid   process                                             target process
    PID 1544 wrote to memory of 972   1544  303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe  cmd.exe (×4)
    PID 972 wrote to memory of 1836   972   cmd.exe                                             reg.exe (×4)
    PID 1544 wrote to memory of 764   1544  303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe  tmp.exe (×4)
    PID 1544 wrote to memory of 1756  1544  303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe  chorme.exe (×9)
    PID 1544 wrote to memory of 672   1544  303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe  cmd.exe (×4)
    PID 672 wrote to memory of 1308   672   cmd.exe                                             timeout.exe (×4)
    PID 764 wrote to memory of 1436   764   tmp.exe                                             netsh.exe (×4)
Processes (8)
  • C:\Users\Admin\AppData\Local\Temp\303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe
    "C:\Users\Admin\AppData\Local\Temp\303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe"
    Drops startup file
    Loads dropped DLL
    Suspicious use of SetThreadContext
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:1544
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe"
      NTFS ADS
      Suspicious use of WriteProcessMemory
      PID:972
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\chorme\chorme.exe.lnk" /f
        PID:1836
    • C:\Users\Admin\AppData\Roaming\tmp.exe
      "C:\Users\Admin\AppData\Roaming\tmp.exe"
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:764
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\tmp.exe" "tmp.exe" ENABLE
        PID:1436
    • C:\Users\Admin\AppData\Local\Temp\chorme.exe
      "C:\Users\Admin\AppData\Local\Temp\chorme.exe"
      Executes dropped EXE
      PID:1756
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Roaming\chorme\chorme.exe.bat
      Suspicious use of WriteProcessMemory
      PID:672
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 300
        Delays execution with timeout.exe
        PID:1308
Downloads

  • C:\Users\Admin\AppData\Local\Temp\chorme.exe
  • C:\Users\Admin\AppData\Roaming\chorme\chorme.exe
  • C:\Users\Admin\AppData\Roaming\chorme\chorme.exe.bat
  • C:\Users\Admin\AppData\Roaming\tmp.exe