Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 26-09-2021 13:03
Static task: static1
Behavioral task: behavioral1
Sample: 303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe
Resource: win7-en-20210920
General
- Target: 303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe
- Size: 342KB
- MD5: ab09790ec8dbb4c257d8a7c0f3a49943
- SHA1: 1b45a0349f77c7e07b725d32a5a32e80c00eef24
- SHA256: 303424a6536eedb027734b0557a32a064ceb0ed35f225d3f434a010fa13fe106
- SHA512: b420c0e0064de4038ad332316168e59ab88a6ffd63c5ccc1eb36c7b29a2b449591fc0af0557399e9677d8a503302c9e50ccf060f56e7c971cfe0d6ebeb814db3
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: BAYRAMM
- C2: cihan05.duckdns.org:1981
- Mutex: 47da9b71ec9839dd4ca48977f70dcfda
- reg_key: 47da9b71ec9839dd4ca48977f70dcfda
- splitter: |'|'|
Signatures
-
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
-
Executes dropped EXE 2 IoCs
Processes:
  pid   process
  764   tmp.exe
  1756  chorme.exe
-
Modifies Windows Firewall 1 TTPs
-
Drops startup file 1 IoCs
Processes:
  description   ioc                                                                                          process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chorme.exe.lnk  303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe
-
Loads dropped DLL 2 IoCs
Processes:
  pid   process
  1544  303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe
  1544  303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
  description                          pid   process                                             target process
  PID 1544 set thread context of 1756  1544  303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe  chorme.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Delays execution with timeout.exe 1 IoCs
Processes:
  pid   process
  1308  timeout.exe
-
NTFS ADS 1 IoCs
Processes:
  description   ioc                                                               process
  File created  C:\Users\Admin\AppData\Roaming\chorme\chorme.exe:Zone.Identifier  cmd.exe
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
  pid   process
  1544  303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe  (10 identical entries)
-
Suspicious use of AdjustPrivilegeToken 36 IoCs
Processes:
  description                        pid   process
  Token: SeDebugPrivilege            1544  303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe
  Token: SeDebugPrivilege            764   tmp.exe
  Token: 33                          764   tmp.exe  (17 entries, alternating with the next row)
  Token: SeIncBasePriorityPrivilege  764   tmp.exe  (17 entries)
-
Suspicious use of WriteProcessMemory 33 IoCs
Processes:
  description                       pid   process                                             target process
  PID 1544 wrote to memory of 972   1544  303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe  cmd.exe      (4 entries)
  PID 972 wrote to memory of 1836   972   cmd.exe                                             reg.exe      (4 entries)
  PID 1544 wrote to memory of 764   1544  303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe  tmp.exe      (4 entries)
  PID 1544 wrote to memory of 1756  1544  303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe  chorme.exe   (9 entries)
  PID 1544 wrote to memory of 672   1544  303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe  cmd.exe      (4 entries)
  PID 672 wrote to memory of 1308   672   cmd.exe                                             timeout.exe  (4 entries)
  PID 764 wrote to memory of 1436   764   tmp.exe                                             netsh.exe    (4 entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe"
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\cmd.exe
    command line: "cmd.exe"
    - NTFS ADS
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\reg.exe
      command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\chorme\chorme.exe.lnk" /f
  -
  C:\Users\Admin\AppData\Roaming\tmp.exe
    command line: "C:\Users\Admin\AppData\Roaming\tmp.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\netsh.exe
      command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\tmp.exe" "tmp.exe" ENABLE
  -
  C:\Users\Admin\AppData\Local\Temp\chorme.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\chorme.exe"
    - Executes dropped EXE
  -
  C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c C:\Users\Admin\AppData\Roaming\chorme\chorme.exe.bat
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\timeout.exe
      command line: timeout /t 300
      - Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads