Analysis
max time kernel: 151s
max time network: 153s
platform: windows10_x64
resource: win10v20210408
submitted: 26-09-2021 13:03
Static task: static1
Behavioral task: behavioral1
Sample: 303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe
Resource: win7-en-20210920
General
Target: 303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe
Size: 342KB
MD5: ab09790ec8dbb4c257d8a7c0f3a49943
SHA1: 1b45a0349f77c7e07b725d32a5a32e80c00eef24
SHA256: 303424a6536eedb027734b0557a32a064ceb0ed35f225d3f434a010fa13fe106
SHA512: b420c0e0064de4038ad332316168e59ab88a6ffd63c5ccc1eb36c7b29a2b449591fc0af0557399e9677d8a503302c9e50ccf060f56e7c971cfe0d6ebeb814db3
Malware Config
Extracted
njrat
0.7d
BAYRAMM
cihan05.duckdns.org:1981
47da9b71ec9839dd4ca48977f70dcfda
reg_key: 47da9b71ec9839dd4ca48977f70dcfda
splitter: |'|'|
Signatures
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
Executes dropped EXE (2 IoCs)
Processes:
pid   process
3736  tmp.exe
656   chorme.exe
Modifies Windows Firewall (1 TTP)
Drops startup file (1 IoC)
Processes:
description   ioc                                                                                                  process
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chorme.exe.lnk  303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe
Suspicious use of SetThreadContext (1 IoC)
Processes:
description                        pid  process                                              target process
PID 776 set thread context of 656  776  303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe  chorme.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Delays execution with timeout.exe (1 IoC)
Processes:
pid   process
1148  timeout.exe
NTFS ADS (1 IoC)
Processes:
description   ioc                                                          process
File created  C:\Users\Admin\AppData\Roaming\chorme\chorme.exe:Zone.Identifier  cmd.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes:
pid  process
776  303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe (all 10 IoCs are this same pid/process)
Suspicious use of AdjustPrivilegeToken (34 IoCs)
Processes:
description                        pid   process
Token: SeDebugPrivilege            776   303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe
Token: SeDebugPrivilege            3736  tmp.exe
Token: 33                          3736  tmp.exe
Token: SeIncBasePriorityPrivilege  3736  tmp.exe
(the last two entries alternate for the remaining IoCs, all for pid 3736 tmp.exe)
Suspicious use of WriteProcessMemory (26 IoCs)
Processes:
description                     pid   process                                              target process  count
PID 776 wrote to memory of 524   776   303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe  cmd.exe         3
PID 524 wrote to memory of 2280  524   cmd.exe                                              reg.exe         3
PID 776 wrote to memory of 3736  776   303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe  tmp.exe         3
PID 776 wrote to memory of 656   776   303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe  chorme.exe      8
PID 776 wrote to memory of 924   776   303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe  cmd.exe         3
PID 924 wrote to memory of 1148  924   cmd.exe                                              timeout.exe     3
PID 3736 wrote to memory of 1372 3736  tmp.exe                                              netsh.exe       3
Processes
C:\Users\Admin\AppData\Local\Temp\303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe"
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: "cmd.exe"
      - NTFS ADS
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\reg.exe
          command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\chorme\chorme.exe.lnk" /f
    C:\Users\Admin\AppData\Roaming\tmp.exe
      command line: "C:\Users\Admin\AppData\Roaming\tmp.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\netsh.exe
          command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\tmp.exe" "tmp.exe" ENABLE
    C:\Users\Admin\AppData\Local\Temp\chorme.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\chorme.exe"
      - Executes dropped EXE
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\chorme\chorme.exe.bat
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\timeout.exe
          command line: timeout /t 300
          - Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\chorme.exe
MD5: 810be04867d847b702dd5fa163cb0a66
SHA1: fb2a355f356660ba494e70af002d6a728fe64aa7
SHA256: e83d07b6a965bcaf8502f7d869ff69a647b2fc68dc82bcf8be4a6b79e0e03f19
SHA512: b6e38765a9ae433994ac9d5986049aa33ab7fe581a324ef647f0295617bb00ed0af83ffc6cb33890052393ac1d34898553a3b78cab259bd4e45c446230652981
C:\Users\Admin\AppData\Roaming\chorme\chorme.exe
MD5: ab09790ec8dbb4c257d8a7c0f3a49943
SHA1: 1b45a0349f77c7e07b725d32a5a32e80c00eef24
SHA256: 303424a6536eedb027734b0557a32a064ceb0ed35f225d3f434a010fa13fe106
SHA512: b420c0e0064de4038ad332316168e59ab88a6ffd63c5ccc1eb36c7b29a2b449591fc0af0557399e9677d8a503302c9e50ccf060f56e7c971cfe0d6ebeb814db3

C:\Users\Admin\AppData\Roaming\chorme\chorme.exe.bat
MD5: 07ce0d8ff0a8ea3093a6ed6b32e06201
SHA1: 8d4469b75a39cb88db7e98afab6cfdc7248a2b1f
SHA256: e3bef7bc47b06572214a9f04b0e573268a1837c1db293e92f21f50f36516e926
SHA512: 23db28dcbad04b544ee18b1e3dbd1ba40378721c6494bec9788572c3f31ba54eb2223a7b0e86d604ef6ae711c4a91cc9c340d67bfefe89b62e4bd991d998ab60

C:\Users\Admin\AppData\Roaming\tmp.exe
MD5: 7809d89aebc16107af640aecfda94430
SHA1: c00d9323e6c029998f9efdb3d51c1038ea138b42
SHA256: dd29ac9bdbf4cc14ac684211f09c767c32a9ec2227a3be67b989757912dce611
SHA512: 915fcf46559b2b417e13055c0b3b137f72562566d0de795c6851d2b59ee19e694208d2ccd990f64828f270353a1e716c099643b6ab9ed7ea1be55a8db48d122e
memory/524-115-0x0000000000000000-mapping.dmp
memory/656-121-0x0000000000400000-0x000000000040C000-memory.dmp (Filesize 48KB)
memory/656-122-0x000000000040748E-mapping.dmp
memory/656-127-0x0000000003080000-0x0000000003081000-memory.dmp (Filesize 4KB)
memory/776-114-0x0000000000B80000-0x0000000000B81000-memory.dmp (Filesize 4KB)
memory/924-125-0x0000000000000000-mapping.dmp
memory/1148-129-0x0000000000000000-mapping.dmp
memory/1372-130-0x0000000000000000-mapping.dmp
memory/2280-116-0x0000000000000000-mapping.dmp
memory/3736-118-0x0000000000000000-mapping.dmp
memory/3736-126-0x0000000002290000-0x0000000002291000-memory.dmp (Filesize 4KB)