303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe

General
Target

303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe

Filesize

342KB

Completed

26-09-2021 13:06

Score
10/10
MD5

ab09790ec8dbb4c257d8a7c0f3a49943

SHA1

1b45a0349f77c7e07b725d32a5a32e80c00eef24

SHA256

303424a6536eedb027734b0557a32a064ceb0ed35f225d3f434a010fa13fe106

Malware Config

Extracted

Family njrat
Version 0.7d
Botnet BAYRAMM
C2

cihan05.duckdns.org:1981

Attributes
reg_key
47da9b71ec9839dd4ca48977f70dcfda
splitter
|'|'|
Signatures 12

Discovery
Persistence
  • njRAT/Bladabindi

    Description

    Widely used RAT written in .NET.

  • suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

    Description

    suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

  • Executes dropped EXE
    tmp.exe, chorme.exe

    Reported IOCs

    PID    Process
    3736   tmp.exe
    656    chorme.exe
  • Modifies Windows Firewall

    TTPs

    Modify Existing Service
  • Drops startup file
    303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe

    Reported IOCs

    Description    IOC                                                                                           Process
    File created   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chorme.exe.lnk   303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe
  • Suspicious use of SetThreadContext
    303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe

    Reported IOCs

    Description                         PID   Process                                             Target process
    PID 776 set thread context of 656   776   303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe   chorme.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Delays execution with timeout.exe
    timeout.exe

    Reported IOCs

    PID    Process
    1148   timeout.exe
  • NTFS ADS
    cmd.exe

    Reported IOCs

    Description    IOC                                                                Process
    File created   C:\Users\Admin\AppData\Roaming\chorme\chorme.exe:Zone.Identifier   cmd.exe
  • Suspicious behavior: EnumeratesProcesses
    303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe

    Reported IOCs

    PID   Process
    776   303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe   (10 identical entries)
  • Suspicious use of AdjustPrivilegeToken
    303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe, tmp.exe

    Reported IOCs

    Description                         PID    Process
    Token: SeDebugPrivilege             776    303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe
    Token: SeDebugPrivilege             3736   tmp.exe
    Token: 33                           3736   tmp.exe   (16 entries, alternating with the row below)
    Token: SeIncBasePriorityPrivilege   3736   tmp.exe   (16 entries, alternating with the row above)
  • Suspicious use of WriteProcessMemory
    303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe, cmd.exe, cmd.exe, tmp.exe

    Reported IOCs

    Description                        PID    Process                                             Target process
    PID 776 wrote to memory of 524     776    303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe   cmd.exe       (3 identical entries)
    PID 524 wrote to memory of 2280    524    cmd.exe                                             reg.exe       (3 identical entries)
    PID 776 wrote to memory of 3736    776    303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe   tmp.exe       (3 identical entries)
    PID 776 wrote to memory of 656     776    303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe   chorme.exe    (8 identical entries)
    PID 776 wrote to memory of 924     776    303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe   cmd.exe       (3 identical entries)
    PID 924 wrote to memory of 1148    924    cmd.exe                                             timeout.exe   (3 identical entries)
    PID 3736 wrote to memory of 1372   3736   tmp.exe                                             netsh.exe     (3 identical entries)
Processes 8
  • C:\Users\Admin\AppData\Local\Temp\303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe
    "C:\Users\Admin\AppData\Local\Temp\303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe"
    Drops startup file
    Suspicious use of SetThreadContext
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:776
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe"
      NTFS ADS
      Suspicious use of WriteProcessMemory
      PID:524
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\chorme\chorme.exe.lnk" /f
        PID:2280
    • C:\Users\Admin\AppData\Roaming\tmp.exe
      "C:\Users\Admin\AppData\Roaming\tmp.exe"
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3736
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\tmp.exe" "tmp.exe" ENABLE
        PID:1372
    • C:\Users\Admin\AppData\Local\Temp\chorme.exe
      "C:\Users\Admin\AppData\Local\Temp\chorme.exe"
      Executes dropped EXE
      PID:656
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\chorme\chorme.exe.bat
      Suspicious use of WriteProcessMemory
      PID:924
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 300
        Delays execution with timeout.exe
        PID:1148
Network
MITRE ATT&CK Matrix
Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation
Downloads
  • C:\Users\Admin\AppData\Local\Temp\chorme.exe
    MD5    810be04867d847b702dd5fa163cb0a66
    SHA1   fb2a355f356660ba494e70af002d6a728fe64aa7
    SHA256 e83d07b6a965bcaf8502f7d869ff69a647b2fc68dc82bcf8be4a6b79e0e03f19
    SHA512 b6e38765a9ae433994ac9d5986049aa33ab7fe581a324ef647f0295617bb00ed0af83ffc6cb33890052393ac1d34898553a3b78cab259bd4e45c446230652981

  • C:\Users\Admin\AppData\Roaming\chorme\chorme.exe
    MD5    ab09790ec8dbb4c257d8a7c0f3a49943
    SHA1   1b45a0349f77c7e07b725d32a5a32e80c00eef24
    SHA256 303424a6536eedb027734b0557a32a064ceb0ed35f225d3f434a010fa13fe106
    SHA512 b420c0e0064de4038ad332316168e59ab88a6ffd63c5ccc1eb36c7b29a2b449591fc0af0557399e9677d8a503302c9e50ccf060f56e7c971cfe0d6ebeb814db3

  • C:\Users\Admin\AppData\Roaming\chorme\chorme.exe.bat
    MD5    07ce0d8ff0a8ea3093a6ed6b32e06201
    SHA1   8d4469b75a39cb88db7e98afab6cfdc7248a2b1f
    SHA256 e3bef7bc47b06572214a9f04b0e573268a1837c1db293e92f21f50f36516e926
    SHA512 23db28dcbad04b544ee18b1e3dbd1ba40378721c6494bec9788572c3f31ba54eb2223a7b0e86d604ef6ae711c4a91cc9c340d67bfefe89b62e4bd991d998ab60

  • C:\Users\Admin\AppData\Roaming\tmp.exe
    MD5    7809d89aebc16107af640aecfda94430
    SHA1   c00d9323e6c029998f9efdb3d51c1038ea138b42
    SHA256 dd29ac9bdbf4cc14ac684211f09c767c32a9ec2227a3be67b989757912dce611
    SHA512 915fcf46559b2b417e13055c0b3b137f72562566d0de795c6851d2b59ee19e694208d2ccd990f64828f270353a1e716c099643b6ab9ed7ea1be55a8db48d122e

  • memory/524-115-0x0000000000000000-mapping.dmp
  • memory/656-127-0x0000000003080000-0x0000000003081000-memory.dmp
  • memory/656-121-0x0000000000400000-0x000000000040C000-memory.dmp
  • memory/656-122-0x000000000040748E-mapping.dmp
  • memory/776-114-0x0000000000B80000-0x0000000000B81000-memory.dmp
  • memory/924-125-0x0000000000000000-mapping.dmp
  • memory/1148-129-0x0000000000000000-mapping.dmp
  • memory/1372-130-0x0000000000000000-mapping.dmp
  • memory/2280-116-0x0000000000000000-mapping.dmp
  • memory/3736-126-0x0000000002290000-0x0000000002291000-memory.dmp
  • memory/3736-118-0x0000000000000000-mapping.dmp