Analysis

- Max time kernel: 149s
- Max time network: 145s
- Platform: windows7_x64
- Resource: win7-en-20210920
- Submitted: 03-10-2021 22:12

Behavioral task: behavioral1

- Sample: NewStub.exe
- Resource: win7-en-20210920
General

- Target: NewStub.exe
- Size: 36KB
- MD5: ae0911261255e0743dcecc6c3245abdf
- SHA1: c9c6abfc195be44d02e8a79361821ff8d5e1b1c1
- SHA256: 84f5ec233777bbb8beff694828b95279e0167d48b2cfdd9f1f9385c6fdfdcc3d
- SHA512: 730ed33b1a196f05746aeb44edce872c2b9a2d2ebfd0e3fa86864eadf6d08899497d01b6c225ba1344a579b1dfb5087fe5f7ca0f13f089bb3aaed7c1bb95f004
Malware Config

Extracted:

- Family: njrat
- Version: 0.7d
- Botnet ID: HacKed
- ID: e99e462d99ad204bdf7d672852a4e30a (the same value is used as the reg_key, as the Run value name and as the dropped Startup file name in the IoCs below)
- reg_key: e99e462d99ad204bdf7d672852a4e30a
- splitter: |'|'|

The extracted config as shown on this page carries no C2 host or port; the network-level indicators available here are the Suricata alerts in the next section.
Signatures

Suricata alerts:

- ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
- ET MALWARE njrat ver 0.7d Malware CnC Callback (Microphone)
- ET MALWARE njrat ver 0.7d Malware CnC Callback (Remote Desktop)
- ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Get Passwords)
- ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Remote Desktop)
Executes dropped EXE (1 IoC)

- pid 1684: svchost.exe

Modifies Windows Firewall (1 TTP)

- The IoC is the netsh.exe command line in the process tree below, which adds C:\Users\Admin\AppData\Local\Temp\svchost.exe as an allowed program.

Drops startup file (2 IoCs)

- svchost.exe: File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e99e462d99ad204bdf7d672852a4e30a.exe
- svchost.exe: File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e99e462d99ad204bdf7d672852a4e30a.exe

Loads dropped DLL (1 IoC)

- pid 1272: NewStub.exe

Adds Run key to start application (2 TTPs, 2 IoCs)

- svchost.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\e99e462d99ad204bdf7d672852a4e30a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\e99e462d99ad204bdf7d672852a4e30a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."

The HKLM value lands under Wow6432Node because the writer is a 32-bit process on an x64 host (WOW64 registry redirection); together with the Startup-folder copy and the HKCU value, persistence is established three times over, so removal has to cover all three.

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Enumerates physical storage devices (1 TTP)

- Generic signature description: attempts to interact with connected storage/optical drive(s); likely ransomware behaviour. For an njRAT sample read this as drive enumeration rather than encryption: nothing else in this report shows file-encryption activity.

Suspicious use of AdjustPrivilegeToken (31 IoCs)

- svchost.exe (pid 1684): Token: SeDebugPrivilege, then 30 entries alternating Token: 33 and Token: SeIncBasePriorityPrivilege (privilege value 33 is SE_INC_WORKING_SET_PRIVILEGE, SeIncreaseWorkingSetPrivilege, in winnt.h).

Suspicious use of WriteProcessMemory (8 IoCs)

- PID 1272 (NewStub.exe) wrote to memory of PID 1684 (svchost.exe), 4 times
- PID 1684 (svchost.exe) wrote to memory of PID 672 (netsh.exe), 4 times
Processes

- C:\Users\Admin\AppData\Local\Temp\NewStub.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NewStub.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE

Two details worth noting: netsh.exe resolves to SysWOW64 because its 32-bit parent is subject to file-system redirection, consistent with the Run key landing under Wow6432Node; and the command uses the legacy `netsh firewall` context, which is deprecated but still accepted on Windows 7, to add a firewall exception for the dropped copy under the name "svchost.exe" so that inbound connections to the RAT are not blocked.
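The IoC tables and process tree above describe one chain: a copy of the sample masquerading as svchost.exe in a user-writable directory, two Run values pointing at it, a Startup-folder copy, and a netsh firewall exception for it. The following Python is an added example, not part of the sandbox output: it turns those observations into prototype endpoint detections and correlates per-event hits by pid so that the combination, not any single write, is what gets flagged. The event records are constructed in a Sysmon-like shape (the report contains no Sysmon data); the field names ("type", "pid", "ppid", "image", "cmdline", "key", "data", "path") are this example's own, the values are copied from the tables above, and the parent pid of NewStub.exe (1000) is invented to complete the tree.

```python
"""Prototype endpoint detections for the persistence chain in this report.

Added example, not part of the sandbox output. Event records are constructed
in a Sysmon-like shape with this example's own field names; values come from
the report's IoC tables, except the ppid of NewStub.exe, which is invented.
"""
import re
from collections import defaultdict

# Locations a normal user can write to; a Run value or firewall exception that
# points here is far more suspicious than one pointing into Program Files.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Windows\\Temp\\", re.I)
# The only directories the genuine svchost.exe (and friends) live in.
SYSTEM_DIR = re.compile(r"^[A-Za-z]:\\Windows\\(System32|SysWOW64)\\[^\\]+$", re.I)
RUN_KEY = re.compile(r"\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(exe|dll|scr|vbs|js|bat|cmd|lnk)$", re.I)
# Legacy "netsh firewall" syntax (used by this sample on Windows 7) and the
# advfirewall syntax that replaced it; group 1 is the program path either way.
NETSH_LEGACY = re.compile(r'netsh(?:\.exe)?\s+firewall\s+add\s+allowedprogram\s+"([^"]+)"', re.I)
NETSH_ADV = re.compile(r'netsh(?:\.exe)?\s+advfirewall\s+firewall\s+add\s+rule\b.*?\bprogram="?([^"\s]+)', re.I)
MASQUERADE_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "explorer.exe"}


def check_event(ev):
    """Return [(technique, detail), ...] for one event; empty list if benign."""
    hits = []
    if ev["type"] == "process":
        image, cmdline = ev["image"], ev.get("cmdline", "")
        base = image.rsplit("\\", 1)[-1].lower()
        if base in MASQUERADE_NAMES and not SYSTEM_DIR.match(image):
            hits.append(("masquerade", f"{base} running from {image}"))
        m = NETSH_LEGACY.search(cmdline) or NETSH_ADV.search(cmdline)
        if m:
            prog = m.group(1)
            tech = "firewall_allow_userdir" if USER_WRITABLE.search(prog) else "firewall_allow"
            hits.append((tech, prog))
    elif ev["type"] == "registry":
        if RUN_KEY.search(ev["key"]) and USER_WRITABLE.search(ev["data"]):
            hits.append(("run_key_userdir", ev["key"]))
    elif ev["type"] == "file":
        if STARTUP_DIR.search(ev["path"]):
            hits.append(("startup_folder_drop", ev["path"]))
    return hits


def correlate(events, min_techniques=2):
    """Attribute hits to the acting pid and report pids that combine two or
    more distinct techniques. A netsh hit is also credited to the parent:
    netsh is a one-shot child, and the process that persists is the parent
    (pid 1684 in this report)."""
    per_pid = defaultdict(list)
    for ev in events:
        for tech, detail in check_event(ev):
            per_pid[ev["pid"]].append((tech, detail))
            if tech.startswith("firewall") and "ppid" in ev:
                per_pid[ev["ppid"]].append((tech, detail))
    chains = {pid: sorted({t for t, _ in hits})
              for pid, hits in per_pid.items()
              if len({t for t, _ in hits}) >= min_techniques}
    return dict(per_pid), chains


# Constructed events modelled on the process tree and IoC tables above, plus
# two benign controls (a real svchost.exe and a vendor Run value).
EVENTS = [
    {"type": "process", "pid": 1272, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\NewStub.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\NewStub.exe"'},
    {"type": "process", "pid": 1684, "ppid": 1272,
     "image": r"C:\Users\Admin\AppData\Local\Temp\svchost.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\svchost.exe"'},
    {"type": "file", "pid": 1684,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e99e462d99ad204bdf7d672852a4e30a.exe"},
    {"type": "registry", "pid": 1684,
     "key": r"HKU\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\e99e462d99ad204bdf7d672852a4e30a",
     "data": r'"C:\Users\Admin\AppData\Local\Temp\svchost.exe" ..'},
    {"type": "registry", "pid": 1684,
     "key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\e99e462d99ad204bdf7d672852a4e30a",
     "data": r'"C:\Users\Admin\AppData\Local\Temp\svchost.exe" ..'},
    {"type": "process", "pid": 672, "ppid": 1684,
     "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE'},
    {"type": "process", "pid": 900, "ppid": 600,
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"type": "registry", "pid": 1200,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "data": r'"C:\Program Files\Vendor\updater.exe" /quiet'},
]

if __name__ == "__main__":
    per_pid, chains = correlate(EVENTS)
    for pid, techs in chains.items():
        print(f"pid {pid}: persistence chain {techs}")
```

Each individual rule is noisy on its own (installers write Run values, admins add firewall exceptions); the correlation step is what makes this usable, and the same per-pid grouping is what you would express as the condition of a Sigma rule or a SIEM correlation search.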
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

- C:\Users\Admin\AppData\Local\Temp\svchost.exe (listed three times in the report, once as \Users\Admin\AppData\Local\Temp\svchost.exe)
  - MD5: ae0911261255e0743dcecc6c3245abdf
  - SHA1: c9c6abfc195be44d02e8a79361821ff8d5e1b1c1
  - SHA256: 84f5ec233777bbb8beff694828b95279e0167d48b2cfdd9f1f9385c6fdfdcc3d
  - SHA512: 730ed33b1a196f05746aeb44edce872c2b9a2d2ebfd0e3fa86864eadf6d08899497d01b6c225ba1344a579b1dfb5087fe5f7ca0f13f089bb3aaed7c1bb95f004

All four hashes are identical to those of the submitted NewStub.exe: the sample copies itself byte-for-byte to C:\Users\Admin\AppData\Local\Temp\svchost.exe, so a hash-based block or hunt for the original also covers the dropped file and the Startup-folder copy named after the config ID.

Memory dumps:

- memory/672-61-0x0000000000000000-mapping.dmp
- memory/1272-53-0x00000000767F1000-0x00000000767F3000-memory.dmp (8KB)
- memory/1272-54-0x0000000000560000-0x0000000000561000-memory.dmp (4KB)
- memory/1684-56-0x0000000000000000-mapping.dmp
- memory/1684-60-0x0000000000C30000-0x0000000000C31000-memory.dmp (4KB)
- memory/1684-63-0x0000000000C31000-0x0000000000C32000-memory.dmp (4KB)
- memory/1684-64-0x0000000000C36000-0x0000000000C47000-memory.dmp (68KB)