Analysis
max time kernel: 150s
max time network: 152s
platform: windows10_x64
resource: win10v20210408
submitted: 03-10-2021 22:12
Behavioral task
behavioral1
Sample: NewStub.exe
Resource: win7-en-20210920
General
Target: NewStub.exe
Size: 36KB
MD5: ae0911261255e0743dcecc6c3245abdf
SHA1: c9c6abfc195be44d02e8a79361821ff8d5e1b1c1
SHA256: 84f5ec233777bbb8beff694828b95279e0167d48b2cfdd9f1f9385c6fdfdcc3d
SHA512: 730ed33b1a196f05746aeb44edce872c2b9a2d2ebfd0e3fa86864eadf6d08899497d01b6c225ba1344a579b1dfb5087fe5f7ca0f13f089bb3aaed7c1bb95f004
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet (campaign ID): HacKed
Mutex: e99e462d99ad204bdf7d672852a4e30a
reg_key: e99e462d99ad204bdf7d672852a4e30a
splitter: |'|'|
The same identifier is reused as the Run value name and as the file name dropped into the Startup folder (see the persistence signatures below), so it is the single most useful host IoC in this report.
Signatures
-
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
-
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Microphone)
-
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Remote Desktop)
-
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Get Passwords)
-
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Remote Desktop)
-
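The extracted splitter and the "(ll)" Suricata rule above describe the same mechanism: njRAT sends its C2 messages as a list of fields joined by the splitter, and the first message a client sends is the "ll" registration. The following Python is an added example written for this page, not code from the report or from njRAT itself. It parses a constructed byte stream with that splitter, handles a frame that has only partially arrived, and recovers the campaign name from the registration so it can be compared with the "HacKed" value in the config. The length-prefix framing (ASCII decimal length, NUL byte, payload), the field order of the "ll" message and the base64("<campaign>_<id>") victim identifier are taken from public njRAT 0.7d write-ups and are assumptions here; the report itself supplies only the splitter, version and campaign name.

```python
import base64
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Values taken from the extracted config above.
SPLITTER = "|'|'|"
CAMPAIGN = "HacKed"


@dataclass
class Frame:
    command: str
    fields: List[str] = field(default_factory=list)


def build_frame(command: str, *fields: str, splitter: str = SPLITTER) -> bytes:
    """Encode one frame as ASCII decimal payload length, NUL, splitter-joined
    payload. This framing comes from public njRAT 0.7d analyses (assumption);
    the report above only gives the splitter."""
    payload = splitter.join((command, *fields)).encode("utf-8")
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def split_frames(stream: bytes) -> Tuple[List[bytes], bytes]:
    """Cut a reassembled TCP stream into complete payloads. Returns the
    payloads and the unconsumed tail so a truncated frame can be completed
    when the next segment arrives."""
    frames: List[bytes] = []
    pos = 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            break                                  # length prefix incomplete
        length_text = stream[pos:nul]
        if not length_text.isdigit() or len(length_text) > 9:
            raise ValueError(f"no njRAT length prefix at offset {pos}")
        start, end = nul + 1, nul + 1 + int(length_text)
        if end > len(stream):
            break                                  # payload truncated
        frames.append(stream[start:end])
        pos = end
    return frames, stream[pos:]


def parse_frame(payload: bytes, splitter: str = SPLITTER) -> Frame:
    parts = payload.decode("utf-8", errors="replace").split(splitter)
    return Frame(command=parts[0], fields=parts[1:])


def is_registration(frame: Frame) -> bool:
    """'ll' is the client check-in that the 'CnC Activity (ll)' rule is named
    after; a real one carries host, user and version fields after the id."""
    return frame.command == "ll" and len(frame.fields) >= 3


def campaign_from_victim_id(victim_id_b64: str) -> Optional[str]:
    """First 'll' field is base64('<campaign>_<host id>') in public analyses
    (assumption); the campaign is the 'HacKed' value in the config above."""
    try:
        raw = base64.b64decode(victim_id_b64, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return raw.split("_", 1)[0]


# Constructed sample traffic (not a capture from the sandbox run). Field
# order after the id follows public write-ups: host, user, date, empty,
# OS string, webcam flag, version, '..'.
VICTIM_ID = base64.b64encode(b"HacKed_0123ABCD").decode("ascii")
SAMPLE_STREAM = (
    build_frame("ll", VICTIM_ID, "DESKTOP-TEST", "Admin", "21-10-03", "",
                "Win 7 Ultimate SP1 x86", "No", "0.7d", "..")
    + b"15\x00ll|'|'|par"          # next frame cut short mid-payload
)


def analyse(stream: bytes = SAMPLE_STREAM) -> dict:
    frames, rest = split_frames(stream)
    parsed = [parse_frame(p) for p in frames]
    regs = [f for f in parsed if is_registration(f)]
    first = regs[0] if regs else None
    campaign = campaign_from_victim_id(first.fields[0]) if first else None
    return {
        "complete_frames": len(frames),
        "pending_bytes": len(rest),
        "registrations": len(regs),
        "campaign": campaign,
        "campaign_matches_config": campaign == CAMPAIGN,
        "reported_version": first.fields[7] if first and len(first.fields) > 7 else None,
    }


if __name__ == "__main__":
    print(analyse())
```

Feed split_frames the reassembled TCP payload of the client-to-server direction and keep the returned tail for the next segment. The match is on the literal "ll" command and the splitter, the same anchor the Suricata rule uses, so a build with a different splitter value will not be recognised; for such samples take the splitter from the config extractor as done here rather than hard-coding it.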
Executes dropped EXE 1 IoCs
Processes:
pid 1152, process svchost.exe
-
Modifies Windows Firewall 1 TTPs
-
Drops startup file 2 IoCs
Processes:
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e99e462d99ad204bdf7d672852a4e30a.exe (process: svchost.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e99e462d99ad204bdf7d672852a4e30a.exe (process: svchost.exe)
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
Set value (str): \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\e99e462d99ad204bdf7d672852a4e30a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .." (process: svchost.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\e99e462d99ad204bdf7d672852a4e30a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .." (process: svchost.exe)
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature is "Likely ransomware behaviour"; for a sample the report identifies as njRAT (Malware Config above) the same activity is the normal precursor to its removable-drive spreading routine, and nothing else in this report points to file encryption.
-
Suspicious use of AdjustPrivilegeToken 32 IoCs
Processes:
Token: SeDebugPrivilege (pid 804, NewStub.exe)
Token: SeDebugPrivilege (pid 1152, svchost.exe)
Token: 33 (pid 1152, svchost.exe), 15 occurrences; privilege LUID 33 is SeIncreaseWorkingSetPrivilege
Token: SeIncBasePriorityPrivilege (pid 1152, svchost.exe), 15 occurrences, each immediately following a Token: 33 entry
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
PID 804 (NewStub.exe) wrote to memory of 1152 (svchost.exe), 3 occurrences
PID 1152 (svchost.exe) wrote to memory of 1616 (netsh.exe), 3 occurrences
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\NewStub.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\NewStub.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
-
2. (child of 1) C:\Users\Admin\AppData\Local\Temp\svchost.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
   - Executes dropped EXE
   - Drops startup file
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
-
3. (child of 2) C:\Windows\SysWOW64\netsh.exe
   Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5: ae0911261255e0743dcecc6c3245abdf
SHA1: c9c6abfc195be44d02e8a79361821ff8d5e1b1c1
SHA256: 84f5ec233777bbb8beff694828b95279e0167d48b2cfdd9f1f9385c6fdfdcc3d
SHA512: 730ed33b1a196f05746aeb44edce872c2b9a2d2ebfd0e3fa86864eadf6d08899497d01b6c225ba1344a579b1dfb5087fe5f7ca0f13f089bb3aaed7c1bb95f004
All four hashes are identical to those of the submitted NewStub.exe: the "dropped" svchost.exe is a byte-for-byte copy of the sample placed in %TEMP%, not a second payload.
-
memory/804-114-0x0000000001050000-0x0000000001051000-memory.dmp (filesize 4KB)
-
memory/1152-115-0x0000000000000000-mapping.dmp
-
memory/1152-118-0x0000000003701000-0x0000000003702000-memory.dmp (filesize 4KB)
-
memory/1152-120-0x0000000003712000-0x0000000003713000-memory.dmp (filesize 4KB)
-
memory/1152-121-0x0000000003702000-0x0000000003703000-memory.dmp (filesize 4KB)
-
memory/1616-119-0x0000000000000000-mapping.dmp