Analysis
- max time kernel: 150s
- max time network: 135s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 04-10-2021 17:07

Static task: static1

Behavioral task: behavioral1
- Sample: 4159E161E24F40BD4964EB53AAEA050B685A4AA2B3BAC.exe
- Resource: win7-en-20210920

Behavioral task: behavioral2
- Sample: 4159E161E24F40BD4964EB53AAEA050B685A4AA2B3BAC.exe
- Resource: win10v20210408
General
- Target: 4159E161E24F40BD4964EB53AAEA050B685A4AA2B3BAC.exe
- Size: 455KB
- MD5: aba309cde7801d52d82898085394fd7a
- SHA1: 5ca6bbeaff94b94ad7e8c54029d3096bcd4e914e
- SHA256: 4159e161e24f40bd4964eb53aaea050b685a4aa2b3bac12631180a6a9a403ad7
- SHA512: 567141b32102ec37954437c99bd633bdc4bcd073a1d91146fc9a81b74365bb9d69917ec076c6549843aac23d56641900e09fce76e0236a024e2ae856cf34e6b5
Malware Config
Extracted
- Family: njrat
- im523
- 14.04.2017
- C2: ytka.duckdns.org:1604
- ed423977d6a5549373be05c39703ea7d
- reg_key: ed423977d6a5549373be05c39703ea7d
- splitter: |'|'|
Signatures
-
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
-
Executes dropped EXE 4 IoCs
Processes:
- pid 1680 BitsProg.exe
- pid 812 doclan.exe
- pid 1900 conhost.exe
- pid 1200 conhost.exe
-
Modifies Windows Firewall 1 TTPs
-
Drops startup file 1 IoCs
Processes:
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\luk.lnk (process doclan.exe)
-
Loads dropped DLL 3 IoCs
Processes:
- pid 812 doclan.exe (3 IoCs, all the same process)
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\ed423977d6a5549373be05c39703ea7d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\conhost.exe\" .." (process conhost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ed423977d6a5549373be05c39703ea7d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\conhost.exe\" .." (process conhost.exe)
-
Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer 4 IoCs
Processes:
- resource C:\ProgramData\doclan.exe, yara_rule nsis_installer_1
- resource C:\ProgramData\doclan.exe, yara_rule nsis_installer_2
- resource C:\ProgramData\doclan.exe, yara_rule nsis_installer_1
- resource C:\ProgramData\doclan.exe, yara_rule nsis_installer_2
-
Kills process with taskkill 1 IoCs
Processes:
- pid 1156 taskkill.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
- pid 1200 conhost.exe (64 IoCs, all the same process)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
- pid 1200 conhost.exe
-
Suspicious use of AdjustPrivilegeToken 20 IoCs
Processes:
- Token: SeDebugPrivilege, pid 1156 taskkill.exe
- Token: SeDebugPrivilege, pid 1200 conhost.exe
- Token: 33, pid 1200 conhost.exe (9 IoCs, alternating with the next entry)
- Token: SeIncBasePriorityPrivilege, pid 1200 conhost.exe (9 IoCs)
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
- PID 1128 (4159E161E24F40BD4964EB53AAEA050B685A4AA2B3BAC.exe) wrote to memory of 1680 (BitsProg.exe): 3 IoCs
- PID 1128 (4159E161E24F40BD4964EB53AAEA050B685A4AA2B3BAC.exe) wrote to memory of 812 (doclan.exe): 4 IoCs
- PID 812 (doclan.exe) wrote to memory of 1900 (conhost.exe): 4 IoCs
- PID 1900 (conhost.exe) wrote to memory of 1200 (conhost.exe): 3 IoCs
- PID 1200 (conhost.exe) wrote to memory of 1616 (netsh.exe): 3 IoCs
- PID 1200 (conhost.exe) wrote to memory of 1156 (taskkill.exe): 3 IoCs
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\4159E161E24F40BD4964EB53AAEA050B685A4AA2B3BAC.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4159E161E24F40BD4964EB53AAEA050B685A4AA2B3BAC.exe"
  - Suspicious use of WriteProcessMemory
  -
  [depth 2] C:\ProgramData\BitsProg.exe
    Command line: "C:\ProgramData\BitsProg.exe"
    - Executes dropped EXE
  -
  [depth 2] C:\ProgramData\doclan.exe
    Command line: "C:\ProgramData\doclan.exe"
    - Executes dropped EXE
    - Drops startup file
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    -
    [depth 3] C:\Users\Admin\AppData\Roaming\conhost.exe
      Command line: C:\Users\Admin\AppData\Roaming\conhost.exe
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      -
      [depth 4] C:\Users\Admin\AppData\Local\Temp\conhost.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\conhost.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        -
        [depth 5] C:\Windows\system32\netsh.exe
          Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\conhost.exe" "conhost.exe" ENABLE
        -
        [depth 5] C:\Windows\system32\taskkill.exe
          Command line: taskkill /F /IM cmd.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
Downloads
-
C:\ProgramData\BitsProg.exe
MD5 4aba833aab8032707642515bebc59d1b
SHA1 d5079efd8335aa23162f0165abf426d21a105607
SHA256 822c77973808a0c96608824606d38dcf7b48684919fc2ba57965b6d45dd4b6ad
SHA512 25c86a5e9af0f951c6a5851a3e7330d517a63bdbdd245f8eb0fd3668208c585bcb121cab91ae3583a31940b15eb26711a8a424e98731c7804221d6b26a9d5a14
-
C:\ProgramData\doclan.exe
MD5 b9388102124c0d070b2ae86908938b41
SHA1 bfc1a3713f25ba86ca80ed325c5ff30066ecfcc6
SHA256 f877ac762828cd7ceeb48028eb6b291a105d8c615912f86d256a6c5f48ccc779
SHA512 f417a1e4160ca7491341de5ee2413f0ca21a6d5757f05d25d176b6ab8b4ede8557891a6d2f051c4710e6714ba16a4cf1f608e5ecc32c3b10b37c3d5bac322438
-
C:\Users\Admin\AppData\Local\Temp\conhost.exe
MD5 00a9e6fdd884f9276c09c478a3b1d101
SHA1 3be2b06abfec17151b86bb172eba193f968a4ebc
SHA256 7e8e4fe2adb306db8d5785949c4c0e00c2c6bcc13606d78a3e1fccd0d20dd134
SHA512 23f46750190d1da38fdc91bd6b767a6125d5443d9b751736d5f02c7dfd5446e4a2b9dfc63ac8199f7893add1e651ac9b6e9d4d6e6348362262bb7034afeeea4d
-
C:\Users\Admin\AppData\Roaming\conhost.exe
MD5 00a9e6fdd884f9276c09c478a3b1d101
SHA1 3be2b06abfec17151b86bb172eba193f968a4ebc
SHA256 7e8e4fe2adb306db8d5785949c4c0e00c2c6bcc13606d78a3e1fccd0d20dd134
SHA512 23f46750190d1da38fdc91bd6b767a6125d5443d9b751736d5f02c7dfd5446e4a2b9dfc63ac8199f7893add1e651ac9b6e9d4d6e6348362262bb7034afeeea4d
-
\Users\Admin\AppData\Roaming\conhost.exe
MD5 00a9e6fdd884f9276c09c478a3b1d101
SHA1 3be2b06abfec17151b86bb172eba193f968a4ebc
SHA256 7e8e4fe2adb306db8d5785949c4c0e00c2c6bcc13606d78a3e1fccd0d20dd134
SHA512 23f46750190d1da38fdc91bd6b767a6125d5443d9b751736d5f02c7dfd5446e4a2b9dfc63ac8199f7893add1e651ac9b6e9d4d6e6348362262bb7034afeeea4d
-
- memory/812-62-0x0000000074B41000-0x0000000074B43000-memory.dmp, Filesize 8KB
- memory/812-60-0x0000000000000000-mapping.dmp
- memory/1128-53-0x0000000000C70000-0x0000000000C71000-memory.dmp, Filesize 4KB
- memory/1156-88-0x0000000000000000-mapping.dmp
- memory/1200-78-0x0000000000000000-mapping.dmp
- memory/1200-85-0x000000001B0A5000-0x000000001B0A6000-memory.dmp, Filesize 4KB
- memory/1200-84-0x000000001B086000-0x000000001B0A5000-memory.dmp, Filesize 124KB
- memory/1200-83-0x000000001B080000-0x000000001B082000-memory.dmp, Filesize 8KB
- memory/1200-81-0x0000000000970000-0x0000000000971000-memory.dmp, Filesize 4KB
- memory/1616-89-0x000007FEFB6B1000-0x000007FEFB6B3000-memory.dmp, Filesize 8KB
- memory/1616-87-0x0000000000000000-mapping.dmp
- memory/1680-55-0x0000000000000000-mapping.dmp
- memory/1680-69-0x0000000000600000-0x0000000000602000-memory.dmp, Filesize 8KB
- memory/1680-58-0x0000000001030000-0x0000000001031000-memory.dmp, Filesize 4KB
- memory/1680-74-0x0000000000606000-0x0000000000625000-memory.dmp, Filesize 124KB
- memory/1900-77-0x00000000004A0000-0x00000000004AA000-memory.dmp, Filesize 40KB
- memory/1900-76-0x000000001AE05000-0x000000001AE06000-memory.dmp, Filesize 4KB
- memory/1900-75-0x000000001ADE6000-0x000000001AE05000-memory.dmp, Filesize 124KB
- memory/1900-73-0x000000001ADE0000-0x000000001ADE2000-memory.dmp, Filesize 8KB
- memory/1900-66-0x0000000000000000-mapping.dmp
- memory/1900-70-0x0000000000ED0000-0x0000000000ED1000-memory.dmp, Filesize 4KB