Analysis
max time kernel: 150s
max time network: 152s
platform: windows10_x64
resource: win10v20210408
submitted: 04-10-2021 17:07

Tasks
static1: Static task
behavioral1: Behavioral task, sample 4159E161E24F40BD4964EB53AAEA050B685A4AA2B3BAC.exe, resource win7-en-20210920
behavioral2: Behavioral task, sample 4159E161E24F40BD4964EB53AAEA050B685A4AA2B3BAC.exe, resource win10v20210408
General
Target: 4159E161E24F40BD4964EB53AAEA050B685A4AA2B3BAC.exe
Size: 455KB
MD5: aba309cde7801d52d82898085394fd7a
SHA1: 5ca6bbeaff94b94ad7e8c54029d3096bcd4e914e
SHA256: 4159e161e24f40bd4964eb53aaea050b685a4aa2b3bac12631180a6a9a403ad7
SHA512: 567141b32102ec37954437c99bd633bdc4bcd073a1d91146fc9a81b74365bb9d69917ec076c6549843aac23d56641900e09fce76e0236a024e2ae856cf34e6b5
Malware Config
Extracted
Family: njrat
Extracted build strings: im523, 14.04.2017
C2: ytka.duckdns.org:1604 (a dynamic-DNS hostname, so the address it resolves to can change; block and hunt on the hostname, not on a single IP)
Identifier: ed423977d6a5549373be05c39703ea7d (the same value is reused as the Run value name under Signatures below)
reg_key: ed423977d6a5549373be05c39703ea7d
splitter: |'|'|
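The splitter and reg_key above are what the network signature below keys on. The following is an added example (not part of the sandbox report and not njRAT's own code) showing how the C2 stream can be reassembled and split on that splitter. It assumes, as labelled in the code, that njRAT frames each message as an ASCII decimal length, a NUL byte, then the payload; that the first field is a command verb, with "ll" being the registration beacon the Suricata rule is named after; and that the second field of "ll" is base64 of "<reg_key>_<volume serial>". Field order after the verb differs between njRAT builds, so the beacon used as input is constructed, not captured from this sample.

```python
"""njRAT/Bladabindi C2 framing and field parsing, driven by the config extracted above.

Added example; it is not part of the sandbox report and not njRAT's own code.
Assumptions (labelled): njRAT frames each message as the ASCII decimal payload
length, a NUL byte, then the payload; fields inside the payload are separated by
the configured splitter (|'|'| for this sample); the first field is a command
verb, and "ll" is the registration beacon the Suricata rule is named after;
the second field of "ll" is base64 of "<reg_key>_<volume serial>". Field order
after the verb differs between builds, so CONSTRUCTED_BEACON is constructed.
"""
from __future__ import annotations

import base64

SPLITTER = "|'|'|"                                  # from the extracted config
REG_KEY = "ed423977d6a5549373be05c39703ea7d"        # from the extracted config
C2 = ("ytka.duckdns.org", 1604)                     # from the extracted config


def frame(payload: bytes) -> bytes:
    """Wrap a payload in njRAT's assumed length-prefix framing: b"<len>\\x00<payload>"."""
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def unframe(stream: bytes) -> tuple[list[bytes], bytes]:
    """Split a byte stream into complete messages; return (messages, unconsumed tail).

    The tail is what a stream reassembler keeps for the next TCP segment.
    """
    messages: list[bytes] = []
    pos = 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            break                                   # length prefix not complete yet
        prefix = stream[pos:nul]
        if not prefix.isdigit():
            raise ValueError(f"non-numeric length prefix at offset {pos}: {prefix!r}")
        start, end = nul + 1, nul + 1 + int(prefix)
        if end > len(stream):
            break                                   # payload not complete yet
        messages.append(stream[start:end])
        pos = end
    return messages, stream[pos:]


def decode_victim_id(field: str) -> str | None:
    """Decode the base64 victim id; None if the field is not valid base64/UTF-8."""
    try:
        return base64.b64decode(field, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def parse_message(message: bytes, splitter: str = SPLITTER) -> dict:
    """Split one payload on the splitter and classify it the way the generic rule does."""
    fields = message.decode("utf-8", errors="replace").split(splitter)
    verb = fields[0]
    info = {"verb": verb, "fields": fields, "njrat_beacon": False, "victim_id": None}
    # Generic check: verb "ll" immediately followed by the splitter.
    if verb == "ll" and len(fields) > 1:
        info["njrat_beacon"] = True
        info["victim_id"] = decode_victim_id(fields[1])
    return info


def analyse_stream(stream: bytes, splitter: str = SPLITTER) -> list[dict]:
    """Parse every complete message in a reassembled client-to-C2 stream."""
    messages, _tail = unframe(stream)
    return [parse_message(m, splitter) for m in messages]


# Constructed registration beacon (field layout is an assumption, see docstring).
CONSTRUCTED_BEACON = SPLITTER.join([
    "ll",
    base64.b64encode(f"{REG_KEY}_DEADBEEF".encode()).decode(),   # victim id
    "DESKTOP-TEST",                                             # hostname
    "Admin",                                                    # user
    "21-10-04",                                                 # install date
    "",                                                         # country
    "Win 10 Pro SP0 x64",                                       # OS
    "No",                                                       # webcam
    "im523",                                                    # version string
    "..",                                                       # persistence argument
    base64.b64encode(b"Program Manager").decode(),              # foreground window
]).encode()


if __name__ == "__main__":
    # Two messages back to back, the second one cut off mid-payload.
    stream = frame(CONSTRUCTED_BEACON) + frame(b"inf")[:2]
    for info in analyse_stream(stream):
        print(f"{C2[0]}:{C2[1]} <- verb={info['verb']!r} beacon={info['njrat_beacon']} "
              f"victim={info['victim_id']}")
```

Feed `analyse_stream` the client-to-server bytes of a reassembled flow to port 1604; a hit on `njrat_beacon` with a decodable victim id whose prefix equals the extracted reg_key ties the network event back to this sample's config rather than to the generic family rule.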
Signatures

suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

Executes dropped EXE (4 IoCs)
  1032 BitsProg.exe
  1164 doclan.exe
  1528 conhost.exe
  1304 conhost.exe

Modifies Windows Firewall (1 TTP)

Drops startup file (1 IoC)
  doclan.exe created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\luk.lnk

Adds Run key to start application (2 TTPs, 2 IoCs)
  conhost.exe set (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ed423977d6a5549373be05c39703ea7d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\conhost.exe\" .."
  conhost.exe set (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ed423977d6a5549373be05c39703ea7d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\conhost.exe\" .."
  The value name is the reg_key from the extracted config, and the same value is written under both HKCU and HKLM, so cleanup has to cover both hives.

Drops autorun.inf file (1 TTP)
  Malware can abuse Windows Autorun to spread further via attached volumes.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic note calls this "likely ransomware behaviour"; for this sample the drive enumeration goes with the autorun.inf drop above, i.e. njRAT's removable-drive spreading, and no file encryption is reported.

NSIS installer (4 IoCs)
  C:\ProgramData\doclan.exe matched yara rules nsis_installer_1 and nsis_installer_2 (reported in both behavioral tasks)

Kills process with taskkill (1 IoC)
  2056 taskkill.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  1304 conhost.exe (64 occurrences)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  1304 conhost.exe

Suspicious use of AdjustPrivilegeToken (18 IoCs)
  2056 taskkill.exe: SeDebugPrivilege
  1304 conhost.exe: SeDebugPrivilege, followed by 8 repetitions of the pair (Token: 33, SeIncBasePriorityPrivilege)

Suspicious use of WriteProcessMemory (13 IoCs)
  900 4159E161E24F40BD4964EB53AAEA050B685A4AA2B3BAC.exe wrote to 1032 BitsProg.exe (2 events)
  900 4159E161E24F40BD4964EB53AAEA050B685A4AA2B3BAC.exe wrote to 1164 doclan.exe (3 events)
  1164 doclan.exe wrote to 1528 conhost.exe (2 events)
  1528 conhost.exe wrote to 1304 conhost.exe (2 events)
  1304 conhost.exe wrote to 1344 netsh.exe (2 events)
  1304 conhost.exe wrote to 2056 taskkill.exe (2 events)
  Every target is a child the writer itself spawned, so these are parent-to-child writes at process creation rather than injection into unrelated processes.
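The Run key events above are the persistence artifacts an incident responder would sweep other hosts for. The following is an added example (not part of the sandbox report and not njRAT's own code) that parses a .reg export of the Run keys and scores each value against the traits visible in this report: a 32-hex value name (njRAT's reg_key), a command line ending in " ..", a binary under the user's Temp or Roaming folders, and a system binary name (conhost.exe) outside the Windows directory. The export text it runs over is constructed to mirror the two Set value events plus two benign entries; `reg export` writes UTF-16 with a BOM on disk, so decode the real file before calling. The conhost.exe name list and the two-trait threshold are assumptions of this example.

```python
"""Hunt a .reg export of the Run keys for njRAT-style persistence entries.

Added example; not part of the sandbox report and not njRAT's own code. Input is
text as produced by: reg export HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run run.reg
(UTF-16 with BOM on disk; decode it first). Only string (REG_SZ) values are parsed.
"""
from __future__ import annotations

import re

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
KEY_RE = re.compile(r"^\[(.+)\]$")
HEX32_RE = re.compile(r"^[0-9a-f]{32}$")
SYSTEM_NAMES = {"conhost.exe"}          # the impersonated name seen in this report (assumption beyond that)
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\")


def unescape(s: str) -> str:
    """Undo .reg string escaping: a backslash escapes the following character."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_strings(reg_text: str) -> list[tuple[str, str, str]]:
    """Return (key, value_name, data) for every REG_SZ value in a .reg export."""
    entries = []
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:          # dword:/hex: values do not match and are skipped
            entries.append((key, unescape(m.group(1)), unescape(m.group(2))))
    return entries


def image_path(command_line: str) -> str:
    """First token of a Run command line, with surrounding quotes removed."""
    m = re.match(r'"([^"]+)"|(\S+)', command_line)
    return (m.group(1) or m.group(2)) if m else ""


def score_entry(name: str, data: str, reg_key: str | None = None) -> list[str]:
    """List the njRAT persistence traits one Run value exhibits."""
    reasons = []
    path = image_path(data).lower()
    exe = path.rsplit("\\", 1)[-1]
    if HEX32_RE.match(name):
        reasons.append("value name is a 32-hex identifier (njRAT reg_key style)")
    if reg_key and name == reg_key:
        reasons.append("matches extracted reg_key")
    if data.endswith(" .."):
        reasons.append('command line ends with " .." (njRAT persistence argument)')
    if any(marker in path for marker in USER_WRITABLE):
        reasons.append("binary runs from user-writable Temp/Roaming")
    if exe in SYSTEM_NAMES and "\\windows\\" not in path:
        reasons.append(f"{exe} outside the Windows directory")
    return reasons


def find_njrat_run_entries(reg_text: str, reg_key: str | None = None,
                           min_reasons: int = 2) -> list[dict]:
    """Return Run values that show at least min_reasons njRAT traits."""
    hits = []
    for key, name, data in parse_reg_strings(reg_text):
        if not key.lower().endswith("\\currentversion\\run"):
            continue
        reasons = score_entry(name, data, reg_key)
        if len(reasons) >= min_reasons:
            hits.append({"key": key, "name": name, "data": data, "reasons": reasons})
    return hits


# Constructed export: the two njRAT Set value events from the report plus two benign values.
CONSTRUCTED_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"ed423977d6a5549373be05c39703ea7d"="\"C:\\Users\\Admin\\AppData\\Local\\Temp\\conhost.exe\" .."

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"ed423977d6a5549373be05c39703ea7d"="\"C:\\Users\\Admin\\AppData\\Local\\Temp\\conhost.exe\" .."
'''

if __name__ == "__main__":
    for hit in find_njrat_run_entries(CONSTRUCTED_REG_EXPORT,
                                      reg_key="ed423977d6a5549373be05c39703ea7d"):
        print(hit["key"], hit["name"], hit["data"])
        for r in hit["reasons"]:
            print("   -", r)
```

Pass the reg_key from the extracted config when hunting for this sample; leave it out to catch other njRAT builds, which still trip the 32-hex name, the " .." suffix and the Temp/Roaming path.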
Processes (PIDs taken from the WriteProcessMemory table above; indentation shows parent/child)

PID 900   C:\Users\Admin\AppData\Local\Temp\4159E161E24F40BD4964EB53AAEA050B685A4AA2B3BAC.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\4159E161E24F40BD4964EB53AAEA050B685A4AA2B3BAC.exe"
          - Suspicious use of WriteProcessMemory
  PID 1032  C:\ProgramData\BitsProg.exe
            command line: "C:\ProgramData\BitsProg.exe"
            - Executes dropped EXE
  PID 1164  C:\ProgramData\doclan.exe
            command line: "C:\ProgramData\doclan.exe"
            - Executes dropped EXE
            - Drops startup file
            - Suspicious use of WriteProcessMemory
    PID 1528  C:\Users\Admin\AppData\Roaming\conhost.exe
              command line: C:\Users\Admin\AppData\Roaming\conhost.exe
              - Executes dropped EXE
              - Suspicious use of WriteProcessMemory
      PID 1304  C:\Users\Admin\AppData\Local\Temp\conhost.exe
                command line: "C:\Users\Admin\AppData\Local\Temp\conhost.exe"
                - Executes dropped EXE
                - Adds Run key to start application
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: GetForegroundWindowSpam
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
        PID 1344  C:\Windows\SYSTEM32\netsh.exe
                  command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\conhost.exe" "conhost.exe" ENABLE
                  (netsh firewall is the legacy pre-advfirewall syntax, but it still adds an allow rule on Windows 10; hunt for both "netsh firewall add allowedprogram" and "netsh advfirewall firewall add rule" launched from binaries in user-writable paths)
        PID 2056  C:\Windows\SYSTEM32\taskkill.exe
                  command line: taskkill /F /IM cmd.exe
                  - Kills process with taskkill
                  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\ProgramData\BitsProg.exe
  MD5: 4aba833aab8032707642515bebc59d1b
  SHA1: d5079efd8335aa23162f0165abf426d21a105607
  SHA256: 822c77973808a0c96608824606d38dcf7b48684919fc2ba57965b6d45dd4b6ad
  SHA512: 25c86a5e9af0f951c6a5851a3e7330d517a63bdbdd245f8eb0fd3668208c585bcb121cab91ae3583a31940b15eb26711a8a424e98731c7804221d6b26a9d5a14

C:\ProgramData\doclan.exe
  MD5: b9388102124c0d070b2ae86908938b41
  SHA1: bfc1a3713f25ba86ca80ed325c5ff30066ecfcc6
  SHA256: f877ac762828cd7ceeb48028eb6b291a105d8c615912f86d256a6c5f48ccc779
  SHA512: f417a1e4160ca7491341de5ee2413f0ca21a6d5757f05d25d176b6ab8b4ede8557891a6d2f051c4710e6714ba16a4cf1f608e5ecc32c3b10b37c3d5bac322438

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
  MD5: 4252bfc7065ad227b5ee7458e3670d2e
  SHA1: 7153bdb8152a29d1d3f5911df07bf8725d380d30
  SHA256: e5456fe707c888b0183c697a07511d7d9fb068a028f37653b2c5cc032ec81a1b
  SHA512: 1fe2ddfc524962beb0b1ff320ea458fe71c172fc1e63cad8416cfe123177d8c4aa437f8415d8f7d26ab572ce327be66c99a055d0c15514e3d0c1d33d9a823abd
  (this usage log is written by the .NET 4 runtime when a managed executable runs, so the dropped conhost.exe is a .NET assembly, as njRAT builds are)

C:\Users\Admin\AppData\Local\Temp\conhost.exe and C:\Users\Admin\AppData\Roaming\conhost.exe (identical content)
  MD5: 00a9e6fdd884f9276c09c478a3b1d101
  SHA1: 3be2b06abfec17151b86bb172eba193f968a4ebc
  SHA256: 7e8e4fe2adb306db8d5785949c4c0e00c2c6bcc13606d78a3e1fccd0d20dd134
  SHA512: 23f46750190d1da38fdc91bd6b767a6125d5443d9b751736d5f02c7dfd5446e4a2b9dfc63ac8199f7893add1e651ac9b6e9d4d6e6348362262bb7034afeeea4d
-
Memory dumps (PID-index-region; size where the dump is a memory region)
memory/900-114-0x0000000000F90000-0x0000000000F91000-memory.dmp (4KB)
memory/1032-116-0x0000000000000000-mapping.dmp
memory/1032-119-0x000002B12AF50000-0x000002B12AF51000-memory.dmp (4KB)
memory/1032-123-0x000002B145560000-0x000002B145562000-memory.dmp (8KB)
memory/1032-130-0x000002B145562000-0x000002B145564000-memory.dmp (8KB)
memory/1032-132-0x000002B145564000-0x000002B145566000-memory.dmp (8KB)
memory/1164-121-0x0000000000000000-mapping.dmp
memory/1304-139-0x0000000000000000-mapping.dmp
memory/1304-146-0x000000001B5E0000-0x000000001B5E2000-memory.dmp (8KB)
memory/1304-147-0x000000001B5E2000-0x000000001B5E4000-memory.dmp (8KB)
memory/1304-148-0x000000001B5E4000-0x000000001B5E6000-memory.dmp (8KB)
memory/1344-152-0x0000000000000000-mapping.dmp
memory/1528-125-0x0000000000000000-mapping.dmp
memory/1528-128-0x0000000000360000-0x0000000000361000-memory.dmp (4KB)
memory/1528-131-0x000000001B450000-0x000000001B452000-memory.dmp (8KB)
memory/1528-133-0x000000001E3E0000-0x000000001E3E1000-memory.dmp (4KB)
memory/1528-134-0x000000001B452000-0x000000001B454000-memory.dmp (8KB)
memory/1528-135-0x000000001B454000-0x000000001B456000-memory.dmp (8KB)
memory/1528-136-0x000000001AB50000-0x000000001AB51000-memory.dmp (4KB)
memory/1528-137-0x0000000002610000-0x000000000261A000-memory.dmp (40KB)
memory/1528-138-0x00000000026B0000-0x00000000026B1000-memory.dmp (4KB)
memory/2056-153-0x0000000000000000-mapping.dmp