Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 05-10-2021 06:42
Behavioral task: behavioral1
- Sample: 8E8732B9BEBC8382E938B48697E79FEB4B06528DF41FD.exe
- Resource: win7-en-20210920
General
- Target: 8E8732B9BEBC8382E938B48697E79FEB4B06528DF41FD.exe
- Size: 23KB
- MD5: c7b942aee6ebe5d43a3b7398eda1f0ee
- SHA1: 11a0690bd6158cbcc5ddb55282751689df0538ed
- SHA256: 8e8732b9bebc8382e938b48697e79feb4b06528df41fd855b540dce788f6d8b3
- SHA512: 9ce157ef003f80a0b8a88a32bb91d5138a5ead35340ea7bd513a79487cc33fcb830334449015805ef4bf0ae30bdd42eac0c23339129f448e1e945ef7fe50323a
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: MyBot
- C2: 167.71.56.116:22232
- Mutex: 290df5fa05cb4394e161de39f67a971b
- reg_key: 290df5fa05cb4394e161de39f67a971b
- splitter: |'|'|
Signatures
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
    1344  Unmineable.exe
- Modifies Windows Firewall (1 TTP)
- Drops startup file (2 IoCs)
  Processes (description / ioc / process):
    File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\290df5fa05cb4394e161de39f67a971b.exe  Unmineable.exe
    File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\290df5fa05cb4394e161de39f67a971b.exe  Unmineable.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description / ioc / process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\290df5fa05cb4394e161de39f67a971b = "\"C:\\Users\\Admin\\AppData\\Roaming\\Unmineable.exe\" .."  Unmineable.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\290df5fa05cb4394e161de39f67a971b = "\"C:\\Users\\Admin\\AppData\\Roaming\\Unmineable.exe\" .."  Unmineable.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege            1344  Unmineable.exe
    Token: 33                          1344  Unmineable.exe
    Token: SeIncBasePriorityPrivilege  1344  Unmineable.exe
    (the "Token: 33" / "Token: SeIncBasePriorityPrivilege" pair repeats 16 times, 33 entries in total)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description / pid / process / target process):
    PID 1040 wrote to memory of 1344  1040  8E8732B9BEBC8382E938B48697E79FEB4B06528DF41FD.exe  Unmineable.exe
    PID 1040 wrote to memory of 1344  1040  8E8732B9BEBC8382E938B48697E79FEB4B06528DF41FD.exe  Unmineable.exe
    PID 1040 wrote to memory of 1344  1040  8E8732B9BEBC8382E938B48697E79FEB4B06528DF41FD.exe  Unmineable.exe
    PID 1344 wrote to memory of 1544  1344  Unmineable.exe  netsh.exe
    PID 1344 wrote to memory of 1544  1344  Unmineable.exe  netsh.exe
    PID 1344 wrote to memory of 1544  1344  Unmineable.exe  netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\8E8732B9BEBC8382E938B48697E79FEB4B06528DF41FD.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8E8732B9BEBC8382E938B48697E79FEB4B06528DF41FD.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Unmineable.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Unmineable.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Unmineable.exe" "Unmineable.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Unmineable.exe
  MD5: c7b942aee6ebe5d43a3b7398eda1f0ee
  SHA1: 11a0690bd6158cbcc5ddb55282751689df0538ed
  SHA256: 8e8732b9bebc8382e938b48697e79feb4b06528df41fd855b540dce788f6d8b3
  SHA512: 9ce157ef003f80a0b8a88a32bb91d5138a5ead35340ea7bd513a79487cc33fcb830334449015805ef4bf0ae30bdd42eac0c23339129f448e1e945ef7fe50323a
- memory/1040-114-0x0000000000640000-0x00000000006EE000-memory.dmp
  Filesize: 696KB
- memory/1344-115-0x0000000000000000-mapping.dmp
- memory/1344-118-0x0000000002A30000-0x0000000002A31000-memory.dmp
  Filesize: 4KB
- memory/1544-119-0x0000000000000000-mapping.dmp