Analysis
Max time kernel: 151s
Max time network: 149s
Platform: windows10_x64
Resource: win10-en-20210920
Submitted: 08-10-2021 05:12
Behavioral task: behavioral1
Sample: a23360923a178f5fa03aa6bc07af76ee.exe
Resource: win7v20210408
General
Target: a23360923a178f5fa03aa6bc07af76ee.exe
Size: 37KB
MD5: a23360923a178f5fa03aa6bc07af76ee
SHA1: 55627fa47a75643c3072389be3dadf4b3346284d
SHA256: 6daefc6f282bc92111eca7dd24c20c236b209bd1d14d6290ac543c707d60df32
SHA512: 3d377b57f5b367e84223faff8225cab8083d2612e727ebe555df0eda8fabbdb8123e67ea421f7c04ed516af8a3a8d80e948e6f77ba9bf5cae4d8a1d8be19cf70
Malware Config
Extracted: njrat
Version: im523
Botnet: HacKed
C2: 0.tcp.ngrok.io:17560
Mutex: e2aebaa00665f100e890d032411c733f
reg_key: e2aebaa00665f100e890d032411c733f
splitter: |'|'|
The C2 is an ngrok TCP tunnel, so the IP it resolves to is ephemeral and the usable network indicator is the hostname/port pair (and, on the wire, the plaintext protocol matched by the Suricata rule below). The 32-hex-character identifier is reused throughout the run: it is the Run value name and the file name dropped into the Startup folder in the IoCs below.
Signatures
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
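The `splitter` in the extracted config and the Suricata hit both come from njRAT's plaintext C2 framing. The Python below is an added example, not part of the sandbox report and not njRAT's own code: it assumes the commonly documented wire format (ASCII decimal payload length, a NUL byte, then the payload; fields joined by the splitter; a client registration message whose first field is `ll`, which is what the `(ll)` in the ET rule name refers to). The sample traffic, host/user names, field order and victim-identifier layout are constructed for the example, and the parser keeps an unconsumed remainder so a frame split across TCP segments is handled rather than dropped.

```python
import base64

# Field separator taken from the extracted configuration above.
SPLITTER = b"|'|'|"


def build_frame(fields):
    """Encode one message the way njRAT frames it on the wire (assumed layout:
    ASCII decimal payload length, a NUL byte, then the payload)."""
    payload = SPLITTER.join(fields)
    return str(len(payload)).encode() + b"\x00" + payload


def parse_frames(stream):
    """Split a TCP stream into complete frames.

    Returns (frames, remainder). The remainder is an incomplete trailing frame
    (TCP segmentation) that the caller should prepend to the next chunk.
    Raises ValueError on a non-numeric length prefix.
    """
    frames, pos = [], 0
    while True:
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            break
        length_field = stream[pos:nul]
        if not length_field.isdigit():
            raise ValueError("non-numeric length prefix at offset %d" % pos)
        start = nul + 1
        end = start + int(length_field)
        if end > len(stream):
            break                      # frame not fully received yet
        frames.append(stream[start:end])
        pos = end
    return frames, stream[pos:]


def classify(frame):
    """Summarise one frame. Only the first field (the command) and the base64
    victim identifier of the 'll' registration are interpreted; the remaining
    field positions are not relied on."""
    fields = frame.split(SPLITTER)
    info = {"command": fields[0].decode("latin-1"), "field_count": len(fields)}
    if fields[0] == b"ll" and len(fields) > 1:
        try:
            info["victim_id"] = base64.b64decode(fields[1], validate=True)
        except ValueError:             # binascii.Error is a ValueError
            info["victim_id"] = None
    return info


# Constructed sample traffic, not a capture from the sandbox run. The victim
# identifier layout (botnet name + hardware id) and the field order after the
# identifier are assumptions for illustration.
VICTIM_ID = b"HacKed_0123456789ABCDEF"
REGISTRATION = build_frame([
    b"ll", base64.b64encode(VICTIM_ID), b"WIN10-SANDBOX", b"Admin",
    b"21-09-20", b"", b"Win 10 Pro x64", b"No", b"im523", b"..",
])
SECOND_FRAME = build_frame([b"inf", b"ping"])   # constructed follow-up message
PARTIAL = SECOND_FRAME[:4]                     # cut mid-frame to exercise buffering
SAMPLE_STREAM = REGISTRATION + PARTIAL


def analyse(chunks):
    """Feed successive TCP chunks through the parser and classify every frame."""
    buf, results = b"", []
    for chunk in chunks:
        frames, buf = parse_frames(buf + chunk)
        results.extend(classify(f) for f in frames)
    return results, buf


if __name__ == "__main__":
    summaries, leftover = analyse([SAMPLE_STREAM, SECOND_FRAME[4:]])
    for s in summaries:
        print(s)
    print("unconsumed bytes:", leftover)
```

The same split-on-splitter step is what a network detection does in reverse: the rule fires on the literal `ll|'|'|` prefix, so any traffic matching it on a non-standard port (here an ngrok-assigned one) is worth pulling into this kind of parser to recover the victim identifier and version string.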
-
Executes dropped EXE 1 IoCs
- System.exe (PID 4352)
Modifies Windows Firewall 1 TTPs
The dropped copy spawns netsh.exe with the legacy `netsh firewall add allowedprogram` syntax (see the process tree below). That context has been deprecated in favour of `netsh advfirewall firewall` since Windows 7 but is still executed, and it adds an allow rule for the program so inbound connections to the RAT are not blocked by the host firewall.
Drops startup file 2 IoCs
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e2aebaa00665f100e890d032411c733f.exe (by System.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e2aebaa00665f100e890d032411c733f.exe (by System.exe)
Adds Run key to start application 2 TTPs 2 IoCs
- Set value (str): \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\e2aebaa00665f100e890d032411c733f = "C:\Users\Admin\AppData\Roaming\System.exe" .. (by System.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\e2aebaa00665f100e890d032411c733f = "C:\Users\Admin\AppData\Roaming\System.exe" .. (by System.exe)
Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature is "likely ransomware behaviour"; taken together with the autorun.inf drop above and the njRAT family identification, the drive enumeration here is more consistent with copying to removable media than with encryption.
Suspicious behavior: EnumeratesProcesses 64 IoCs
- System.exe (PID 4352), 64 occurrences
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
- System.exe (PID 4352)
Suspicious use of AdjustPrivilegeToken 35 IoCs
All by System.exe (PID 4352):
- Token: SeDebugPrivilege, 1 occurrence
- Token: 33, 17 occurrences
- Token: SeIncBasePriorityPrivilege, 17 occurrences (each paired with a preceding "Token: 33" entry)
Suspicious use of WriteProcessMemory 6 IoCs
- PID 3644 (a23360923a178f5fa03aa6bc07af76ee.exe) wrote to memory of PID 4352 (System.exe), 3 occurrences
- PID 4352 (System.exe) wrote to memory of PID 4548 (netsh.exe), 3 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\a23360923a178f5fa03aa6bc07af76ee.exe (PID 3644, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a23360923a178f5fa03aa6bc07af76ee.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\System.exe (PID 4352, level 2)
    Command line: "C:\Users\Admin\AppData\Roaming\System.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (PID 4548, level 3)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\System.exe" "System.exe" ENABLE
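The process tree and the IoC sections above describe one persistence chain: a Run value whose data is `"<path>" ..`, a copy of the same file dropped into the Startup folder under the same identifier, and a child netsh.exe that whitelists the payload in the firewall. The Python below is an added example (not part of the report and not a sandbox or Sysmon tool) that correlates those three steps per process over Sysmon-style records. The records are constructed to mirror the report's IoCs plus one benign installer autostart for contrast; only the Sysmon event IDs (13 registry value set, 11 file create, 1 process create) and the field names `TargetObject`, `Details`, `TargetFilename`, `CommandLine`, `ProcessId`, `ParentProcessId`, `Image` are real, the record shape is simplified.

```python
import re
from collections import defaultdict

# Patterns for the persistence chain seen in the process tree above.
RUN_VALUE_RE = re.compile(r"\\CurrentVersion\\Run\\([^\\]+)$", re.IGNORECASE)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\([^\\]+)$", re.IGNORECASE)
# njRAT registers its copy as "<path>" .. ; the trailing ".." is the distinctive part.
NJRAT_RUN_DATA_RE = re.compile(r'^"([^"]+)" \.\.$')
NETSH_ALLOW_RE = re.compile(r'netsh\s+firewall\s+add\s+allowedprogram\s+"([^"]+)"',
                            re.IGNORECASE)

# Constructed Sysmon-style records mirroring the report's IoCs. Not a real export.
IDENT = "e2aebaa00665f100e890d032411c733f"
PAYLOAD = r"C:\Users\Admin\AppData\Roaming\System.exe"
EVENTS = [
    {"EventID": 13, "ProcessId": 4352, "Image": PAYLOAD,
     "TargetObject": r"HKU\S-1-5-21-2481030822-2828258191-1606198294-1000"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\%s" % IDENT,
     "Details": '"%s" ..' % PAYLOAD},
    {"EventID": 13, "ProcessId": 4352, "Image": PAYLOAD,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\%s" % IDENT,
     "Details": '"%s" ..' % PAYLOAD},
    {"EventID": 11, "ProcessId": 4352, "Image": PAYLOAD,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\%s.exe" % IDENT},
    {"EventID": 1, "ProcessId": 4548, "ParentProcessId": 4352,
     "Image": r"C:\Windows\SysWOW64\netsh.exe",
     "CommandLine": 'netsh firewall add allowedprogram "%s" "System.exe" ENABLE' % PAYLOAD},
    # Benign installer autostart for contrast: no ".." argument, no Startup copy, no netsh.
    {"EventID": 13, "ProcessId": 7001, "Image": r"C:\Program Files\Contoso\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ContosoUpdater",
     "Details": r'"C:\Program Files\Contoso\updater.exe" --background'},
]


def triage(events):
    """Correlate Run-value writes, Startup-folder drops and netsh firewall
    exceptions per process and return njRAT-style persistence findings."""
    per_proc = defaultdict(lambda: {"image": None, "run": {}, "startup": set(), "fw": set()})
    for ev in events:
        eid = ev["EventID"]
        if eid == 13:
            key = RUN_VALUE_RE.search(ev["TargetObject"])
            data = NJRAT_RUN_DATA_RE.match(ev["Details"])
            if key and data:
                s = per_proc[ev["ProcessId"]]
                s["image"] = ev["Image"]
                s["run"][key.group(1)] = data.group(1)
        elif eid == 11:
            drop = STARTUP_DIR_RE.search(ev["TargetFilename"])
            if drop:
                s = per_proc[ev["ProcessId"]]
                s["image"] = ev["Image"]
                s["startup"].add(drop.group(1))
        elif eid == 1:
            rule = NETSH_ALLOW_RE.search(ev.get("CommandLine", ""))
            if rule:
                # Attribute the firewall exception to the parent that spawned netsh.
                per_proc[ev["ParentProcessId"]]["fw"].add(rule.group(1))

    findings = []
    for pid, s in per_proc.items():
        for name, path in s["run"].items():
            startup_copy = any(f.lower().startswith(name.lower() + ".") for f in s["startup"])
            findings.append({
                "pid": pid,
                "image": s["image"],
                "identifier": name,
                "payload": path,
                "startup_copy": startup_copy,
                "firewall_exception": path.lower() in {p.lower() for p in s["fw"]},
                # The ".." Run value alone is a strong hint; the same identifier
                # reused as a Startup-folder file name makes it a confident match.
                "confidence": "high" if startup_copy else "medium",
            })
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

On a real host the same three lookups can be done without Sysmon: read both Run keys (the 64-bit and the WOW6432Node view, since the sample is 32-bit) for values ending in ` ..`, list the per-user Startup folder for a file whose stem matches a Run value name, and compare against the firewall's authorized-application list.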
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\System.exe
  MD5: a23360923a178f5fa03aa6bc07af76ee
  SHA1: 55627fa47a75643c3072389be3dadf4b3346284d
  SHA256: 6daefc6f282bc92111eca7dd24c20c236b209bd1d14d6290ac543c707d60df32
  SHA512: 3d377b57f5b367e84223faff8225cab8083d2612e727ebe555df0eda8fabbdb8123e67ea421f7c04ed516af8a3a8d80e948e6f77ba9bf5cae4d8a1d8be19cf70
  All four hashes are identical to the submitted sample: the dropper copies itself byte-for-byte to %APPDATA%\System.exe rather than writing a distinct second stage, so the sample's own hashes cover the persisted file.
- memory/3644-115-0x0000000002EF0000-0x0000000002EF1000-memory.dmp (4KB)
- memory/4352-116-0x0000000000000000-mapping.dmp
- memory/4352-119-0x0000000001820000-0x0000000001821000-memory.dmp (4KB)
- memory/4548-120-0x0000000000000000-mapping.dmp