Analysis

  • max time kernel
    153s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    08-10-2021 11:21

General

  • Target

    8D09712C6F3ED0173113B57D0835B1B7D32F2EE008143.exe

  • Size

    22.1MB

  • MD5

    c8b74e3eb7f08d7f22a5979b6035db99

  • SHA1

    9a240b60ed6fa9593b3581a98a97d73e9bcf313d

  • SHA256

    8d09712c6f3ed0173113b57d0835b1b7d32f2ee008143a6bdec9390aee412c57

  • SHA512

    e54bced3674f53ba056ae35284777241a48b62948ae116cdedbdf4136b4fbe27460956854718e8160fadd36509817e11ada10bd56927e4b83f41af5411a074c1

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

MNC7.6

C2

ddnsrtm.ddns.net:5552

Mutex

f32485db280ee39a17bf49b4a2d24db6

Attributes
  • reg_key

    f32485db280ee39a17bf49b4a2d24db6

  • splitter

    |'|'|
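
The two protocol details the extracted config gives are the field splitter |'|'| and the C2 endpoint, and the Suricata hit names the "ll" registration message. The Python below is an added example (not part of this report and not njRAT's own code) that reassembles njRAT records from a captured TCP stream and splits them on that separator. The length-prefix framing ("<decimal length>", a NUL byte, then the payload) and the position of the base64 victim id in the registration record are assumptions taken from public njRAT write-ups, not something this report shows; the sample bytes are constructed for the example, not captured from this run.

```python
"""Reassemble and decode njRAT C2 records from a captured TCP stream.

Added example (not from the report or from njRAT).  The field splitter |'|'|
and the "ll" registration command are from the report; the framing
"<decimal length>\\x00<payload>" and the position of the base64 victim id in
the registration record are assumptions taken from public njRAT write-ups.
"""
import base64
from typing import Dict, List, Tuple

SPLITTER = "|'|'|"  # field separator from the extracted config


def frame(payload: bytes) -> bytes:
    """Wrap a payload in the assumed framing: ASCII length, NUL, payload."""
    return b"%d\x00%s" % (len(payload), payload)


def parse_stream(buf: bytes) -> Tuple[List[bytes], bytes]:
    """Cut a byte stream into complete records.

    Returns (records, remainder).  A trailing partial record is left in the
    remainder so the caller can append the next TCP segment and call again.
    """
    records = []
    pos = 0
    while True:
        nul = buf.find(b"\x00", pos)
        if nul == -1:
            break                                   # no complete length prefix yet
        prefix = buf[pos:nul]
        if not prefix.isdigit():
            raise ValueError("bad length prefix at offset %d: %r" % (pos, prefix))
        start, end = nul + 1, nul + 1 + int(prefix)
        if end > len(buf):
            break                                   # payload not fully received
        records.append(buf[start:end])
        pos = end
    return records, buf[pos:]


def decode_record(record: bytes) -> Dict[str, object]:
    """Split one record on the splitter and pull out the victim id if present."""
    fields = record.decode("utf-8", errors="replace").split(SPLITTER)
    out = {"command": fields[0], "fields": fields[1:], "victim_id": None}
    # Registration ("ll") records carry base64("<botnet tag>_<volume serial>")
    # as their first field (assumption from public write-ups).
    if fields[0] == "ll" and len(fields) > 1:
        try:
            out["victim_id"] = base64.b64decode(fields[1], validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            pass
    return out


# Constructed sample: one complete registration record built with the
# splitter, then a second record whose payload has not fully arrived.
REGISTRATION = SPLITTER.join([
    "ll",
    base64.b64encode(b"MNC7.6_3F619DA8").decode(),  # botnet tag from the config, made-up serial
    "WIN-LAB", "Admin", "21-10-08", "", "Win 7 Ultimate SP1 x64", "No", "0.7d",
]).encode()
SAMPLE_STREAM = frame(REGISTRATION) + b"12\x00inf|'|'|par"


def demo() -> Tuple[List[Dict[str, object]], bytes]:
    """Decode the constructed stream; returns (decoded records, buffered bytes)."""
    records, remainder = parse_stream(SAMPLE_STREAM)
    return [decode_record(r) for r in records], remainder


if __name__ == "__main__":
    decoded, rest = demo()
    for rec in decoded:
        print(rec["command"], rec["victim_id"], rec["fields"][1:])
    print("buffered:", rest)
```

Feeding the remainder back with the next segment is the part worth getting right in a decoder: the second record is declared as 12 bytes but only 11 have arrived, so it stays buffered instead of being emitted truncated or raising.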

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
  • Executes dropped EXE 5 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox tags this as likely ransomware behaviour, but the heuristic only records drive enumeration; the same behaviour is consistent with njRAT's USB-spreading option, so treat the ransomware label as a generic hint rather than a verdict.

  • Suspicious use of AdjustPrivilegeToken 33 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8D09712C6F3ED0173113B57D0835B1B7D32F2EE008143.exe
    "C:\Users\Admin\AppData\Local\Temp\8D09712C6F3ED0173113B57D0835B1B7D32F2EE008143.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1824
    • C:\Windows\m2964.exe
      "C:\Windows\m2964.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1116
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Windows\29.vbs"
        3⤵
        PID:1188
      • C:\Windows\mncc64.exe
        "C:\Windows\mncc64.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1980
        • C:\Users\Admin\AppData\Roaming\svchost.exe
          "C:\Users\Admin\AppData\Roaming\svchost.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:684
          • C:\Windows\SysWOW64\netsh.exe
            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE
            5⤵
            PID:1748
    • C:\Windows\manyc5m.exe
      "C:\Windows\manyc5m.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:1168
      • C:\Program Files (x86)\ManyCam\ManyCam.exe
        "C:\Program Files (x86)\ManyCam\ManyCam.exe"
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Identifies Wine through registry keys
        PID:1736
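
The process tree is the detection-relevant part of this report: a file named svchost.exe launched from the user's Roaming profile, a .vbs dropped into C:\Windows and run by WScript.exe, three dropped executables in the root of C:\Windows, and a netsh call that whitelists the fake svchost.exe in the Windows Firewall (the ManyCam branch is the decoy the dropper installs alongside). The Python below is an added example, not part of the report, that encodes those observations as process-creation rules and runs them over the tree as transcribed from this page. The rule names, the lists of system binaries and directories, and the threshold choices are mine; the PROCESSES input is a constructed transcription of the PIDs and command lines shown above.

```python
"""Process-creation triage over the sandbox's process tree.

Added example, not part of the report.  Rule names and the lists of system
binaries and directories are my choices; PROCESSES is a transcription of the
PIDs and command lines shown in the tree above.
"""
import ntpath
import re
from typing import Dict, List, Tuple

PROCESSES = [
    {"pid": 1824, "ppid": None, "cmd": r'"C:\Users\Admin\AppData\Local\Temp\8D09712C6F3ED0173113B57D0835B1B7D32F2EE008143.exe"'},
    {"pid": 1116, "ppid": 1824, "cmd": r'"C:\Windows\m2964.exe"'},
    {"pid": 1188, "ppid": 1116, "cmd": r'"C:\Windows\System32\WScript.exe" "C:\Windows\29.vbs"'},
    {"pid": 1980, "ppid": 1116, "cmd": r'"C:\Windows\mncc64.exe"'},
    {"pid": 684,  "ppid": 1980, "cmd": r'"C:\Users\Admin\AppData\Roaming\svchost.exe"'},
    {"pid": 1748, "ppid": 684,  "cmd": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE'},
    {"pid": 1168, "ppid": 1824, "cmd": r'"C:\Windows\manyc5m.exe"'},
    {"pid": 1736, "ppid": 1168, "cmd": r'"C:\Program Files (x86)\ManyCam\ManyCam.exe"'},
]

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "explorer.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")
ODD_SCRIPT_DIRS = {r"c:\windows", r"c:\windows\temp"}


def tokenize(cmd: str) -> List[str]:
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def triage(procs: List[Dict]) -> List[Tuple[int, str, str]]:
    """Return (pid, rule, detail) for every process that trips a rule."""
    hits = []
    for p in procs:
        argv = tokenize(p["cmd"])
        image = argv[0]
        name = ntpath.basename(image).lower()
        folder = ntpath.dirname(image).lower()
        args = [a.lower() for a in argv[1:]]
        # 1. A well-known system binary name running outside the system directories.
        if name in SYSTEM_NAMES and folder not in SYSTEM_DIRS:
            hits.append((p["pid"], "system_name_masquerade", image))
        # 2. Script host running a script from a directory users do not write to.
        if name in SCRIPT_HOSTS:
            for a in argv[1:]:
                if a.lower().endswith(SCRIPT_EXTS) and ntpath.dirname(a).lower() in ODD_SCRIPT_DIRS:
                    hits.append((p["pid"], "script_in_windows_dir", a))
        # 3. Firewall exception added for a program (legacy "firewall add
        #    allowedprogram" or "advfirewall firewall add rule" syntax).
        if name in {"netsh", "netsh.exe"} and "firewall" in args and "add" in args \
                and ("allowedprogram" in args or "rule" in args):
            target = next((a for a in argv[1:] if a.lower().endswith(".exe")), "<unknown>")
            hits.append((p["pid"], "firewall_exception", target))
        # 4. Executable launched from the root of C:\Windows, where installers
        #    do not place binaries.
        if folder == r"c:\windows" and name.endswith(".exe"):
            hits.append((p["pid"], "exe_in_windows_root", image))
    return hits


def lineage(procs: List[Dict], pid: int) -> List[str]:
    """Image names from the root of the tree down to pid, for attribution."""
    by_pid = {p["pid"]: p for p in procs}
    chain = []
    while pid in by_pid:
        chain.append(ntpath.basename(tokenize(by_pid[pid]["cmd"])[0]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


if __name__ == "__main__":
    for pid, rule, detail in triage(PROCESSES):
        print(pid, rule, detail, "<-", " > ".join(lineage(PROCESSES, pid)))
```

The lineage walk matters more than any single rule: on a real host the netsh call is the event a firewall audit log surfaces, and walking it back to the dropper in %TEMP% is what turns one alert into the whole chain.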

Network

MITRE ATT&CK Matrix (ATT&CK v6)

Counts are the number of triggered signatures mapped to each technique.

  • Persistence
    Modify Existing Service (T1031): 1
    Registry Run Keys / Startup Folder (T1060): 1
  • Defense Evasion
    Virtualization/Sandbox Evasion (T1497): 2
    Modify Registry (T1112): 1
  • Discovery
    Query Registry (T1012): 3
    Virtualization/Sandbox Evasion (T1497): 2
    System Information Discovery (T1082): 2

      Downloads

      • C:\Program Files (x86)\ManyCam\ManyCam.exe
        MD5

        ecd3ec2aba759770e129440aa5985c96

        SHA1

        97953d72151bcaa2e3c4fdddc7880fcca941c326

        SHA256

        961d70674bb999ed28f222dd87ca796f92f8d51c0b4a6473dc2c5dc12e6fbda4

        SHA512

        8a51cb136ef38123c257b6406f7d1e762454cbe19f2db712d9ca935b1ef3c5d518d808dd395730afee4f6eff1df7edd235148ef0716791fce2c73b069929f5e2

      • C:\Users\Admin\AppData\Roaming\svchost.exe
        MD5

        5e8442e948b384d2c205a784a1b99e8f

        SHA1

        b38f50e5f653457c4740427d4a0aeb19a1c1c5d3

        SHA256

        a013e1dccfa46a4dc619e601da6a0e4d6dae00394fb318d6d806094cb6e702a3

        SHA512

        b141fe353492606ae1a1f3bb7c89bce1f12ae797846626a38eaa155a352c5ad0b5c7eca7824fcb9dc0523289bd5437463ebf64d55b9939e4fa82385a1e952857

      • C:\Windows\29.vbs
        MD5

        075b46ba25b7801dd128da786f8f5b84

        SHA1

        c18dda8bcc9607fd605223c66a7c733f288b38c7

        SHA256

        732677effcbb076611beccb4e258acf5917d18e237b113204222f816dc7736fa

        SHA512

        d90bf50a146b0d481c36462a075d0c2a118accdba28ebbdcfd13164fcefdb369c51b97f89a4a6489d1ca8eaa4282f0654c9ac4c46c6badc15eaf87c33693459b

      • C:\Windows\m2964.exe
        MD5

        d26080d79bc91999c0cf59e59533905b

        SHA1

        69f8528b78a2ff8607391ebc70153531c34e327b

        SHA256

        813529161d892d292ab69661c7db138432ce39d412b493ebb5baf21abcfd2f25

        SHA512

        e820af1ed8c7e8c806f267af49eb6918947f745b54cfe17cb53ea4314a0a31516088b998b275e61b805264f2156d34150b0753473f28e5adbc003b27514900ba

      • C:\Windows\manyc5m.exe
        MD5

        ffb0bcca45bd134426dc2ccc19599ce6

        SHA1

        0ecf6d8754315406b533d26a0f42b3518562a4ce

        SHA256

        f125fe67c68ab8d18b18ddc14a0d61cb034f2ef0936344b7edfdfe641633a8fe

        SHA512

        403e861d87fcc07bfe704dc77b3b700e01d7e958d65465a97bf3566616607bad39239f3b45684a4a9ac27e99a8c356213619812fa4ef47d92be11559239af0ad

      • C:\Windows\mncc64.exe
        MD5

        5e8442e948b384d2c205a784a1b99e8f

        SHA1

        b38f50e5f653457c4740427d4a0aeb19a1c1c5d3

        SHA256

        a013e1dccfa46a4dc619e601da6a0e4d6dae00394fb318d6d806094cb6e702a3

        SHA512

        b141fe353492606ae1a1f3bb7c89bce1f12ae797846626a38eaa155a352c5ad0b5c7eca7824fcb9dc0523289bd5437463ebf64d55b9939e4fa82385a1e952857

      • \Program Files (x86)\ManyCam\ManyCam.exe
        MD5

        ecd3ec2aba759770e129440aa5985c96

        SHA1

        97953d72151bcaa2e3c4fdddc7880fcca941c326

        SHA256

        961d70674bb999ed28f222dd87ca796f92f8d51c0b4a6473dc2c5dc12e6fbda4

        SHA512

        8a51cb136ef38123c257b6406f7d1e762454cbe19f2db712d9ca935b1ef3c5d518d808dd395730afee4f6eff1df7edd235148ef0716791fce2c73b069929f5e2

      • \Users\Admin\AppData\Roaming\svchost.exe
        MD5

        5e8442e948b384d2c205a784a1b99e8f

        SHA1

        b38f50e5f653457c4740427d4a0aeb19a1c1c5d3

        SHA256

        a013e1dccfa46a4dc619e601da6a0e4d6dae00394fb318d6d806094cb6e702a3

        SHA512

        b141fe353492606ae1a1f3bb7c89bce1f12ae797846626a38eaa155a352c5ad0b5c7eca7824fcb9dc0523289bd5437463ebf64d55b9939e4fa82385a1e952857

      • memory/684-84-0x0000000000000000-mapping.dmp
      • memory/684-88-0x00000000009F0000-0x00000000009F1000-memory.dmp
        Filesize

        4KB

      • memory/1116-61-0x0000000000000000-mapping.dmp
      • memory/1168-65-0x0000000000000000-mapping.dmp
      • memory/1188-69-0x0000000000000000-mapping.dmp
      • memory/1736-80-0x0000000000000000-mapping.dmp
      • memory/1748-89-0x0000000000000000-mapping.dmp
      • memory/1824-60-0x0000000075D51000-0x0000000075D53000-memory.dmp
        Filesize

        8KB

      • memory/1980-82-0x0000000000080000-0x0000000000081000-memory.dmp
        Filesize

        4KB

      • memory/1980-70-0x0000000000000000-mapping.dmp