Analysis

  • max time kernel
    144s
  • max time network
    160s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    02-11-2021 14:31

General

  • Target

    Q4EtLThkYlEkFvu.exe

  • Size

    474KB

  • MD5

    18156edcb0549e6e856811b5a57b951d

  • SHA1

    c9c773a0157562c8fa800aad23c670486fd63fbd

  • SHA256

    8c6ca1c8128480b39bed5d584b13880534bc0155cf05df5ab5ebd1dc63f53207

  • SHA512

    c881d069a6403a22b02ee71dd062fdb6718f23c6c1de859d142dcd9e4c642555c3c5f72bc6b0aa1bab3ff6539a7c59e3415bca0b8f636cfcc5b9dbd5afb39775

Malware Config

Extracted

Family

njrat

Version

v4.0

Botnet

order1

C2

45.137.22.146:5553

Mutex

Windows

Attributes
  • reg_key

    Windows

  • splitter

    |-F-|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

    suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

  • Executes dropped EXE 2 IoCs
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Q4EtLThkYlEkFvu.exe
    "C:\Users\Admin\AppData\Local\Temp\Q4EtLThkYlEkFvu.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3500
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yqbepZrEYRD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5E87.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:4716
    • C:\Users\Admin\AppData\Local\Temp\Q4EtLThkYlEkFvu.exe
      "C:\Users\Admin\AppData\Local\Temp\Q4EtLThkYlEkFvu.exe"
      2⤵
      • Drops startup file
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:4404
      • C:\Windows\Payload.exe
        "C:\Windows\Payload.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1436
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yqbepZrEYRD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp49B.tmp"
          4⤵
          • Creates scheduled task(s)
          PID:3884
        • C:\Windows\Payload.exe
          "C:\Windows\Payload.exe"
          4⤵
          • Executes dropped EXE
          • Drops startup file
          • Suspicious use of AdjustPrivilegeToken
          PID:4428
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h +r +s "C:\Windows\Payload.exe"
        3⤵
        • Drops file in Windows directory
        • Views/modifies file attributes
        PID:1652

Network

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Hidden Files and Directories

1
T1158

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Hidden Files and Directories

1
T1158

Discovery

System Information Discovery

1
T1082

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payload.exe.log
    MD5

    0c2899d7c6746f42d5bbe088c777f94c

    SHA1

    622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

    SHA256

    5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

    SHA512

    ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Q4EtLThkYlEkFvu.exe.log
    MD5

    0c2899d7c6746f42d5bbe088c777f94c

    SHA1

    622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

    SHA256

    5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

    SHA512

    ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
    MD5

    46562a709e5ec2dab9696cb27bd33b74

    SHA1

    aabc178c30e55066ce607209890032a61c0ea6f8

    SHA256

    fa1e5acb0728a372781bad0a82d0951ff90e12d4bbdcd2ddb42c444388b64d21

    SHA512

    309d3974ae4a84e763cff4000f7c52b84172ebfca7b1e7ce4eb077c54264a4cd3462d4e1d33a595b25bb64a10697f43dc56230caf30836b840a773e1490b69a3

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
    MD5

    b4fdc94f9046fd37a2e3eb86a3a90b2e

    SHA1

    c66dcf4da9990d7c5e05e746014959b2d6cafdbf

    SHA256

    7932091b665509fce9c35ab4b372ea30cb4a13dd1b8011b586cb840692988d37

    SHA512

    64d2608bcb9242fcd47fa1c2fb1517356aeed5096ad3d15e72e1ca976fa34346524ddaab18c78548074b51a7ecae642e3953d83d8692ac00ef1c777509603cef

  • C:\Windows\Payload.exe
    MD5

    18156edcb0549e6e856811b5a57b951d

    SHA1

    c9c773a0157562c8fa800aad23c670486fd63fbd

    SHA256

    8c6ca1c8128480b39bed5d584b13880534bc0155cf05df5ab5ebd1dc63f53207

    SHA512

    c881d069a6403a22b02ee71dd062fdb6718f23c6c1de859d142dcd9e4c642555c3c5f72bc6b0aa1bab3ff6539a7c59e3415bca0b8f636cfcc5b9dbd5afb39775

  • C:\Windows\Payload.exe
    MD5

    18156edcb0549e6e856811b5a57b951d

    SHA1

    c9c773a0157562c8fa800aad23c670486fd63fbd

    SHA256

    8c6ca1c8128480b39bed5d584b13880534bc0155cf05df5ab5ebd1dc63f53207

    SHA512

    c881d069a6403a22b02ee71dd062fdb6718f23c6c1de859d142dcd9e4c642555c3c5f72bc6b0aa1bab3ff6539a7c59e3415bca0b8f636cfcc5b9dbd5afb39775

  • C:\Windows\Payload.exe
    MD5

    18156edcb0549e6e856811b5a57b951d

    SHA1

    c9c773a0157562c8fa800aad23c670486fd63fbd

    SHA256

    8c6ca1c8128480b39bed5d584b13880534bc0155cf05df5ab5ebd1dc63f53207

    SHA512

    c881d069a6403a22b02ee71dd062fdb6718f23c6c1de859d142dcd9e4c642555c3c5f72bc6b0aa1bab3ff6539a7c59e3415bca0b8f636cfcc5b9dbd5afb39775

  • memory/1436-142-0x0000000004B70000-0x000000000506E000-memory.dmp
    Filesize

    5.0MB

  • memory/1436-132-0x0000000000000000-mapping.dmp
  • memory/1652-136-0x0000000000000000-mapping.dmp
  • memory/3500-122-0x0000000008C80000-0x0000000008C81000-memory.dmp
    Filesize

    4KB

  • memory/3500-119-0x00000000056D0000-0x00000000056D1000-memory.dmp
    Filesize

    4KB

  • memory/3500-117-0x0000000005CE0000-0x0000000005CE1000-memory.dmp
    Filesize

    4KB

  • memory/3500-118-0x0000000005700000-0x0000000005701000-memory.dmp
    Filesize

    4KB

  • memory/3500-123-0x0000000008D20000-0x0000000008D4C000-memory.dmp
    Filesize

    176KB

  • memory/3500-115-0x0000000000E00000-0x0000000000E01000-memory.dmp
    Filesize

    4KB

  • memory/3500-121-0x00000000057E0000-0x0000000005CDE000-memory.dmp
    Filesize

    5.0MB

  • memory/3500-120-0x00000000057C0000-0x00000000057C7000-memory.dmp
    Filesize

    28KB

  • memory/3884-145-0x0000000000000000-mapping.dmp
  • memory/4404-126-0x000000000040836E-mapping.dmp
  • memory/4404-125-0x0000000000400000-0x0000000000410000-memory.dmp
    Filesize

    64KB

  • memory/4428-147-0x000000000040836E-mapping.dmp
  • memory/4428-156-0x0000000006140000-0x0000000006141000-memory.dmp
    Filesize

    4KB

  • memory/4428-159-0x00000000063C0000-0x00000000063C1000-memory.dmp
    Filesize

    4KB

  • memory/4716-124-0x0000000000000000-mapping.dmp