Analysis
- max time kernel: 144s
- max time network: 160s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 02-11-2021 14:31

Static task: static1
Behavioral task: behavioral1
- Sample: Q4EtLThkYlEkFvu.exe
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: Q4EtLThkYlEkFvu.exe
- Resource: win10-en-20210920
General
- Target: Q4EtLThkYlEkFvu.exe
- Size: 474KB
- MD5: 18156edcb0549e6e856811b5a57b951d
- SHA1: c9c773a0157562c8fa800aad23c670486fd63fbd
- SHA256: 8c6ca1c8128480b39bed5d584b13880534bc0155cf05df5ab5ebd1dc63f53207
- SHA512: c881d069a6403a22b02ee71dd062fdb6718f23c6c1de859d142dcd9e4c642555c3c5f72bc6b0aa1bab3ff6539a7c59e3415bca0b8f636cfcc5b9dbd5afb39775
Malware Config
Extracted
- Family: njrat
- Version: v4.0
- Botnet: order1
- C2: 45.137.22.146:5553
- Mutex: Windows
- reg_key: Windows
- splitter: |-F-|
Signatures
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
- Executes dropped EXE (2 IoCs)
  Processes (pid | process):
    1436 | Payload.exe
    4428 | Payload.exe
- Drops startup file (2 IoCs)
  Processes (description | ioc | process):
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | Q4EtLThkYlEkFvu.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | Payload.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Windows\\Payload.exe" | Q4EtLThkYlEkFvu.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes (description | pid | process | target process):
    PID 3500 set thread context of 4404 | 3500 | Q4EtLThkYlEkFvu.exe | Q4EtLThkYlEkFvu.exe
    PID 1436 set thread context of 4428 | 1436 | Payload.exe | Payload.exe
- Drops file in Windows directory (2 IoCs)
  Processes (description | ioc | process):
    File created | C:\Windows\Payload.exe | Q4EtLThkYlEkFvu.exe
    File opened for modification | C:\Windows\Payload.exe | attrib.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes (pid | process):
    4716 | schtasks.exe
    3884 | schtasks.exe
- Suspicious use of AdjustPrivilegeToken (15 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 4428 | Payload.exe
    Token: 33 | 4428 | Payload.exe
    Token: SeIncBasePriorityPrivilege | 4428 | Payload.exe
    Token: 33 | 4428 | Payload.exe
    Token: SeIncBasePriorityPrivilege | 4428 | Payload.exe
    Token: 33 | 4428 | Payload.exe
    Token: SeIncBasePriorityPrivilege | 4428 | Payload.exe
    Token: 33 | 4428 | Payload.exe
    Token: SeIncBasePriorityPrivilege | 4428 | Payload.exe
    Token: 33 | 4428 | Payload.exe
    Token: SeIncBasePriorityPrivilege | 4428 | Payload.exe
    Token: 33 | 4428 | Payload.exe
    Token: SeIncBasePriorityPrivilege | 4428 | Payload.exe
    Token: 33 | 4428 | Payload.exe
    Token: SeIncBasePriorityPrivilege | 4428 | Payload.exe
- Suspicious use of WriteProcessMemory (28 IoCs)
  Processes (description | pid | process | target process):
    PID 3500 wrote to memory of 4716 | 3500 | Q4EtLThkYlEkFvu.exe | schtasks.exe
    PID 3500 wrote to memory of 4716 | 3500 | Q4EtLThkYlEkFvu.exe | schtasks.exe
    PID 3500 wrote to memory of 4716 | 3500 | Q4EtLThkYlEkFvu.exe | schtasks.exe
    PID 3500 wrote to memory of 4404 | 3500 | Q4EtLThkYlEkFvu.exe | Q4EtLThkYlEkFvu.exe
    PID 3500 wrote to memory of 4404 | 3500 | Q4EtLThkYlEkFvu.exe | Q4EtLThkYlEkFvu.exe
    PID 3500 wrote to memory of 4404 | 3500 | Q4EtLThkYlEkFvu.exe | Q4EtLThkYlEkFvu.exe
    PID 3500 wrote to memory of 4404 | 3500 | Q4EtLThkYlEkFvu.exe | Q4EtLThkYlEkFvu.exe
    PID 3500 wrote to memory of 4404 | 3500 | Q4EtLThkYlEkFvu.exe | Q4EtLThkYlEkFvu.exe
    PID 3500 wrote to memory of 4404 | 3500 | Q4EtLThkYlEkFvu.exe | Q4EtLThkYlEkFvu.exe
    PID 3500 wrote to memory of 4404 | 3500 | Q4EtLThkYlEkFvu.exe | Q4EtLThkYlEkFvu.exe
    PID 3500 wrote to memory of 4404 | 3500 | Q4EtLThkYlEkFvu.exe | Q4EtLThkYlEkFvu.exe
    PID 4404 wrote to memory of 1436 | 4404 | Q4EtLThkYlEkFvu.exe | Payload.exe
    PID 4404 wrote to memory of 1436 | 4404 | Q4EtLThkYlEkFvu.exe | Payload.exe
    PID 4404 wrote to memory of 1436 | 4404 | Q4EtLThkYlEkFvu.exe | Payload.exe
    PID 4404 wrote to memory of 1652 | 4404 | Q4EtLThkYlEkFvu.exe | attrib.exe
    PID 4404 wrote to memory of 1652 | 4404 | Q4EtLThkYlEkFvu.exe | attrib.exe
    PID 4404 wrote to memory of 1652 | 4404 | Q4EtLThkYlEkFvu.exe | attrib.exe
    PID 1436 wrote to memory of 3884 | 1436 | Payload.exe | schtasks.exe
    PID 1436 wrote to memory of 3884 | 1436 | Payload.exe | schtasks.exe
    PID 1436 wrote to memory of 3884 | 1436 | Payload.exe | schtasks.exe
    PID 1436 wrote to memory of 4428 | 1436 | Payload.exe | Payload.exe
    PID 1436 wrote to memory of 4428 | 1436 | Payload.exe | Payload.exe
    PID 1436 wrote to memory of 4428 | 1436 | Payload.exe | Payload.exe
    PID 1436 wrote to memory of 4428 | 1436 | Payload.exe | Payload.exe
    PID 1436 wrote to memory of 4428 | 1436 | Payload.exe | Payload.exe
    PID 1436 wrote to memory of 4428 | 1436 | Payload.exe | Payload.exe
    PID 1436 wrote to memory of 4428 | 1436 | Payload.exe | Payload.exe
    PID 1436 wrote to memory of 4428 | 1436 | Payload.exe | Payload.exe
- Views/modifies file attributes (1 TTPs, 1 IoCs)
Processes
Process (depth 1): C:\Users\Admin\AppData\Local\Temp\Q4EtLThkYlEkFvu.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Q4EtLThkYlEkFvu.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Process (depth 2): C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yqbepZrEYRD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5E87.tmp"
    - Creates scheduled task(s)
  Process (depth 2): C:\Users\Admin\AppData\Local\Temp\Q4EtLThkYlEkFvu.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Q4EtLThkYlEkFvu.exe"
    - Drops startup file
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    Process (depth 3): C:\Windows\Payload.exe
      Command line: "C:\Windows\Payload.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      Process (depth 4): C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yqbepZrEYRD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp49B.tmp"
        - Creates scheduled task(s)
      Process (depth 4): C:\Windows\Payload.exe
        Command line: "C:\Windows\Payload.exe"
        - Executes dropped EXE
        - Drops startup file
        - Suspicious use of AdjustPrivilegeToken
    Process (depth 3): C:\Windows\SysWOW64\attrib.exe
      Command line: attrib +h +r +s "C:\Windows\Payload.exe"
      - Drops file in Windows directory
      - Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads