Analysis

  max time kernel: 150s
  max time network: 135s
  platform: windows7_x64
  resource: win7-en-20211104
  submitted: 07-11-2021 02:41

Static task: static1

Behavioral task: behavioral1
  Sample: 71078D7CF6428403D8E6298613B1D2932D16129A0E033.exe
  Resource: win7-en-20211104
General

  Target: 71078D7CF6428403D8E6298613B1D2932D16129A0E033.exe
  Size: 222KB
  MD5: 9ba09fe66a6c0f30ccc1800487e14a33
  SHA1: 56a97a459acf4cd6403eaa174944f1d1db7957c6
  SHA256: 71078d7cf6428403d8e6298613b1d2932d16129a0e033f0c008abd7fb194ba80
  SHA512: 88679b1b788741d52c1a2d443fe4906231d1c7b7aa475bf1b22465d1e51001902f9d42aebc74680217cc69ecb79dbe1bad1e4962452b6416ae8071e6feb310b1
Malware Config

Extracted
  Family: njrat
  Version: 0.7d
  Botnet: 180721
  C2: 185.222.57.203:2282
  Mutex: 866d16940c2b513b37047e4f825bb8ff
  Attributes:
    reg_key: 866d16940c2b513b37047e4f825bb8ff
    splitter: |'|'|
Signatures

- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

- Executes dropped EXE (2 IoCs)
  Processes:
    pid 1812  svchost.exe
    pid 1104  svchost.exe

- Modifies Windows Firewall (1 TTPs)

- Drops startup file (2 IoCs)
  Processes:
    File created                 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\866d16940c2b513b37047e4f825bb8ff.exe   (svchost.exe)
    File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\866d16940c2b513b37047e4f825bb8ff.exe   (svchost.exe)

- Loads dropped DLL (1 IoCs)
  Processes:
    pid 924  71078D7CF6428403D8E6298613B1D2932D16129A0E033.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    Set value (str)  \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\866d16940c2b513b37047e4f825bb8ff = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchost.exe\" .."   (svchost.exe)
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\866d16940c2b513b37047e4f825bb8ff = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchost.exe\" .."   (svchost.exe)

- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
    PID 1504 set thread context of 924   71078D7CF6428403D8E6298613B1D2932D16129A0E033.exe -> 71078D7CF6428403D8E6298613B1D2932D16129A0E033.exe
    PID 1812 set thread context of 1104  svchost.exe -> svchost.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious use of AdjustPrivilegeToken (25 IoCs)
  Processes:
    Token: SeDebugPrivilege             1504  71078D7CF6428403D8E6298613B1D2932D16129A0E033.exe
    Token: SeDebugPrivilege             1812  svchost.exe
    Token: SeDebugPrivilege             1104  svchost.exe
    Token: 33                           1104  svchost.exe   (11 entries)
    Token: SeIncBasePriorityPrivilege   1104  svchost.exe   (11 entries)

- Suspicious use of WriteProcessMemory (26 IoCs)
  Processes:
    PID 1504 wrote to memory of 924   71078D7CF6428403D8E6298613B1D2932D16129A0E033.exe -> 71078D7CF6428403D8E6298613B1D2932D16129A0E033.exe   (9 entries)
    PID 924 wrote to memory of 1812   71078D7CF6428403D8E6298613B1D2932D16129A0E033.exe -> svchost.exe   (4 entries)
    PID 1812 wrote to memory of 1104  svchost.exe -> svchost.exe   (9 entries)
    PID 1104 wrote to memory of 1856  svchost.exe -> netsh.exe   (4 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\71078D7CF6428403D8E6298613B1D2932D16129A0E033.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\71078D7CF6428403D8E6298613B1D2932D16129A0E033.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\71078D7CF6428403D8E6298613B1D2932D16129A0E033.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\71078D7CF6428403D8E6298613B1D2932D16129A0E033.exe
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
         Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
            Command line: C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
            - Executes dropped EXE
            - Drops startup file
            - Adds Run key to start application
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\SysWOW64\netsh.exe
               Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe" "svchost.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
  MD5: 9ba09fe66a6c0f30ccc1800487e14a33
  SHA1: 56a97a459acf4cd6403eaa174944f1d1db7957c6
  SHA256: 71078d7cf6428403d8e6298613b1d2932d16129a0e033f0c008abd7fb194ba80
  SHA512: 88679b1b788741d52c1a2d443fe4906231d1c7b7aa475bf1b22465d1e51001902f9d42aebc74680217cc69ecb79dbe1bad1e4962452b6416ae8071e6feb310b1
- \Users\Admin\AppData\Roaming\Microsoft\svchost.exe
  MD5: 9ba09fe66a6c0f30ccc1800487e14a33
  SHA1: 56a97a459acf4cd6403eaa174944f1d1db7957c6
  SHA256: 71078d7cf6428403d8e6298613b1d2932d16129a0e033f0c008abd7fb194ba80
  SHA512: 88679b1b788741d52c1a2d443fe4906231d1c7b7aa475bf1b22465d1e51001902f9d42aebc74680217cc69ecb79dbe1bad1e4962452b6416ae8071e6feb310b1
- memory/924-59-0x0000000000400000-0x000000000040C000-memory.dmp
  Filesize: 48KB

- memory/924-61-0x0000000000400000-0x000000000040C000-memory.dmp
  Filesize: 48KB

- memory/924-63-0x0000000075141000-0x0000000075143000-memory.dmp
  Filesize: 8KB

- memory/924-60-0x000000000040748E-mapping.dmp

- memory/1104-73-0x000000000040748E-mapping.dmp

- memory/1104-79-0x0000000004D10000-0x0000000004D11000-memory.dmp
  Filesize: 4KB

- memory/1504-55-0x0000000000EB0000-0x0000000000EB1000-memory.dmp
  Filesize: 4KB

- memory/1504-58-0x00000000004F0000-0x000000000050C000-memory.dmp
  Filesize: 112KB

- memory/1504-57-0x0000000004B20000-0x0000000004B21000-memory.dmp
  Filesize: 4KB

- memory/1812-65-0x0000000000000000-mapping.dmp

- memory/1812-70-0x0000000004870000-0x0000000004871000-memory.dmp
  Filesize: 4KB

- memory/1812-68-0x0000000000AA0000-0x0000000000AA1000-memory.dmp
  Filesize: 4KB

- memory/1856-77-0x0000000000000000-mapping.dmp