Analysis
max time kernel: 151s
max time network: 150s
platform: windows7_x64
resource: win7-en-20211104
submitted: 10-11-2021 04:42
Behavioral task: behavioral1
Sample: 376C8EDBAFB727E3C48081AC3C6751DD6B73E73462C2A.exe
Resource: win7-en-20211104
General
Target: 376C8EDBAFB727E3C48081AC3C6751DD6B73E73462C2A.exe
Size: 93KB
MD5: 9f9dbbcabdc0f57b9b0d2f81410f5b5f
SHA1: b524af77112c726613fac681ba93d174e5c31932
SHA256: 376c8edbafb727e3c48081ac3c6751dd6b73e73462c2a26794b37cd44be4344d
SHA512: e8828f4caa5e325f51ed5cc07e40acbb807485bc28e7df55b11432972dcf28cd749ee543cb63bd4815919f4f24f94aa063acef9c994a5764562061ec9b8cf91b
Malware Config
Extracted
family: njrat
version: 0.7d
botnet (campaign id): HacKed
c2: FRANSESCOC50Y3Aubmdyb2suaW8Strik:MTIxNjE=
mutex: 854ee8c16d20a740152aef12b1a29af6
reg_key: 854ee8c16d20a740152aef12b1a29af6
splitter: |'|'|
Notes on the extracted values: "HacKed" is the njRAT builder's default campaign name, so it tells you nothing about the operator. The port half of the c2 field, MTIxNjE=, is base64 for 12161. The host half is not valid base64 end to end, but its substring OC50Y3Aubmdyb2suaW8 (with one '=' of padding) decodes to 8.tcp.ngrok.io, an ngrok TCP-tunnel hostname, so the listener was most likely exposed through an ngrok tunnel rather than a directly reachable host; the surrounding FRANSESC and Strik do not decode to printable text and this report does not explain them. The same 32-hex-character value is used as both mutex and reg_key and reappears in one of the Startup-folder file names listed under Signatures, which makes it a convenient pivot for hunting.
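As an added example (not part of the sandbox report), the script below decodes the extracted config and shows how a beacon is split on the configured splitter. The CONFIG values are the ones listed above. The frame layout (decimal length, NUL byte, payload, fields joined by the splitter), the SAMPLE_BEACON field contents and the reading of the Suricata rule's "(ll)" as njRAT's registration command are assumptions of the example; nothing on this page shows the actual traffic.

```python
"""
Decode the njRAT 0.7d config fields listed in this report and split a
beacon on the configured splitter. Added example, not part of the sandbox
report; CONFIG holds the report's values, SAMPLE_BEACON is constructed.
"""
import base64
import binascii
import re
import string

# Field values exactly as the report's "Malware Config" block lists them.
CONFIG = {
    "version": "0.7d",
    "botnet": "HacKed",
    "c2": "FRANSESCOC50Y3Aubmdyb2suaW8Strik:MTIxNjE=",
    "mutex": "854ee8c16d20a740152aef12b1a29af6",
    "reg_key": "854ee8c16d20a740152aef12b1a29af6",
    "splitter": "|'|'|",
}

_B64 = re.compile(r"[A-Za-z0-9+/]+")
_HOSTNAME = re.compile(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")
_PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def b64_printable(s: str):
    """Base64-decode s, tolerating missing '=' padding; return the text only
    if it is printable ASCII, otherwise None."""
    core = s.rstrip("=")
    if not core or not _B64.fullmatch(core) or len(core) % 4 == 1:
        return None
    try:
        raw = base64.b64decode(core + "=" * (-len(core) % 4), validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text and set(text) <= _PRINTABLE else None


def find_hostname(field: str):
    """Longest substring of field that base64-decodes to a hostname-shaped
    string, or None. Needed because the report's host field carries
    non-base64 text at both ends, so it cannot be decoded as a whole."""
    best = None
    for i in range(len(field)):
        for j in range(i + 1, len(field) + 1):
            text = b64_printable(field[i:j])
            if text and _HOSTNAME.fullmatch(text) and (best is None or len(text) > len(best)):
                best = text
    return best


def decode_config(cfg: dict) -> dict:
    """Split the c2 field into host and port; the other fields are stored in clear."""
    host_field, _, port_field = cfg["c2"].rpartition(":")
    port_text = b64_printable(port_field)
    return {
        "version": cfg["version"],
        "botnet": cfg["botnet"],
        "host": find_hostname(host_field),
        "port": int(port_text) if port_text and port_text.isdigit() else None,
        "mutex": cfg["mutex"],
        "reg_key": cfg["reg_key"],
    }


# Beacon framing (assumption): "<decimal length>\x00<payload>", payload fields
# joined by the configured splitter.
def frame(payload: bytes) -> bytes:
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def parse_frame(data: bytes, splitter: str = CONFIG["splitter"]):
    """Check the length prefix and split the payload on the splitter.
    Returns the list of fields, or None when the framing does not fit."""
    length, nul, payload = data.partition(b"\x00")
    if not nul or not length.isdigit() or int(length) != len(payload):
        return None
    return payload.decode("latin-1").split(splitter)


def is_registration(fields) -> bool:
    """'ll' is the command that opens the client's first message after
    connecting (assumption; the Suricata rule in the report is named after it)."""
    return bool(fields) and fields[0] == "ll" and len(fields) > 1


# Constructed registration beacon; the field layout is illustrative only.
SAMPLE_BEACON = frame(CONFIG["splitter"].join([
    "ll",
    base64.b64encode(f"{CONFIG['botnet']}_{CONFIG['mutex']}".encode()).decode(),
    "WIN7-PC",
    "Admin",
    "Win 7 Ultimate SP1 x64",
]).encode("latin-1"))

if __name__ == "__main__":
    print(decode_config(CONFIG))
    print(parse_frame(SAMPLE_BEACON))
```

find_hostname brute-forces every substring because the host field is not valid base64 as a whole; on this sample it yields 8.tcp.ngrok.io with port 12161, which is what to search for in DNS and proxy logs. parse_frame rejects data whose length prefix does not match the payload, so a rule built on it does not fire on arbitrary text that merely contains the splitter.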
Signatures
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) (fired twice)
-
Executes dropped EXE (1 IoC)
pid 820: server.exe
Modifies Windows Firewall (1 TTP): server.exe spawns netsh.exe to add itself as a firewall exception; the command line is in the process tree below.
-
Drops startup file (6 IoCs)
server.exe created, then opened for modification, each of:
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\854ee8c16d20a740152aef12b1a29af6Windows Update.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe
The second name is prefixed with the config's reg_key/mutex value; "Explower.exe" is an explorer.exe look-alike. All three are per-user Startup-folder entries and need no elevation.
Loads dropped DLL (2 IoCs)
pid 1052: 376C8EDBAFB727E3C48081AC3C6751DD6B73E73462C2A.exe (2 events)
Drops file in System32 directory (2 IoCs)
server.exe created, then opened for modification: C:\Windows\SysWOW64\Explower.exe
Drops file in Program Files directory (2 IoCs)
server.exe created, then opened for modification: C:\Program Files (x86)\Explower.exe
Creating files under C:\Windows\SysWOW64 and C:\Program Files (x86) requires administrative rights, so these two copies show the sandbox ran the sample elevated; on a least-privilege host both writes fail and only the Startup-folder copies remain.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; for an njRAT sample it is more consistent with the RAT's file-manager and removable-drive spreading features, and nothing else in this report indicates encryption activity.
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid 820: server.exe (64 events)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid 820: server.exe (repeated GetForegroundWindow calls, consistent with njRAT reporting the victim's active window title)
Suspicious use of AdjustPrivilegeToken (31 IoCs)
pid 820 (server.exe) enabled SeDebugPrivilege once, then 15 times the pair: privilege 33 (the LUID of SeIncreaseWorkingSetPrivilege, which the sandbox leaves unnamed) followed by SeIncBasePriorityPrivilege.
Suspicious use of WriteProcessMemory (8 IoCs)
PID 1052 (376C8EDBAFB727E3C48081AC3C6751DD6B73E73462C2A.exe) wrote to memory of PID 820 (server.exe): 4 events
PID 820 (server.exe) wrote to memory of PID 1124 (netsh.exe): 4 events
Both are parent-to-child writes coinciding with the process creations in the tree below, which the sandbox flags for any spawn; nothing here shows injection into an unrelated process.
Processes
C:\Users\Admin\AppData\Local\Temp\376C8EDBAFB727E3C48081AC3C6751DD6B73E73462C2A.exe (pid 1052)
    command line: "C:\Users\Admin\AppData\Local\Temp\376C8EDBAFB727E3C48081AC3C6751DD6B73E73462C2A.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\server.exe (pid 820, child of 1052)
        command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
        - Executes dropped EXE
        - Drops startup file
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\netsh.exe (pid 1124, child of 820)
            command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
            (legacy "netsh firewall" syntax, deprecated in favour of "netsh advfirewall" but still accepted on Windows 7; it adds server.exe to the firewall's allowed-programs list)
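The following is an added example, not part of the sandbox report, showing how the three behaviours that matter for persistence here (Startup-folder drops, drops into SysWOW64 and Program Files by a process running from %TEMP%, and the netsh allowed-program command) can be caught from endpoint telemetry. It runs three rules over constructed Sysmon-style events (EventID 1 process creation, EventID 11 file creation) that mirror this report's process tree and file IoCs, plus two benign events. The event field names, the benign events and the "user-writable path" heuristic are assumptions of the example.

```python
"""
Rules for the persistence and firewall behaviour in this report, run over
constructed Sysmon-style events. Added example, not part of the sandbox report.
EventID 1 = process creation, EventID 11 = file creation.
"""
import re
from collections import Counter

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
DROPPER = TEMP + r"\376C8EDBAFB727E3C48081AC3C6751DD6B73E73462C2A.exe"
SERVER = TEMP + r"\server.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

# Constructed events. Entries 0-6 mirror the report's process tree and file-drop
# IoCs; entries 7-8 are assumed benign noise to show the rules stay quiet on them.
EVENTS = [
    {"id": 1, "image": SERVER, "parent": DROPPER, "cmd": f'"{SERVER}"'},
    {"id": 11, "image": SERVER, "target": STARTUP + r"\Microsoft Corporation.exe"},
    {"id": 11, "image": SERVER, "target": STARTUP + r"\854ee8c16d20a740152aef12b1a29af6Windows Update.exe"},
    {"id": 11, "image": SERVER, "target": STARTUP + r"\Explower.exe"},
    {"id": 11, "image": SERVER, "target": r"C:\Windows\SysWOW64\Explower.exe"},
    {"id": 11, "image": SERVER, "target": r"C:\Program Files (x86)\Explower.exe"},
    {"id": 1, "image": r"C:\Windows\SysWOW64\netsh.exe", "parent": SERVER,
     "cmd": f'netsh firewall add allowedprogram "{SERVER}" "server.exe" ENABLE'},
    {"id": 11, "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"C:\Program Files (x86)\Vendor\app.exe"},
    {"id": 1, "image": r"C:\Windows\System32\netsh.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": "netsh advfirewall show allprofiles"},
]

# Paths a non-admin user can write to: per-user profile folders, Temp, ProgramData.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\|\\Temp\\|\\ProgramData\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
SYSTEM_DIRS = re.compile(r"^C:\\(Windows\\(System32|SysWOW64)|Program Files( \(x86\))?)\\", re.I)
# Legacy "netsh firewall add allowedprogram" (what this sample runs) and the
# modern "netsh advfirewall firewall add rule ... action=allow" equivalent.
FW_ALLOW = re.compile(
    r"firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule.*action\s*=\s*allow", re.I)


def rule_startup_drop(ev: dict) -> bool:
    """A process running from a user-writable path writes into a Startup folder."""
    return (ev["id"] == 11 and bool(STARTUP_DIR.search(ev["target"]))
            and bool(USER_WRITABLE.search(ev["image"])))


def rule_system_dir_drop(ev: dict) -> bool:
    """A process running from a user-writable path writes into System32/SysWOW64
    or Program Files, which it can only do when already elevated."""
    return (ev["id"] == 11 and bool(SYSTEM_DIRS.match(ev["target"]))
            and bool(USER_WRITABLE.search(ev["image"])))


def rule_netsh_allow(ev: dict) -> bool:
    """netsh adds a firewall allow entry for a program in a user-writable path,
    or is itself launched by a process from such a path."""
    if ev["id"] != 1 or not ev["image"].lower().endswith("\\netsh.exe"):
        return False
    if not FW_ALLOW.search(ev["cmd"]):
        return False
    return bool(USER_WRITABLE.search(ev["cmd"]) or USER_WRITABLE.search(ev["parent"]))


RULES = {
    "startup_folder_drop": rule_startup_drop,
    "system_dir_drop_by_user_path_process": rule_system_dir_drop,
    "netsh_firewall_allow_user_path": rule_netsh_allow,
}


def run_rules(events) -> list:
    """Return (rule name, event index) for every rule/event pair that fires."""
    return [(name, i) for i, ev in enumerate(events) for name, fn in RULES.items() if fn(ev)]


def summarize(hits) -> dict:
    """Count hits per rule name."""
    return dict(Counter(name for name, _ in hits))


if __name__ == "__main__":
    for name, i in run_rules(EVENTS):
        print(f"{name:40s} event {i}: {EVENTS[i].get('target') or EVENTS[i]['cmd']}")
```

The netsh rule keys on the parent process and the quoted program path rather than on netsh.exe alone, because administrators run netsh constantly; the benign "advfirewall show" event does not fire. Keep the legacy "netsh firewall" pattern even on current Windows builds, since the old context is still accepted there and malware written for Windows 7 keeps using it.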
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\server.exe (reported four times, under C:\Users\... and \Users\... paths)
MD5: 9f9dbbcabdc0f57b9b0d2f81410f5b5f
SHA1: b524af77112c726613fac681ba93d174e5c31932
SHA256: 376c8edbafb727e3c48081ac3c6751dd6b73e73462c2a26794b37cd44be4344d
SHA512: e8828f4caa5e325f51ed5cc07e40acbb807485bc28e7df55b11432972dcf28cd749ee543cb63bd4815919f4f24f94aa063acef9c994a5764562061ec9b8cf91b
These hashes match the submitted sample in the General section: the dropper writes a byte-for-byte copy of itself to %TEMP%\server.exe and runs that copy, so one hash covers both files.
-
C:\Users\Admin\AppData\Roaming\app
MD5: a65a8cc18c0fdcac3b78ed8f032e2f98
SHA1: 9087f7aaf4edf3b132348b1e5dfa7a678d57d40e
SHA256: ca1c5c735384c64968c987e3e608cb48a3cbd73e870f1bc6d60f2b24f9445e3a
SHA512: 8e56c9aa0c90fb30b488fa72a0b9d40e69c357e32d8e6f9d5a299dfbf9df8c896c28684d7163972019ab53dfcfe35dc75e9b305e07c81b9984a410e04b96186d
memory/820-59-0x0000000000000000-mapping.dmp
memory/820-64-0x0000000000080000-0x0000000000081000-memory.dmp (4KB)
memory/1052-55-0x0000000074E51000-0x0000000074E53000-memory.dmp (8KB)
memory/1052-56-0x00000000020E0000-0x00000000020E1000-memory.dmp (4KB)
memory/1124-65-0x0000000000000000-mapping.dmp