Analysis
-
max time kernel
152s -
max time network
150s -
platform
windows10_x64 -
resource
win10-en-20211104 -
submitted
10-11-2021 04:42
Behavioral task
behavioral1
Sample
376C8EDBAFB727E3C48081AC3C6751DD6B73E73462C2A.exe
Resource
win7-en-20211104
General
-
Target
376C8EDBAFB727E3C48081AC3C6751DD6B73E73462C2A.exe
-
Size
93KB
-
MD5
9f9dbbcabdc0f57b9b0d2f81410f5b5f
-
SHA1
b524af77112c726613fac681ba93d174e5c31932
-
SHA256
376c8edbafb727e3c48081ac3c6751dd6b73e73462c2a26794b37cd44be4344d
-
SHA512
e8828f4caa5e325f51ed5cc07e40acbb807485bc28e7df55b11432972dcf28cd749ee543cb63bd4815919f4f24f94aa063acef9c994a5764562061ec9b8cf91b
Malware Config
Extracted
njrat
0.7d
HacKed
FRANSESCOC50Y3Aubmdyb2suaW8Strik:MTIxNjE=
854ee8c16d20a740152aef12b1a29af6
-
reg_key
854ee8c16d20a740152aef12b1a29af6
-
splitter
|'|'|
Signatures
-
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
-
Executes dropped EXE 1 IoCs
Processes:
server.exepid process 424 server.exe -
Modifies Windows Firewall 1 TTPs
-
Drops startup file 6 IoCs
Processes:
server.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\854ee8c16d20a740152aef12b1a29af6Windows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\854ee8c16d20a740152aef12b1a29af6Windows Update.exe server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe -
Drops file in System32 directory 2 IoCs
Processes:
server.exedescription ioc process File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe File created C:\Windows\SysWOW64\Explower.exe server.exe -
Drops file in Program Files directory 2 IoCs
Processes:
server.exedescription ioc process File opened for modification C:\Program Files (x86)\Explower.exe server.exe File created C:\Program Files (x86)\Explower.exe server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
server.exepid process 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe 424 server.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
server.exepid process 424 server.exe -
Suspicious use of AdjustPrivilegeToken 33 IoCs
Processes:
server.exedescription pid process Token: SeDebugPrivilege 424 server.exe Token: 33 424 server.exe Token: SeIncBasePriorityPrivilege 424 server.exe Token: 33 424 server.exe Token: SeIncBasePriorityPrivilege 424 server.exe Token: 33 424 server.exe Token: SeIncBasePriorityPrivilege 424 server.exe Token: 33 424 server.exe Token: SeIncBasePriorityPrivilege 424 server.exe Token: 33 424 server.exe Token: SeIncBasePriorityPrivilege 424 server.exe Token: 33 424 server.exe Token: SeIncBasePriorityPrivilege 424 server.exe Token: 33 424 server.exe Token: SeIncBasePriorityPrivilege 424 server.exe Token: 33 424 server.exe Token: SeIncBasePriorityPrivilege 424 server.exe Token: 33 424 server.exe Token: SeIncBasePriorityPrivilege 424 server.exe Token: 33 424 server.exe Token: SeIncBasePriorityPrivilege 424 server.exe Token: 33 424 server.exe Token: SeIncBasePriorityPrivilege 424 server.exe Token: 33 424 server.exe Token: SeIncBasePriorityPrivilege 424 server.exe Token: 33 424 server.exe Token: SeIncBasePriorityPrivilege 424 server.exe Token: 33 424 server.exe Token: SeIncBasePriorityPrivilege 424 server.exe Token: 33 424 server.exe Token: SeIncBasePriorityPrivilege 424 server.exe Token: 33 424 server.exe Token: SeIncBasePriorityPrivilege 424 server.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
376C8EDBAFB727E3C48081AC3C6751DD6B73E73462C2A.exeserver.exedescription pid process target process PID 4208 wrote to memory of 424 4208 376C8EDBAFB727E3C48081AC3C6751DD6B73E73462C2A.exe server.exe PID 4208 wrote to memory of 424 4208 376C8EDBAFB727E3C48081AC3C6751DD6B73E73462C2A.exe server.exe PID 4208 wrote to memory of 424 4208 376C8EDBAFB727E3C48081AC3C6751DD6B73E73462C2A.exe server.exe PID 424 wrote to memory of 4216 424 server.exe netsh.exe PID 424 wrote to memory of 4216 424 server.exe netsh.exe PID 424 wrote to memory of 4216 424 server.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\376C8EDBAFB727E3C48081AC3C6751DD6B73E73462C2A.exe"C:\Users\Admin\AppData\Local\Temp\376C8EDBAFB727E3C48081AC3C6751DD6B73E73462C2A.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"2⤵
- Executes dropped EXE
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\server.exeMD5
9f9dbbcabdc0f57b9b0d2f81410f5b5f
SHA1b524af77112c726613fac681ba93d174e5c31932
SHA256376c8edbafb727e3c48081ac3c6751dd6b73e73462c2a26794b37cd44be4344d
SHA512e8828f4caa5e325f51ed5cc07e40acbb807485bc28e7df55b11432972dcf28cd749ee543cb63bd4815919f4f24f94aa063acef9c994a5764562061ec9b8cf91b
-
C:\Users\Admin\AppData\Local\Temp\server.exeMD5
9f9dbbcabdc0f57b9b0d2f81410f5b5f
SHA1b524af77112c726613fac681ba93d174e5c31932
SHA256376c8edbafb727e3c48081ac3c6751dd6b73e73462c2a26794b37cd44be4344d
SHA512e8828f4caa5e325f51ed5cc07e40acbb807485bc28e7df55b11432972dcf28cd749ee543cb63bd4815919f4f24f94aa063acef9c994a5764562061ec9b8cf91b
-
C:\Users\Admin\AppData\Roaming\appMD5
fba73ce50d8cfb469ec29a2333b22a85
SHA14b7b6dfb36af4a016301dc065870dd0829db0a55
SHA25656ae4e1144656432194c610e366fb556f7401a9993e75c0007f46397a5ddfa03
SHA512b620d99e15c25e970a09738d14b493b2345ec1eb48737e2983565666a3c052d235712db01a110c9948dc00d62a14fcccf43ccc295f993d673334dc88497c77c7
-
memory/424-119-0x0000000000000000-mapping.dmp
-
memory/424-123-0x0000000002E00000-0x0000000002E01000-memory.dmpFilesize
4KB
-
memory/4208-118-0x0000000001270000-0x0000000001271000-memory.dmpFilesize
4KB
-
memory/4216-124-0x0000000000000000-mapping.dmp