Analysis
- max time kernel: 153s
- max time network: 143s
- platform: windows10_x64
- resource: win10-en-20211104
- submitted: 07-12-2021 17:28

Behavioral task behavioral1
- Sample: a2105798edb6b4164a60c200ad1c4e3a.exe
- Resource: win7-en-20211014

Behavioral task behavioral2
- Sample: a2105798edb6b4164a60c200ad1c4e3a.exe
- Resource: win10-en-20211104
General
- Target: a2105798edb6b4164a60c200ad1c4e3a.exe
- Size: 27KB
- MD5: a2105798edb6b4164a60c200ad1c4e3a
- SHA1: 2d9a66acba0e05de797f82d4a7b1d266d057078c
- SHA256: 746e511b6f9291eea51de5f16e65eeeb5341049cb82ad8abe13d01452e85e469
- SHA512: 7ae2ff37e92b1f1e8d67b2963449d6dc9d10b7ba2d0920e10439f88ce9ff495510760ff500e4c290c2b48a51b6ace0f14cefe0020240b1c846a1594db4174088
Malware Config
Extracted
- family: njrat
- version: v2.0
- botnet: HacKed
- C2: melhortrojanrerer.duckdns.org:5552
- mutex: Windows
- reg_key: Windows
- splitter: |-F-|
Signatures

suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

Executes dropped EXE (1 IoC)
Processes:
- system.exe, pid 3980

Drops startup file (4 IoCs)
Processes: a2105798edb6b4164a60c200ad1c4e3a.exe, system.exe
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk (a2105798edb6b4164a60c200ad1c4e3a.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk (system.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe (system.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe (system.exe)

Adds Run key to start application (2 TTPs, 5 IoCs)
Processes: system.exe, a2105798edb6b4164a60c200ad1c4e3a.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" (system.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" (system.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\system.exe" (a2105798edb6b4164a60c200ad1c4e3a.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" (system.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" (system.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (33 IoCs)
Processes: system.exe (pid 3980). The 33 entries are, in order:
- Token: SeDebugPrivilege, pid 3980, system.exe
- Token: 33, pid 3980, system.exe
- Token: SeIncBasePriorityPrivilege, pid 3980, system.exe
The last two entries then alternate for the remainder of the list.

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: a2105798edb6b4164a60c200ad1c4e3a.exe
- PID 2396 wrote to memory of 3980 (a2105798edb6b4164a60c200ad1c4e3a.exe -> system.exe), three entries
- PID 2396 wrote to memory of 1348 (a2105798edb6b4164a60c200ad1c4e3a.exe -> attrib.exe), three entries

Views/modifies file attributes (1 TTP, 1 IoC)
Processes
- C:\Users\Admin\AppData\Local\Temp\a2105798edb6b4164a60c200ad1c4e3a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a2105798edb6b4164a60c200ad1c4e3a.exe" (depth 1)
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\system.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\system.exe" (depth 2)
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
  - Child: C:\Windows\SysWOW64\attrib.exe
    Command line: attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\system.exe" (depth 2)
    - Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\system.exe
  MD5: a2105798edb6b4164a60c200ad1c4e3a
  SHA1: 2d9a66acba0e05de797f82d4a7b1d266d057078c
  SHA256: 746e511b6f9291eea51de5f16e65eeeb5341049cb82ad8abe13d01452e85e469
  SHA512: 7ae2ff37e92b1f1e8d67b2963449d6dc9d10b7ba2d0920e10439f88ce9ff495510760ff500e4c290c2b48a51b6ace0f14cefe0020240b1c846a1594db4174088
  (these match the submitted sample's hashes: the dropped system.exe is a copy of the sample)
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
  MD5: de8251369fa42d8387f3a6b7e26e28ed
  SHA1: 812de09947f98566a945fc550dc40cbd7a09fd1b
  SHA256: 6487d55a15cf8865c91915718554e512aa2a387d33f752e73867a5cca55c92c1
  SHA512: 1b5a265ce3628f372736359fe59caf92e94b8d41837f89046c406821f2d044dcf35d1be14bc6d0b3e20ba5ef8b6668b8295bd8bcbe032b5edf88578f7771bcc1
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
  MD5: 575936fce0f285df7d7975792778a591
  SHA1: 9d7d58769f52c14ddefd272d787649b24469a08c
  SHA256: d1f641656c2b7eff9310bf67674344b1533837fb13336bc881f8956bc3976039
  SHA512: 30972f882b0ff5b2ced8965682b883e6e8f264502c07cda9effc99ea65df4414196dd0bd2eee1524d302253e8991859e2added6fa78a795e4bc96590f33712f6
- memory/1348-121-0x0000000000000000-mapping.dmp
- memory/2396-118-0x0000000002CF0000-0x0000000002CF1000-memory.dmp
  Filesize: 4KB
- memory/3980-119-0x0000000000000000-mapping.dmp
- memory/3980-125-0x0000000002500000-0x0000000002501000-memory.dmp
  Filesize: 4KB