Analysis
max time kernel: 150s
max time network: 149s
platform: windows7_x64
resource: win7-en-20211208
submitted: 20-12-2021 21:27
Behavioral task: behavioral1
Sample: 0eec81702c233690c337241bf260b6cb.exe
Resource: win7-en-20211208
General
Target: 0eec81702c233690c337241bf260b6cb.exe
Size: 23KB
MD5: 0eec81702c233690c337241bf260b6cb
SHA1: 612bcf1d18bedb0a41ad1332d7a386ae17ffb6f5
SHA256: edb3b0b8793cb5d62752e6cf2adf9f6d2e3fb736692d604c1ae63f607f0adbb9
SHA512: 701f1ae5e8b1d4b6256cf34417570f525606acf5c2c08b48f49c0b2fad6d8c16f97735555527ea738c2d7a7b3d3b3bec9753baba103a98a52bcbd528d3c2a9db
Malware Config
Extracted
Family: njrat
Version: 0.7d
Hacking
C2: 2.tcp.ngrok.io:19922
e2ad17efa2778f92dcb53a1b843be36d
reg_key: e2ad17efa2778f92dcb53a1b843be36d
splitter: |'|'|
Signatures
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
Executes dropped EXE (1 IoC)
Processes (pid, process):
- 524  svchost.exe
Modifies Windows Firewall (1 TTP)
Drops startup file (2 IoCs)
Processes (description, ioc, process):
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e2ad17efa2778f92dcb53a1b843be36d.exe (svchost.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e2ad17efa2778f92dcb53a1b843be36d.exe (svchost.exe)
Loads dropped DLL (1 IoC)
Processes (pid, process):
- 628  0eec81702c233690c337241bf260b6cb.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description, ioc, process):
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\e2ad17efa2778f92dcb53a1b843be36d = "\"C:\\ProgramData\\svchost.exe\" .." (svchost.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\e2ad17efa2778f92dcb53a1b843be36d = "\"C:\\ProgramData\\svchost.exe\" .." (svchost.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (35 IoCs)
Processes (description, pid, process):
- Token: SeDebugPrivilege  524  svchost.exe
- Token: 33  524  svchost.exe
- Token: SeIncBasePriorityPrivilege  524  svchost.exe
(the remaining 34 entries alternate between the last two, 17 of each, all for PID 524 svchost.exe)
Suspicious use of WriteProcessMemory (8 IoCs)
Processes (description, pid, process, target process):
- PID 628 wrote to memory of 524  0eec81702c233690c337241bf260b6cb.exe -> svchost.exe  (4 occurrences)
- PID 524 wrote to memory of 1412  svchost.exe -> netsh.exe  (4 occurrences)
Processes
1. C:\Users\Admin\AppData\Local\Temp\0eec81702c233690c337241bf260b6cb.exe (PID 628)
   Command line: "C:\Users\Admin\AppData\Local\Temp\0eec81702c233690c337241bf260b6cb.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\ProgramData\svchost.exe (PID 524), child of 1
      Command line: "C:\ProgramData\svchost.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe (PID 1412), child of 2
         Command line: netsh firewall add allowedprogram "C:\ProgramData\svchost.exe" "svchost.exe" ENABLE
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 0eec81702c233690c337241bf260b6cb
SHA1: 612bcf1d18bedb0a41ad1332d7a386ae17ffb6f5
SHA256: edb3b0b8793cb5d62752e6cf2adf9f6d2e3fb736692d604c1ae63f607f0adbb9
SHA512: 701f1ae5e8b1d4b6256cf34417570f525606acf5c2c08b48f49c0b2fad6d8c16f97735555527ea738c2d7a7b3d3b3bec9753baba103a98a52bcbd528d3c2a9db