Analysis
- max time kernel: 150s
- max time network: 141s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 24-12-2021 18:07

Behavioral task: behavioral1
- Sample: dd5f2accefc6c6e3f0ffaa939e7466b0.exe
- Resource: win7-en-20211208
General
- Target: dd5f2accefc6c6e3f0ffaa939e7466b0.exe
- Size: 93KB
- MD5: dd5f2accefc6c6e3f0ffaa939e7466b0
- SHA1: 9acf53d5bf720e9bd7ebd2222d9c367be68eb6c4
- SHA256: 01a7fccd0aa64adcaa13e7109f8c969cabefcba820efaafbd75c6cd28490fe64
- SHA512: e64d7c39b806d7a0bfa1065b50320f227e632f74b69f084f4f721f15f06dffb07e6f7addc5bed574359419922b06915b33b9834ed391b5f6baffd30ded7fa02e
Malware Config
Extracted
- family: njrat
- version: 0.7d
- botnet: HacKed
- c2: aXZpendpei5kZG5zLm5ldAStrikStrik:MTEyMg==
- mutex: 2fc48b1a11b49734cf2eee30891a9de9
- reg_key: 2fc48b1a11b49734cf2eee30891a9de9
- splitter: |'|'|

The c2 field is printed the way the builder stores it: a base64 host, an interposed literal StrikStrik that has to be stripped before decoding, a colon and a base64 port. Decoded, aXZpendpei5kZG5zLm5ldA is ivizwiz.ddns.net and MTEyMg== is 1122, so the implant connects to ivizwiz.ddns.net:1122. HacKed is the njRAT builder's default campaign name. The 32-hex value is the victim identifier njRAT uses as its mutex name and, when registry persistence is enabled, as the Run value name; this run shows Startup-folder persistence instead (see Signatures), but the mutex alone is a usable host IoC. The splitter |'|'| is the field delimiter in njRAT's C2 messages.
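A worked decoding of the fields above, added here as an example and not part of the report or of any extractor's code. It assumes the StrikStrik text in the c2 field is a literal to remove before base64-decoding. The framing in build_frame/parse_frame (ASCII decimal length, a NUL byte, then the splitter-joined fields) is assumed from njRAT 0.7d's known message format rather than from anything in this report, and the frame it parses is constructed, not captured traffic.

```python
from __future__ import annotations

import base64

# The configuration fields exactly as the report's extractor printed them.
NJRAT_CONFIG = {
    "family": "njrat",
    "version": "0.7d",
    "botnet": "HacKed",
    "c2": "aXZpendpei5kZG5zLm5ldAStrikStrik:MTEyMg==",
    "mutex": "2fc48b1a11b49734cf2eee30891a9de9",
    "reg_key": "2fc48b1a11b49734cf2eee30891a9de9",
    "splitter": "|'|'|",
}

# Assumption: the "StrikStrik" text inside the c2 field is a literal left by the
# builder and is not part of the base64 host, so it is removed before decoding.
C2_TAG = "StrikStrik"


def b64_loose(text: str) -> str:
    """Decode base64 whose '=' padding may have been dropped (the host's was)."""
    text = text.strip()
    text += "=" * (-len(text) % 4)
    return base64.b64decode(text, validate=True).decode("utf-8")


def decode_c2(field: str) -> tuple[str, int]:
    """Turn the extractor's host:port field into a (hostname, port) pair."""
    host_b64, sep, port_b64 = field.partition(":")
    if not sep:
        raise ValueError("c2 field has no ':' between host and port")
    host = b64_loose(host_b64.replace(C2_TAG, ""))
    port = int(b64_loose(port_b64))
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return host, port


def build_frame(fields: list[str], splitter: str) -> bytes:
    """Assemble one message in the assumed njRAT 0.7d framing:
    ASCII decimal body length, NUL, body; body fields joined by the splitter."""
    body = splitter.join(fields).encode("utf-8")
    return str(len(body)).encode("ascii") + b"\x00" + body


def parse_frame(raw: bytes, splitter: str) -> tuple[str, list[str]]:
    """Inverse of build_frame: returns (command, arguments)."""
    length, sep, body = raw.partition(b"\x00")
    if not sep or not length.isdigit():
        raise ValueError("not a length-prefixed njRAT frame")
    n = int(length)
    if len(body) < n:
        raise ValueError("truncated frame")
    parts = body[:n].decode("utf-8", errors="replace").split(splitter)
    return parts[0], parts[1:]


def summarize(config: dict) -> dict:
    """Human-usable view of the config: C2 endpoint, campaign, host IoC."""
    host, port = decode_c2(config["c2"])
    return {
        "c2_host": host,
        "c2_port": port,
        "campaign": config["botnet"],
        "mutex": config["mutex"],
        "mutex_is_reg_key": config["mutex"] == config["reg_key"],
    }


if __name__ == "__main__":
    print(summarize(NJRAT_CONFIG))
    # Constructed frame, not captured traffic: the "ll" command name from the
    # Suricata rule followed by two made-up fields.
    frame = build_frame(["ll", "HacKed", "WIN7-PC"], NJRAT_CONFIG["splitter"])
    print(frame, parse_frame(frame, NJRAT_CONFIG["splitter"]))
```

b64_loose repairs missing padding because the host value on the page is 22 characters, which is not a multiple of four; validate=True still rejects anything outside the base64 alphabet, so a field that was not actually base64 fails loudly instead of decoding to garbage.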
Signatures
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

- Executes dropped EXE (1 IoC)
  Processes:
  pid 760  server.exe

- Modifies Windows Firewall (1 TTP)
  (the netsh.exe command line is shown in the process tree below)

- Drops startup file (2 IoCs)
  Processes:
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Javax64.exe   server.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Javax64.exe   server.exe

- Loads dropped DLL (2 IoCs)
  Processes:
  pid 600  dd5f2accefc6c6e3f0ffaa939e7466b0.exe   (2 loads)

- Drops file in System32 directory (2 IoCs)
  Processes:
  File created                  C:\Windows\SysWOW64\Javax64.exe   server.exe
  File opened for modification  C:\Windows\SysWOW64\Javax64.exe   server.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; for an njRAT sample it is more consistent with the RAT's own drive enumeration (file manager, removable-drive spreading) than with file encryption, and no encryption-related signature fired in this run.

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
  pid 760  server.exe

- Suspicious use of AdjustPrivilegeToken (37 IoCs)
  Processes:
  Token: SeDebugPrivilege             pid 760  server.exe   (1)
  Token: 33                           pid 760  server.exe   (18)
  Token: SeIncBasePriorityPrivilege   pid 760  server.exe   (18)
  In the raw log the 33 and SeIncBasePriorityPrivilege entries alternate, i.e. the same two-step adjustment is repeated 18 times by one process. 33 is the privilege's raw LUID value as the sandbox reported it (SE_INC_WORKING_SET_PRIVILEGE in winnt.h).

- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  PID 600 wrote to memory of 760   dd5f2accefc6c6e3f0ffaa939e7466b0.exe -> server.exe   (4)
  PID 760 wrote to memory of 624   server.exe -> netsh.exe   (4)
  Both targets are children the writing process had just spawned (600 launched 760, 760 launched 624), which is what a sandbox typically records for ordinary process creation; there is no write into an unrelated process, so this signature by itself is not evidence of injection.
Processes
- C:\Users\Admin\AppData\Local\Temp\dd5f2accefc6c6e3f0ffaa939e7466b0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dd5f2accefc6c6e3f0ffaa939e7466b0.exe"
  PID: 600 (level 1)
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\server.exe
    Command line: "C:\Users\Admin\AppData\Roaming\server.exe"
    PID: 760 (level 2, child of 600)
    - Executes dropped EXE
    - Drops startup file
    - Drops file in System32 directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
      PID: 624 (level 3, child of 760)
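The tree above is the standard njRAT install chain: the dropper copies itself to %AppData%\server.exe, the copy runs netsh to whitelist itself in the Windows Firewall, and it writes Javax64.exe into the user's Startup folder and into SysWOW64. The hunting logic below is an added example written for this page, not sandbox or vendor code. It runs over constructed process-creation and file-write records modelled on the report (plus one benign control case in each list, which is invented) and flags two things: netsh commands that open the firewall for a binary in a user-writable directory or for the parent process itself, and executables dropped into Startup or System32/SysWOW64 by a process that runs from a user-writable path.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class FileEvent:
    pid: int
    image: str   # writing process
    target: str  # file created or modified


# Constructed events modelled on the report's process tree and file IoCs.
# The last entry of each list is a benign control case; none of this is real telemetry.
PROC_EVENTS = [
    ProcEvent(600, 1000, r"C:\Users\Admin\AppData\Local\Temp\dd5f2accefc6c6e3f0ffaa939e7466b0.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\dd5f2accefc6c6e3f0ffaa939e7466b0.exe"'),
    ProcEvent(760, 600, r"C:\Users\Admin\AppData\Roaming\server.exe",
              r'"C:\Users\Admin\AppData\Roaming\server.exe"'),
    ProcEvent(624, 760, r"C:\Windows\SysWOW64\netsh.exe",
              r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE'),
    ProcEvent(900, 500, r"C:\Windows\System32\netsh.exe",
              r'netsh advfirewall firewall add rule name="Sync" dir=in action=allow program="C:\Program Files\Sync\sync.exe"'),
]
FILE_EVENTS = [
    FileEvent(760, r"C:\Users\Admin\AppData\Roaming\server.exe",
              r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Javax64.exe"),
    FileEvent(760, r"C:\Users\Admin\AppData\Roaming\server.exe", r"C:\Windows\SysWOW64\Javax64.exe"),
    FileEvent(300, r"C:\Program Files\Sync\setup.exe", r"C:\Program Files\Sync\sync.exe"),
]

# Directories an unprivileged user can write to.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.I)
# Persistence locations the sample used.
PERSIST_DIRS = re.compile(r"\\Start Menu\\Programs\\Startup\\|\\Windows\\(System32|SysWOW64)\\", re.I)
# Legacy "netsh firewall" syntax (as in the report) and the newer advfirewall syntax.
LEGACY_RE = re.compile(r'\bfirewall\s+add\s+allowedprogram\s+(?:"([^"]+)"|(\S+))', re.I)
ADV_RE = re.compile(r'\badvfirewall\s+firewall\s+add\s+rule\b.*?\bprogram=(?:"([^"]+)"|(\S+))', re.I)


def allowed_program(cmdline: str) -> str | None:
    """Return the program path a netsh command line allows through the firewall."""
    for rx in (LEGACY_RE, ADV_RE):
        m = rx.search(cmdline)
        if m:
            return m.group(1) or m.group(2)
    return None


def find_firewall_exclusions(events: list[ProcEvent]) -> list[tuple[int, str, list[str]]]:
    """Flag netsh runs that whitelist a user-writable or self-referencing binary."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\netsh.exe"):
            continue
        prog = allowed_program(e.cmdline)
        if prog is None:
            continue
        reasons = []
        if USER_WRITABLE.search(prog):
            reasons.append("allowed program is in a user-writable directory")
        parent = by_pid.get(e.ppid)
        if parent and parent.image.lower() == prog.lower():
            reasons.append("parent process is whitelisting itself")
        if reasons:
            hits.append((e.pid, prog, reasons))
    return hits


def find_persistence_drops(events: list[FileEvent]) -> list[tuple[int, str]]:
    """Flag .exe files written into Startup or System32/SysWOW64 by a process
    that itself runs from a user-writable path."""
    return [(f.pid, f.target) for f in events
            if f.target.lower().endswith(".exe")
            and PERSIST_DIRS.search(f.target)
            and USER_WRITABLE.search(f.image)]


if __name__ == "__main__":
    for hit in find_firewall_exclusions(PROC_EVENTS):
        print("firewall exclusion:", hit)
    for hit in find_persistence_drops(FILE_EVENTS):
        print("persistence drop:", hit)
```

The report's command uses the deprecated netsh firewall context, which still works on Windows 7; on later Windows the same intent shows up as netsh advfirewall firewall add rule ... program=..., so both syntaxes are parsed. The self-whitelisting check needs the parent's image path, which is why the detector keys events by PID rather than looking at the netsh line in isolation.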
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\app
  MD5: 8fc22f973bec7f0525710dcf02f05edf
  SHA1: 418f88fe2c59f8d9579994aec4034d785e8ac00c
  SHA256: ba0e21ceb11b1ec62709b0141373ce65de5a156b822c9b6d3c3f9ed9ab224a46
  SHA512: ac280118b4b0ee9643ecc464bfc91682ccccd530efa81dcc3d9471044305d59de661f865560206f089822299cb431dbad9f81a16ad667251375746d406f2b44d
- C:\Users\Admin\AppData\Roaming\server.exe
  (recorded four times, twice as C:\Users\Admin\AppData\Roaming\server.exe and twice as \Users\Admin\AppData\Roaming\server.exe, all with identical hashes)
  MD5: dd5f2accefc6c6e3f0ffaa939e7466b0
  SHA1: 9acf53d5bf720e9bd7ebd2222d9c367be68eb6c4
  SHA256: 01a7fccd0aa64adcaa13e7109f8c969cabefcba820efaafbd75c6cd28490fe64
  SHA512: e64d7c39b806d7a0bfa1065b50320f227e632f74b69f084f4f721f15f06dffb07e6f7addc5bed574359419922b06915b33b9834ed391b5f6baffd30ded7fa02e
  These hashes match the submitted sample exactly: server.exe is a byte-for-byte copy of dd5f2accefc6c6e3f0ffaa939e7466b0.exe, not a second-stage payload.
- memory/600-54-0x0000000076151000-0x0000000076153000-memory.dmp (8KB)
- memory/600-55-0x0000000000DB0000-0x0000000000DB1000-memory.dmp (4KB)
- memory/624-64-0x0000000000000000-mapping.dmp
- memory/760-58-0x0000000000000000-mapping.dmp
- memory/760-62-0x00000000004D0000-0x00000000004D1000-memory.dmp (4KB)