Analysis
- max time kernel: 144s
- max time network: 146s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 24-12-2021 18:07

Behavioral task: behavioral1
- Sample: dd5f2accefc6c6e3f0ffaa939e7466b0.exe
- Resource: win7-en-20211208
General
- Target: dd5f2accefc6c6e3f0ffaa939e7466b0.exe
- Size: 93KB
- MD5: dd5f2accefc6c6e3f0ffaa939e7466b0
- SHA1: 9acf53d5bf720e9bd7ebd2222d9c367be68eb6c4
- SHA256: 01a7fccd0aa64adcaa13e7109f8c969cabefcba820efaafbd75c6cd28490fe64
- SHA512: e64d7c39b806d7a0bfa1065b50320f227e632f74b69f084f4f721f15f06dffb07e6f7addc5bed574359419922b06915b33b9834ed391b5f6baffd30ded7fa02e
Malware Config
Extracted
- family: njrat
- version: 0.7d
- botnet (campaign id): HacKed
- C2 (host and port, each base64-encoded, joined by ':'): aXZpendpei5kZG5zLm5ldAStrikStrik:MTEyMg==
- mutex: 2fc48b1a11b49734cf2eee30891a9de9
- reg_key: 2fc48b1a11b49734cf2eee30891a9de9
- splitter: |'|'|
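How these fields are used: njRAT 0.7d stores the C2 host and port base64-encoded, the splitter delimits the fields of every message sent to the controller, and the first field of a message is the command (the "ll" registration is what the Suricata rule below is keyed on). The Python that follows is an added example, not code from the report or from the sandbox; it decodes the C2 field shown above and parses a constructed registration message. Two assumptions are labelled in the code: the "StrikStrik" token sitting between the encoded host and the ':' is stripped as an opaque marker because the page does not say what it is, and the length-prefixed framing ('<decimal length>' + NUL + payload) is njRAT's commonly documented wire format rather than something this page shows.

```python
import base64
from dataclasses import dataclass
from typing import Iterator, List, Optional

# Values copied from the extracted config on this page.
SPLITTER = "|'|'|"
RAW_C2 = "aXZpendpei5kZG5zLm5ldAStrikStrik:MTEyMg=="
CAMPAIGN = "HacKed"
# Assumption: the page does not say what "StrikStrik" is, so it is stripped as an
# opaque marker sitting between the encoded host and the ':' before the port.
OPAQUE_MARKER = "StrikStrik"


def b64_loose(s: str) -> bytes:
    """Decode base64 whose '=' padding may have been dropped; reject other junk."""
    s = s.strip()
    return base64.b64decode(s + "=" * ((-len(s)) % 4), validate=True)


@dataclass(frozen=True)
class C2:
    host: str
    port: int


def parse_c2(raw: str, marker: str = OPAQUE_MARKER) -> C2:
    """Turn '<b64 host>[marker]:<b64 port>' into a hostname and an integer port."""
    host_part, sep, port_part = raw.rpartition(":")
    if not sep:
        raise ValueError("no ':' between host and port")
    if marker and host_part.endswith(marker):
        host_part = host_part[: -len(marker)]
    host = b64_loose(host_part).decode("ascii")
    port = int(b64_loose(port_part).decode("ascii"))
    if not host or not 0 < port < 65536:
        raise ValueError(f"implausible C2 {host!r}:{port}")
    return C2(host, port)


# Wire format (assumption: njRAT's widely documented framing, not shown on this
# page): each message is '<decimal length>' + NUL + payload, and payload fields
# are joined with the configured splitter. The first field is the command; "ll"
# is the initial registration, which the Suricata rule name "(ll)" refers to.

def frame(payload: bytes) -> bytes:
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def unframe(stream: bytes) -> Iterator[bytes]:
    """Yield complete payloads from a stream; a trailing partial frame is left unread."""
    pos = 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul < 0 or not stream[pos:nul].isdigit():
            raise ValueError("malformed frame header")
        length, start = int(stream[pos:nul]), nul + 1
        if start + length > len(stream):
            break  # wait for the rest of this frame
        yield stream[start:start + length]
        pos = start + length


def split_fields(payload: bytes, splitter: str = SPLITTER) -> List[str]:
    return payload.decode("utf-8", errors="replace").split(splitter)


def registration_campaign(payload: bytes) -> Optional[str]:
    """Return the campaign tag from an 'll' registration message, else None."""
    fields = split_fields(payload)
    if len(fields) < 2 or fields[0] != "ll":
        return None
    try:
        victim_id = b64_loose(fields[1]).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    # The victim id is '<campaign>_<hardware id>'; keep everything before the last '_'.
    return victim_id.rsplit("_", 1)[0]


# Constructed sample registration (not captured traffic): command, base64 victim
# id, machine name, user name, install date, blank, OS string, camera flag, version.
SAMPLE_REGISTRATION = frame(SPLITTER.join([
    "ll",
    base64.b64encode(f"{CAMPAIGN}_0A1B2C3D".encode("ascii")).decode("ascii"),
    "DESKTOP-SANDBOX", "Admin", "21-12-24", "", "Win 10 Pro SP0 x64", "No", "0.7d",
]).encode("utf-8"))


if __name__ == "__main__":
    c2 = parse_c2(RAW_C2)
    print(f"C2: {c2.host}:{c2.port}")
    # The second frame is deliberately truncated to show that unframe() stops cleanly.
    for payload in unframe(SAMPLE_REGISTRATION + b"12\x00short"):
        print(split_fields(payload)[0], registration_campaign(payload))
```

Running it prints the decoded host and port; the truncated second frame shows how the parser handles a partial read instead of throwing on it. The decoded host is what you would pivot on in DNS and proxy logs, the port in firewall logs.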
Signatures
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) (fired twice)
- Executes dropped EXE (1 IoC)
  Processes: server.exe, pid 3040
- Modifies Windows Firewall (1 TTP)
  Evidenced by the netsh command in the process tree below, which allow-lists server.exe.
- Drops startup file (2 IoCs)
  server.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Javax64.exe
  server.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Javax64.exe
- Drops file in System32 directory (2 IoCs)
  server.exe: File created C:\Windows\SysWOW64\Javax64.exe
  server.exe: File opened for modification C:\Windows\SysWOW64\Javax64.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (This is the sandbox's generic description of the signature; njRAT enumerates drives for its file manager, so on its own this is not evidence of ransomware.)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: server.exe, pid 3040
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  server.exe (pid 3040): Token: SeDebugPrivilege once, then Token: 33 followed by Token: SeIncBasePriorityPrivilege, repeated 17 times
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 3380 (dd5f2accefc6c6e3f0ffaa939e7466b0.exe) wrote to memory of PID 3040 (server.exe), 3 times
  PID 3040 (server.exe) wrote to memory of PID 4016 (netsh.exe), 3 times
Processes
1. C:\Users\Admin\AppData\Local\Temp\dd5f2accefc6c6e3f0ffaa939e7466b0.exe (pid 3380)
   Command line: "C:\Users\Admin\AppData\Local\Temp\dd5f2accefc6c6e3f0ffaa939e7466b0.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\server.exe (pid 3040)
      Command line: "C:\Users\Admin\AppData\Roaming\server.exe"
      - Executes dropped EXE
      - Drops startup file
      - Drops file in System32 directory
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe (pid 4016)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
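The process tree above is a compact detection lesson: a binary launched from AppData\Roaming allow-lists itself in the firewall through netsh, then writes an executable into the user's Startup folder and a copy into SysWOW64. The Python below is an added example, not part of the report or of any sandbox; it runs three rules over constructed Sysmon-like events (process creation and file creation) that mirror the behaviour listed on this page, with one benign netsh command as a control. Event field names follow Sysmon's conventions; the rule names and the ATT&CK technique IDs (current numbering, not the v6 matrix the report renders) are the example's own.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed events in a Sysmon-like shape (EventID 1 = process creation,
# EventID 11 = file creation). They mirror the behaviour listed in this report
# but are not the sandbox's own log output.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\netsh.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Roaming\server.exe",
     "CommandLine": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE'},
    {"EventID": 11, "Image": r"C:\Users\Admin\AppData\Roaming\server.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Javax64.exe"},
    {"EventID": 11, "Image": r"C:\Users\Admin\AppData\Roaming\server.exe",
     "TargetFilename": r"C:\Windows\SysWOW64\Javax64.exe"},
    # Benign control: an administrator listing interfaces from a shell.
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "netsh interface show interface"},
]

# Locations an unprivileged user can write to; a program path here is the signal.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\|\\ProgramData\\|\\Temp\\", re.I)
SYSTEM_DIRS = re.compile(r"^[A-Za-z]:\\Windows\\(?:System32|SysWOW64)\\", re.I)
STARTUP_DROP = re.compile(
    r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(?:exe|dll|scr|vbs|js|bat|cmd|lnk)$", re.I)
# Legacy 'netsh firewall add allowedprogram [program=]<path>' (the form this sample
# uses) and the current 'netsh advfirewall firewall add rule ... program=<path>' form.
NETSH_ALLOW = re.compile(
    r'\bnetsh(?:\.exe)?\b.*?\b(?:add\s+allowedprogram\s+(?:program=)?|add\s+rule\b.*?\bprogram=)'
    r'(?:"([^"]+)"|(\S+))',
    re.I,
)

# Technique IDs use current ATT&CK numbering, not the v6 matrix the report renders.
RULE_TECHNIQUE = {
    "netsh_firewall_allow_user_path": "T1562.004",
    "startup_folder_drop": "T1547.001",
    "system_dir_write_by_user_process": "T1036.005",
}


def extract_allowed_program(cmdline: str) -> Optional[str]:
    """Return the program path a netsh command is allow-listing, if any."""
    m = NETSH_ALLOW.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def run_rules(events: Iterable[Dict[str, object]]) -> List[Dict[str, str]]:
    """Evaluate the three rules over an event stream and return findings in event order."""
    findings: List[Dict[str, str]] = []

    def hit(rule: str, image: str, evidence: str) -> None:
        findings.append({"rule": rule, "technique": RULE_TECHNIQUE[rule],
                         "image": image, "evidence": evidence})

    for ev in events:
        image = str(ev.get("Image", ""))
        if ev.get("EventID") == 1:
            # Firewall allow-listing is only interesting when the allowed binary
            # lives somewhere a user (or malware running as one) could have put it.
            path = extract_allowed_program(str(ev.get("CommandLine", "")))
            if path and USER_WRITABLE.search(path):
                hit("netsh_firewall_allow_user_path", image, path)
        elif ev.get("EventID") == 11:
            target = str(ev.get("TargetFilename", ""))
            if STARTUP_DROP.search(target):
                hit("startup_folder_drop", image, target)
            # Installers run from system paths; a user-profile process writing into
            # System32/SysWOW64 is the masquerading pattern seen in this report.
            if SYSTEM_DIRS.match(target) and USER_WRITABLE.search(image):
                hit("system_dir_write_by_user_process", image, target)
    return findings


if __name__ == "__main__":
    for f in run_rules(SAMPLE_EVENTS):
        print(f"{f['rule']:34} {f['technique']}  {f['image']} -> {f['evidence']}")
```

The benign control produces no finding because the netsh rule keys on the path being allow-listed rather than on netsh.exe running at all; tuning the USER_WRITABLE pattern to your environment (for example adding vendor directories that legitimately self-register) is where the false-positive work lives.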
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\app
  MD5: c60feebd511c87b86dea130692995a0f
  SHA1: d64447a8b3d8949cab5a1f8d168f7c6fee6b6a0a
  SHA256: 632994320c04707e7ef564b3e983a694170561659552a24dfe14a922dcf0f511
  SHA512: bf03fbf3329c6f7a21ecd620319ef1a6f676b22a27afd24aab546483c3fe5f6eee7bbcfdc14c5f6626957f2b96519bdd21aaea45d74a80253fa4220c8c12df7c
- C:\Users\Admin\AppData\Roaming\server.exe (same hashes as the submitted sample, i.e. a byte-for-byte self-copy)
  MD5: dd5f2accefc6c6e3f0ffaa939e7466b0
  SHA1: 9acf53d5bf720e9bd7ebd2222d9c367be68eb6c4
  SHA256: 01a7fccd0aa64adcaa13e7109f8c969cabefcba820efaafbd75c6cd28490fe64
  SHA512: e64d7c39b806d7a0bfa1065b50320f227e632f74b69f084f4f721f15f06dffb07e6f7addc5bed574359419922b06915b33b9834ed391b5f6baffd30ded7fa02e
- memory/3040-116-0x0000000000000000-mapping.dmp
- memory/3040-120-0x0000000002790000-0x0000000002791000-memory.dmp (4KB)
- memory/3380-115-0x0000000000E90000-0x0000000000E91000-memory.dmp (4KB)
- memory/4016-121-0x0000000000000000-mapping.dmp