Analysis
- max time kernel: 155s
- max time network: 168s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 09-03-2022 17:49

Static task: static1
Behavioral task: behavioral1
- Sample: a93ed17c2c3e33f492b26db316abb8a4d32923e03b2387b3076b2e00f7e7d732.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: a93ed17c2c3e33f492b26db316abb8a4d32923e03b2387b3076b2e00f7e7d732.exe
- Resource: win10v2004-en-20220112
General
- Target: a93ed17c2c3e33f492b26db316abb8a4d32923e03b2387b3076b2e00f7e7d732.exe
- Size: 3.2MB
- MD5: e33258409be6c2628cd2367ce1263386
- SHA1: 286a63a65463122c70eb82dadeb3ecca10aa68bc
- SHA256: a93ed17c2c3e33f492b26db316abb8a4d32923e03b2387b3076b2e00f7e7d732
- SHA512: 0a10f5c4421af38785bd8fe672914574994525cfbc489e50c99c6242fead6c2720de4bc105e72db0793565f9b3ce667b28f69c890ae439dad68fab4ee161d5be
Malware Config
Extracted
- Family: njrat
- Version: im523
- Botnet (campaign ID): hacker
- C2: 0.tcp.ngrok.io:18133
- Mutex: 707b4c9b457e788982fbb6845d3f32eb
- reg_key: 707b4c9b457e788982fbb6845d3f32eb
- splitter: |'|'|
The C2 is an ngrok TCP tunnel: the operator's real address sits behind ngrok's relay, and because free ngrok tunnels are assigned a fresh port per session, 0.tcp.ngrok.io:18133 is a short-lived indicator. The same 32-hex-character value is used as mutex, as the Run value name and as the Startup-folder file name (see the signatures below), which makes it the most durable host-side pivot in this report.
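The extracted configuration above gives everything needed to recognise this bot's traffic: the C2 endpoint and the splitter that separates fields in njRAT's plaintext, length-prefixed TCP protocol. The Python below is an added example written for this page, not code from the report or from the njRAT author. The framing rule (decimal payload length, a NUL byte, then the payload) and the "ll" registration command are njRAT 0.7d-family behaviour, and the Suricata signature named in this report keys on that same "ll" command; the field order assumed by registration_summary, and the HWID, user name, OS string and window title in the sample stream, are constructed for illustration.

```python
import base64
from dataclasses import dataclass

# Values from the configuration extracted on this page.
C2_HOST, C2_PORT = "0.tcp.ngrok.io", 18133
SPLITTER = "|'|'|"


@dataclass
class Frame:
    command: str      # first field of the payload, e.g. "ll" for the registration beacon
    fields: list      # remaining splitter-separated fields, still as text
    raw: bytes        # payload bytes without the length prefix


def encode_frame(command: str, *fields: str, splitter: str = SPLITTER) -> bytes:
    """Build one njRAT frame: '<decimal payload length>\\x00<payload>'."""
    payload = splitter.join((command,) + fields).encode("utf-8")
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def parse_frames(stream: bytes, splitter: str = SPLITTER):
    """Split a raw TCP stream into frames. Returns (frames, leftover), where leftover
    is a trailing incomplete frame to be retried once more data has arrived."""
    frames, pos = [], 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            break                                   # length prefix not finished yet
        length_text = stream[pos:nul]
        if not length_text.isdigit():
            raise ValueError(f"not an njRAT length prefix at offset {pos}: {length_text!r}")
        start, end = nul + 1, nul + 1 + int(length_text)
        if end > len(stream):
            break                                   # payload not fully received
        payload = stream[start:end]
        parts = payload.decode("utf-8", errors="replace").split(splitter)
        frames.append(Frame(parts[0], parts[1:], payload))
        pos = end
    return frames, stream[pos:]


def registration_summary(frame: Frame):
    """Decode an 'll' registration frame. The field order assumed here (base64 HWID,
    user, install date, empty, OS, camera flag, version, ...) is the common njRAT 0.7d
    layout; it is an assumption of this example, not something the report states."""
    if frame.command != "ll" or len(frame.fields) < 7:
        return None
    try:
        hwid = base64.b64decode(frame.fields[0], validate=True).decode("utf-8", errors="replace")
    except ValueError:                              # binascii.Error is a ValueError
        return None
    return {
        "hwid": hwid,
        "user": frame.fields[1],
        "install_date": frame.fields[2],
        "os": frame.fields[4],
        "camera": frame.fields[5],
        "version": frame.fields[6],
    }


def is_njrat_registration(frame: Frame) -> bool:
    """Check in the spirit of the ET 'CnC Activity (ll)' rule: an 'll' command followed
    by splitter-separated fields whose first one is valid base64."""
    return registration_summary(frame) is not None


def _b64(text: str) -> str:
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


# Constructed sample stream (HWID, user, OS string and window title are made up): a
# registration beacon, a one-letter frame, then a truncated frame the parser must keep.
SAMPLE_STREAM = (
    encode_frame("ll", _b64("HacKed_4C1EFF2_Admin"), "Admin", "22-03-09", "",
                 "Win 7 Professional SP1 x64", "No", "im523", "..", _b64("Program Manager"), "")
    + encode_frame("P")
    + b"12\x00ll|'|'|"
)

if __name__ == "__main__":
    frames, leftover = parse_frames(SAMPLE_STREAM)
    for f in frames:
        print(f.command, registration_summary(f))
    print("leftover bytes:", leftover)
```

Run against a pcap, feed the bytes of each TCP stream to the C2 host into parse_frames and treat any stream whose first complete frame passes is_njrat_registration as a hit; keep the leftover bytes between reads, since the beacon is often split across segments.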
Signatures
-
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
-
Executes dropped EXE 3 IoCs
Processes (pid  process):
  572   CDS.exe
  1368  crypted.exe
  1888  svchost.exe
-
Modifies Windows Firewall 1 TTPs
-
Drops startup file 2 IoCs
Processes (description / ioc / process):
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\707b4c9b457e788982fbb6845d3f32eb.exe (svchost.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\707b4c9b457e788982fbb6845d3f32eb.exe (svchost.exe)
-
Loads dropped DLL 10 IoCs
Processes (pid  process, with event counts):
  1100  a93ed17c2c3e33f492b26db316abb8a4d32923e03b2387b3076b2e00f7e7d732.exe (1)
  572   CDS.exe (6)
  1368  crypted.exe (2)
  1888  svchost.exe (1)
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes (description / ioc / process):
  - Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce (a93ed17c2c3e33f492b26db316abb8a4d32923e03b2387b3076b2e00f7e7d732.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (a93ed17c2c3e33f492b26db316abb8a4d32923e03b2387b3076b2e00f7e7d732.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\707b4c9b457e788982fbb6845d3f32eb = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .." (svchost.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\707b4c9b457e788982fbb6845d3f32eb = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .." (svchost.exe)
The first two entries are not the RAT's persistence: wextract_cleanup0 is the RunOnce value that the Windows self-extractor (wextract, as used by IExpress packages) writes so that advpack.dll deletes the IXP000.TMP extraction directory at next logon. The two Run values written by svchost.exe (one in HKCU, one in HKLM under Wow6432Node) are njRAT's persistence; both point at the copy in %TEMP% and pass the literal argument "..", which is a useful string to match on when hunting.
-
Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it "likely ransomware behaviour"; read together with the autorun.inf signature above, the more plausible interpretation for an njRAT sample is removable-drive spreading rather than encryption.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid  process, with event counts):
  572   CDS.exe (2)
  1888  svchost.exe (62)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid  process):
  1888  svchost.exe
Repeated GetForegroundWindow polling is consistent with njRAT reporting the victim's active window title to the controller.
-
Suspicious use of AdjustPrivilegeToken 13 IoCs
Processes (description / pid / process, with event counts):
  Token: SeDebugPrivilege            1888  svchost.exe (1)
  Token: 33                          1888  svchost.exe (6)
  Token: SeIncBasePriorityPrivilege  1888  svchost.exe (6)
The sequence is one SeDebugPrivilege request followed by six repetitions of the pair (33, SeIncBasePriorityPrivilege); "33" is the raw privilege LUID as logged by the sandbox, which on Vista and later is SeIncreaseWorkingSetPrivilege. A process named svchost.exe that lives in %TEMP% and enables SeDebugPrivilege is a strong hunting signal on its own.
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes (pid  process, with event counts):
  572   CDS.exe (2)
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes (source pid  source process  ->  target pid  target process, with event counts):
  1100  a93ed17c2c3e33f492b26db316abb8a4d32923e03b2387b3076b2e00f7e7d732.exe  ->  572   CDS.exe      (7)
  572   CDS.exe      ->  1368  crypted.exe  (7)
  1368  crypted.exe  ->  1888  svchost.exe  (7)
  1888  svchost.exe  ->  1824  netsh.exe    (7)
These pairs mirror the process tree below exactly: each is a parent writing into a child it has just created, not injection into a pre-existing process.
Processes
- C:\Users\Admin\AppData\Local\Temp\a93ed17c2c3e33f492b26db316abb8a4d32923e03b2387b3076b2e00f7e7d732.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a93ed17c2c3e33f492b26db316abb8a4d32923e03b2387b3076b2e00f7e7d732.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\svchost.exe (level 4)
        Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        - Executes dropped EXE
        - Drops startup file
        - Loads dropped DLL
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\netsh.exe (level 5)
          Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
Reading the chain: the submitted file is a self-extracting package (it unpacks into IXP000.TMP and registers the standard wextract_cleanup0 RunOnce value) that starts CDS.exe, a bundled program shipped alongside lua5.1.dll and its own data files. CDS.exe launches crypted.exe, which writes a copy of itself to %TEMP%\svchost.exe (the two files have identical hashes in the Downloads list) and runs it; that copy is the njRAT client that sets the Run values, drops the Startup-folder file and adds the firewall exception. netsh.exe runs from SysWOW64 because its parent is a 32-bit process, which also explains the Wow6432Node registry paths. "netsh firewall add allowedprogram" is the pre-Vista firewall command set; it is deprecated but still accepted on Windows 7.
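The persistence and evasion steps recorded in this report (Run values in HKCU and HKLM\Wow6432Node pointing at %TEMP%, the Startup-folder copy, the legacy netsh firewall exception, and a binary named svchost.exe running outside System32) are all visible in ordinary host telemetry. The Python below is an added example, not part of the report: it runs a few detection rules over constructed Sysmon-style events (EventID 1 process create, 11 file create, 13 registry value set) whose paths, registry values and command line are copied from this report, plus one benign event for the real Service Host. The Sysmon field names are real; the benign event, the rule names and the decision to downgrade the IExpress cleanup value to an informational hit are assumptions of this example.

```python
import re

# Sysmon-style events. Paths, registry values and the netsh command line are copied
# from this report; the event layout and the benign event 4 are constructed.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {   # 0: the outer self-extractor registers its own cleanup (IExpress/wextract behaviour)
        "EventID": 13, "Image": TEMP + r"\a93ed17c2c3e33f492b26db316abb8a4d32923e03b2387b3076b2e00f7e7d732.exe",
        "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
        "Details": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"',
    },
    {   # 1: the njRAT copy persists via HKCU\...\Run, pointing at itself in %TEMP%
        "EventID": 13, "Image": TEMP + r"\svchost.exe",
        "TargetObject": r"HKU\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\707b4c9b457e788982fbb6845d3f32eb",
        "Details": r'"C:\Users\Admin\AppData\Local\Temp\svchost.exe" ..',
    },
    {   # 2: Startup-folder copy named after the reg_key
        "EventID": 11, "Image": TEMP + r"\svchost.exe",
        "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\707b4c9b457e788982fbb6845d3f32eb.exe",
    },
    {   # 3: legacy netsh syntax opening the firewall for the %TEMP% binary
        "EventID": 1, "Image": r"C:\Windows\SysWOW64\netsh.exe", "ParentImage": TEMP + r"\svchost.exe",
        "CommandLine": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE',
    },
    {   # 4: benign control (constructed): the real Service Host started by services.exe
        "EventID": 1, "Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe",
        "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs",
    },
]

# Patterns. USER_WRITABLE is deliberately broad: any auto-start or firewall exception
# that points into a user-writable tree deserves a look.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Public)\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(exe|dll|scr|vbs|js|bat|cmd|lnk)$", re.I)
NETSH_ALLOW = re.compile(r"firewall\s+add\s+(allowedprogram|rule)\b", re.I)
IEXPRESS_CLEANUP = re.compile(r"^rundll32\.exe\s+C:\\Windows\\system32\\advpack\.dll,DelNodeRunDLL32\b", re.I)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule_name, event_index) pairs for every rule that fires."""
    hits = []
    for i, ev in enumerate(events):
        eid, image = ev.get("EventID"), ev.get("Image", "")
        # Any process called svchost.exe that is not the real one.
        if _basename(image) == "svchost.exe" and not image.lower().startswith(SYSTEM_DIRS):
            hits.append(("svchost_outside_system32", i))
        # Run/RunOnce value whose data points into a user-writable directory.
        if eid == 13 and RUN_KEY.search(ev.get("TargetObject", "")):
            details = ev.get("Details", "")
            if IEXPRESS_CLEANUP.match(details):
                # Standard self-extractor cleanup: informational, but it does tell you an
                # IExpress-style package just ran from this user's Temp directory.
                hits.append(("iexpress_sfx_cleanup_runonce", i))
            elif USER_WRITABLE.search(details):
                hits.append(("run_key_points_to_user_writable_path", i))
        # Executable content written to the per-user Startup folder.
        if eid == 11 and STARTUP_DIR.search(ev.get("TargetFilename", "")):
            hits.append(("startup_folder_executable_drop", i))
        # netsh opening the firewall for a program in a user-writable directory.
        if eid == 1 and _basename(image) == "netsh.exe":
            cmd = ev.get("CommandLine", "")
            if NETSH_ALLOW.search(cmd) and USER_WRITABLE.search(cmd):
                hits.append(("firewall_exception_for_user_writable_path", i))
    return hits


if __name__ == "__main__":
    for rule, idx in detect(SAMPLE_EVENTS):
        print(f"{rule:45s} event {idx}: {SAMPLE_EVENTS[idx].get('Image')}")
```

The rules are written so that the benign Service Host event produces nothing, while the single hash-named value (707b4c9b457e788982fbb6845d3f32eb) ties the registry, file-system and firewall hits to one chain; in a real deployment the same logic maps directly onto Sigma rules keyed on Sysmon EventID 1, 11 and 13.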
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
The page lists several of these files more than once (once per drop event, with and without the drive letter); the entries are consolidated here, with the number of listings noted. Hashes are unchanged.
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\630_10.png
  MD5: 340b294efc691d1b20c64175d565ebc7
  SHA1: 81cb9649bd1c9a62ae79e781818fc24d15c29ce7
  SHA256: 72566894059452101ea836bbff9ede5069141eeb52022ab55baa24e1666825c9
  SHA512: 1395a8e175c63a1a1ff459a9dac437156c74299272e020e7e078a087969251a8534f17244a529acbc1b6800a97d4c0abfa3c88f6fcb88423f56dfaae9b49fc3d
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.cdd
  MD5: 3e7ecaeb51c2812d13b07ec852d74aaf
  SHA1: e9bdab93596ffb0f7f8c65243c579180939acb26
  SHA256: e7e942993864e8b18780ef10a415f7b93924c6378248c52f0c96895735222b96
  SHA512: 635cd5173b595f1905af9eeea65037601cf8496d519c506b6d082662d438c26a1bfe653eaf6edcb117ccf8767975c37ab0238ca4c77574e2706f9b238a15ad4d
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe (listed 5 times: 2 as C:\..., 3 as \Users\...)
  MD5: 424bf196deaeb4ddcafb78e137fa560a
  SHA1: 007738e9486c904a3115daa6e8ba2ee692af58c8
  SHA256: 0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2
  SHA512: a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c.dat
  MD5: d7ab528ef810ec5fd2d679e09bbd20ba
  SHA1: cd690dbe2bf409c709947626ed85ec87528e01e5
  SHA256: 0781188943a85229f4f8a692f43bdf556c65a8e47496647e9f9bc526c1c55e2d
  SHA512: 446890826462a064e52444819f5696a0d7226d82770c4c0f509e10cfe02f8a1d50bf8f1b79ca9a56e569d64f7222e1a1560d84c9f831698ddfdb19f7833914dd
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe (listed 6 times: 2 as C:\..., 4 as \Users\...)
  MD5: f45f8f7c9061b9176b601b990136267d
  SHA1: 9f7d79e890b8a01e89afeebe600de7f8e75beb29
  SHA256: c5d40a6a31477379f5376a70445c642d1a4f2902aa1e3270a93d959d07322019
  SHA512: 3d86953f67cb6609c9550e7ecd61355c04fd9bfe93e520395bed892f7aa75a742bfabc5a68a96269ff8b6835cd9405e683410a2ba53c9f58db2e03a858e82514
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fs.settings
  MD5: 68934a3e9455fa72420237eb05902327
  SHA1: 7cb6efb98ba5972a9b5090dc2e517fe14d12cb04
  SHA256: fcbcf165908dd18a9e49f7ff27810176db8e9f63b4352213741664245224f8aa
  SHA512: 719fa67eef49c4b2a2b83f0c62bddd88c106aaadb7e21ae057c8802b700e36f81fe3f144812d8b05d66dc663d908b25645e153262cf6d457aa34e684af9e328d
  (These are the hashes of the five-byte ASCII string "false", so this is a plain-text settings flag for the bundled program, not a binary.)
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll (listed 2 times: 1 as C:\..., 1 as \Users\...)
  MD5: c3256800dce47c14acc83ccca4c3e2ac
  SHA1: 9d126818c66991dbc3813a65eddb88bbcf77f30a
  SHA256: f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866
  SHA512: 6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25
- C:\Users\Admin\AppData\Local\Temp\svchost.exe (listed 4 times: 2 as C:\..., 2 as \Users\...)
  MD5: f45f8f7c9061b9176b601b990136267d
  SHA1: 9f7d79e890b8a01e89afeebe600de7f8e75beb29
  SHA256: c5d40a6a31477379f5376a70445c642d1a4f2902aa1e3270a93d959d07322019
  SHA512: 3d86953f67cb6609c9550e7ecd61355c04fd9bfe93e520395bed892f7aa75a742bfabc5a68a96269ff8b6835cd9405e683410a2ba53c9f58db2e03a858e82514
  (Byte-identical to crypted.exe: the RAT copies itself to %TEMP% under the svchost.exe name before persisting. One hash set therefore covers both the dropped file and the persisted copy.)
-
-
- memory/1100-55: 0x00000000760F1000-0x00000000760F3000 (8KB)
- memory/1368-75: 0x00000000737F0000-0x0000000073D9B000 (5.7MB)
- memory/1368-76: 0x00000000004C0000-0x00000000004C1000 (4KB)
- memory/1368-77: 0x00000000737F0000-0x0000000073D9B000 (5.7MB)
- memory/1888-84: 0x0000000000C40000-0x0000000000C41000 (4KB)
- memory/1888-83: 0x00000000737F0000-0x0000000073D9B000 (5.7MB)
The same 5.7MB region at 0x737F0000 is dumped from both pid 1368 (crypted.exe) and pid 1888 (svchost.exe), which is consistent with the two processes running the same binary.