Analysis

  • max time kernel
    90s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    15-04-2022 02:09

General

  • Target

    a836f921462e6240150cd6c26d59a8e57f2a2f5c4f520568622e3fe4e2828ceb.exe

  • Size

    3.2MB

  • MD5

    763831ebb67edc0547d2caf7c7b999b8

  • SHA1

    c7af5d05e46416cc2a0c33c8b09eb872c7b70a91

  • SHA256

    a836f921462e6240150cd6c26d59a8e57f2a2f5c4f520568622e3fe4e2828ceb

  • SHA512

    25004abb59bd61d8991d435d0428269f40b9afb21c9da1e658b83eb79c34f9e246fa2ef45573d05997839f37a15d470ff8e177e9bcc1166562310ced7199495a

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

q

C2

ratchomli.hopto.org:3632

Mutex

631447834c0607d77dbc354603149bca

Attributes
  • reg_key

    631447834c0607d77dbc354603149bca

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a836f921462e6240150cd6c26d59a8e57f2a2f5c4f520568622e3fe4e2828ceb.exe
    "C:\Users\Admin\AppData\Local\Temp\a836f921462e6240150cd6c26d59a8e57f2a2f5c4f520568622e3fe4e2828ceb.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4424
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3672
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
        "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3148
        • C:\Windows\SysWOW64\fondue.exe
          "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1412
          • C:\Windows\system32\FonDUE.EXE
            "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
            5⤵
              PID:1808
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x2c4 0x40c
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4180

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Defense Evasion

    Modify Registry

    1
    T1112

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\630_10.png
      Filesize

      2KB

      MD5

      340b294efc691d1b20c64175d565ebc7

      SHA1

      81cb9649bd1c9a62ae79e781818fc24d15c29ce7

      SHA256

      72566894059452101ea836bbff9ede5069141eeb52022ab55baa24e1666825c9

      SHA512

      1395a8e175c63a1a1ff459a9dac437156c74299272e020e7e078a087969251a8534f17244a529acbc1b6800a97d4c0abfa3c88f6fcb88423f56dfaae9b49fc3d

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.cdd
      Filesize

      13KB

      MD5

      3e7ecaeb51c2812d13b07ec852d74aaf

      SHA1

      e9bdab93596ffb0f7f8c65243c579180939acb26

      SHA256

      e7e942993864e8b18780ef10a415f7b93924c6378248c52f0c96895735222b96

      SHA512

      635cd5173b595f1905af9eeea65037601cf8496d519c506b6d082662d438c26a1bfe653eaf6edcb117ccf8767975c37ab0238ca4c77574e2706f9b238a15ad4d

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
      Filesize

      6.1MB

      MD5

      424bf196deaeb4ddcafb78e137fa560a

      SHA1

      007738e9486c904a3115daa6e8ba2ee692af58c8

      SHA256

      0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2

      SHA512

      a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
      Filesize

      6.1MB

      MD5

      424bf196deaeb4ddcafb78e137fa560a

      SHA1

      007738e9486c904a3115daa6e8ba2ee692af58c8

      SHA256

      0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2

      SHA512

      a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c.dat
      Filesize

      103KB

      MD5

      ec19695b37f684b23026fe14877480b7

      SHA1

      a1d47b2549d6b4dd0b0916f9e5d3a59fd1e840c0

      SHA256

      c17ff2eb8d083b4301023a4b9daf3277a60572a2b704de21203e2e66ea729f1c

      SHA512

      ec565ff65149c9c7d2143b329d3993ff73bb03302160d31472e178516528fb3e60c9165197c53dbbfa5e05d17266be4774f606397838b07718f05097b64573fe

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
      Filesize

      103KB

      MD5

      2d4c6ed25a730ff2bcafa5be70f5b125

      SHA1

      aa6bee72499f3b82cd119ad28347932e331cb713

      SHA256

      b4973c0f8c47b08dc82de8f13cdb920e1f535433c3d0e1f87a0f3bc47e9f30d1

      SHA512

      f4c6d25c827f13955cc86890bc791d2ec0f3ae29590c04954f7dd89556143bd6399b02aae0a4b5f225d4022920d568fd73329ee2087afbf081716b4abecb1d7f

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
      Filesize

      103KB

      MD5

      2d4c6ed25a730ff2bcafa5be70f5b125

      SHA1

      aa6bee72499f3b82cd119ad28347932e331cb713

      SHA256

      b4973c0f8c47b08dc82de8f13cdb920e1f535433c3d0e1f87a0f3bc47e9f30d1

      SHA512

      f4c6d25c827f13955cc86890bc791d2ec0f3ae29590c04954f7dd89556143bd6399b02aae0a4b5f225d4022920d568fd73329ee2087afbf081716b4abecb1d7f

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fs.settings
      Filesize

      5B

      MD5

      68934a3e9455fa72420237eb05902327

      SHA1

      7cb6efb98ba5972a9b5090dc2e517fe14d12cb04

      SHA256

      fcbcf165908dd18a9e49f7ff27810176db8e9f63b4352213741664245224f8aa

      SHA512

      719fa67eef49c4b2a2b83f0c62bddd88c106aaadb7e21ae057c8802b700e36f81fe3f144812d8b05d66dc663d908b25645e153262cf6d457aa34e684af9e328d

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll
      Filesize

      322KB

      MD5

      c3256800dce47c14acc83ccca4c3e2ac

      SHA1

      9d126818c66991dbc3813a65eddb88bbcf77f30a

      SHA256

      f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866

      SHA512

      6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll
      Filesize

      322KB

      MD5

      c3256800dce47c14acc83ccca4c3e2ac

      SHA1

      9d126818c66991dbc3813a65eddb88bbcf77f30a

      SHA256

      f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866

      SHA512

      6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25

    • memory/1412-142-0x0000000000000000-mapping.dmp
    • memory/1808-143-0x0000000000000000-mapping.dmp
    • memory/3148-139-0x0000000000000000-mapping.dmp
    • memory/3672-130-0x0000000000000000-mapping.dmp