Analysis
max time kernel: 148s
max time network: 152s
platform: windows7_x64
resource: win7-20220414-en
submitted: 14-05-2022 15:18
Static task: static1
Behavioral task: behavioral1
  Sample: 5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
  Resource: win10v2004-20220414-en
General
Target: 5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
Size: 396KB
MD5: 5b0e04c4f91d5aaac3ee3ce0eb2a1c6f
SHA1: dd539b2dae5964501c364bf932ce8e9f9dc500af
SHA256: dbc7c72ec05fae8f586a80826e6929cb26ec2fab3623620bb3edaea0139385a3
SHA512: 1ee3527a2ad3c7b6f393097ad60742ba3dfb14758feaf01188662a091c91f914390761fdb5751e1cbdb201d21cc1a086d09a7326d140a58d196266c458a2ea18
Malware Config
Extracted
Family: njrat
Version: v2.0
Botnet: HacKed
C2: 104.243.35.208:4004
Mutex: Windows
reg_key: Windows
splitter: |-F-|
Signatures
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
Executes dropped EXE (2 IoCs)
Processes:
  PID 1560  Payload.exe
  PID 1372  Payload.exe

Drops startup file (2 IoCs)
Processes:
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk  (5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk  (Payload.exe)

Loads dropped DLL (1 IoCs)
Processes:
  PID 956  5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  Set value (str): \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Payload.exe"  (5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe)

Suspicious use of SetThreadContext (2 IoCs)
Processes:
  PID 868 set thread context of 956: 5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe -> 5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
  PID 1560 set thread context of 1372: Payload.exe -> Payload.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  Token: SeDebugPrivilege  PID 1372  Payload.exe
  Token: 33  PID 1372  Payload.exe
  Token: SeIncBasePriorityPrivilege  PID 1372  Payload.exe

Suspicious use of WriteProcessMemory (26 IoCs)
Processes (identical repeated events collapsed; event count in parentheses):
  PID 868 wrote to memory of 956: 5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe -> 5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe  (9)
  PID 956 wrote to memory of 1560: 5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe -> Payload.exe  (4)
  PID 956 wrote to memory of 1708: 5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe -> attrib.exe  (4)
  PID 1560 wrote to memory of 1372: Payload.exe -> Payload.exe  (9)

Views/modifies file attributes (1 TTPs, 1 IoCs)
Processes (indentation shows the process tree; depth 1 is the submitted sample)
  C:\Users\Admin\AppData\Local\Temp\5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe"
    - Drops startup file
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Roaming\Payload.exe
      command line: "C:\Users\Admin\AppData\Roaming\Payload.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Roaming\Payload.exe
        command line: "C:\Users\Admin\AppData\Roaming\Payload.exe"
        - Executes dropped EXE
        - Drops startup file
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\attrib.exe
      command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Payload.exe"
      - Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
  Filesize: 1KB
  MD5: 55d448ccd249a3192ba1c5b8639a60d4
  SHA1: 7161b3bf3e8dd3fa8eee9d20ecaef52765527574
  SHA256: 21a49777f17cb7ccc9b66dee08de46822d122f5b6e9fe1c37484b3b0b2959357
  SHA512: 712d0cc57bb5ae3af3b7b85a94beb6c5e89c39df293b9b7a6c5b3123f834724806a31b5c4ab3c70ad0bb276247aaead491af3fcf5b51fa6e795fa3587ea57b33

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
  Filesize: 1018B
  MD5: 398c1a0398faf422bcb039f638ab4758
  SHA1: 18e57f6c4644b8089cdac84cae7d88c18c572a11
  SHA256: c9979bf6a52fdd7bb18c680f730037bdbe59ab2db0a9d2f588e2aecf748854f4
  SHA512: 98c9438c75f6e48a22beafb595241e65930a9555cebf50be79389a77c197e303e9a6c1ed6b48b579555fc9826c6b689a0b340bf967e333af7976650e9ff5e4af

C:\Users\Admin\AppData\Roaming\Payload.exe (same hashes as the submitted sample)
  Filesize: 396KB
  MD5: 5b0e04c4f91d5aaac3ee3ce0eb2a1c6f
  SHA1: dd539b2dae5964501c364bf932ce8e9f9dc500af
  SHA256: dbc7c72ec05fae8f586a80826e6929cb26ec2fab3623620bb3edaea0139385a3
  SHA512: 1ee3527a2ad3c7b6f393097ad60742ba3dfb14758feaf01188662a091c91f914390761fdb5751e1cbdb201d21cc1a086d09a7326d140a58d196266c458a2ea18
Memory dumps:
  memory/868-54-0x0000000000D90000-0x0000000000DF8000-memory.dmp  416KB
  memory/868-55-0x0000000075D21000-0x0000000075D23000-memory.dmp  8KB
  memory/868-56-0x0000000000260000-0x000000000026E000-memory.dmp  56KB
  memory/868-57-0x0000000000A90000-0x0000000000AE2000-memory.dmp  328KB
  memory/868-58-0x00000000005F0000-0x00000000005F6000-memory.dmp  24KB
  memory/868-59-0x0000000000600000-0x000000000060E000-memory.dmp  56KB
  memory/956-68-0x0000000000400000-0x000000000040E000-memory.dmp  56KB
  memory/956-70-0x0000000000400000-0x000000000040E000-memory.dmp  56KB
  memory/956-66-0x000000000040837E-mapping.dmp
  memory/956-65-0x0000000000400000-0x000000000040E000-memory.dmp  56KB
  memory/956-64-0x0000000000400000-0x000000000040E000-memory.dmp  56KB
  memory/956-63-0x0000000000400000-0x000000000040E000-memory.dmp  56KB
  memory/956-61-0x0000000000400000-0x000000000040E000-memory.dmp  56KB
  memory/956-60-0x0000000000400000-0x000000000040E000-memory.dmp  56KB
  memory/1372-85-0x000000000040837E-mapping.dmp
  memory/1560-73-0x0000000000000000-mapping.dmp
  memory/1560-77-0x0000000000D70000-0x0000000000DD8000-memory.dmp  416KB
  memory/1708-76-0x0000000000000000-mapping.dmp