Analysis
max time kernel: 145s
max time network: 134s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 14-05-2022 15:18

Static task: static1
Behavioral task: behavioral1
  Sample: 5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
  Resource: win10v2004-20220414-en
General
Target: 5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
Size: 396KB
MD5: 5b0e04c4f91d5aaac3ee3ce0eb2a1c6f
SHA1: dd539b2dae5964501c364bf932ce8e9f9dc500af
SHA256: dbc7c72ec05fae8f586a80826e6929cb26ec2fab3623620bb3edaea0139385a3
SHA512: 1ee3527a2ad3c7b6f393097ad60742ba3dfb14758feaf01188662a091c91f914390761fdb5751e1cbdb201d21cc1a086d09a7326d140a58d196266c458a2ea18
Malware Config
Extracted
Family: njrat
Version: v2.0
Botnet: HacKed
C2: 104.243.35.208:4004
Mutex: Windows (label inferred; the page lists this value without one)
Attributes:
  reg_key: Windows
  splitter: |-F-|
Signatures
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

Executes dropped EXE (2 IoCs)
Processes:
  PID 4564  Payload.exe
  PID 4372  Payload.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation  (5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe)

Drops startup file (2 IoCs)
Processes:
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk  (5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk  (Payload.exe)

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  Set value (str): \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Payload.exe"  (5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe)

Suspicious use of SetThreadContext (2 IoCs)
Processes:
  PID 3860 set thread context of PID 5108  (5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe -> 5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe)
  PID 4564 set thread context of PID 4372  (Payload.exe -> Payload.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes:
  PID 4372 Payload.exe: Token SeDebugPrivilege; Token 33; Token SeIncBasePriorityPrivilege; Token 33; Token SeIncBasePriorityPrivilege; Token 33; Token SeIncBasePriorityPrivilege

Suspicious use of WriteProcessMemory (22 IoCs)
Processes:
  PID 3860 wrote to memory of PID 5108  (5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe -> 5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe), 8 events
  PID 5108 wrote to memory of PID 4564  (5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe -> Payload.exe), 3 events
  PID 5108 wrote to memory of PID 4688  (5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe -> attrib.exe), 3 events
  PID 4564 wrote to memory of PID 4372  (Payload.exe -> Payload.exe), 8 events

Views/modifies file attributes (1 TTP, 1 IoC)
Processes
(indentation shows process tree depth; the original report marks depth as 1 to 4)

C:\Users\Admin\AppData\Local\Temp\5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe"
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Payload.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Payload.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\Payload.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Payload.exe"
      - Executes dropped EXE
      - Drops startup file
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\attrib.exe
    Command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Payload.exe"
    - Views/modifies file attributes
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe.log
  Filesize: 1KB
  MD5: e08f822522c617a40840c62e4b0fb45e
  SHA1: ae516dca4da5234be6676d3f234c19ec55725be7
  SHA256: bd9d5e9f7fe6fcff17d873555d4077d15f7d6cdda1183e7f7d278b735ffe1fd7
  SHA512: 894a7fb7bbc18ac6ba13378f58a7db80ad00d6080be9a66b01cae8e23e41d9d2d4cd53c1e20669356b73590c8a3ebfda4bdda3258f81240db56c4a81b7313fe4

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payload.exe.log
  Filesize: 1KB
  MD5: e08f822522c617a40840c62e4b0fb45e
  SHA1: ae516dca4da5234be6676d3f234c19ec55725be7
  SHA256: bd9d5e9f7fe6fcff17d873555d4077d15f7d6cdda1183e7f7d278b735ffe1fd7
  SHA512: 894a7fb7bbc18ac6ba13378f58a7db80ad00d6080be9a66b01cae8e23e41d9d2d4cd53c1e20669356b73590c8a3ebfda4bdda3258f81240db56c4a81b7313fe4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
  Filesize: 1KB
  MD5: 6e40fd9c5dcab36e3992e4b93d33eb41
  SHA1: 1f881c6d2bce7abd64792f33eb794d4cbb45db51
  SHA256: 362357840c393e579fc3dfee8e7320dbc021b91a8569a154ed8215f766e770e8
  SHA512: ad07924bbed90081cc6cfd8e6cd1f9facbbc43a6103e61782a031fc8e6184041d55c27d30b87719710e05f947a6dccd6b359183c28a9d85b5151a15c80a6754e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
  Filesize: 1KB
  MD5: fff48f321a30adc783ab67544d8112b0
  SHA1: 7beda576a0bad9c1305bbd1f56f135f1cf66231d
  SHA256: c603cde38152408c51911b322c482410392a4e79fd3cafb93d9f00867e3054cf
  SHA512: 3d9e383c1ff193cd89fc8af55dc2e7df05d6b6948b238296995da4cefa6265d283070cd3721825baab16239e90b8422f9522569910c321d7ca64aec137c0e557

C:\Users\Admin\AppData\Roaming\Payload.exe
  Filesize: 396KB
  MD5: 5b0e04c4f91d5aaac3ee3ce0eb2a1c6f
  SHA1: dd539b2dae5964501c364bf932ce8e9f9dc500af
  SHA256: dbc7c72ec05fae8f586a80826e6929cb26ec2fab3623620bb3edaea0139385a3
  SHA512: 1ee3527a2ad3c7b6f393097ad60742ba3dfb14758feaf01188662a091c91f914390761fdb5751e1cbdb201d21cc1a086d09a7326d140a58d196266c458a2ea18

Memory dumps
memory/3860-135-0x0000000008690000-0x00000000086F6000-memory.dmp  Filesize: 408KB
memory/3860-134-0x0000000008580000-0x000000000861C000-memory.dmp  Filesize: 624KB
memory/3860-130-0x0000000000350000-0x00000000003B8000-memory.dmp  Filesize: 416KB
memory/3860-133-0x0000000004D70000-0x0000000004D7A000-memory.dmp  Filesize: 40KB
memory/3860-132-0x0000000004D90000-0x0000000004E22000-memory.dmp  Filesize: 584KB
memory/3860-131-0x0000000005260000-0x0000000005804000-memory.dmp  Filesize: 5.6MB
memory/4372-143-0x0000000000000000-mapping.dmp
memory/4564-139-0x0000000000000000-mapping.dmp
memory/4688-142-0x0000000000000000-mapping.dmp
memory/5108-136-0x0000000000000000-mapping.dmp
memory/5108-137-0x0000000000400000-0x000000000040E000-memory.dmp  Filesize: 56KB