Analysis
- max time kernel: 146s
- max time network: 136s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 14-05-2022 15:19
Static task: static1
Behavioral task: behavioral1
- Sample: 5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
- Resource: win10v2004-20220414-en
General
- Target: 5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
- Size: 396KB
- MD5: 5b0e04c4f91d5aaac3ee3ce0eb2a1c6f
- SHA1: dd539b2dae5964501c364bf932ce8e9f9dc500af
- SHA256: dbc7c72ec05fae8f586a80826e6929cb26ec2fab3623620bb3edaea0139385a3
- SHA512: 1ee3527a2ad3c7b6f393097ad60742ba3dfb14758feaf01188662a091c91f914390761fdb5751e1cbdb201d21cc1a086d09a7326d140a58d196266c458a2ea18
Malware Config
Extracted
- Family: njrat
- Version: v2.0
- Botnet: HacKed
- C2: 104.243.35.208:4004
- Mutex: Windows
- Attributes:
  - reg_key: Windows
  - splitter: |-F-|
Signatures
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
    448   Payload.exe
    4796  Payload.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
    Key value queried: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation  (5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe)
- Drops startup file (2 IoCs)
  Processes (description, ioc, process):
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk  (5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe)
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk  (Payload.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
    Set value (str): \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Payload.exe"  (5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe)
- Suspicious use of SetThreadContext (2 IoCs)
  Processes (pid, target pid, process, target process):
    4100  3736  5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe  5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
    448   4796  Payload.exe  Payload.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege            4796  Payload.exe
    Token: 33                          4796  Payload.exe
    Token: SeIncBasePriorityPrivilege  4796  Payload.exe
    Token: 33                          4796  Payload.exe
    Token: SeIncBasePriorityPrivilege  4796  Payload.exe
    Token: 33                          4796  Payload.exe
    Token: SeIncBasePriorityPrivilege  4796  Payload.exe
- Suspicious use of WriteProcessMemory (22 IoCs)
  Processes (pid, target pid, process, target process; identical rows collapsed with a count):
    4100  3736  5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe  5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe  (x8)
    3736  448   5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe  Payload.exe  (x3)
    3736  4128  5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe  attrib.exe  (x3)
    448   4796  Payload.exe  Payload.exe  (x8)
- Views/modifies file attributes (1 TTP, 1 IoC)
Processes
Process (depth 1): C:\Users\Admin\AppData\Local\Temp\5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Process (depth 2): C:\Users\Admin\AppData\Local\Temp\5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe"
    - Checks computer location settings
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    Process (depth 3): C:\Users\Admin\AppData\Roaming\Payload.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Payload.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      Process (depth 4): C:\Users\Admin\AppData\Roaming\Payload.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Payload.exe"
        - Executes dropped EXE
        - Drops startup file
        - Suspicious use of AdjustPrivilegeToken
    Process (depth 3): C:\Windows\SysWOW64\attrib.exe
      Command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Payload.exe"
      - Views/modifies file attributes
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe.log
  Filesize: 1KB
  MD5: e08f822522c617a40840c62e4b0fb45e
  SHA1: ae516dca4da5234be6676d3f234c19ec55725be7
  SHA256: bd9d5e9f7fe6fcff17d873555d4077d15f7d6cdda1183e7f7d278b735ffe1fd7
  SHA512: 894a7fb7bbc18ac6ba13378f58a7db80ad00d6080be9a66b01cae8e23e41d9d2d4cd53c1e20669356b73590c8a3ebfda4bdda3258f81240db56c4a81b7313fe4
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payload.exe.log
  Filesize: 1KB
  MD5: e08f822522c617a40840c62e4b0fb45e
  SHA1: ae516dca4da5234be6676d3f234c19ec55725be7
  SHA256: bd9d5e9f7fe6fcff17d873555d4077d15f7d6cdda1183e7f7d278b735ffe1fd7
  SHA512: 894a7fb7bbc18ac6ba13378f58a7db80ad00d6080be9a66b01cae8e23e41d9d2d4cd53c1e20669356b73590c8a3ebfda4bdda3258f81240db56c4a81b7313fe4
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
  Filesize: 1KB
  MD5: 410ae6573a57f8905a61a761ba8a4bf7
  SHA1: 05f7ac4fbb3b28620c2d1e3bdf720dfc0dfc49c9
  SHA256: e42e80a74d27dc83abfba9279eec985235c2c38635fb581eff53920868bdb1fc
  SHA512: 3051abccb8d94dfb95a16a8f935463a8a320a55d854f5482a124e64768d0dfee01e23cb7401a9f15063219a015101263cc738e8b72122f7256b2d1cfb9030438
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
  Filesize: 1KB
  MD5: 88186e2545bd518b1e115b85887ae39f
  SHA1: 1251bf62f316af94da94c16b37fc7fa03c3c212d
  SHA256: b80c05ac61f81322b55b0b4519042a0c5b160a076ead78b43d59d28386314c6d
  SHA512: 11ab6eef239e777ed25fdd8b919e25faf24049aac23c3fd3cc1bb04de095d4204897eab3cc603144bbf23866a93ec407ee74827abf098ca819ce8f4e57121974
- C:\Users\Admin\AppData\Roaming\Payload.exe
  Filesize: 396KB
  MD5: 5b0e04c4f91d5aaac3ee3ce0eb2a1c6f
  SHA1: dd539b2dae5964501c364bf932ce8e9f9dc500af
  SHA256: dbc7c72ec05fae8f586a80826e6929cb26ec2fab3623620bb3edaea0139385a3
  SHA512: 1ee3527a2ad3c7b6f393097ad60742ba3dfb14758feaf01188662a091c91f914390761fdb5751e1cbdb201d21cc1a086d09a7326d140a58d196266c458a2ea18
- memory/448-139-0x0000000000000000-mapping.dmp
- memory/3736-137-0x0000000000400000-0x000000000040E000-memory.dmp
  Filesize: 56KB
- memory/3736-136-0x0000000000000000-mapping.dmp
- memory/4100-135-0x0000000008850000-0x00000000088B6000-memory.dmp
  Filesize: 408KB
- memory/4100-130-0x0000000000510000-0x0000000000578000-memory.dmp
  Filesize: 416KB
- memory/4100-134-0x00000000086E0000-0x000000000877C000-memory.dmp
  Filesize: 624KB
- memory/4100-133-0x0000000004F30000-0x0000000004F3A000-memory.dmp
  Filesize: 40KB
- memory/4100-132-0x0000000004F80000-0x0000000005012000-memory.dmp
  Filesize: 584KB
- memory/4100-131-0x0000000005530000-0x0000000005AD4000-memory.dmp
  Filesize: 5.6MB
- memory/4128-142-0x0000000000000000-mapping.dmp
- memory/4796-143-0x0000000000000000-mapping.dmp