Analysis
- max time kernel: 149s
- max time network: 174s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 23:29

Behavioral task: behavioral1
- Sample: bf65c8e2290aee1cd322f28edf25e804f9626636f0a3263281f172383b97b656.exe
- Resource: win7-20220414-en
General
- Target: bf65c8e2290aee1cd322f28edf25e804f9626636f0a3263281f172383b97b656.exe
- Size: 93KB
- MD5: 74561ab8272480ac06696738092ce507
- SHA1: 5182c427adf49862dcb6d2444df487c9f1bb21da
- SHA256: bf65c8e2290aee1cd322f28edf25e804f9626636f0a3263281f172383b97b656
- SHA512: 07a710a0be9869f2759bf3bcd25a0d981f9503604dd0629cad43114da0942de6fc16da34330e41d7f1c88d43565c70b66c5c4095908392b370abe266b5be7c62
Malware Config
Extracted
- njrat
- 0.7d
- HacKed
- FRANSESCOC50Y3Aubmdyb2suaW8Strik:MTM1Nzg=
- 73137daa68006467b187b2f414df684d
- reg_key: 73137daa68006467b187b2f414df684d
- splitter: |'|'|
Signatures
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
- Executes dropped EXE (1 IoC)
  Processes: server.exe (pid 1440)
- Modifies Windows Firewall (1 TTP)
- Drops startup file (4 IoCs)
  Process: server.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\73137daa68006467b187b2f414df684dWindows Update.exe
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\73137daa68006467b187b2f414df684dWindows Update.exe
- Loads dropped DLL (2 IoCs)
  Processes: bf65c8e2290aee1cd322f28edf25e804f9626636f0a3263281f172383b97b656.exe (pid 1840, two events)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: server.exe (pid 1440)
- Suspicious use of AdjustPrivilegeToken (15 IoCs)
  Process: server.exe (pid 1440)
  - Token: SeDebugPrivilege (1 event)
  - Token: 33 (7 events)
  - Token: SeIncBasePriorityPrivilege (7 events)
- Suspicious use of WriteProcessMemory (16 IoCs)
  - PID 1840 (bf65c8e2290aee1cd322f28edf25e804f9626636f0a3263281f172383b97b656.exe) wrote to memory of 1440 (server.exe), 4 events
  - PID 1440 (server.exe) wrote to memory of 1528 (netsh.exe), 4 events
  - PID 1440 (server.exe) wrote to memory of 336 (netsh.exe), 4 events
  - PID 1440 (server.exe) wrote to memory of 1864 (netsh.exe), 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\bf65c8e2290aee1cd322f28edf25e804f9626636f0a3263281f172383b97b656.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bf65c8e2290aee1cd322f28edf25e804f9626636f0a3263281f172383b97b656.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\server.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
    - Executes dropped EXE
    - Drops startup file
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\server.exe
  Filesize: 93KB
  MD5: 74561ab8272480ac06696738092ce507
  SHA1: 5182c427adf49862dcb6d2444df487c9f1bb21da
  SHA256: bf65c8e2290aee1cd322f28edf25e804f9626636f0a3263281f172383b97b656
  SHA512: 07a710a0be9869f2759bf3bcd25a0d981f9503604dd0629cad43114da0942de6fc16da34330e41d7f1c88d43565c70b66c5c4095908392b370abe266b5be7c62
- C:\Users\Admin\AppData\Roaming\app
  Filesize: 5B
  MD5: f478c76bbb3174dbc7fabae62224f818
  SHA1: bed239508bad9fcd15a9bdea1e132f62468d07d1
  SHA256: d7a0af52f260c87ef40bdfc1f1196faf7797593d62c6120ae99957d78762ed1a
  SHA512: b653aa05746c721c9129456de3798d9e94385a0e5630c5d497fa0d6076274560885edd5875232b40d07aafa3f0e929e9b3bf2ff388ad2c21b3589cb01b79f94b
- memory/336-66-0x0000000000000000-mapping.dmp
- memory/1440-58-0x0000000000000000-mapping.dmp
- memory/1440-62-0x00000000743A0000-0x000000007494B000-memory.dmp (Filesize: 5.7MB)
- memory/1528-64-0x0000000000000000-mapping.dmp
- memory/1840-54-0x00000000751C1000-0x00000000751C3000-memory.dmp (Filesize: 8KB)
- memory/1840-55-0x00000000743A0000-0x000000007494B000-memory.dmp (Filesize: 5.7MB)
- memory/1864-67-0x0000000000000000-mapping.dmp