Analysis
- max time kernel: 178s
- max time network: 197s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 23:29
Behavioral task
- behavioral1
- Sample: bf65c8e2290aee1cd322f28edf25e804f9626636f0a3263281f172383b97b656.exe
- Resource: win7-20220414-en
General
- Target: bf65c8e2290aee1cd322f28edf25e804f9626636f0a3263281f172383b97b656.exe
- Size: 93KB
- MD5: 74561ab8272480ac06696738092ce507
- SHA1: 5182c427adf49862dcb6d2444df487c9f1bb21da
- SHA256: bf65c8e2290aee1cd322f28edf25e804f9626636f0a3263281f172383b97b656
- SHA512: 07a710a0be9869f2759bf3bcd25a0d981f9503604dd0629cad43114da0942de6fc16da34330e41d7f1c88d43565c70b66c5c4095908392b370abe266b5be7c62
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: HacKed
- C2: FRANSESCOC50Y3Aubmdyb2suaW8Strik:MTM1Nzg=
- Mutex: 73137daa68006467b187b2f414df684d
- Attributes:
  - reg_key: 73137daa68006467b187b2f414df684d
  - splitter: |'|'|
Signatures
-
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
4244 | server.exe
-
Modifies Windows Firewall 1 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | bf65c8e2290aee1cd322f28edf25e804f9626636f0a3263281f172383b97b656.exe
-
Drops startup file 4 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | server.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | server.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\73137daa68006467b187b2f414df684dWindows Update.exe | server.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\73137daa68006467b187b2f414df684dWindows Update.exe | server.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
pid | process
3160 | bf65c8e2290aee1cd322f28edf25e804f9626636f0a3263281f172383b97b656.exe
4244 | server.exe
-
Suspicious use of AdjustPrivilegeToken 29 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 4244 | server.exe
Token: 33 | 4244 | server.exe
Token: SeIncBasePriorityPrivilege | 4244 | server.exe
(The pair of rows "Token: 33" / "Token: SeIncBasePriorityPrivilege" is reported 14 times for PID 4244, giving 29 entries in total.)
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description | pid | process | target process
PID 3160 wrote to memory of 4244 | 3160 | bf65c8e2290aee1cd322f28edf25e804f9626636f0a3263281f172383b97b656.exe | server.exe
PID 3160 wrote to memory of 4244 | 3160 | bf65c8e2290aee1cd322f28edf25e804f9626636f0a3263281f172383b97b656.exe | server.exe
PID 3160 wrote to memory of 4244 | 3160 | bf65c8e2290aee1cd322f28edf25e804f9626636f0a3263281f172383b97b656.exe | server.exe
PID 4244 wrote to memory of 3956 | 4244 | server.exe | netsh.exe
PID 4244 wrote to memory of 3956 | 4244 | server.exe | netsh.exe
PID 4244 wrote to memory of 3956 | 4244 | server.exe | netsh.exe
PID 4244 wrote to memory of 2236 | 4244 | server.exe | netsh.exe
PID 4244 wrote to memory of 2236 | 4244 | server.exe | netsh.exe
PID 4244 wrote to memory of 2236 | 4244 | server.exe | netsh.exe
PID 4244 wrote to memory of 332 | 4244 | server.exe | netsh.exe
PID 4244 wrote to memory of 332 | 4244 | server.exe | netsh.exe
PID 4244 wrote to memory of 332 | 4244 | server.exe | netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\bf65c8e2290aee1cd322f28edf25e804f9626636f0a3263281f172383b97b656.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bf65c8e2290aee1cd322f28edf25e804f9626636f0a3263281f172383b97b656.exe"
  - Checks computer location settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  -
  C:\Users\Admin\AppData\Local\Temp\server.exe (child of the process above)
    Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
    - Executes dropped EXE
    - Drops startup file
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\netsh.exe (child of server.exe)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
    -
    C:\Windows\SysWOW64\netsh.exe (child of server.exe)
      Command line: netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
    -
    C:\Windows\SysWOW64\netsh.exe (child of server.exe)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\server.exe
- Filesize: 93KB
- MD5: 74561ab8272480ac06696738092ce507
- SHA1: 5182c427adf49862dcb6d2444df487c9f1bb21da
- SHA256: bf65c8e2290aee1cd322f28edf25e804f9626636f0a3263281f172383b97b656
- SHA512: 07a710a0be9869f2759bf3bcd25a0d981f9503604dd0629cad43114da0942de6fc16da34330e41d7f1c88d43565c70b66c5c4095908392b370abe266b5be7c62
-
C:\Users\Admin\AppData\Roaming\app
- Filesize: 5B
- MD5: f478c76bbb3174dbc7fabae62224f818
- SHA1: bed239508bad9fcd15a9bdea1e132f62468d07d1
- SHA256: d7a0af52f260c87ef40bdfc1f1196faf7797593d62c6120ae99957d78762ed1a
- SHA512: b653aa05746c721c9129456de3798d9e94385a0e5630c5d497fa0d6076274560885edd5875232b40d07aafa3f0e929e9b3bf2ff388ad2c21b3589cb01b79f94b
-
memory/332-138-0x0000000000000000-mapping.dmp
-
memory/2236-137-0x0000000000000000-mapping.dmp
-
memory/3160-130-0x0000000074F50000-0x0000000075501000-memory.dmp
- Filesize: 5.7MB
-
memory/3956-136-0x0000000000000000-mapping.dmp
-
memory/4244-131-0x0000000000000000-mapping.dmp
-
memory/4244-135-0x0000000074F50000-0x0000000075501000-memory.dmp
- Filesize: 5.7MB