Analysis
- max time kernel: 155s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 04:31
Behavioral task: behavioral1
- Sample: 53865d1829e63413261f2353933102b40a3b2f605b6c7ba3b89b287b309ba926.exe
- Resource: win7-20220414-en
General
- Target: 53865d1829e63413261f2353933102b40a3b2f605b6c7ba3b89b287b309ba926.exe
- Size: 93KB
- MD5: 34307aa6518e2d8793bbcc79ecee7fc0
- SHA1: 019d4bd745bfc4d36f196ed6ed41d81e478c0d10
- SHA256: 53865d1829e63413261f2353933102b40a3b2f605b6c7ba3b89b287b309ba926
- SHA512: 6ea91a8df045be7ea6fced1c0e67eeba4ecd1688f891a02feedd84c594eade0d67338158413fb97a8024ed4848858d2ac2cf0df656ea848d9a9af664d7177974
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: HacKed
- C2: FRANSESCOC50Y3Aubmdyb2suaW8Strik:MTM1Nzg=
- Mutex: 73137daa68006467b187b2f414df684d
- reg_key: 73137daa68006467b187b2f414df684d
- splitter: |'|'|
Signatures
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
- Executes dropped EXE (1 IoCs)
  Processes: server.exe
    pid | process
    1168 | server.exe
- Modifies Windows Firewall (1 TTPs)
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 53865d1829e63413261f2353933102b40a3b2f605b6c7ba3b89b287b309ba926.exe
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | 53865d1829e63413261f2353933102b40a3b2f605b6c7ba3b89b287b309ba926.exe
- Drops startup file (4 IoCs)
  Processes: server.exe
    description | ioc | process
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | server.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | server.exe
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\73137daa68006467b187b2f414df684dWindows Update.exe | server.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\73137daa68006467b187b2f414df684dWindows Update.exe | server.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  Processes: 53865d1829e63413261f2353933102b40a3b2f605b6c7ba3b89b287b309ba926.exe, server.exe
    pid | process
    4480 | 53865d1829e63413261f2353933102b40a3b2f605b6c7ba3b89b287b309ba926.exe
    1168 | server.exe
- Suspicious use of AdjustPrivilegeToken (31 IoCs)
  Processes: server.exe
    description | pid | process
    Token: SeDebugPrivilege | 1168 | server.exe
    Token: 33 | 1168 | server.exe
    Token: SeIncBasePriorityPrivilege | 1168 | server.exe
    (the last two rows repeat 15 times in the report, 31 rows in total)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 53865d1829e63413261f2353933102b40a3b2f605b6c7ba3b89b287b309ba926.exe, server.exe
    description | pid | process | target process
    PID 4480 wrote to memory of 1168 | 4480 | 53865d1829e63413261f2353933102b40a3b2f605b6c7ba3b89b287b309ba926.exe | server.exe
    PID 4480 wrote to memory of 1168 | 4480 | 53865d1829e63413261f2353933102b40a3b2f605b6c7ba3b89b287b309ba926.exe | server.exe
    PID 4480 wrote to memory of 1168 | 4480 | 53865d1829e63413261f2353933102b40a3b2f605b6c7ba3b89b287b309ba926.exe | server.exe
    PID 1168 wrote to memory of 2208 | 1168 | server.exe | netsh.exe
    PID 1168 wrote to memory of 2208 | 1168 | server.exe | netsh.exe
    PID 1168 wrote to memory of 2208 | 1168 | server.exe | netsh.exe
    PID 1168 wrote to memory of 3716 | 1168 | server.exe | netsh.exe
    PID 1168 wrote to memory of 3716 | 1168 | server.exe | netsh.exe
    PID 1168 wrote to memory of 3716 | 1168 | server.exe | netsh.exe
    PID 1168 wrote to memory of 3988 | 1168 | server.exe | netsh.exe
    PID 1168 wrote to memory of 3988 | 1168 | server.exe | netsh.exe
    PID 1168 wrote to memory of 3988 | 1168 | server.exe | netsh.exe
Processes (indentation shows the process tree; the number is the depth)
1. C:\Users\Admin\AppData\Local\Temp\53865d1829e63413261f2353933102b40a3b2f605b6c7ba3b89b287b309ba926.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\53865d1829e63413261f2353933102b40a3b2f605b6c7ba3b89b287b309ba926.exe"
   - Checks computer location settings
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\server.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
      - Executes dropped EXE
      - Drops startup file
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\server.exe
  Filesize: 93KB
  MD5: 34307aa6518e2d8793bbcc79ecee7fc0
  SHA1: 019d4bd745bfc4d36f196ed6ed41d81e478c0d10
  SHA256: 53865d1829e63413261f2353933102b40a3b2f605b6c7ba3b89b287b309ba926
  SHA512: 6ea91a8df045be7ea6fced1c0e67eeba4ecd1688f891a02feedd84c594eade0d67338158413fb97a8024ed4848858d2ac2cf0df656ea848d9a9af664d7177974
- C:\Users\Admin\AppData\Roaming\app
  Filesize: 5B
  MD5: 53ce6d1ae8885b5d12e654469f456c83
  SHA1: 9d8b30c523ddef4d24134072b27716bec7d94d6f
  SHA256: d7ebf92ad6e3bc44fbc3cfbb234ef4afafd7ea339f712229641a2849b6f87ce2
  SHA512: c15df9281e9ccbb8d30e24e751b77a030e734f8cda4bd9482d3ca02f6b23e463a8e90ddd78a582ca059e57b8d0492c22583d792bc7368094ffc06e12cd145d9d
- memory/1168-131-0x0000000000000000-mapping.dmp
- memory/1168-135-0x00000000752D0000-0x0000000075881000-memory.dmp
  Filesize: 5.7MB
- memory/2208-136-0x0000000000000000-mapping.dmp
- memory/3716-137-0x0000000000000000-mapping.dmp
- memory/3988-138-0x0000000000000000-mapping.dmp
- memory/4480-130-0x00000000752D0000-0x0000000075881000-memory.dmp
  Filesize: 5.7MB