Analysis

  • max time kernel
    186s
  • max time network
    203s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    20-05-2022 04:12

General

  • Target

    fa21401f20cba55b974d46788986e56e2e385da3cdd9260872567036a70ce168.exe

  • Size

    31KB

  • MD5

    f2599c8241785a47e4a5e54628e15ee2

  • SHA1

    6126a67caf537bc201f5e8d56ca83d1d6f094e9a

  • SHA256

    fa21401f20cba55b974d46788986e56e2e385da3cdd9260872567036a70ce168

  • SHA512

    e9b84b27669d85de7e9410a02f726024efd24cdad1c8d5840c03f433a97c70b20d1bf4bb3888caea3e82461214f5fb756a7ba9fdb634658b795d11494c872e1a

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

install

C2

2.132.107.223:6522

Mutex

bd5be1175c6ff120fdbcfd0476b2cd35

Attributes
  • reg_key

    bd5be1175c6ff120fdbcfd0476b2cd35

  • splitter

    Y262SUCZ4UJJ

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Drops startup file 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fa21401f20cba55b974d46788986e56e2e385da3cdd9260872567036a70ce168.exe
    "C:\Users\Admin\AppData\Local\Temp\fa21401f20cba55b974d46788986e56e2e385da3cdd9260872567036a70ce168.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1260
    • C:\Users\Admin\AppData\Roaming\install.exe
      "C:\Users\Admin\AppData\Roaming\install.exe"
      2⤵
      • Executes dropped EXE
      • Drops startup file
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1152
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\install.exe" "install.exe" ENABLE
        3⤵
        PID:1988

    Network

    MITRE ATT&CK Matrix (ATT&CK v6)

    • Persistence: Modify Existing Service (1) T1031
    • Discovery: System Information Discovery (1) T1082

    Downloads

    • C:\Users\Admin\AppData\Roaming\install.exe
      Filesize

      31KB

      MD5

      f2599c8241785a47e4a5e54628e15ee2

      SHA1

      6126a67caf537bc201f5e8d56ca83d1d6f094e9a

      SHA256

      fa21401f20cba55b974d46788986e56e2e385da3cdd9260872567036a70ce168

      SHA512

      e9b84b27669d85de7e9410a02f726024efd24cdad1c8d5840c03f433a97c70b20d1bf4bb3888caea3e82461214f5fb756a7ba9fdb634658b795d11494c872e1a

    • \Users\Admin\AppData\Roaming\install.exe
      Filesize

      31KB

      MD5

      f2599c8241785a47e4a5e54628e15ee2

      SHA1

      6126a67caf537bc201f5e8d56ca83d1d6f094e9a

      SHA256

      fa21401f20cba55b974d46788986e56e2e385da3cdd9260872567036a70ce168

      SHA512

      e9b84b27669d85de7e9410a02f726024efd24cdad1c8d5840c03f433a97c70b20d1bf4bb3888caea3e82461214f5fb756a7ba9fdb634658b795d11494c872e1a

    • memory/1152-57-0x0000000000000000-mapping.dmp
    • memory/1152-61-0x0000000074A80000-0x000000007502B000-memory.dmp
      Filesize

      5.7MB

    • memory/1260-54-0x0000000075F61000-0x0000000075F63000-memory.dmp
      Filesize

      8KB

    • memory/1260-55-0x0000000074A80000-0x000000007502B000-memory.dmp
      Filesize

      5.7MB

    • memory/1988-62-0x0000000000000000-mapping.dmp