Analysis
-
max time kernel
147s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
20-05-2022 21:25
Static task
static1
Behavioral task
behavioral1
Sample
b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c.exe
Resource
win7-20220414-en
General
-
Target
b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c.exe
-
Size
3.3MB
-
MD5
4b5522eebcad10beac06216513281c63
-
SHA1
ec0fa68acfb0461a283df076b239191a69fed59a
-
SHA256
b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c
-
SHA512
9f233a6dc82c59f8bb0e97a92325de7f3abc11bc4999db8a365b8fab86dc07e69fa67f1ab59fccda13c4b40786e3265e0d41da8b967f4f392a602dc6198fc51a
Malware Config
Extracted
njrat
0.7.3
Lime
0.tcp.ngrok.io:17495
Client.exe
-
reg_key
Client.exe
-
splitter
123456
Signatures
-
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
-
suricata: ET MALWARE njRAT/Bladabindi Variant (Lime) CnC Checkin
suricata: ET MALWARE njRAT/Bladabindi Variant (Lime) CnC Checkin
-
Executes dropped EXE 2 IoCs
Processes:
DomerServerHack_2.0.exeNew Client.exepid process 1768 DomerServerHack_2.0.exe 1592 New Client.exe -
Loads dropped DLL 2 IoCs
Processes:
b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c.exepid process 1368 b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c.exe 1368 b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
Processes:
New Client.exedescription pid process Token: SeDebugPrivilege 1592 New Client.exe Token: 33 1592 New Client.exe Token: SeIncBasePriorityPrivilege 1592 New Client.exe Token: 33 1592 New Client.exe Token: SeIncBasePriorityPrivilege 1592 New Client.exe Token: 33 1592 New Client.exe Token: SeIncBasePriorityPrivilege 1592 New Client.exe Token: 33 1592 New Client.exe Token: SeIncBasePriorityPrivilege 1592 New Client.exe Token: 33 1592 New Client.exe Token: SeIncBasePriorityPrivilege 1592 New Client.exe Token: 33 1592 New Client.exe Token: SeIncBasePriorityPrivilege 1592 New Client.exe Token: 33 1592 New Client.exe Token: SeIncBasePriorityPrivilege 1592 New Client.exe Token: 33 1592 New Client.exe Token: SeIncBasePriorityPrivilege 1592 New Client.exe Token: 33 1592 New Client.exe Token: SeIncBasePriorityPrivilege 1592 New Client.exe Token: 33 1592 New Client.exe Token: SeIncBasePriorityPrivilege 1592 New Client.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c.exedescription pid process target process PID 1368 wrote to memory of 1768 1368 b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c.exe DomerServerHack_2.0.exe PID 1368 wrote to memory of 1768 1368 b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c.exe DomerServerHack_2.0.exe PID 1368 wrote to memory of 1768 1368 b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c.exe DomerServerHack_2.0.exe PID 1368 wrote to memory of 1768 1368 b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c.exe DomerServerHack_2.0.exe PID 1368 wrote to memory of 1592 1368 b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c.exe New Client.exe PID 1368 wrote to memory of 1592 1368 b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c.exe New Client.exe PID 1368 wrote to memory of 1592 1368 b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c.exe New Client.exe PID 1368 wrote to memory of 1592 1368 b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c.exe New Client.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c.exe"C:\Users\Admin\AppData\Local\Temp\b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\DomerServerHack_2.0.exe"C:\Users\Admin\AppData\Local\Temp\DomerServerHack_2.0.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\New Client.exe"C:\Users\Admin\AppData\Local\Temp\New Client.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\DomerServerHack_2.0.exeFilesize
3.3MB
MD5f6a0747b7a3be4bf1d4c03f22f07581d
SHA12990bd60d1db46ebfcd2642d44611067d49c9085
SHA2564010c544fc5fa52d76a7cde04990f4c03ca4206ce9f7e562dd9f36a7b3cff5b4
SHA512524c3587b5852eeff8fec78320ee76e6838bf149049accbd050b7fb5fa874b51fe54fb89c052fb12e6ad8662170dbe67d8a545ac56befa8482f98a675ff5907f
-
C:\Users\Admin\AppData\Local\Temp\DomerServerHack_2.0.exeFilesize
3.3MB
MD5f6a0747b7a3be4bf1d4c03f22f07581d
SHA12990bd60d1db46ebfcd2642d44611067d49c9085
SHA2564010c544fc5fa52d76a7cde04990f4c03ca4206ce9f7e562dd9f36a7b3cff5b4
SHA512524c3587b5852eeff8fec78320ee76e6838bf149049accbd050b7fb5fa874b51fe54fb89c052fb12e6ad8662170dbe67d8a545ac56befa8482f98a675ff5907f
-
C:\Users\Admin\AppData\Local\Temp\New Client.exeFilesize
78KB
MD50198215c77cb31181a484b8aa1ee2c7f
SHA1a5bbb8d8f740f83774dc3d74410ec0d39b31eea3
SHA2565a5af4428ce31293d9a101415fceee530ea46260d45c437cf8de6b76db933899
SHA512488b7b4ec514f45753781f76265bd1f625ba53cd215c395b22c5ed19edf101ff218d17979cf01f5aba3f9d86aa8c22015076efd86d363d1d751019b8e81f6233
-
C:\Users\Admin\AppData\Local\Temp\New Client.exeFilesize
78KB
MD50198215c77cb31181a484b8aa1ee2c7f
SHA1a5bbb8d8f740f83774dc3d74410ec0d39b31eea3
SHA2565a5af4428ce31293d9a101415fceee530ea46260d45c437cf8de6b76db933899
SHA512488b7b4ec514f45753781f76265bd1f625ba53cd215c395b22c5ed19edf101ff218d17979cf01f5aba3f9d86aa8c22015076efd86d363d1d751019b8e81f6233
-
\Users\Admin\AppData\Local\Temp\DomerServerHack_2.0.exeFilesize
3.3MB
MD5f6a0747b7a3be4bf1d4c03f22f07581d
SHA12990bd60d1db46ebfcd2642d44611067d49c9085
SHA2564010c544fc5fa52d76a7cde04990f4c03ca4206ce9f7e562dd9f36a7b3cff5b4
SHA512524c3587b5852eeff8fec78320ee76e6838bf149049accbd050b7fb5fa874b51fe54fb89c052fb12e6ad8662170dbe67d8a545ac56befa8482f98a675ff5907f
-
\Users\Admin\AppData\Local\Temp\New Client.exeFilesize
78KB
MD50198215c77cb31181a484b8aa1ee2c7f
SHA1a5bbb8d8f740f83774dc3d74410ec0d39b31eea3
SHA2565a5af4428ce31293d9a101415fceee530ea46260d45c437cf8de6b76db933899
SHA512488b7b4ec514f45753781f76265bd1f625ba53cd215c395b22c5ed19edf101ff218d17979cf01f5aba3f9d86aa8c22015076efd86d363d1d751019b8e81f6233
-
memory/1368-54-0x0000000076171000-0x0000000076173000-memory.dmpFilesize
8KB
-
memory/1592-60-0x0000000000000000-mapping.dmp
-
memory/1592-66-0x0000000073D50000-0x00000000742FB000-memory.dmpFilesize
5.7MB
-
memory/1768-56-0x0000000000000000-mapping.dmp
-
memory/1768-64-0x0000000000290000-0x00000000005DC000-memory.dmpFilesize
3.3MB
-
memory/1768-67-0x00000000022A5000-0x00000000022B6000-memory.dmpFilesize
68KB