Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
20-05-2022 21:25
Static task
static1
Behavioral task
behavioral1
Sample
b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c.exe
Resource
win7-20220414-en
General
-
Target
b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c.exe
-
Size
3.3MB
-
MD5
4b5522eebcad10beac06216513281c63
-
SHA1
ec0fa68acfb0461a283df076b239191a69fed59a
-
SHA256
b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c
-
SHA512
9f233a6dc82c59f8bb0e97a92325de7f3abc11bc4999db8a365b8fab86dc07e69fa67f1ab59fccda13c4b40786e3265e0d41da8b967f4f392a602dc6198fc51a
Malware Config
Extracted
njrat
0.7.3
Lime
0.tcp.ngrok.io:17495
Client.exe
-
reg_key
Client.exe
-
splitter
123456
Signatures
-
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
-
suricata: ET MALWARE njRAT/Bladabindi Variant (Lime) CnC Checkin
suricata: ET MALWARE njRAT/Bladabindi Variant (Lime) CnC Checkin
-
Executes dropped EXE 2 IoCs
Processes:
DomerServerHack_2.0.exeNew Client.exepid process 4572 DomerServerHack_2.0.exe 4752 New Client.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 35 IoCs
Processes:
New Client.exedescription pid process Token: SeDebugPrivilege 4752 New Client.exe Token: 33 4752 New Client.exe Token: SeIncBasePriorityPrivilege 4752 New Client.exe Token: 33 4752 New Client.exe Token: SeIncBasePriorityPrivilege 4752 New Client.exe Token: 33 4752 New Client.exe Token: SeIncBasePriorityPrivilege 4752 New Client.exe Token: 33 4752 New Client.exe Token: SeIncBasePriorityPrivilege 4752 New Client.exe Token: 33 4752 New Client.exe Token: SeIncBasePriorityPrivilege 4752 New Client.exe Token: 33 4752 New Client.exe Token: SeIncBasePriorityPrivilege 4752 New Client.exe Token: 33 4752 New Client.exe Token: SeIncBasePriorityPrivilege 4752 New Client.exe Token: 33 4752 New Client.exe Token: SeIncBasePriorityPrivilege 4752 New Client.exe Token: 33 4752 New Client.exe Token: SeIncBasePriorityPrivilege 4752 New Client.exe Token: 33 4752 New Client.exe Token: SeIncBasePriorityPrivilege 4752 New Client.exe Token: 33 4752 New Client.exe Token: SeIncBasePriorityPrivilege 4752 New Client.exe Token: 33 4752 New Client.exe Token: SeIncBasePriorityPrivilege 4752 New Client.exe Token: 33 4752 New Client.exe Token: SeIncBasePriorityPrivilege 4752 New Client.exe Token: 33 4752 New Client.exe Token: SeIncBasePriorityPrivilege 4752 New Client.exe Token: 33 4752 New Client.exe Token: SeIncBasePriorityPrivilege 4752 New Client.exe Token: 33 4752 New Client.exe Token: SeIncBasePriorityPrivilege 4752 New Client.exe Token: 33 4752 New Client.exe Token: SeIncBasePriorityPrivilege 4752 New Client.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c.exedescription pid process target process PID 5104 wrote to memory of 4572 5104 b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c.exe DomerServerHack_2.0.exe PID 5104 wrote to memory of 4572 5104 b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c.exe DomerServerHack_2.0.exe PID 5104 wrote to memory of 4572 5104 b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c.exe DomerServerHack_2.0.exe PID 5104 wrote to memory of 4752 5104 b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c.exe New Client.exe PID 5104 wrote to memory of 4752 5104 b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c.exe New Client.exe PID 5104 wrote to memory of 4752 5104 b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c.exe New Client.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c.exe"C:\Users\Admin\AppData\Local\Temp\b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\DomerServerHack_2.0.exe"C:\Users\Admin\AppData\Local\Temp\DomerServerHack_2.0.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\New Client.exe"C:\Users\Admin\AppData\Local\Temp\New Client.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\DomerServerHack_2.0.exeFilesize
3.3MB
MD5f6a0747b7a3be4bf1d4c03f22f07581d
SHA12990bd60d1db46ebfcd2642d44611067d49c9085
SHA2564010c544fc5fa52d76a7cde04990f4c03ca4206ce9f7e562dd9f36a7b3cff5b4
SHA512524c3587b5852eeff8fec78320ee76e6838bf149049accbd050b7fb5fa874b51fe54fb89c052fb12e6ad8662170dbe67d8a545ac56befa8482f98a675ff5907f
-
C:\Users\Admin\AppData\Local\Temp\DomerServerHack_2.0.exeFilesize
3.3MB
MD5f6a0747b7a3be4bf1d4c03f22f07581d
SHA12990bd60d1db46ebfcd2642d44611067d49c9085
SHA2564010c544fc5fa52d76a7cde04990f4c03ca4206ce9f7e562dd9f36a7b3cff5b4
SHA512524c3587b5852eeff8fec78320ee76e6838bf149049accbd050b7fb5fa874b51fe54fb89c052fb12e6ad8662170dbe67d8a545ac56befa8482f98a675ff5907f
-
C:\Users\Admin\AppData\Local\Temp\New Client.exeFilesize
78KB
MD50198215c77cb31181a484b8aa1ee2c7f
SHA1a5bbb8d8f740f83774dc3d74410ec0d39b31eea3
SHA2565a5af4428ce31293d9a101415fceee530ea46260d45c437cf8de6b76db933899
SHA512488b7b4ec514f45753781f76265bd1f625ba53cd215c395b22c5ed19edf101ff218d17979cf01f5aba3f9d86aa8c22015076efd86d363d1d751019b8e81f6233
-
C:\Users\Admin\AppData\Local\Temp\New Client.exeFilesize
78KB
MD50198215c77cb31181a484b8aa1ee2c7f
SHA1a5bbb8d8f740f83774dc3d74410ec0d39b31eea3
SHA2565a5af4428ce31293d9a101415fceee530ea46260d45c437cf8de6b76db933899
SHA512488b7b4ec514f45753781f76265bd1f625ba53cd215c395b22c5ed19edf101ff218d17979cf01f5aba3f9d86aa8c22015076efd86d363d1d751019b8e81f6233
-
memory/4572-130-0x0000000000000000-mapping.dmp
-
memory/4572-137-0x0000000000E30000-0x000000000117C000-memory.dmpFilesize
3.3MB
-
memory/4572-138-0x0000000005F10000-0x00000000064B4000-memory.dmpFilesize
5.6MB
-
memory/4572-139-0x0000000005A00000-0x0000000005A92000-memory.dmpFilesize
584KB
-
memory/4572-140-0x00000000059F0000-0x00000000059FA000-memory.dmpFilesize
40KB
-
memory/4752-133-0x0000000000000000-mapping.dmp
-
memory/4752-136-0x0000000074DC0000-0x0000000075371000-memory.dmpFilesize
5.7MB