General

Target: 9d46b723ec666db3e73ae900c474d660.exe
Filesize: 290KB
Completed: 21-05-2022 16:21
Task: behavioral2
Score: 10/10

MD5: 9d46b723ec666db3e73ae900c474d660
SHA1: a801d00b65f847806ea5c2496c62efae283b3a94
SHA256: 80bb4f3c9e2ea5ea1ca55ffa2a5fd303058c240133d32b93e7c89a96712a5cba
SHA512: 4d26098cac7368afb62c41b3c9a06870f6ae3d1fe4883ba9a4d5755d9a2e363b2d8cba55ec637ab24362a32a2c4c362d0192659a5abd62f87c2f0b0a9ed3c9cc

Malware Config

Extracted
Family: njrat
Version: im523
Botnet: WormRATT
C2: 178.33.93.88:1742
Attributes:
  reg_key: 7869d44e9b90d6b1e669bf52c9e89c61
  splitter: |'|'|

The reg_key value is reused on the host as the Run value name and as the Startup-folder file name (see the persistence signatures below), so it is a usable host IOC as well as a config field.
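The splitter and version string above are what a network parser keys on. The following Python is an added example, not part of this report and not njRAT's own code, that frames and unframes messages the way public njRAT write-ups describe the protocol: a decimal length, a NUL byte, then splitter-delimited fields. That framing rule, the field order of the sample beacon and the victim id are assumptions for illustration; only the splitter, C2 address and version values come from the extracted config.

```python
"""Framing parser for njRAT-style C2 traffic, keyed to the extracted config.
Added example, not from the report. Assumption (from public njRAT write-ups,
not stated on this page): each message is <decimal length>, a NUL byte, then
the payload, and payload fields are joined by the configured splitter."""
import base64

SPLITTER = "|'|'|"                        # from the extracted config
C2_HOST, C2_PORT = "178.33.93.88", 1742   # from the extracted config
VERSION = "im523"                         # from the extracted config


def frame(fields):
    """Build one wire message from a list of string fields."""
    payload = SPLITTER.join(fields).encode("utf-8")
    return str(len(payload)).encode() + b"\x00" + payload


def unframe_stream(buf):
    """Split a reassembled TCP stream into complete messages.
    Returns (list_of_field_lists, leftover_bytes); the leftover is an
    incomplete trailing frame the caller should prepend to the next chunk."""
    messages = []
    while True:
        nul = buf.find(b"\x00")
        if nul <= 0 or not buf[:nul].isdigit():
            break                                   # no valid length prefix yet
        length, start = int(buf[:nul]), nul + 1
        if len(buf) < start + length:
            break                                   # partial frame: wait for more data
        payload = buf[start:start + length].decode("utf-8", errors="replace")
        messages.append(payload.split(SPLITTER))
        buf = buf[start + length:]
    return messages, buf


def looks_like_njrat(buf):
    """Cheap first-pass filter: a well-formed length prefix followed by a
    payload that contains the splitter at least once."""
    messages, _ = unframe_stream(buf)
    return any(len(m) > 1 for m in messages)


def extract_version(fields):
    """Return the field equal to the configured version string, if present."""
    return next((f for f in fields if f == VERSION), None)


# Constructed beacon; the field order is illustrative, not the real layout:
# command "ll", base64 victim id, hostname, user, OS string, version.
SAMPLE_BEACON = frame(["ll", base64.b64encode(b"WormRATT_VICTIM-PC").decode(),
                       "VICTIM-PC", "Admin", "Win 10 Pro", VERSION])

if __name__ == "__main__":
    stream = SAMPLE_BEACON + frame(["ping"]) + b"12\x00part"   # trailing partial frame
    msgs, rest = unframe_stream(stream)
    for m in msgs:
        print(m[0], extract_version(m))
    print("leftover:", rest)
```

Reassembled TCP streams arrive in arbitrary chunks, so unframe_stream hands back the unparsed tail for the caller to prepend to the next chunk. looks_like_njrat is only a first-pass filter: a bare single-field message carries no splitter and will not match, so pair it with the C2 address and port from the config when hunting.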
Signatures (14)

Tactics: Defense Evasion, Discovery, Lateral Movement, Persistence
  • njRAT/Bladabindi

    Description

    Widely used RAT written in .NET.

  • Downloads MZ/PE file
  • Executes dropped EXE
    Server.exe, install.exe, xuSnMEBMdrNBKicGIoJOWMrBBzEbipUggwzDuTib.exe, Server.exe, install.exe, svchost.exe

    Reported IOCs

    pid   process
    3744  Server.exe
    3064  install.exe
    4720  xuSnMEBMdrNBKicGIoJOWMrBBzEbipUggwzDuTib.exe
    3216  Server.exe
    4536  install.exe
    1836  svchost.exe
  • Modifies Windows Firewall

    TTPs

    Modify Existing Service
  • Checks computer location settings
    9d46b723ec666db3e73ae900c474d660.exe, install.exe, xuSnMEBMdrNBKicGIoJOWMrBBzEbipUggwzDuTib.exe, Server.exe

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description        ioc                                                                                                    process
    Key value queried  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation  9d46b723ec666db3e73ae900c474d660.exe
    Key value queried  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation  install.exe
    Key value queried  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation  xuSnMEBMdrNBKicGIoJOWMrBBzEbipUggwzDuTib.exe
    Key value queried  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation  Server.exe
  • Drops startup file
    svchost.exe

    Reported IOCs

    description                   ioc                                                                                                          process
    File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7869d44e9b90d6b1e669bf52c9e89c61.exe  svchost.exe
    File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7869d44e9b90d6b1e669bf52c9e89c61.exe  svchost.exe
  • Adds Run key to start application
    install.exe, install.exe, svchost.exe

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    description      ioc                                                                                                                                                                        process
    Set value (str)  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinDrvs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wininit.exe"  install.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinDrvs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wininit.exe"  install.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7869d44e9b90d6b1e669bf52c9e89c61 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."  svchost.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\7869d44e9b90d6b1e669bf52c9e89c61 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."  svchost.exe
  • Drops autorun.inf file

    Description

    Malware can abuse Windows Autorun to spread further via attached volumes.

    TTPs

    Replication Through Removable Media
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic text for this signature reads "Likely ransomware behaviour"; in this task it appears together with the autorun.inf drop above, which points to removable-media spreading rather than file encryption.

    TTPs

    System Information Discovery
  • Program crash
    WerFault.exe

    Reported IOCs

    pid   pid_target  process       target process
    2324  3064        WerFault.exe  install.exe
  • Suspicious behavior: EnumeratesProcesses
    install.exe

    Reported IOCs (64 identical events collapsed into one row)

    pid   process      count
    4536  install.exe  64
  • Suspicious behavior: GetForegroundWindowSpam
    svchost.exe

    Reported IOCs

    pid   process
    1836  svchost.exe
  • Suspicious use of AdjustPrivilegeToken
    install.exe, install.exe, svchost.exe

    Reported IOCs (repeated identical events collapsed; count in last column)

    description                        pid   process      count
    Token: SeDebugPrivilege            3064  install.exe  1
    Token: SeDebugPrivilege            4536  install.exe  1
    Token: SeDebugPrivilege            1836  svchost.exe  1
    Token: 33                          1836  svchost.exe  17
    Token: SeIncBasePriorityPrivilege  1836  svchost.exe  17
  • Suspicious use of WriteProcessMemory
    9d46b723ec666db3e73ae900c474d660.exe, install.exe, xuSnMEBMdrNBKicGIoJOWMrBBzEbipUggwzDuTib.exe, Server.exe, svchost.exe

    Reported IOCs (each write was reported three times; collapsed to one row per source/target pair)

    source pid  source process                                target pid  target process
    1860        9d46b723ec666db3e73ae900c474d660.exe          3744        Server.exe
    1860        9d46b723ec666db3e73ae900c474d660.exe          3064        install.exe
    3064        install.exe                                   4720        xuSnMEBMdrNBKicGIoJOWMrBBzEbipUggwzDuTib.exe
    4720        xuSnMEBMdrNBKicGIoJOWMrBBzEbipUggwzDuTib.exe  3216        Server.exe
    4720        xuSnMEBMdrNBKicGIoJOWMrBBzEbipUggwzDuTib.exe  4536        install.exe
    3744        Server.exe                                    1836        svchost.exe
    1836        svchost.exe                                   1184        netsh.exe
Processes 10
  • C:\Users\Admin\AppData\Local\Temp\9d46b723ec666db3e73ae900c474d660.exe
    "C:\Users\Admin\AppData\Local\Temp\9d46b723ec666db3e73ae900c474d660.exe"
    Checks computer location settings
    Suspicious use of WriteProcessMemory
    PID:1860
    • C:\Users\Admin\AppData\Local\Temp\Server.exe
      "C:\Users\Admin\AppData\Local\Temp\Server.exe"
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:3744
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        Executes dropped EXE
        Drops startup file
        Adds Run key to start application
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        PID:1836
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
          PID:1184
    • C:\Users\Admin\AppData\Local\Temp\install.exe
      "C:\Users\Admin\AppData\Local\Temp\install.exe"
      Executes dropped EXE
      Checks computer location settings
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3064
      • C:\Users\Admin\AppData\Local\Temp\xuSnMEBMdrNBKicGIoJOWMrBBzEbipUggwzDuTib.exe
        "C:\Users\Admin\AppData\Local\Temp\xuSnMEBMdrNBKicGIoJOWMrBBzEbipUggwzDuTib.exe"
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        PID:4720
        • C:\Users\Admin\AppData\Local\Temp\Server.exe
          "C:\Users\Admin\AppData\Local\Temp\Server.exe"
          Executes dropped EXE
          PID:3216
        • C:\Users\Admin\AppData\Local\Temp\install.exe
          "C:\Users\Admin\AppData\Local\Temp\install.exe"
          Executes dropped EXE
          Adds Run key to start application
          Suspicious behavior: EnumeratesProcesses
          Suspicious use of AdjustPrivilegeToken
          PID:4536
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 2212
        Program crash
        PID:2324
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3064 -ip 3064
    PID:1040
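The tree above shows the persistence chain in one place: a binary named svchost.exe running from the user's Temp directory, a Run value and a Startup-folder file both named after the reg_key, and netsh opening a firewall exception for that binary. The Python below is an added example, not part of the sandbox report, that turns those four observations into host-side rules and runs them over constructed Sysmon-like events that mirror the tree. The event field names, the event id mapping and the two benign control events are this example's own assumptions.

```python
"""Host-side detection for the persistence chain in the process tree above.
Added example, not part of the report. Event dicts are constructed here in a
Sysmon-like shape (id 1 = process create, 11 = file create, 13 = registry
value set); the field names are this example's own choice."""
import ntpath
import re
from collections import defaultdict

# Directories a standard user can write to; a Run value or firewall exception
# pointing here is far more suspicious than one pointing into Program Files.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")
SYSTEM_BINARIES = {"svchost.exe", "wininit.exe", "csrss.exe", "lsass.exe", "explorer.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def image_from_cmd(cmd):
    """First token of a command line, honouring quotes ('"C:\\x y\\a.exe" ..' -> C:\\x y\\a.exe)."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', cmd)
    return (m.group(1) or m.group(2)) if m else cmd


def in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def rule_masquerade_system_binary(ev):
    """A Windows system binary name running from outside System32/SysWOW64."""
    image = ev["image"].lower()
    return ntpath.basename(image) in SYSTEM_BINARIES and not image.startswith(SYSTEM_DIRS)


def rule_run_key_to_user_dir(ev):
    """Run value whose command points into a user-writable directory."""
    return "\\currentversion\\run\\" in ev["key"].lower() and in_user_writable(image_from_cmd(ev["data"]))


def rule_startup_folder_drop(ev):
    """Executable content written to a Startup folder."""
    target = ev["target"].lower()
    return "\\start menu\\programs\\startup\\" in target and target.endswith((".exe", ".lnk", ".vbs", ".bat"))


def rule_netsh_allowedprogram_user_dir(ev):
    """netsh firewall exception for a program in a user-writable directory."""
    cmd = ev["cmd"].lower()
    if "netsh" not in ntpath.basename(ev["image"].lower()) or "allowedprogram" not in cmd:
        return False
    return any(in_user_writable(p) for p in re.findall(r'"([^"]+)"', ev["cmd"]))


RULES = {
    1: [rule_masquerade_system_binary, rule_netsh_allowedprogram_user_dir],
    11: [rule_startup_folder_drop],
    13: [rule_run_key_to_user_dir],
}


def analyze(events):
    """Return {pid: sorted rule names} for every process that fired at least one rule."""
    hits = defaultdict(set)
    for ev in events:
        for rule in RULES.get(ev["id"], []):
            if rule(ev):
                hits[ev["pid"]].add(rule.__name__[len("rule_"):])
    return {pid: sorted(names) for pid, names in hits.items()}


# Constructed events mirroring the report's tree, plus two benign controls.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 1836, "image": r"C:\Users\Admin\AppData\Local\Temp\svchost.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\svchost.exe"'},
    {"id": 13, "pid": 1836,
     "key": r"HKU\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7869d44e9b90d6b1e669bf52c9e89c61",
     "data": r'"C:\Users\Admin\AppData\Local\Temp\svchost.exe" ..'},
    {"id": 11, "pid": 1836,
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7869d44e9b90d6b1e669bf52c9e89c61.exe"},
    {"id": 1, "pid": 1184, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmd": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE'},
    {"id": 1, "pid": 900, "image": r"C:\Windows\System32\svchost.exe",          # real svchost
     "cmd": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"id": 13, "pid": 4100, "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "data": r'"C:\Program Files\Vendor\updater.exe" /quiet'},                  # vendor Run value
]

if __name__ == "__main__":
    for pid, names in analyze(SAMPLE_EVENTS).items():
        print(pid, ", ".join(names))
```

The rules key on where the referenced binary lives rather than on its name, so the real C:\Windows\System32\svchost.exe and a vendor Run value under Program Files do not fire, while every element of the chain above attributes to pid 1836 and its netsh child. Joining the hits by pid (or by parent pid, for the netsh exception) is what makes the combination stand out in a real log stream.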
Network

MITRE ATT&CK Matrix

Downloads
  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Server.exe.log
    MD5: da4fafeffe21b7cb3a8c170ca7911976
    SHA1: 50ef77e2451ab60f93f4db88325b897d215be5ad
    SHA256: 7341a4a13e81cbb5b7f39ec47bb45f84836b08b8d8e3ea231d2c7dad982094f7
    SHA512: 0bc24b69460f31a0ebc0628b99908d818ee85feb7e4b663271d9375b30cced0cd55a0bbf8edff1281a4c886ddf4476ffc989c283069cdcb1235ffcb265580fc6

  • C:\Users\Admin\AppData\Local\Temp\Server.exe (listed three times in the report with identical hashes)
    MD5: 05d1abc69e538eb3c86bfeacc33c2a10
    SHA1: f424222562968f86d5d043cce57b1a0389061150
    SHA256: cf37aa59e0d281f372b3801bcd62dba2dbf280d6f9edb48dc9c1565897d81918
    SHA512: e8aa15db240a82a24e8143df79fec3356e60942df6c26ca4ea995108d9e165292679dc94ea4ff55a7831ac0a47a938c45594733e48052aabf865284229751526

  • C:\Users\Admin\AppData\Local\Temp\install.exe (listed three times in the report with identical hashes)
    MD5: f0fd76de624b9ba3c126c58a5911f891
    SHA1: 0461b5f1ca0aea15b7ce10b6cd85838d8b467a6a
    SHA256: a76025cb6fa555f77738a9887f6fcd5d3610678170a61bfbe611ee56537f986b
    SHA512: 8b1b6b0a77778bc5dac1125930cfeadc21735ff3a92134e5bbc2f47196f80ab2a9777ad072925f785e76e8f4680ceb650254bbb5cd4e10d414982c2f22174b5b

  • C:\Users\Admin\AppData\Local\Temp\svchost.exe (listed twice; byte-identical to Server.exe above)
    MD5: 05d1abc69e538eb3c86bfeacc33c2a10
    SHA1: f424222562968f86d5d043cce57b1a0389061150
    SHA256: cf37aa59e0d281f372b3801bcd62dba2dbf280d6f9edb48dc9c1565897d81918
    SHA512: e8aa15db240a82a24e8143df79fec3356e60942df6c26ca4ea995108d9e165292679dc94ea4ff55a7831ac0a47a938c45594733e48052aabf865284229751526

  • C:\Users\Admin\AppData\Local\Temp\xuSnMEBMdrNBKicGIoJOWMrBBzEbipUggwzDuTib.exe (listed twice; byte-identical to the submitted sample)
    MD5: 9d46b723ec666db3e73ae900c474d660
    SHA1: a801d00b65f847806ea5c2496c62efae283b3a94
    SHA256: 80bb4f3c9e2ea5ea1ca55ffa2a5fd303058c240133d32b93e7c89a96712a5cba
    SHA512: 4d26098cac7368afb62c41b3c9a06870f6ae3d1fe4883ba9a4d5755d9a2e363b2d8cba55ec637ab24362a32a2c4c362d0192659a5abd62f87c2f0b0a9ed3c9cc

  Two points worth noting from this list: the CLR_v2.0_32 UsageLogs entry shows Server.exe running under the 32-bit .NET 2.0 runtime, consistent with the njRAT family, and the WinDrvs Run value written by install.exe points to C:\Users\Admin\AppData\Local\Temp\wininit.exe, which does not appear among the dropped files in this task.

  • memory/1184-156-0x0000000000000000-mapping.dmp
  • memory/1836-151-0x0000000000000000-mapping.dmp
  • memory/1836-154-0x0000000072A50000-0x0000000073001000-memory.dmp
  • memory/3064-132-0x0000000000000000-mapping.dmp
  • memory/3064-136-0x0000000000400000-0x000000000040C000-memory.dmp
  • memory/3064-137-0x00000000053A0000-0x0000000005944000-memory.dmp
  • memory/3064-138-0x0000000004DF0000-0x0000000004E8C000-memory.dmp
  • memory/3064-139-0x0000000004F30000-0x0000000004FC2000-memory.dmp
  • memory/3064-143-0x0000000006430000-0x0000000006496000-memory.dmp
  • memory/3216-145-0x0000000000000000-mapping.dmp
  • memory/3216-150-0x0000000072A50000-0x0000000073001000-memory.dmp
  • memory/3744-130-0x0000000000000000-mapping.dmp
  • memory/3744-140-0x0000000072A50000-0x0000000073001000-memory.dmp
  • memory/4536-147-0x0000000000000000-mapping.dmp
  • memory/4536-149-0x0000000005020000-0x000000000502A000-memory.dmp
  • memory/4720-141-0x0000000000000000-mapping.dmp