823d633ed0dd6822e1efa314ff214bd9128dd745e787426e1e4d9d781c7a57aa

General

Target

njSRC.exe
Size

72KB
MD5

97cb5e5d682b4dabae747fb83f2ab8fd
SHA1

865eccfc883ef3df747d8cfc93f0e2dd463ad4e3
SHA256

823d633ed0dd6822e1efa314ff214bd9128dd745e787426e1e4d9d781c7a57aa
SHA512

ebfcb0fae917c3e055988b6f21454561e17d4e2b5cbe7373a4480ee788117a33b7fdf76482bbef6e8342bdc2751b1459e9624b657dd69849c8d714b74deec9fc

Score

10^/10

evasion persistence suricata

Malware Config

Signatures

suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
Executes dropped EXE 1 IoCs

Processes:

chrome.exe

pid process

1196 chrome.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
1196	chrome.exe

Drops startup file 2 IoCs

Processes:

chrome.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\029beef927953d4fdcf3fbf356352119.exe	chrome.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\029beef927953d4fdcf3fbf356352119.exe	chrome.exe

Loads dropped DLL 1 IoCs

Processes:

njSRC.exe

pid process

956 njSRC.exe

pid	process
956	njSRC.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

chrome.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\029beef927953d4fdcf3fbf356352119 = "\"C:\\Users\\Admin\\AppData\\Roaming\\chrome.exe\" .."	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\029beef927953d4fdcf3fbf356352119 = "\"C:\\Users\\Admin\\AppData\\Roaming\\chrome.exe\" .."	chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeDebugPrivilege	1196	chrome.exe
Token: 33	1196	chrome.exe
Token: SeIncBasePriorityPrivilege	1196	chrome.exe
Token: 33	1196	chrome.exe
Token: SeIncBasePriorityPrivilege	1196	chrome.exe
Token: 33	1196	chrome.exe
Token: SeIncBasePriorityPrivilege	1196	chrome.exe
Token: 33	1196	chrome.exe
Token: SeIncBasePriorityPrivilege	1196	chrome.exe
Token: 33	1196	chrome.exe
Token: SeIncBasePriorityPrivilege	1196	chrome.exe
Token: 33	1196	chrome.exe
Token: SeIncBasePriorityPrivilege	1196	chrome.exe
Token: 33	1196	chrome.exe
Token: SeIncBasePriorityPrivilege	1196	chrome.exe
Token: 33	1196	chrome.exe
Token: SeIncBasePriorityPrivilege	1196	chrome.exe
Token: 33	1196	chrome.exe
Token: SeIncBasePriorityPrivilege	1196	chrome.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

njSRC.exechrome.exe

description	pid	process	target process
PID 956 wrote to memory of 1196	956	njSRC.exe	chrome.exe
PID 956 wrote to memory of 1196	956	njSRC.exe	chrome.exe
PID 956 wrote to memory of 1196	956	njSRC.exe	chrome.exe
PID 956 wrote to memory of 1196	956	njSRC.exe	chrome.exe
PID 1196 wrote to memory of 1664	1196	chrome.exe	netsh.exe
PID 1196 wrote to memory of 1664	1196	chrome.exe	netsh.exe
PID 1196 wrote to memory of 1664	1196	chrome.exe	netsh.exe
PID 1196 wrote to memory of 1664	1196	chrome.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\njSRC.exe
"C:\Users\Admin\AppData\Local\Temp\njSRC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:956

C:\Users\Admin\AppData\Roaming\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1196

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\chrome.exe" "chrome.exe" ENABLE
3⤵
PID:1664

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\chrome.exe
Filesize
72KB

MD5
97cb5e5d682b4dabae747fb83f2ab8fd

SHA1
865eccfc883ef3df747d8cfc93f0e2dd463ad4e3

SHA256
823d633ed0dd6822e1efa314ff214bd9128dd745e787426e1e4d9d781c7a57aa

SHA512
ebfcb0fae917c3e055988b6f21454561e17d4e2b5cbe7373a4480ee788117a33b7fdf76482bbef6e8342bdc2751b1459e9624b657dd69849c8d714b74deec9fc

Download Submit
C:\Users\Admin\AppData\Roaming\chrome.exe
Filesize
72KB

MD5
97cb5e5d682b4dabae747fb83f2ab8fd

SHA1
865eccfc883ef3df747d8cfc93f0e2dd463ad4e3

SHA256
823d633ed0dd6822e1efa314ff214bd9128dd745e787426e1e4d9d781c7a57aa

SHA512
ebfcb0fae917c3e055988b6f21454561e17d4e2b5cbe7373a4480ee788117a33b7fdf76482bbef6e8342bdc2751b1459e9624b657dd69849c8d714b74deec9fc

Download Submit
\Users\Admin\AppData\Roaming\chrome.exe
Filesize
72KB

MD5
97cb5e5d682b4dabae747fb83f2ab8fd

SHA1
865eccfc883ef3df747d8cfc93f0e2dd463ad4e3

SHA256
823d633ed0dd6822e1efa314ff214bd9128dd745e787426e1e4d9d781c7a57aa

SHA512
ebfcb0fae917c3e055988b6f21454561e17d4e2b5cbe7373a4480ee788117a33b7fdf76482bbef6e8342bdc2751b1459e9624b657dd69849c8d714b74deec9fc

Download Submit
memory/956-54-0x00000000763E1000-0x00000000763E3000-memory.dmp

Filesize
8KB

Download
memory/956-55-0x0000000074980000-0x0000000074F2B000-memory.dmp

Filesize
5.7MB

Download
memory/1196-57-0x0000000000000000-mapping.dmp

Download
memory/1196-61-0x0000000074980000-0x0000000074F2B000-memory.dmp

Filesize
5.7MB

Download
memory/1664-62-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads