Analysis
- Max time kernel: 150s
- Max time network: 153s
- Platform: windows10-2004_x64
- Resource: win10v2004-20220414-en
- Submitted: 16-06-2022 22:46

Behavioral task: behavioral1
- Sample: hello.exe
- Resource: win7-20220414-en

General
- Target: hello.exe
- Size: 37KB
- MD5: f6578c4f484063121bb63109b543fb95
- SHA1: baae4772f958a85f2420a7c112f3b0ee02f962ce
- SHA256: c27c8f029c0ce21a116cdb60c78676cac7ea9dd38aab8bf5c394075b407d6f5e
- SHA512: 882590671a309211271e40665ad0561c2f9474aac477a55dbe79e58122cb4370854641e84a9bd7d2d138eca3bef2d2453bacac501042139a7ec74cd37cacd87c
Malware Config
Extracted family: njrat
- Version: im523
- Botnet: NEXT
- C2: 109.197.196.135:9991
- Mutex: 413491cbe232876548b9b7cd8a1b451d
- reg_key: 413491cbe232876548b9b7cd8a1b451d
- splitter: |'|'|
Signatures
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
- suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Message)
- suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Remote Desktop)
- suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Remote Desktop)
Executes dropped EXE (4 IoCs)
Processes:
- tmpEC5.tmp.exe (PID 4804)
- tmp2F2F.tmp.exe (PID 1456)
- dllhost.exe (PID 1988)
- crazyinvers.exe (PID 4340)

Modifies Windows Firewall (1 TTP, 3 IoCs)
Processes:
- netsh.exe (PID 1612)
- netsh.exe (PID 3992)
- netsh.exe (PID 3632)
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (description / IoC / process):
- Key value queried: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation (hello.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation (tmp2F2F.tmp.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation (tmpEC5.tmp.exe)
Drops startup file (4 IoCs)
Processes (description / IoC / process):
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\17a12256c22089ecda68e950006be021.exe (hello.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\17a12256c22089ecda68e950006be021.exe (hello.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\413491cbe232876548b9b7cd8a1b451d.exe (dllhost.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\413491cbe232876548b9b7cd8a1b451d.exe (dllhost.exe)
Adds Run key to start application (2 TTPs, 6 IoCs)
Processes (description / IoC / process):
- Set value (str): \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\17a12256c22089ecda68e950006be021 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\hello.exe\" .." (hello.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\17a12256c22089ecda68e950006be021 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\hello.exe\" .." (hello.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\075bed74890e43c52d546584d6c1b9c7 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpEC5.tmp.exe\" .." (tmpEC5.tmp.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\075bed74890e43c52d546584d6c1b9c7 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpEC5.tmp.exe\" .." (tmpEC5.tmp.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\413491cbe232876548b9b7cd8a1b451d = "\"C:\\Users\\Admin\\AppData\\Roaming\\dllhost.exe\" .." (dllhost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\413491cbe232876548b9b7cd8a1b451d = "\"C:\\Users\\Admin\\AppData\\Roaming\\dllhost.exe\" .." (dllhost.exe)
Drops autorun.inf file (1 TTP, 3 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes (description / IoC / process):
- File created: D:\autorun.inf (dllhost.exe)
- File created: C:\autorun.inf (dllhost.exe)
- File opened for modification: C:\autorun.inf (dllhost.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoC)
Processes (description / IoC / process):
- Key created: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings (tmpEC5.tmp.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
- dllhost.exe (PID 1988), 64 events

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
- dllhost.exe (PID 1988)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (token / PID / process; after the initial SeDebugPrivilege request, the 64 recorded events alternate between Token 33 and SeIncBasePriorityPrivilege for the same three processes):
- Token: SeDebugPrivilege, 3768 hello.exe
- Token: SeDebugPrivilege, 4804 tmpEC5.tmp.exe
- Token: SeDebugPrivilege, 1988 dllhost.exe
- Token: 33, 3768 hello.exe (repeated)
- Token: SeIncBasePriorityPrivilege, 3768 hello.exe (repeated)
- Token: 33, 4804 tmpEC5.tmp.exe (repeated)
- Token: SeIncBasePriorityPrivilege, 4804 tmpEC5.tmp.exe (repeated)
- Token: 33, 1988 dllhost.exe (repeated)
- Token: SeIncBasePriorityPrivilege, 1988 dllhost.exe (repeated)
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
- mshta.exe (PID 1860)

Suspicious use of WriteProcessMemory (30 IoCs)
Processes (source PID / source process -> target PID / target process; each pair was recorded three times):
- 3768 hello.exe -> 1612 netsh.exe (x3)
- 3768 hello.exe -> 4804 tmpEC5.tmp.exe (x3)
- 4804 tmpEC5.tmp.exe -> 3992 netsh.exe (x3)
- 3768 hello.exe -> 1456 tmp2F2F.tmp.exe (x3)
- 1456 tmp2F2F.tmp.exe -> 1988 dllhost.exe (x3)
- 1988 dllhost.exe -> 3632 netsh.exe (x3)
- 4804 tmpEC5.tmp.exe -> 4768 mshta.exe (x3)
- 4804 tmpEC5.tmp.exe -> 1860 mshta.exe (x3)
- 4804 tmpEC5.tmp.exe -> 4696 mshta.exe (x3)
- 4804 tmpEC5.tmp.exe -> 4340 crazyinvers.exe (x3)
Processes (process tree; nesting shows parent/child relationship)
- C:\Users\Admin\AppData\Local\Temp\hello.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\hello.exe"
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\netsh.exe
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\hello.exe" "hello.exe" ENABLE
    - Modifies Windows Firewall
  - C:\Users\Admin\AppData\Local\Temp\tmpEC5.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpEC5.tmp.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\tmpEC5.tmp.exe" "tmpEC5.tmp.exe" ENABLE
      - Modifies Windows Firewall
    - C:\Windows\SysWOW64\mshta.exe
      Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\CompressConvert.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    - C:\Windows\SysWOW64\mshta.exe
      Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\CompressConvert.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      - Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\mshta.exe
      Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\CompressConvert.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    - C:\Users\Admin\Desktop\crazyinvers.exe
      Command line: "C:\Users\Admin\Desktop\crazyinvers.exe"
      - Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\tmp2F2F.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp2F2F.tmp.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Users\Admin\AppData\Roaming\dllhost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\dllhost.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Drops autorun.inf file
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      Children:
      - C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\dllhost.exe" "dllhost.exe" ENABLE
        - Modifies Windows Firewall
Downloads (dropped files)
- C:\Users\Admin\AppData\Local\Temp\tmp2F2F.tmp.exe
  Filesize: 37KB
  MD5: 73196f394725a9623d84a512cdddf6ce
  SHA1: 4d24d92f70b2cbce52b1b173162b8f504ee7752f
  SHA256: ee4ab4017c6e9c0883b2c1e42d0f0264f178ad2c6416e07d77169fdf94d1b1a4
  SHA512: 9c7d00237665f6a1df06217d156cbf07e499f60a7b4eb807b2df107f7392d710cb2439d524827b50492578c652ba20b81f95e4e0eee9f144330847f041971ed6
- C:\Users\Admin\AppData\Local\Temp\tmpEC5.tmp.exe
  Filesize: 32KB
  MD5: 00b5c86717162d1d8b22334fe21b9041
  SHA1: eada1b62b4d7e5ddcbdf57aa1fea6312d218e154
  SHA256: 60411ad95716024ff295b429667ca3363b12a9fa23f795f42ef51609d05b9036
  SHA512: e6b5563070f56f6c76c103ef56592f52bff2657393983a05364619b374deee919424493fba70c63100c806ad4a98ab81c9db04e1285fe5f31d80ab1131b04a07
- C:\Users\Admin\AppData\Roaming\dllhost.exe (same hashes as tmp2F2F.tmp.exe)
  Filesize: 37KB
  MD5: 73196f394725a9623d84a512cdddf6ce
  SHA1: 4d24d92f70b2cbce52b1b173162b8f504ee7752f
  SHA256: ee4ab4017c6e9c0883b2c1e42d0f0264f178ad2c6416e07d77169fdf94d1b1a4
  SHA512: 9c7d00237665f6a1df06217d156cbf07e499f60a7b4eb807b2df107f7392d710cb2439d524827b50492578c652ba20b81f95e4e0eee9f144330847f041971ed6
- C:\Users\Admin\Desktop\crazyinvers.exe
  Filesize: 2.3MB
  MD5: a44458813e819777013eb3e644d74362
  SHA1: 2dd0616ca78e22464cf0cf68ef7915358a16f9ee
  SHA256: 47f0e9a90d45b193e81d3e60b7a43e5a4550a07a3dd1f7c98110fde12265d999
  SHA512: 1a4723a36f55cf696f33a7927571bda403e81ced32fda85c7cf25c8458897fb187e46bf5f80c26542725a9a7e5aa0e961fd3f3b110ae8f54b3b96b3e5dfc8215