Analysis
max time kernel: 149s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 27-06-2022 03:25
Static task: static1
Behavioral task: behavioral1
  Sample: 0x000a00000001310c-58.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 0x000a00000001310c-58.exe
  Resource: win10v2004-20220414-en
General
Target: 0x000a00000001310c-58.exe
Size: 25KB
MD5: 7398714aa7e951484c0230bd1919a4d7
SHA1: ba27dc586f7de6d5bc21e54a8ba7b02c980b23ac
SHA256: d6355ea09274149b47d0fab0edc18d2627a1866557ac3a4cce6f4f15b586b9c2
SHA512: 391249bdee93f2d2bea6c2c46f791d9533de73c79804a11ac18959fbf3eaf87483988c4fd1310187bf6a8afe3757c302682025b6295380ea0dc6b383693719cf
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: HACKED JFK
C2: 103.149.13.61:4545
Mutex: 782e4e93b9158d4d448232ed139fc0db
reg_key: 782e4e93b9158d4d448232ed139fc0db
splitter: |'|'|

The same 32-character value serves as mutex name, Run value name and dropped file name (see the signatures below), so it is a usable host indicator on its own. The splitter is the field separator njRAT puts between elements of each C2 message; the Suricata hit below keys on that traffic.
Signatures

suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

Modifies Windows Firewall (1 TTP, 1 IoC)
  The IoC is the netsh.exe child process shown in the process tree below.

Drops startup file (2 IoCs)
  Process: 0x000a00000001310c-58.exe
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\782e4e93b9158d4d448232ed139fc0db.exe
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\782e4e93b9158d4d448232ed139fc0db.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: 0x000a00000001310c-58.exe
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\782e4e93b9158d4d448232ed139fc0db = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\0x000a00000001310c-58.exe\" .."
    Set value (str): \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\782e4e93b9158d4d448232ed139fc0db = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\0x000a00000001310c-58.exe\" .."
  The same value is written under both HKLM and the user's HKCU hive, and the data ends in the " .." argument marker that njRAT appends to its own path.

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Process: pid 4948 0x000a00000001310c-58.exe

Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Process: pid 4948 0x000a00000001310c-58.exe
    Token: SeDebugPrivilege (1 entry)
    Token: 33 (LUID 33, SeIncreaseWorkingSetPrivilege) and Token: SeIncBasePriorityPrivilege, alternating (17 pairs, 34 entries)

Suspicious use of WriteProcessMemory (2 IoCs)
  Process: pid 4948 0x000a00000001310c-58.exe
    PID 4948 wrote to memory of 3460 (netsh.exe), 2 entries
Processes

C:\Users\Admin\AppData\Local\Temp\0x000a00000001310c-58.exe (pid 4948)
  command line: "C:\Users\Admin\AppData\Local\Temp\0x000a00000001310c-58.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  └─ C:\Windows\SYSTEM32\netsh.exe (pid 3460)
     command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\0x000a00000001310c-58.exe" "0x000a00000001310c-58.exe" ENABLE
     - Modifies Windows Firewall
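The three host artifacts above (Run values under HKLM and HKCU, the Startup-folder copy, and the netsh firewall exception) are behaviour-based rather than hash-based, so they are worth hunting for generically. The block below is an added example written for this page, not code from the report or from any vendor tool; it runs the checks over constructed telemetry that embeds this report's own paths and registry values beside benign lines, and the rule names and the `hunt()` record layout are the editor's own. Note that `netsh firewall` is the legacy context (superseded by `netsh advfirewall firewall`), so the command-line check accepts both spellings.

```python
"""Hunt for njRAT-style persistence and firewall artifacts in host telemetry.

Editor's example; telemetry below is constructed from this report's IoCs plus
benign entries.  Rule names and the telemetry record layout are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

HEX32 = re.compile(r"^[0-9a-f]{32}$", re.I)
RUN_KEY = re.compile(
    r"^\\REGISTRY\\(MACHINE|USER\\S-1-5-21-[\d-]+)\\SOFTWARE\\Microsoft\\Windows"
    r"\\CurrentVersion\\Run\\([^\\]+)$", re.I)
STARTUP_EXE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
NETSH_FW = re.compile(
    r"^netsh(\.exe)?\s+(advfirewall\s+firewall\s+add\s+rule|firewall\s+add\s+allowedprogram)\b", re.I)


@dataclass
class Finding:
    rule: str
    evidence: str


def check_run_value(key_path: str, data: str) -> Optional[Finding]:
    """Run value named like a 32-hex-char token whose data ends with njRAT's '" ..' marker."""
    m = RUN_KEY.match(key_path)
    if m and HEX32.match(m.group(2)) and data.rstrip().endswith('" ..'):
        return Finding("njrat_run_value", f"{key_path} = {data}")
    return None


def check_startup_file(path: str) -> Optional[Finding]:
    """Executable written into a per-user Startup folder."""
    return Finding("startup_folder_exe", path) if STARTUP_EXE.search(path) else None


def check_netsh(cmdline: str) -> Optional[Finding]:
    """netsh adding a firewall exception for a program under a user-writable AppData path."""
    if NETSH_FW.match(cmdline) and USER_WRITABLE.search(cmdline):
        return Finding("netsh_firewall_allow_user_path", cmdline)
    return None


def hunt(telemetry: Dict[str, list]) -> List[Finding]:
    """Apply every check to its telemetry stream and collect the hits."""
    findings = []
    for key_path, data in telemetry.get("run_values", []):
        findings.append(check_run_value(key_path, data))
    for path in telemetry.get("files_created", []):
        findings.append(check_startup_file(path))
    for cmdline in telemetry.get("process_cmdlines", []):
        findings.append(check_netsh(cmdline))
    return [f for f in findings if f is not None]


# Constructed telemetry: report IoCs interleaved with benign entries.
SID = "S-1-5-21-1081944012-3634099177-1681222835-1000"
RUN_DATA = r'"C:\Users\Admin\AppData\Local\Temp\0x000a00000001310c-58.exe" ..'
SAMPLE_TELEMETRY = {
    "run_values": [
        (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\782e4e93b9158d4d448232ed139fc0db", RUN_DATA),
        (rf"\REGISTRY\USER\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\782e4e93b9158d4d448232ed139fc0db", RUN_DATA),
        (rf"\REGISTRY\USER\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
         r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),  # benign
    ],
    "files_created": [
        r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\782e4e93b9158d4d448232ed139fc0db.exe",
        r"C:\Users\Admin\AppData\Local\Temp\scratch.tmp",  # benign
    ],
    "process_cmdlines": [
        'netsh firewall add allowedprogram "C:\\Users\\Admin\\AppData\\Local\\Temp\\0x000a00000001310c-58.exe" "0x000a00000001310c-58.exe" ENABLE',
        "netsh interface show interface",  # benign
    ],
}

if __name__ == "__main__":
    for f in hunt(SAMPLE_TELEMETRY):
        print(f.rule, "=>", f.evidence)
```

Feeding real data means pulling Run values from both hives (the sample writes both), enumerating every profile's Startup folder, and reading netsh command lines from process-creation logs (Sysmon event 1 or Security 4688 with command-line auditing on).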
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/3460-132-0x0000000000000000-mapping.dmp
memory/4948-130-0x0000000000990000-0x000000000099C000-memory.dmp (48KB)
memory/4948-131-0x00007FFB5C080000-0x00007FFB5CB41000-memory.dmp (10.8MB)
memory/4948-133-0x00007FFB5C080000-0x00007FFB5CB41000-memory.dmp (10.8MB)