Analysis
- Max time kernel: 150s
- Max time network: 154s
- Platform: windows7_x64
- Resource: win7-20220414-en
- Submitted: 27-06-2022 13:30
Static task: static1
Behavioral task: behavioral1
- Sample: 0x00070000000133e8-90.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 0x00070000000133e8-90.exe
- Resource: win10v2004-20220414-en
General
- Target: 0x00070000000133e8-90.exe
- Size: 25KB
- MD5: 13a393f4abc0575a0c3661a2058c6a92
- SHA1: c35e88355d846094a9b9aeaef3822725cd65c898
- SHA256: 685deaa148f2ded23bfac7a5bced8399f438b6825c48fa3c4d302470d4c23ad4
- SHA512: f33ef8ac7264a64982873a9dc7defff8c161376c59844047cf117b64d35c1d46c708e6fa03e7b2f999233816892ea6bad62f09a81112247502cf611904709ba6
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: HACKED... W2B
- C2: 103.149.13.61:4545
- Mutex: f33599fc8954f4bf201159e017f34658
- Attributes:
  - reg_key: f33599fc8954f4bf201159e017f34658
  - splitter: |'|'|
Signatures
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
- suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)
- suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Remote Desktop)
- suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Remote Desktop)
Executes dropped EXE (1 IoC)
Processes:
- PID 1912: Server.exe
Modifies Windows Firewall (1 TTP, 1 IoC)
Drops startup file (2 IoCs)
Processes:
- Server.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f33599fc8954f4bf201159e017f34658.exe
- Server.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f33599fc8954f4bf201159e017f34658.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- Server.exe: Set value (str) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\f33599fc8954f4bf201159e017f34658 = "\"C:\\Windows\\Server.exe\" .."
- Server.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f33599fc8954f4bf201159e017f34658 = "\"C:\\Windows\\Server.exe\" .."
Drops file in Windows directory (1 IoC)
Processes:
- 0x00070000000133e8-90.exe: File created C:\Windows\Server.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes:
- PID 1856: 0x00070000000133e8-90.exe
- PID 1912: Server.exe
Suspicious use of AdjustPrivilegeToken (19 IoCs)
Processes:
- PID 1912 Server.exe: Token: SeDebugPrivilege (1 occurrence)
- PID 1912 Server.exe: Token: 33 (9 occurrences)
- PID 1912 Server.exe: Token: SeIncBasePriorityPrivilege (9 occurrences)
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
- PID 1856 (0x00070000000133e8-90.exe) wrote to memory of PID 1912 (Server.exe) (3 occurrences)
- PID 1912 (Server.exe) wrote to memory of PID 1916 (netsh.exe) (3 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\0x00070000000133e8-90.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0x00070000000133e8-90.exe"
  - Drops file in Windows directory
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Server.exe (depth 2)
    Command line: "C:\Windows\Server.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\netsh.exe (depth 3)
      Command line: netsh firewall add allowedprogram "C:\Windows\Server.exe" "Server.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Windows\Server.exe
  Filesize: 25KB
  MD5: 13a393f4abc0575a0c3661a2058c6a92
  SHA1: c35e88355d846094a9b9aeaef3822725cd65c898
  SHA256: 685deaa148f2ded23bfac7a5bced8399f438b6825c48fa3c4d302470d4c23ad4
  SHA512: f33ef8ac7264a64982873a9dc7defff8c161376c59844047cf117b64d35c1d46c708e6fa03e7b2f999233816892ea6bad62f09a81112247502cf611904709ba6
- memory/1856-54-0x0000000000B40000-0x0000000000B4C000-memory.dmp
  Filesize: 48KB
- memory/1856-55-0x000007FEFBB11000-0x000007FEFBB13000-memory.dmp
  Filesize: 8KB
- memory/1912-56-0x0000000000000000-mapping.dmp
- memory/1912-59-0x0000000000A30000-0x0000000000A3C000-memory.dmp
  Filesize: 48KB
- memory/1912-63-0x00000000004F0000-0x00000000004FA000-memory.dmp
  Filesize: 40KB
- memory/1916-61-0x0000000000000000-mapping.dmp