Analysis
-
max time kernel
172s -
max time network
176s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
30-06-2022 17:57
General
-
Target
2fbdf528e956b229735da90f9d8b99e591a20c69abadbe0f9c9a2bc936f5c443.exe
-
Size
37KB
-
MD5
743023f77b99de007c69bf2a5f6691d7
-
SHA1
d5f800818615f581f207a65c04ad76510724da72
-
SHA256
2fbdf528e956b229735da90f9d8b99e591a20c69abadbe0f9c9a2bc936f5c443
-
SHA512
c5ef8e5bc0e6c8df7e477679b82427ba996fe5d537a9818239ea7505cb7fac98f4803bd7be44e453af37a13f5b333c51288574dfff9d4e73930d6c18a49390e5
Malware Config
Extracted
njrat
im523
svhost.exe
91.219.28.11:5552
4c358cdc78434d13514be8b97373756a
-
reg_key
4c358cdc78434d13514be8b97373756a
-
splitter
|'|'|
Signatures
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Executes dropped EXE 1 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Drops startup file 2 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2fbdf528e956b229735da90f9d8b99e591a20c69abadbe0f9c9a2bc936f5c443.exe"C:\Users\Admin\AppData\Local\Temp\2fbdf528e956b229735da90f9d8b99e591a20c69abadbe0f9c9a2bc936f5c443.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\svhost.exe"C:\Users\Admin\AppData\Roaming\svhost.exe"2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svhost.exe" "svhost.exe" ENABLE3⤵
- Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\svhost.exeFilesize
37KB
MD5743023f77b99de007c69bf2a5f6691d7
SHA1d5f800818615f581f207a65c04ad76510724da72
SHA2562fbdf528e956b229735da90f9d8b99e591a20c69abadbe0f9c9a2bc936f5c443
SHA512c5ef8e5bc0e6c8df7e477679b82427ba996fe5d537a9818239ea7505cb7fac98f4803bd7be44e453af37a13f5b333c51288574dfff9d4e73930d6c18a49390e5
-
C:\Users\Admin\AppData\Roaming\svhost.exeFilesize
37KB
MD5743023f77b99de007c69bf2a5f6691d7
SHA1d5f800818615f581f207a65c04ad76510724da72
SHA2562fbdf528e956b229735da90f9d8b99e591a20c69abadbe0f9c9a2bc936f5c443
SHA512c5ef8e5bc0e6c8df7e477679b82427ba996fe5d537a9818239ea7505cb7fac98f4803bd7be44e453af37a13f5b333c51288574dfff9d4e73930d6c18a49390e5
-
\Users\Admin\AppData\Roaming\svhost.exeFilesize
37KB
MD5743023f77b99de007c69bf2a5f6691d7
SHA1d5f800818615f581f207a65c04ad76510724da72
SHA2562fbdf528e956b229735da90f9d8b99e591a20c69abadbe0f9c9a2bc936f5c443
SHA512c5ef8e5bc0e6c8df7e477679b82427ba996fe5d537a9818239ea7505cb7fac98f4803bd7be44e453af37a13f5b333c51288574dfff9d4e73930d6c18a49390e5
-
memory/976-57-0x0000000000000000-mapping.dmp
-
memory/976-62-0x0000000073F90000-0x000000007453B000-memory.dmpFilesize
5.7MB
-
memory/976-65-0x0000000073F90000-0x000000007453B000-memory.dmpFilesize
5.7MB
-
memory/1728-63-0x0000000000000000-mapping.dmp
-
memory/1996-54-0x0000000075FB1000-0x0000000075FB3000-memory.dmpFilesize
8KB
-
memory/1996-55-0x0000000073F90000-0x000000007453B000-memory.dmpFilesize
5.7MB
-
memory/1996-61-0x0000000073F90000-0x000000007453B000-memory.dmpFilesize
5.7MB