Analysis
max time kernel: 151s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 30-06-2022 20:49
Behavioral task: behavioral1
Sample: 1b32ce4cb4efc534e6716d1d52d7673c.exe
Resource: win7-20220414-en
General
Target: 1b32ce4cb4efc534e6716d1d52d7673c.exe
Size: 52KB
MD5: 1b32ce4cb4efc534e6716d1d52d7673c
SHA1: aaf37379f8a17661b197f0e2314ba7e29fcec069
SHA256: 046f0fdb5d6d0489e8a81c239f311c2a26e2ca18f5b58c4f4655e7ab1862e026
SHA512: ccf0262da4e9242225ff943a3e145b65068589df863a89fa97581abeac04355e102187843f2d596b0f324ed795862000e9b6af841b194e7fd4ed72cfe164bf6b
Malware Config
Extracted
Family: njrat
Version: im523
Botnet: Kirieshka
C2: 4.tcp.eu.ngrok.io:17963
Mutex: 7a59d0933f6f469cabe3a8b0b803e909
Attributes:
reg_key: 7a59d0933f6f469cabe3a8b0b803e909
splitter: |'|'|
Signatures
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
Executes dropped EXE 1 IoCs
Processes:
pid | process
3720 | system32.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | 1b32ce4cb4efc534e6716d1d52d7673c.exe
Drops startup file 2 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7a59d0933f6f469cabe3a8b0b803e909.exe | system32.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7a59d0933f6f469cabe3a8b0b803e909.exe | system32.exe
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7a59d0933f6f469cabe3a8b0b803e909 = "\"C:\\Users\\Admin\\AppData\\Roaming\\system32.exe\" .." | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\7a59d0933f6f469cabe3a8b0b803e909 = "\"C:\\Users\\Admin\\AppData\\Roaming\\system32.exe\" .." | system32.exe
Drops autorun.inf file 1 TTPs 3 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes:
description | ioc | process
File opened for modification | C:\autorun.inf | system32.exe
File created | D:\autorun.inf | system32.exe
File created | C:\autorun.inf | system32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Kills process with taskkill 1 IoCs
Processes:
pid | process
2240 | taskkill.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
3720 | system32.exe (64 identical entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
3720 | system32.exe
Suspicious use of AdjustPrivilegeToken 36 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 3720 | system32.exe
Token: SeDebugPrivilege | 2240 | taskkill.exe
Token: 33 | 3720 | system32.exe
Token: SeIncBasePriorityPrivilege | 3720 | system32.exe
(the last two entries alternate 17 times, 34 entries in total)
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description | pid | process | target process
PID 2408 wrote to memory of 3720 | 2408 | 1b32ce4cb4efc534e6716d1d52d7673c.exe | system32.exe (3 entries)
PID 3720 wrote to memory of 3540 | 3720 | system32.exe | netsh.exe (3 entries)
PID 3720 wrote to memory of 2240 | 3720 | system32.exe | taskkill.exe (3 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\1b32ce4cb4efc534e6716d1d52d7673c.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\1b32ce4cb4efc534e6716d1d52d7673c.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\system32.exe
    command line: "C:\Users\Admin\AppData\Roaming\system32.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Drops autorun.inf file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\netsh.exe
      command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\system32.exe" "system32.exe" ENABLE
      - Modifies Windows Firewall
    C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /F /IM Exsample.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\system32.exe
Filesize: 52KB
MD5: 1b32ce4cb4efc534e6716d1d52d7673c
SHA1: aaf37379f8a17661b197f0e2314ba7e29fcec069
SHA256: 046f0fdb5d6d0489e8a81c239f311c2a26e2ca18f5b58c4f4655e7ab1862e026
SHA512: ccf0262da4e9242225ff943a3e145b65068589df863a89fa97581abeac04355e102187843f2d596b0f324ed795862000e9b6af841b194e7fd4ed72cfe164bf6b
memory/2240-137-0x0000000000000000-mapping.dmp
memory/2408-130-0x00000000746F0000-0x0000000074CA1000-memory.dmp (Filesize: 5.7MB)
memory/2408-134-0x00000000746F0000-0x0000000074CA1000-memory.dmp (Filesize: 5.7MB)
memory/3540-136-0x0000000000000000-mapping.dmp
memory/3720-131-0x0000000000000000-mapping.dmp
memory/3720-135-0x00000000746F0000-0x0000000074CA1000-memory.dmp (Filesize: 5.7MB)
memory/3720-138-0x00000000746F0000-0x0000000074CA1000-memory.dmp (Filesize: 5.7MB)