Analysis
- max time kernel: 151s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 04-07-2022 12:21
Static task: static1
Behavioral task: behavioral1
  Sample: 9BB347DCE075E62A7DF2121B6F413769B564E0B58D430.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 9BB347DCE075E62A7DF2121B6F413769B564E0B58D430.exe
  Resource: win10v2004-20220414-en
General
- Target: 9BB347DCE075E62A7DF2121B6F413769B564E0B58D430.exe
- Size: 13.2MB
- MD5: c00c09e7fa52bc19bd425d71e78ff4cb
- SHA1: 2cd1a7130a03d4056454733b62e4667a08451262
- SHA256: 9bb347dce075e62a7df2121b6f413769b564e0b58d4302a2372bedeac6a2880b
- SHA512: 8d18238fe7c906ddd155b8af3a0d32604aeafaf352ab1947a07f273168740c5971083b157c7e21b74125a7e42d8684db5daba2cb3bc4971ca92f20949828a9d5
Malware Config
Extracted
- njrat
- v2.0
- System
- 2.tcp.ngrok.io:13817
- Windows
- reg_key: Windows
- splitter: |-F-|
Signatures
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  - 828 paylod.exe
  - 1724 remcos.exe
  - 960 System.exe
- Drops startup file (2 IoCs)
  Processes (description, ioc, process):
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk (paylod.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk (System.exe)
- Loads dropped DLL (5 IoCs)
  Processes (pid, process):
  - 1860 9BB347DCE075E62A7DF2121B6F413769B564E0B58D430.exe (3 events)
  - 828 paylod.exe (2 events)
- Adds Run key to start application (2 TTPs, 5 IoCs)
  Processes (description, ioc, process):
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" (System.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\ProgramData\\System.exe" (paylod.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" (System.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" (System.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" (System.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes (pid, process):
  - 1724 remcos.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
  - 1724 remcos.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (19 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, 960 System.exe (1 event)
  - Token: 33, 960 System.exe (9 events)
  - Token: SeIncBasePriorityPrivilege, 960 System.exe (9 events)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid, process):
  - 1724 remcos.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes (description, pid, process, target process):
  - PID 1860 wrote to memory of 828: 9BB347DCE075E62A7DF2121B6F413769B564E0B58D430.exe -> paylod.exe (4 events)
  - PID 1860 wrote to memory of 1724: 9BB347DCE075E62A7DF2121B6F413769B564E0B58D430.exe -> remcos.exe (4 events)
  - PID 828 wrote to memory of 960: paylod.exe -> System.exe (4 events)
  - PID 828 wrote to memory of 1756: paylod.exe -> attrib.exe (4 events)
- Views/modifies file attributes (1 TTP, 1 IoC)
Processes (depth shown by indentation; PIDs taken from the signature tables above)
- C:\Users\Admin\AppData\Local\Temp\9BB347DCE075E62A7DF2121B6F413769B564E0B58D430.exe (pid 1860)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9BB347DCE075E62A7DF2121B6F413769B564E0B58D430.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\paylod.exe (pid 828)
    Command line: "C:\Users\Admin\AppData\Local\Temp\paylod.exe"
    - Executes dropped EXE
    - Drops startup file
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\ProgramData\System.exe (pid 960)
      Command line: "C:\ProgramData\System.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\attrib.exe (pid 1756)
      Command line: attrib +h +r +s "C:\ProgramData\System.exe"
      - Views/modifies file attributes
  - C:\Users\Admin\AppData\Local\Temp\remcos.exe (pid 1724)
    Command line: "C:\Users\Admin\AppData\Local\Temp\remcos.exe"
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Memory dumps (pid: dump file, size where reported):
- 828: memory/828-58-0x0000000000000000-mapping.dmp
- 828: memory/828-80-0x0000000074370000-0x000000007491B000-memory.dmp, 5.7MB
- 828: memory/828-65-0x0000000074370000-0x000000007491B000-memory.dmp, 5.7MB
- 960: memory/960-83-0x0000000074370000-0x000000007491B000-memory.dmp, 5.7MB
- 960: memory/960-75-0x0000000000000000-mapping.dmp
- 960: memory/960-85-0x0000000074370000-0x000000007491B000-memory.dmp, 5.7MB
- 1724: memory/1724-71-0x0000000000400000-0x0000000001ABE000-memory.dmp, 22.7MB
- 1724: memory/1724-72-0x0000000000400000-0x0000000001ABE000-memory.dmp, 22.7MB
- 1724: memory/1724-69-0x0000000000400000-0x0000000001ABE000-memory.dmp, 22.7MB
- 1724: memory/1724-63-0x0000000000000000-mapping.dmp
- 1724: memory/1724-84-0x0000000000400000-0x0000000001ABE000-memory.dmp, 22.7MB
- 1756: memory/1756-79-0x0000000000000000-mapping.dmp
- 1860: memory/1860-54-0x0000000075E41000-0x0000000075E43000-memory.dmp, 8KB
- 1860: memory/1860-67-0x0000000074370000-0x000000007491B000-memory.dmp, 5.7MB
- 1860: memory/1860-55-0x0000000074370000-0x000000007491B000-memory.dmp, 5.7MB