Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
06-07-2022 22:26
General
-
Target
0648873dd8d00b2eca5eaa5680f7a5b6.exe
-
Size
4.9MB
-
MD5
0648873dd8d00b2eca5eaa5680f7a5b6
-
SHA1
fada8b49ca5b898c9e31bc87f2b37a267599d406
-
SHA256
0f6084e2d90e3429b34cc2950ca31fde03ffcceb0b1470935e89116d9ed04e1f
-
SHA512
88fd72593cb94da497bf5ed7b9e4f35cfac74e9e5280d8d9f0708c6867518c4f0444ab0426ba8f94f86ffbcc3263b83cd6ce436d094bd82ec5e5bc8e4a5908d0
Malware Config
Extracted
njrat
im523
HacKed
51.89.91.139:5050
5db0afc818875fbd9be3e842f2d3f24b
-
reg_key
5db0afc818875fbd9be3e842f2d3f24b
-
splitter
|'|'|
Signatures
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
-
Executes dropped EXE 3 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Drops startup file 2 IoCs
-
Loads dropped DLL 3 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops autorun.inf file 1 TTPs 3 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of WriteProcessMemory 62 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0648873dd8d00b2eca5eaa5680f7a5b6.exe"C:\Users\Admin\AppData\Local\Temp\0648873dd8d00b2eca5eaa5680f7a5b6.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c powershell -Command "Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('Failed! MSVPC1400.dll is missing!','Error','OK','Error')"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('Failed! MSVPC1400.dll is missing!','Error','OK','Error')"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c start "" "C:\Users\Admin\AppData\Local\Temp\driver.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\driver.exe"C:\Users\Admin\AppData\Local\Temp\driver.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""5⤵
- Creates scheduled task(s)
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "GoogleUpdateTaskMachineQC"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /run /tn "GoogleUpdateTaskMachineQC"5⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\driver.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 35⤵
-
C:\Windows\SysWOW64\cmd.execmd /c start "" "C:\Users\Admin\AppData\Local\Temp\Server.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\GoogleChromer.exe"C:\Users\Admin\AppData\Roaming\GoogleChromer.exe"4⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Drops autorun.inf file
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\GoogleChromer.exe" "GoogleChromer.exe" ENABLE5⤵
- Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Server.exeFilesize
37KB
MD5333baef68bf06e2bff8c785f9120559d
SHA1b605cc35ec178240b1150a81d73e58d1d9417bac
SHA2564d62a9ab6abeeafd08fc299581c0910c36ccf64178c16fc06b4a57a48858e1d4
SHA5120ba29d931b3166c4d334cd45f02cc053efbe2f1db3dc844a43e8f9b12a6efea3d73d45d49ab048fdd7b21495b8bbe1929b560ead99890d88f02b99fda186c1cc
-
C:\Users\Admin\AppData\Local\Temp\Server.exeFilesize
37KB
MD5333baef68bf06e2bff8c785f9120559d
SHA1b605cc35ec178240b1150a81d73e58d1d9417bac
SHA2564d62a9ab6abeeafd08fc299581c0910c36ccf64178c16fc06b4a57a48858e1d4
SHA5120ba29d931b3166c4d334cd45f02cc053efbe2f1db3dc844a43e8f9b12a6efea3d73d45d49ab048fdd7b21495b8bbe1929b560ead99890d88f02b99fda186c1cc
-
C:\Users\Admin\AppData\Local\Temp\driver.exeFilesize
4.9MB
MD51528714ebf9ec93106e200719e94239f
SHA19321ca4531d1384bcb8f9d95b574148dbd8e8a4a
SHA256064331c558242898b53bbbfe2ef22bc0bb908ffa5a106fe3f45866acfccfae5c
SHA512a2d69bd0a3063efe3ba461b7ca1e48e20a2aed623aa8b1fb6e0692c0008649e5c7c8ad053f5d37512574de4dbdbed4bd675aa89267b67db69ee839450e66f71a
-
C:\Users\Admin\AppData\Roaming\GoogleChromer.exeFilesize
37KB
MD5333baef68bf06e2bff8c785f9120559d
SHA1b605cc35ec178240b1150a81d73e58d1d9417bac
SHA2564d62a9ab6abeeafd08fc299581c0910c36ccf64178c16fc06b4a57a48858e1d4
SHA5120ba29d931b3166c4d334cd45f02cc053efbe2f1db3dc844a43e8f9b12a6efea3d73d45d49ab048fdd7b21495b8bbe1929b560ead99890d88f02b99fda186c1cc
-
C:\Users\Admin\AppData\Roaming\GoogleChromer.exeFilesize
37KB
MD5333baef68bf06e2bff8c785f9120559d
SHA1b605cc35ec178240b1150a81d73e58d1d9417bac
SHA2564d62a9ab6abeeafd08fc299581c0910c36ccf64178c16fc06b4a57a48858e1d4
SHA5120ba29d931b3166c4d334cd45f02cc053efbe2f1db3dc844a43e8f9b12a6efea3d73d45d49ab048fdd7b21495b8bbe1929b560ead99890d88f02b99fda186c1cc
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
7KB
MD55327cf3c04488558a21ae7bdc8a0631f
SHA1f114a16b2be95026c45bdbd3ce01c1a82869b38e
SHA256b37992acf8c4ece385fd78970fe7071de094294004fc967449b202c96c0c69a8
SHA5122f2190ebafee776aa6f7b9ad7f72e71a0f7dbbf23580b5760898928ecd80dc824e0476f7b3b26d54207658e9aae5973b8810c7923d5e6ef948bc6a7445037690
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
7KB
MD55327cf3c04488558a21ae7bdc8a0631f
SHA1f114a16b2be95026c45bdbd3ce01c1a82869b38e
SHA256b37992acf8c4ece385fd78970fe7071de094294004fc967449b202c96c0c69a8
SHA5122f2190ebafee776aa6f7b9ad7f72e71a0f7dbbf23580b5760898928ecd80dc824e0476f7b3b26d54207658e9aae5973b8810c7923d5e6ef948bc6a7445037690
-
\??\c:\users\admin\appdata\local\temp\driver.exeFilesize
4.9MB
MD51528714ebf9ec93106e200719e94239f
SHA19321ca4531d1384bcb8f9d95b574148dbd8e8a4a
SHA256064331c558242898b53bbbfe2ef22bc0bb908ffa5a106fe3f45866acfccfae5c
SHA512a2d69bd0a3063efe3ba461b7ca1e48e20a2aed623aa8b1fb6e0692c0008649e5c7c8ad053f5d37512574de4dbdbed4bd675aa89267b67db69ee839450e66f71a
-
\Users\Admin\AppData\Local\Temp\Server.exeFilesize
37KB
MD5333baef68bf06e2bff8c785f9120559d
SHA1b605cc35ec178240b1150a81d73e58d1d9417bac
SHA2564d62a9ab6abeeafd08fc299581c0910c36ccf64178c16fc06b4a57a48858e1d4
SHA5120ba29d931b3166c4d334cd45f02cc053efbe2f1db3dc844a43e8f9b12a6efea3d73d45d49ab048fdd7b21495b8bbe1929b560ead99890d88f02b99fda186c1cc
-
\Users\Admin\AppData\Local\Temp\driver.exeFilesize
4.9MB
MD51528714ebf9ec93106e200719e94239f
SHA19321ca4531d1384bcb8f9d95b574148dbd8e8a4a
SHA256064331c558242898b53bbbfe2ef22bc0bb908ffa5a106fe3f45866acfccfae5c
SHA512a2d69bd0a3063efe3ba461b7ca1e48e20a2aed623aa8b1fb6e0692c0008649e5c7c8ad053f5d37512574de4dbdbed4bd675aa89267b67db69ee839450e66f71a
-
\Users\Admin\AppData\Roaming\GoogleChromer.exeFilesize
37KB
MD5333baef68bf06e2bff8c785f9120559d
SHA1b605cc35ec178240b1150a81d73e58d1d9417bac
SHA2564d62a9ab6abeeafd08fc299581c0910c36ccf64178c16fc06b4a57a48858e1d4
SHA5120ba29d931b3166c4d334cd45f02cc053efbe2f1db3dc844a43e8f9b12a6efea3d73d45d49ab048fdd7b21495b8bbe1929b560ead99890d88f02b99fda186c1cc
-
memory/280-68-0x0000000000000000-mapping.dmp
-
memory/280-80-0x0000000074060000-0x000000007460B000-memory.dmpFilesize
5.7MB
-
memory/280-133-0x0000000074060000-0x000000007460B000-memory.dmpFilesize
5.7MB
-
memory/956-82-0x0000000000000000-mapping.dmp
-
memory/956-111-0x0000000074060000-0x000000007460B000-memory.dmpFilesize
5.7MB
-
memory/988-99-0x0000000074060000-0x000000007460B000-memory.dmpFilesize
5.7MB
-
memory/988-56-0x00000000758D1000-0x00000000758D3000-memory.dmpFilesize
8KB
-
memory/988-55-0x0000000000000000-mapping.dmp
-
memory/988-57-0x0000000074060000-0x000000007460B000-memory.dmpFilesize
5.7MB
-
memory/1068-141-0x0000000000000000-mapping.dmp
-
memory/1156-98-0x0000000077480000-0x0000000077490000-memory.dmpFilesize
64KB
-
memory/1156-112-0x0000000077580000-0x0000000077590000-memory.dmpFilesize
64KB
-
memory/1156-77-0x0000000077480000-0x0000000077490000-memory.dmpFilesize
64KB
-
memory/1156-81-0x0000000077480000-0x0000000077490000-memory.dmpFilesize
64KB
-
memory/1156-76-0x0000000077480000-0x0000000077490000-memory.dmpFilesize
64KB
-
memory/1156-84-0x0000000077480000-0x0000000077490000-memory.dmpFilesize
64KB
-
memory/1156-79-0x0000000077480000-0x0000000077490000-memory.dmpFilesize
64KB
-
memory/1156-83-0x0000000077480000-0x0000000077490000-memory.dmpFilesize
64KB
-
memory/1156-86-0x000000013F780000-0x00000001407A0000-memory.dmpFilesize
16.1MB
-
memory/1156-85-0x0000000077480000-0x0000000077490000-memory.dmpFilesize
64KB
-
memory/1156-88-0x000007FFFFBD0000-0x000007FFFFFA1000-memory.dmpFilesize
3.8MB
-
memory/1156-89-0x0000000077480000-0x0000000077490000-memory.dmpFilesize
64KB
-
memory/1156-90-0x0000000077480000-0x0000000077490000-memory.dmpFilesize
64KB
-
memory/1156-75-0x0000000077480000-0x0000000077490000-memory.dmpFilesize
64KB
-
memory/1156-91-0x0000000077480000-0x0000000077490000-memory.dmpFilesize
64KB
-
memory/1156-93-0x0000000077480000-0x0000000077490000-memory.dmpFilesize
64KB
-
memory/1156-95-0x0000000077480000-0x0000000077490000-memory.dmpFilesize
64KB
-
memory/1156-94-0x0000000077480000-0x0000000077490000-memory.dmpFilesize
64KB
-
memory/1156-96-0x0000000077480000-0x0000000077490000-memory.dmpFilesize
64KB
-
memory/1156-97-0x0000000077480000-0x0000000077490000-memory.dmpFilesize
64KB
-
memory/1156-143-0x000007FFFFBD0000-0x000007FFFFFA1000-memory.dmpFilesize
3.8MB
-
memory/1156-100-0x0000000077480000-0x0000000077490000-memory.dmpFilesize
64KB
-
memory/1156-74-0x0000000077480000-0x0000000077490000-memory.dmpFilesize
64KB
-
memory/1156-101-0x0000000077480000-0x0000000077490000-memory.dmpFilesize
64KB
-
memory/1156-102-0x0000000077480000-0x0000000077490000-memory.dmpFilesize
64KB
-
memory/1156-103-0x0000000077480000-0x0000000077490000-memory.dmpFilesize
64KB
-
memory/1156-104-0x0000000077480000-0x0000000077490000-memory.dmpFilesize
64KB
-
memory/1156-105-0x0000000077480000-0x0000000077490000-memory.dmpFilesize
64KB
-
memory/1156-106-0x0000000077480000-0x0000000077490000-memory.dmpFilesize
64KB
-
memory/1156-107-0x0000000077580000-0x0000000077590000-memory.dmpFilesize
64KB
-
memory/1156-108-0x0000000077580000-0x0000000077590000-memory.dmpFilesize
64KB
-
memory/1156-109-0x0000000077580000-0x0000000077590000-memory.dmpFilesize
64KB
-
memory/1156-142-0x000000013F780000-0x00000001407A0000-memory.dmpFilesize
16.1MB
-
memory/1156-110-0x0000000077580000-0x0000000077590000-memory.dmpFilesize
64KB
-
memory/1156-78-0x0000000077480000-0x0000000077490000-memory.dmpFilesize
64KB
-
memory/1156-113-0x0000000077580000-0x0000000077590000-memory.dmpFilesize
64KB
-
memory/1156-114-0x0000000077580000-0x0000000077590000-memory.dmpFilesize
64KB
-
memory/1156-116-0x0000000077580000-0x0000000077590000-memory.dmpFilesize
64KB
-
memory/1156-115-0x0000000077580000-0x0000000077590000-memory.dmpFilesize
64KB
-
memory/1156-117-0x0000000077580000-0x0000000077590000-memory.dmpFilesize
64KB
-
memory/1156-118-0x0000000077580000-0x0000000077590000-memory.dmpFilesize
64KB
-
memory/1156-119-0x0000000077580000-0x0000000077590000-memory.dmpFilesize
64KB
-
memory/1156-120-0x0000000077580000-0x0000000077590000-memory.dmpFilesize
64KB
-
memory/1156-121-0x0000000077580000-0x0000000077590000-memory.dmpFilesize
64KB
-
memory/1156-122-0x0000000077580000-0x0000000077590000-memory.dmpFilesize
64KB
-
memory/1156-123-0x0000000077580000-0x0000000077590000-memory.dmpFilesize
64KB
-
memory/1156-124-0x000000013F780000-0x000000013F782000-memory.dmpFilesize
8KB
-
memory/1156-125-0x000000013F780000-0x00000001407A0000-memory.dmpFilesize
16.1MB
-
memory/1156-126-0x00000000777B0000-0x00000000777C0000-memory.dmpFilesize
64KB
-
memory/1156-132-0x000000013F780000-0x00000001407A0000-memory.dmpFilesize
16.1MB
-
memory/1156-67-0x0000000000000000-mapping.dmp
-
memory/1492-137-0x0000000000000000-mapping.dmp
-
memory/1564-145-0x0000000074060000-0x000000007460B000-memory.dmpFilesize
5.7MB
-
memory/1564-128-0x0000000000000000-mapping.dmp
-
memory/1564-134-0x0000000074060000-0x000000007460B000-memory.dmpFilesize
5.7MB
-
memory/1672-138-0x0000000000000000-mapping.dmp
-
memory/1748-135-0x0000000000000000-mapping.dmp
-
memory/1856-59-0x0000000000000000-mapping.dmp
-
memory/1856-73-0x0000000074060000-0x000000007460B000-memory.dmpFilesize
5.7MB
-
memory/1884-54-0x0000000000000000-mapping.dmp
-
memory/1924-136-0x0000000000000000-mapping.dmp
-
memory/1952-61-0x0000000000000000-mapping.dmp
-
memory/1968-60-0x0000000000000000-mapping.dmp
-
memory/1980-139-0x0000000000000000-mapping.dmp
-
memory/1996-140-0x0000000000000000-mapping.dmp
-
memory/2000-58-0x0000000000000000-mapping.dmp