Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 06-07-2022 22:35
Behavioral task: behavioral1
- Sample: 0x0008000000012699-64.exe
- Resource: win7-20220414-en
General
- Target: 0x0008000000012699-64.exe
- Size: 37KB
- MD5: 333baef68bf06e2bff8c785f9120559d
- SHA1: b605cc35ec178240b1150a81d73e58d1d9417bac
- SHA256: 4d62a9ab6abeeafd08fc299581c0910c36ccf64178c16fc06b4a57a48858e1d4
- SHA512: 0ba29d931b3166c4d334cd45f02cc053efbe2f1db3dc844a43e8f9b12a6efea3d73d45d49ab048fdd7b21495b8bbe1929b560ead99890d88f02b99fda186c1cc
Malware Config
Extracted
- Family: njrat
- Version: im523
- Botnet: HacKed
- C2: 51.89.91.139:5050
- Mutex: 5db0afc818875fbd9be3e842f2d3f24b
- reg_key: 5db0afc818875fbd9be3e842f2d3f24b
- splitter: |'|'|
Signatures
-
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
-
Executes dropped EXE (1 IoCs)
Processes (pid, process):
- 4660 GoogleChromer.exe
Modifies Windows Firewall (1 TTPs, 1 IoCs)
-
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (description, ioc, process):
- Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation (0x0008000000012699-64.exe)
Drops startup file (2 IoCs)
Processes (description, ioc, process):
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5db0afc818875fbd9be3e842f2d3f24b.exe (GoogleChromer.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5db0afc818875fbd9be3e842f2d3f24b.exe (GoogleChromer.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description, ioc, process):
- Set value (str): \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5db0afc818875fbd9be3e842f2d3f24b = "\"C:\\Users\\Admin\\AppData\\Roaming\\GoogleChromer.exe\" .." (GoogleChromer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\5db0afc818875fbd9be3e842f2d3f24b = "\"C:\\Users\\Admin\\AppData\\Roaming\\GoogleChromer.exe\" .." (GoogleChromer.exe)
Drops autorun.inf file (1 TTPs, 3 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes (description, ioc, process):
- File created: C:\autorun.inf (GoogleChromer.exe)
- File opened for modification: C:\autorun.inf (GoogleChromer.exe)
- File created: D:\autorun.inf (GoogleChromer.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid, process):
- 4660 GoogleChromer.exe (64 identical entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes (pid, process):
- 4660 GoogleChromer.exe
Suspicious use of AdjustPrivilegeToken (35 IoCs)
Processes (description, pid, process):
- Token: SeDebugPrivilege, 4660 GoogleChromer.exe (1 entry)
- Token: 33, 4660 GoogleChromer.exe and Token: SeIncBasePriorityPrivilege, 4660 GoogleChromer.exe (the remaining 34 entries, alternating between the two, 17 of each)
Suspicious use of WriteProcessMemory (6 IoCs)
Processes (description, pid, process, target process):
- PID 4376 wrote to memory of 4660: 0x0008000000012699-64.exe -> GoogleChromer.exe (3 entries)
- PID 4660 wrote to memory of 2708: GoogleChromer.exe -> netsh.exe (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\0x0008000000012699-64.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0x0008000000012699-64.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\GoogleChromer.exe
    Command line: "C:\Users\Admin\AppData\Roaming\GoogleChromer.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Drops autorun.inf file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\GoogleChromer.exe" "GoogleChromer.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\GoogleChromer.exe
- Filesize: 37KB
- MD5: 333baef68bf06e2bff8c785f9120559d
- SHA1: b605cc35ec178240b1150a81d73e58d1d9417bac
- SHA256: 4d62a9ab6abeeafd08fc299581c0910c36ccf64178c16fc06b4a57a48858e1d4
- SHA512: 0ba29d931b3166c4d334cd45f02cc053efbe2f1db3dc844a43e8f9b12a6efea3d73d45d49ab048fdd7b21495b8bbe1929b560ead99890d88f02b99fda186c1cc
Memory dumps:
- memory/2708-136-0x0000000000000000-mapping.dmp
- memory/4376-130-0x0000000074A60000-0x0000000075011000-memory.dmp (Filesize: 5.7MB)
- memory/4376-134-0x0000000074A60000-0x0000000075011000-memory.dmp (Filesize: 5.7MB)
- memory/4660-131-0x0000000000000000-mapping.dmp
- memory/4660-135-0x0000000074A60000-0x0000000075011000-memory.dmp (Filesize: 5.7MB)
- memory/4660-137-0x0000000074A60000-0x0000000075011000-memory.dmp (Filesize: 5.7MB)