Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 06-07-2022 05:15
Behavioral task: behavioral1
- Sample: ratka.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: ratka.exe
- Resource: win10v2004-20220414-en
General
- Target: ratka.exe
- Size: 43KB
- MD5: e01e74c608fddd8dd1581cc12ba596b8
- SHA1: ab7b8cc4726dae0db4619af8db0923872ae86981
- SHA256: 3605f24cb3b60751d304359176d41c224c150caa7a5f670d373b9a84479ce067
- SHA512: 013d1d8fc44b80e92e7c2d3fa1dc6ed6a38d04e0cead3d0990eb5cb6c614a45185f67e7ad3b7bb5a0f59216f61a29ff6587b55b6aaf1cb2ae811409fcc882edd
Malware Config
Extracted
- Family: njrat
- Version: Njrat 0.7 Golden By Hassan Amiri
- HacKed
- C2: 7.tcp.eu.ngrok.io:18065
- Windows Update
- reg_key: Windows Update
- splitter: |Hassan|
Signatures
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
- Executes dropped EXE (1 IoCs)
  Processes: Bluetooth.exe (pid 1636)
- Drops startup file (2 IoCs)
  Processes: Bluetooth.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe
- Loads dropped DLL (1 IoCs)
  Processes: ratka.exe (pid 1036)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: Bluetooth.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\Bluetooth.exe\" .."
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\Bluetooth.exe\" .."
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: Bluetooth.exe (pid 1636)
- Suspicious use of AdjustPrivilegeToken (21 IoCs)
  Processes: Bluetooth.exe (pid 1636)
  - Token: SeDebugPrivilege
  - Token: 33 and Token: SeIncBasePriorityPrivilege, alternating, 10 times each (21 token adjustments in total)
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: ratka.exe (PID 1036) wrote to memory of Bluetooth.exe (PID 1636), 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\ratka.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Roaming\Bluetooth.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Bluetooth.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Roaming\Bluetooth.exe
  Filesize: 43KB
  MD5: e01e74c608fddd8dd1581cc12ba596b8
  SHA1: ab7b8cc4726dae0db4619af8db0923872ae86981
  SHA256: 3605f24cb3b60751d304359176d41c224c150caa7a5f670d373b9a84479ce067
  SHA512: 013d1d8fc44b80e92e7c2d3fa1dc6ed6a38d04e0cead3d0990eb5cb6c614a45185f67e7ad3b7bb5a0f59216f61a29ff6587b55b6aaf1cb2ae811409fcc882edd
- memory/1036-54-0x00000000010E0000-0x00000000010F2000-memory.dmp
  Filesize: 72KB
- memory/1036-55-0x0000000075B61000-0x0000000075B63000-memory.dmp
  Filesize: 8KB
- memory/1636-57-0x0000000000000000-mapping.dmp
- memory/1636-60-0x0000000001060000-0x0000000001072000-memory.dmp
  Filesize: 72KB