Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 06-07-2022 05:15
Behavioral tasks
- behavioral1: Sample sibmne.exe, Resource win7-20220414-en
- behavioral2: Sample sibmne.exe, Resource win10v2004-20220414-en
General
- Target: sibmne.exe
- Size: 31KB
- MD5: b92b3115473d465d03d54ed3a2a7defa
- SHA1: 6e11bb60d8c01aa6032e927acdcec335b2181007
- SHA256: d4ffb7e8cefcf9db3e3a8771b05ee02c4f6235a8c13677217a8a49e5cf2dc8bd
- SHA512: be339251a191bad40a2f7a7e013b717dae439ffa0d9328da5d0fb44ce7659e390fa943b61fceb20ad6bb7e3ee349e4a35f29e548c3b23d96024fdeb4822f6aef
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: MyBot32
- C2: 4.tcp.eu.ngrok.io:4542
- Mutex: 60ba8fa2947818e6663b2c1251a2ccd2
- reg_key: 60ba8fa2947818e6663b2c1251a2ccd2
- splitter: Y262SUCZ4UJJ
Notes for use: the C2 is an ngrok TCP tunnel, so whatever address the hostname resolves to belongs to ngrok's shared edge and says nothing about the operator; pivot on the hostname:port pair rather than the IP, and expect the tunnel port to differ between builds. The 32-hex value serves as both mutex and reg_key and reappears below as the Run value name and the Startup-folder filename, which makes it the most specific host indicator in this report. The splitter is this build's field delimiter in C2 traffic (stock njRAT builds use |'|'|), so it is usable as a network content match for this build specifically.
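Added example, not from the report and not njRAT's own code: a decoder for njRAT-style C2 frames keyed to the splitter extracted above. The framing assumed is the one stock njRAT builds use (an ASCII decimal payload length, a NUL byte, then the payload, with fields joined by the splitter). The registration and keepalive payloads in SAMPLE_STREAM are constructed for illustration, not captured traffic, and their field order is illustrative only.

```python
# Added example: parse njRAT-style frames with the splitter from this sample's config.
# Assumed framing: b"<decimal length>\x00<payload>", payload fields joined by SPLITTER.

SPLITTER = b"Y262SUCZ4UJJ"                      # from the extracted config
C2_HOST, C2_PORT = "4.tcp.eu.ngrok.io", 4542    # from the extracted config


def build_frame(command: bytes, *fields: bytes, splitter: bytes = SPLITTER) -> bytes:
    """Encode one frame the way the assumed framing describes (used to build the sample)."""
    payload = splitter.join((command,) + fields)
    return str(len(payload)).encode() + b"\x00" + payload


def parse_frames(stream: bytes, splitter: bytes = SPLITTER):
    """Return ([(command, [fields...]), ...], unparsed_tail) for a TCP byte stream.

    A frame whose length prefix or payload has not fully arrived is left in the tail,
    so the caller can append the next segment and call again (TCP gives no frame boundaries).
    """
    frames = []
    pos = 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul < 0:
            break                                           # length prefix incomplete
        length_txt = stream[pos:nul]
        if not length_txt.isdigit():
            raise ValueError(f"bad length prefix at offset {pos}: {length_txt!r}")
        start, end = nul + 1, nul + 1 + int(length_txt)
        if end > len(stream):
            break                                           # payload incomplete
        fields = stream[start:end].split(splitter)
        frames.append((fields[0].decode("latin-1"),
                       [f.decode("latin-1") for f in fields[1:]]))
        pos = end
    return frames, stream[pos:]


def splitter_hits(stream: bytes, splitter: bytes = SPLITTER) -> int:
    """Count splitter occurrences: a cheap content indicator for this build's traffic."""
    return stream.count(splitter)


# Constructed sample stream: a registration-style frame, a one-byte keepalive, and the
# first byte of a frame that has not fully arrived yet. Field values are invented.
SAMPLE_STREAM = (
    build_frame(b"ll", b"SGFjS2VkX0FCQ0QxMjM0", b"WIN7-PC", b"Admin", b"22-07-06")
    + build_frame(b"P")
    + b"1"
)

if __name__ == "__main__":
    frames, tail = parse_frames(SAMPLE_STREAM)
    for command, fields in frames:
        print(command, fields)
    print("unparsed tail:", tail, "splitter hits:", splitter_hits(SAMPLE_STREAM))
```

The build-specific splitter is the useful part: a generic njRAT signature on |'|'| misses this sample, while a match on Y262SUCZ4UJJ toward 4.tcp.eu.ngrok.io:4542 is precise for it. The length-prefixed framing is also why a detector must buffer across TCP segments rather than inspect each packet alone.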
Signatures
- Executes dropped EXE (1 IoC)
  pid 1216  Bluetooth.exe
- Modifies Windows Firewall (1 TTP, 1 IoC)
  The netsh.exe child of Bluetooth.exe in the process tree.
- Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\60ba8fa2947818e6663b2c1251a2ccd2.exe  (by Bluetooth.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\60ba8fa2947818e6663b2c1251a2ccd2.exe  (by Bluetooth.exe)
- Loads dropped DLL (1 IoC)
  pid 852  sibmne.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) by Bluetooth.exe:
    \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\60ba8fa2947818e6663b2c1251a2ccd2 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Bluetooth.exe\" .."
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\60ba8fa2947818e6663b2c1251a2ccd2 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Bluetooth.exe\" .."
  The trailing " .." argument is a long-standing njRAT hallmark and a better hunting key than the path or value name, which change per build. The HKLM value landing under Wow6432Node shows a 32-bit process on a 64-bit host (consistent with the SysWOW64\netsh.exe child) that had rights to write HKLM in the sandbox; on a non-admin host only the HKCU value and the Startup-folder copy would take.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  That sentence is the sandbox's generic description for this heuristic. Nothing else in the report (no mass file modification, no dropped notes) supports ransomware; for njRAT, drive enumeration is its known removable-media spreading routine, so read it as propagation rather than encryption.
- Suspicious use of AdjustPrivilegeToken (19 IoCs)
  pid 1216  Bluetooth.exe: SeDebugPrivilege once, then privilege 33 (reported by LUID only) and SeIncBasePriorityPrivilege alternating, nine times each.
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 852 (sibmne.exe) wrote to memory of PID 1216 (Bluetooth.exe): 4 times
  PID 1216 (Bluetooth.exe) wrote to memory of PID 1132 (netsh.exe): 4 times
  Both pairs are parent writing into its own freshly created child, the same parent/child pairs as the process tree; they do not on their own show injection into an unrelated process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\sibmne.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\sibmne.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Bluetooth.exe
      command line: "C:\Users\Admin\AppData\Roaming\Bluetooth.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe
         command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Bluetooth.exe" "Bluetooth.exe" ENABLE
         - Modifies Windows Firewall
The legacy netsh firewall context is deprecated but still accepted on Windows 7 and 10; the command adds an allow rule for the %APPDATA% copy under the name given as the second argument ("Bluetooth.exe"), in the same rule store the advfirewall context and the firewall control panel display. During cleanup, remove that rule along with the two Run values and the Startup-folder file, since any one of them restarts the chain.
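Added example, not from the report: detection logic for the persistence and firewall chain in the tree above, run over a handful of constructed Sysmon-style events. The event dict schema and the benign look-alike events are assumptions of this example; the malicious values are the ones this report records.

```python
import re

# Constructed Sysmon-style events. The dict schema (type, pid, ppid, image, key, data,
# path, cmdline) is an assumption of this example; the malicious values are this report's.
APPDATA = r"C:\Users\Admin\AppData\Roaming"
KEYNAME = "60ba8fa2947818e6663b2c1251a2ccd2"
EVENTS = [
    {"type": "registry_set", "pid": 1216, "image": rf"{APPDATA}\Bluetooth.exe",
     "key": rf"\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\{KEYNAME}",
     "data": rf'"{APPDATA}\Bluetooth.exe" ..'},
    {"type": "registry_set", "pid": 1216, "image": rf"{APPDATA}\Bluetooth.exe",
     "key": rf"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\{KEYNAME}",
     "data": rf'"{APPDATA}\Bluetooth.exe" ..'},
    {"type": "file_create", "pid": 1216, "image": rf"{APPDATA}\Bluetooth.exe",
     "path": rf"{APPDATA}\Microsoft\Windows\Start Menu\Programs\Startup\{KEYNAME}.exe"},
    {"type": "process_create", "pid": 1132, "ppid": 1216, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": rf'netsh firewall add allowedprogram "{APPDATA}\Bluetooth.exe" "Bluetooth.exe" ENABLE'},
    # Benign look-alikes (constructed): a vendor updater Run value, a Startup shortcut, routine netsh.
    {"type": "registry_set", "pid": 4000, "image": r"C:\Program Files\Vendor\Updater.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "data": r'"C:\Program Files\Vendor\Updater.exe" /background'},
    {"type": "file_create", "pid": 4001, "image": r"C:\Windows\explorer.exe",
     "path": rf"{APPDATA}\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk"},
    {"type": "process_create", "pid": 4100, "ppid": 900, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh interface show interface"},
]

# One rule per behaviour the report ties together.
RUN_VALUE = re.compile(r"\\CurrentVersion\\Run\\[^\\]+$", re.I)
NJRAT_RUN_DATA = re.compile(r'^"[^"]*\\AppData\\[^"]+\.exe" \.\.$', re.I)  # quoted AppData path + trailing " .."
STARTUP_HEX_EXE = re.compile(r"\\Start Menu\\Programs\\Startup\\[0-9a-f]{32}\.exe$", re.I)
NETSH_ALLOW_USERPATH = re.compile(
    r'firewall\s+add\s+allowedprogram\s+"[^"]*\\Users\\[^"]*\\AppData\\[^"]+"', re.I)


def detect(events):
    """Return (rule, pid, evidence) triples; netsh hits are attributed to the parent pid."""
    hits = []
    for ev in events:
        kind = ev["type"]
        if kind == "registry_set" and RUN_VALUE.search(ev["key"]) and NJRAT_RUN_DATA.match(ev["data"]):
            hits.append(("njrat_run_value", ev["pid"], ev["key"]))
        elif kind == "file_create" and STARTUP_HEX_EXE.search(ev["path"]):
            hits.append(("startup_hex_exe", ev["pid"], ev["path"]))
        elif (kind == "process_create" and ev["image"].lower().endswith("\\netsh.exe")
              and NETSH_ALLOW_USERPATH.search(ev["cmdline"])):
            hits.append(("netsh_allow_userpath", ev["ppid"], ev["cmdline"]))
    return hits


def full_chains(hits):
    """pids that triggered all three rules, i.e. the complete chain Bluetooth.exe shows here."""
    by_pid = {}
    for rule, pid, _ in hits:
        by_pid.setdefault(pid, set()).add(rule)
    return sorted(pid for pid, rules in by_pid.items() if len(rules) == 3)


if __name__ == "__main__":
    found = detect(EVENTS)
    for rule, pid, evidence in found:
        print(f"{rule:22} pid={pid}  {evidence}")
    print("full chain in:", full_chains(found))
```

The Run-value rule keys on the trailing " .." and an AppData path rather than on the value name, which is per-build; the netsh rule is attributed to the parent so that the three behaviours correlate on one pid. On live telemetry the same three checks map to Sysmon event IDs 13 (registry value set), 11 (file create) and 1 (process create).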
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Bluetooth.exe (listed three times in the report, once as \Users\Admin\AppData\Roaming\Bluetooth.exe without the drive letter; all three entries carry the same hashes)
  Filesize 31KB
  MD5 b92b3115473d465d03d54ed3a2a7defa
  SHA1 6e11bb60d8c01aa6032e927acdcec335b2181007
  SHA256 d4ffb7e8cefcf9db3e3a8771b05ee02c4f6235a8c13677217a8a49e5cf2dc8bd
  SHA512 be339251a191bad40a2f7a7e013b717dae439ffa0d9328da5d0fb44ce7659e390fa943b61fceb20ad6bb7e3ee349e4a35f29e548c3b23d96024fdeb4822f6aef
  These hashes are identical to the submitted sibmne.exe: Bluetooth.exe is the sample copying itself into %APPDATA%, not a second stage fetched from the network, so the one SHA256 covers both files.
- memory/852-54-0x0000000076781000-0x0000000076783000-memory.dmp  Filesize 8KB
- memory/852-55-0x0000000074A70000-0x000000007501B000-memory.dmp  Filesize 5.7MB
- memory/852-61-0x0000000074A70000-0x000000007501B000-memory.dmp  Filesize 5.7MB
- memory/1132-63-0x0000000000000000-mapping.dmp
- memory/1216-57-0x0000000000000000-mapping.dmp
- memory/1216-62-0x0000000074A70000-0x000000007501B000-memory.dmp  Filesize 5.7MB
- memory/1216-65-0x0000000074A70000-0x000000007501B000-memory.dmp  Filesize 5.7MB