Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 06-07-2022 05:15
Behavioral task: behavioral1
- Sample: sibmne.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: sibmne.exe
- Resource: win10v2004-20220414-en
General
- Target: sibmne.exe
- Size: 31KB
- MD5: b92b3115473d465d03d54ed3a2a7defa
- SHA1: 6e11bb60d8c01aa6032e927acdcec335b2181007
- SHA256: d4ffb7e8cefcf9db3e3a8771b05ee02c4f6235a8c13677217a8a49e5cf2dc8bd
- SHA512: be339251a191bad40a2f7a7e013b717dae439ffa0d9328da5d0fb44ce7659e390fa943b61fceb20ad6bb7e3ee349e4a35f29e548c3b23d96024fdeb4822f6aef
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: MyBot32
- C2: 4.tcp.eu.ngrok.io:4542
- Mutex: 60ba8fa2947818e6663b2c1251a2ccd2
- reg_key: 60ba8fa2947818e6663b2c1251a2ccd2
- splitter: Y262SUCZ4UJJ
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid 4300  Bluetooth.exe
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Processes: sibmne.exe
    Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation  (sibmne.exe)
- Drops startup file (2 IoCs)
  Processes: Bluetooth.exe
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\60ba8fa2947818e6663b2c1251a2ccd2.exe  (Bluetooth.exe)
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\60ba8fa2947818e6663b2c1251a2ccd2.exe  (Bluetooth.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: Bluetooth.exe
    Set value (str): \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\60ba8fa2947818e6663b2c1251a2ccd2 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Bluetooth.exe\" .."  (Bluetooth.exe)
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\60ba8fa2947818e6663b2c1251a2ccd2 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Bluetooth.exe\" .."  (Bluetooth.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes: Bluetooth.exe (pid 4300)
    Token: SeDebugPrivilege  (1 entry)
    Token: 33 and Token: SeIncBasePriorityPrivilege, alternating  (34 entries, 17 of each)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: sibmne.exe, Bluetooth.exe
    PID 2832 (sibmne.exe) wrote to memory of PID 4300 (Bluetooth.exe)  (3 entries)
    PID 4300 (Bluetooth.exe) wrote to memory of PID 4168 (netsh.exe)  (3 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\sibmne.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\sibmne.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Bluetooth.exe  (child of 1)
      Command line: "C:\Users\Admin\AppData\Roaming\Bluetooth.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe  (child of 2)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Bluetooth.exe" "Bluetooth.exe" ENABLE
         - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Bluetooth.exe
  Filesize: 31KB
  MD5: b92b3115473d465d03d54ed3a2a7defa
  SHA1: 6e11bb60d8c01aa6032e927acdcec335b2181007
  SHA256: d4ffb7e8cefcf9db3e3a8771b05ee02c4f6235a8c13677217a8a49e5cf2dc8bd
  SHA512: be339251a191bad40a2f7a7e013b717dae439ffa0d9328da5d0fb44ce7659e390fa943b61fceb20ad6bb7e3ee349e4a35f29e548c3b23d96024fdeb4822f6aef
- memory/2832-130-0x00000000750A0000-0x0000000075651000-memory.dmp
  Filesize: 5.7MB
- memory/2832-134-0x00000000750A0000-0x0000000075651000-memory.dmp
  Filesize: 5.7MB
- memory/4168-136-0x0000000000000000-mapping.dmp
- memory/4300-131-0x0000000000000000-mapping.dmp
- memory/4300-135-0x00000000750A0000-0x0000000075651000-memory.dmp
  Filesize: 5.7MB
- memory/4300-137-0x00000000750A0000-0x0000000075651000-memory.dmp
  Filesize: 5.7MB