Analysis
-
max time kernel
144s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
23-11-2022 13:07
General
-
Target
c9a6906da93dbfbbf03dbef5eb0f92c08b3d32468bdb34eb7dd14fa4021765e8.exe
-
Size
23KB
-
MD5
b666c4da44542080af4e8d10035e3cae
-
SHA1
4c1df8d41638200ab51d3c22c6d1854b0544a2e2
-
SHA256
c9a6906da93dbfbbf03dbef5eb0f92c08b3d32468bdb34eb7dd14fa4021765e8
-
SHA512
d8a835e5df93056ce193b4aa64bab04bb0c2a008d9385144500e6057d7d97de226283225e3f90386aeb8742db637a8bebb1031adf5fa09046f76d87e8dac235b
-
SSDEEP
384:4sqCm6yocx/Yp7jemiO0nd08/VQ6bgNQC5h7tmRvR6JZlbw8hqIusZzZNX:PSoQA6mlcrRpcnuG
Malware Config
Extracted
njrat
0.7d
SAMEEDLCP
themarlborough.co.vu:5150
fb299416afb86ef6ecdbdf6738f8fa6c
-
reg_key
fb299416afb86ef6ecdbdf6738f8fa6c
-
splitter
|'|'|
Signatures
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Executes dropped EXE 1 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 33 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c9a6906da93dbfbbf03dbef5eb0f92c08b3d32468bdb34eb7dd14fa4021765e8.exe"C:\Users\Admin\AppData\Local\Temp\c9a6906da93dbfbbf03dbef5eb0f92c08b3d32468bdb34eb7dd14fa4021765e8.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Winsvc.exe"C:\Users\Admin\AppData\Roaming\Winsvc.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Winsvc.exe" "Winsvc.exe" ENABLE3⤵
- Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Winsvc.exeFilesize
23KB
MD5b666c4da44542080af4e8d10035e3cae
SHA14c1df8d41638200ab51d3c22c6d1854b0544a2e2
SHA256c9a6906da93dbfbbf03dbef5eb0f92c08b3d32468bdb34eb7dd14fa4021765e8
SHA512d8a835e5df93056ce193b4aa64bab04bb0c2a008d9385144500e6057d7d97de226283225e3f90386aeb8742db637a8bebb1031adf5fa09046f76d87e8dac235b
-
C:\Users\Admin\AppData\Roaming\Winsvc.exeFilesize
23KB
MD5b666c4da44542080af4e8d10035e3cae
SHA14c1df8d41638200ab51d3c22c6d1854b0544a2e2
SHA256c9a6906da93dbfbbf03dbef5eb0f92c08b3d32468bdb34eb7dd14fa4021765e8
SHA512d8a835e5df93056ce193b4aa64bab04bb0c2a008d9385144500e6057d7d97de226283225e3f90386aeb8742db637a8bebb1031adf5fa09046f76d87e8dac235b
-
memory/1292-133-0x0000000000000000-mapping.dmp
-
memory/1292-137-0x00000000753A0000-0x0000000075951000-memory.dmpFilesize
5.7MB
-
memory/1292-139-0x00000000753A0000-0x0000000075951000-memory.dmpFilesize
5.7MB
-
memory/2412-138-0x0000000000000000-mapping.dmp
-
memory/4824-132-0x00000000753A0000-0x0000000075951000-memory.dmpFilesize
5.7MB
-
memory/4824-136-0x00000000753A0000-0x0000000075951000-memory.dmpFilesize
5.7MB