Analysis
-
max time kernel
151s -
max time network
169s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
25-11-2022 01:49
General
-
Target
4c91884307199fbadb8aa41ce6d6bdef10e0d185737f75c79dbe28e62267c37b.exe
-
Size
1.1MB
-
MD5
6d614c1cc6113efb12d0d7eb0147db64
-
SHA1
6e2ec4f4e73a358849c9b147428dbdb609d043f1
-
SHA256
4c91884307199fbadb8aa41ce6d6bdef10e0d185737f75c79dbe28e62267c37b
-
SHA512
78158ab786852d597a084a5f55401ae087468ae02ae077d56593c68eb4f0464b2573ba1347c9c0cd7a58409194232d2eb12a446b72e53ff569251668d25de007
-
SSDEEP
24576:Itb20pkaCqT5TBWgNQ7aGSbRNn0eeiN/P+U7F16A:RVg5tQ7aGocen+U35
Malware Config
Extracted
njrat
0.7d
u0lf4ÓßgÒiNBMìNñõÛÃáÍÚÒæÉâgþ
193.0.200.131:35689
abde6d91c02e072e675204de91168fab
-
reg_key
abde6d91c02e072e675204de91168fab
-
splitter
|'|'|
Signatures
-
Modifies WinLogon for persistence 2 TTPs 3 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Blocks application from running via registry modification 64 IoCs
Adds application to list of disallowed applications.
-
Drops file in Drivers directory 13 IoCs
-
Executes dropped EXE 5 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Sets file to hidden 1 TTPs 16 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Loads dropped DLL 3 IoCs
-
Adds Run key to start application 2 TTPs 7 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 16 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4c91884307199fbadb8aa41ce6d6bdef10e0d185737f75c79dbe28e62267c37b.exe"C:\Users\Admin\AppData\Local\Temp\4c91884307199fbadb8aa41ce6d6bdef10e0d185737f75c79dbe28e62267c37b.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\WINDOWS\TEMPARCHIVE\RZ29oRt44C0mES2NOh4LHX7rjK2hRIIkVPjz.exeC:\Users\Admin\AppData\Local\Temp/WINDOWS/TEMPARCHIVE/RZ29oRt44C0mES2NOh4LHX7rjK2hRIIkVPjz.exe2⤵
- Modifies WinLogon for persistence
- Blocks application from running via registry modification
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\IyQoe.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cacls.execacls C:\Users\Admin\AppData\Local\Temp\WINDOWS\TEMPARCHIVE /E /P everyone:n4⤵
-
C:\Windows\system32\cacls.execacls C:\Users\Admin\AppData\Local\Temp\WINDOWS /E /P everyone:n4⤵
-
C:\Windows\system32\attrib.exeattrib +a +h +s +r "C:\Windows\System32\drivers\etc\*.*"4⤵
- Drops file in Drivers directory
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\system32\cacls.execacls C:\Users\Admin\AppData\Local\Temp\WorkspaceRuntime /E /P everyone:n4⤵
-
C:\Windows\system32\attrib.exeattrib +a +h +s +r "C:\Windows\System32\drivers\etc"4⤵
- Drops file in Drivers directory
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\system32\attrib.exeattrib +a +h +s +r "C:\Users\Admin\AppData\Local\Temp\WINDOWS\TEMPARCHIVE\*.*"4⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\system32\attrib.exeattrib +a +h +s +r "C:\Users\Admin\AppData\Local\Temp\WINDOWS\TEMPARCHIVE"4⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\system32\attrib.exeattrib +a +h +s +r "C:\Users\Admin\AppData\Local\Temp\WINDOWS\*.*"4⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\system32\attrib.exeattrib +a +h +s +r "C:\Users\Admin\AppData\Local\Temp\WINDOWS"4⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\system32\attrib.exeattrib +a +h +s +r "C:\Users\Admin\AppData\Local\Temp\WorkspaceRuntime\*.*"4⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\system32\attrib.exeattrib +a +h +s +r "C:\Users\Admin\AppData\Local\Temp\WorkspaceRuntime"4⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\WINDOWS\TEMPARCHIVE\taskeng.exeC:\Users\Admin\AppData\Local\Temp/WINDOWS/TEMPARCHIVE/taskeng.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\temp\WINDOWS\TEMPARCHIVE\ucsvc.exe"C:\Users\Admin\AppData\Local\temp\WINDOWS\TEMPARCHIVE\ucsvc.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\temp\WorkspaceRuntime\wksprt.exe"C:\Users\Admin\AppData\Local\temp\WorkspaceRuntime\wksprt.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\temp\WorkspaceRuntime\wksprt.exeC:\Users\Admin\AppData\Local\temp\WorkspaceRuntime\wksprt.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\temp\WorkspaceRuntime\wksprt.exe" "wksprt.exe" ENABLE6⤵
- Modifies Windows Firewall
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\v.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\attrib.exeattrib +a +h +s +r "C:\Windows\System32\drivers\etc\*.*"4⤵
- Drops file in Drivers directory
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\system32\attrib.exeattrib +a +h +s +r "C:\Users\Admin\AppData\Local\Temp\WINDOWS\TEMPARCHIVE\*.*"4⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\system32\attrib.exeattrib +a +h +s +r "C:\Windows\System32\drivers\etc"4⤵
- Drops file in Drivers directory
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\system32\attrib.exeattrib +a +h +s +r "C:\Users\Admin\AppData\Local\Temp\WINDOWS\TEMPARCHIVE"4⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\system32\attrib.exeattrib +a +h +s +r "C:\Users\Admin\AppData\Local\Temp\WINDOWS\*.*"4⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\system32\attrib.exeattrib +a +h +s +r "C:\Users\Admin\AppData\Local\Temp\WINDOWS"4⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\system32\attrib.exeattrib +a +h +s +r "C:\Users\Admin\AppData\Local\Temp\WorkspaceRuntime\*.*"4⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\system32\attrib.exeattrib +a +h +s +r "C:\Users\Admin\AppData\Local\Temp\WorkspaceRuntime"4⤵
- Sets file to hidden
- Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IyQoe.batFilesize
522B
MD5254160d9b9287bff589b6246f99d8eec
SHA1876310cdd302898f5c8f4041037f18bacf07bcbe
SHA25616e99344bda2b1338204f4e89c3c6b6a8efbb168a76ed624cba9f4d1ad3fd9a4
SHA512002d0415387e60b9ef11a6e95787f03ec34c571676d7e5cafd54b6352855ca24e9099d1faa970a5cabdaa1f26620676cbb56e028cfdc54045119e0535a70444a
-
C:\Users\Admin\AppData\Local\Temp\WINDOWS\TEMPARCHIVE\RZ29oRt44C0mES2NOh4LHX7rjK2hRIIkVPjz.exeFilesize
113KB
MD5bbca72e3a3096b322289adf9226411f7
SHA15a9395d35f73c261082486836bdfb4af6e4a7c06
SHA256c09b77187f6c4dd2be355c3d96b89a6d2fc49646b3b067ef5748e2eadbf7206b
SHA512f32b734432a40d7f4a24e47e6e7a21fc09b4dbb4a784ac8f015c7edea77f4b728c00fb62b102682001c7ced4f55c6fe943208f88c0471217ee82ea82ef1603a5
-
C:\Users\Admin\AppData\Local\Temp\WINDOWS\TEMPARCHIVE\RZ29oRt44C0mES2NOh4LHX7rjK2hRIIkVPjz.exeFilesize
113KB
MD5bbca72e3a3096b322289adf9226411f7
SHA15a9395d35f73c261082486836bdfb4af6e4a7c06
SHA256c09b77187f6c4dd2be355c3d96b89a6d2fc49646b3b067ef5748e2eadbf7206b
SHA512f32b734432a40d7f4a24e47e6e7a21fc09b4dbb4a784ac8f015c7edea77f4b728c00fb62b102682001c7ced4f55c6fe943208f88c0471217ee82ea82ef1603a5
-
C:\Users\Admin\AppData\Local\Temp\WINDOWS\TEMPARCHIVE\taskeng.exeFilesize
29KB
MD552944262c2ba7f1b50a054c0c1f9a88d
SHA1c6f9d258438f247c0d14ad9f60e0b01347bcbfcc
SHA2564fc8a9aff00714d712171dd65a9c42382c6a02cd3f55e98a7e469b0a46d657c9
SHA512880a98312a8f80c37b10baf61a97e04226ed1f007093f61b18daab61a9ed42f0a3f1af3ed1bb4159b5dfc1fad849c7500056642ec2e45af4fc486e46f079a972
-
C:\Users\Admin\AppData\Local\Temp\WINDOWS\TEMPARCHIVE\taskeng.exeFilesize
29KB
MD552944262c2ba7f1b50a054c0c1f9a88d
SHA1c6f9d258438f247c0d14ad9f60e0b01347bcbfcc
SHA2564fc8a9aff00714d712171dd65a9c42382c6a02cd3f55e98a7e469b0a46d657c9
SHA512880a98312a8f80c37b10baf61a97e04226ed1f007093f61b18daab61a9ed42f0a3f1af3ed1bb4159b5dfc1fad849c7500056642ec2e45af4fc486e46f079a972
-
C:\Users\Admin\AppData\Local\Temp\WINDOWS\TEMPARCHIVE\ucsvc.exeFilesize
70KB
MD56b4f12869c822faff28fe9377531655b
SHA1784fb31f33a92695e4dc6eefeaccc13086ae277f
SHA25606688797d34750928fc847a12db9d2c747d97ea514b1f7d077d6620b160ac958
SHA5125a65c6e30903790ed4c557ffa3ccae0c1a177b0a3b7cacade93faf84c8e7f20f410b5a710ebfd58e0e23e57addf9dc96391254db660f74618f7057204baafae3
-
C:\Users\Admin\AppData\Local\Temp\WorkspaceRuntime\wksprt.exeFilesize
220KB
MD51dae65aa91f64af004bfc75bafa18976
SHA1f5b448b07029640a6bc600b154782eef13865d01
SHA25633b9d81dc68b86efed8095dc63e2a299c3a1b31136e654f66e668af93556f96c
SHA512eb78060f610db6849e75981bbe20345b45c8f8dc24011e9e42b2583934bd379286ae996c9eb8586e5dd4302de59cee5632e7dd97488c6318702ea61774e04b56
-
C:\Users\Admin\AppData\Local\Temp\WorkspaceRuntime\wksprt.exeFilesize
220KB
MD51dae65aa91f64af004bfc75bafa18976
SHA1f5b448b07029640a6bc600b154782eef13865d01
SHA25633b9d81dc68b86efed8095dc63e2a299c3a1b31136e654f66e668af93556f96c
SHA512eb78060f610db6849e75981bbe20345b45c8f8dc24011e9e42b2583934bd379286ae996c9eb8586e5dd4302de59cee5632e7dd97488c6318702ea61774e04b56
-
C:\Users\Admin\AppData\Local\Temp\v.batFilesize
384B
MD52ec56e11d99afad1e6fba39be82df172
SHA18ace61da9bf03dfa3f05e4a2eee2311ade93040f
SHA256fe08f1f73ef0636a84ff7b757a04f2f99c417b4c0d63d9da8952c4154830b929
SHA5125fb85766c7ae10f5839fcdb02518caabb9cc44012ea8cc108c0c4ee78f0a04549cf4a2e0d33ce03a00748baa79f25f63e288513d869d967658fa222fbd11cc21
-
C:\Users\Admin\AppData\Local\temp\WINDOWS\TEMPARCHIVE\ucsvc.exeFilesize
70KB
MD56b4f12869c822faff28fe9377531655b
SHA1784fb31f33a92695e4dc6eefeaccc13086ae277f
SHA25606688797d34750928fc847a12db9d2c747d97ea514b1f7d077d6620b160ac958
SHA5125a65c6e30903790ed4c557ffa3ccae0c1a177b0a3b7cacade93faf84c8e7f20f410b5a710ebfd58e0e23e57addf9dc96391254db660f74618f7057204baafae3
-
C:\Users\Admin\AppData\Local\temp\WorkspaceRuntime\wksprt.exeFilesize
220KB
MD51dae65aa91f64af004bfc75bafa18976
SHA1f5b448b07029640a6bc600b154782eef13865d01
SHA25633b9d81dc68b86efed8095dc63e2a299c3a1b31136e654f66e668af93556f96c
SHA512eb78060f610db6849e75981bbe20345b45c8f8dc24011e9e42b2583934bd379286ae996c9eb8586e5dd4302de59cee5632e7dd97488c6318702ea61774e04b56
-
C:\Windows\System32\drivers\etc\hostsFilesize
1KB
MD501ae587c73cd331fd2da4caeca584612
SHA1ee2f06eba879af91442b137c36861c131f9fbc26
SHA256464da2c16792622be63fb6e5795853c24d84473080d7090948147dc1c1c27e68
SHA512650e69fa28985a4fd79a530f4fd5f08ae0590160e9db25872f0d3ea50a612674c076090e9d1f8ec7335a2473fa51088577436a2ec8e702e9402f16d467fbb1e5
-
\Users\Admin\AppData\Local\Temp\WINDOWS\TEMPARCHIVE\RZ29oRt44C0mES2NOh4LHX7rjK2hRIIkVPjz.exeFilesize
113KB
MD5bbca72e3a3096b322289adf9226411f7
SHA15a9395d35f73c261082486836bdfb4af6e4a7c06
SHA256c09b77187f6c4dd2be355c3d96b89a6d2fc49646b3b067ef5748e2eadbf7206b
SHA512f32b734432a40d7f4a24e47e6e7a21fc09b4dbb4a784ac8f015c7edea77f4b728c00fb62b102682001c7ced4f55c6fe943208f88c0471217ee82ea82ef1603a5
-
\Users\Admin\AppData\Local\Temp\WINDOWS\TEMPARCHIVE\taskeng.exeFilesize
29KB
MD552944262c2ba7f1b50a054c0c1f9a88d
SHA1c6f9d258438f247c0d14ad9f60e0b01347bcbfcc
SHA2564fc8a9aff00714d712171dd65a9c42382c6a02cd3f55e98a7e469b0a46d657c9
SHA512880a98312a8f80c37b10baf61a97e04226ed1f007093f61b18daab61a9ed42f0a3f1af3ed1bb4159b5dfc1fad849c7500056642ec2e45af4fc486e46f079a972
-
\Users\Admin\AppData\Local\Temp\WorkspaceRuntime\wksprt.exeFilesize
220KB
MD51dae65aa91f64af004bfc75bafa18976
SHA1f5b448b07029640a6bc600b154782eef13865d01
SHA25633b9d81dc68b86efed8095dc63e2a299c3a1b31136e654f66e668af93556f96c
SHA512eb78060f610db6849e75981bbe20345b45c8f8dc24011e9e42b2583934bd379286ae996c9eb8586e5dd4302de59cee5632e7dd97488c6318702ea61774e04b56
-
memory/108-87-0x0000000000000000-mapping.dmp
-
memory/316-88-0x0000000000000000-mapping.dmp
-
memory/320-82-0x0000000000000000-mapping.dmp
-
memory/552-84-0x0000000000000000-mapping.dmp
-
memory/588-94-0x0000000000000000-mapping.dmp
-
memory/684-93-0x0000000000000000-mapping.dmp
-
memory/768-75-0x0000000000000000-mapping.dmp
-
memory/928-73-0x000007FEF3000000-0x000007FEF4096000-memory.dmpFilesize
16.6MB
-
memory/928-98-0x0000000000B26000-0x0000000000B45000-memory.dmpFilesize
124KB
-
memory/928-120-0x0000000000B26000-0x0000000000B45000-memory.dmpFilesize
124KB
-
memory/928-67-0x0000000000000000-mapping.dmp
-
memory/928-71-0x000007FEF40A0000-0x000007FEF4AC3000-memory.dmpFilesize
10.1MB
-
memory/972-92-0x0000000000000000-mapping.dmp
-
memory/1052-95-0x0000000000000000-mapping.dmp
-
memory/1064-96-0x0000000000000000-mapping.dmp
-
memory/1092-80-0x0000000000000000-mapping.dmp
-
memory/1152-70-0x0000000000000000-mapping.dmp
-
memory/1256-86-0x0000000000000000-mapping.dmp
-
memory/1284-77-0x0000000002176000-0x0000000002195000-memory.dmpFilesize
124KB
-
memory/1284-64-0x000007FEF40A0000-0x000007FEF4AC3000-memory.dmpFilesize
10.1MB
-
memory/1284-66-0x000007FEF3000000-0x000007FEF4096000-memory.dmpFilesize
16.6MB
-
memory/1284-56-0x0000000000000000-mapping.dmp
-
memory/1364-85-0x0000000000000000-mapping.dmp
-
memory/1372-89-0x0000000000000000-mapping.dmp
-
memory/1392-81-0x0000000000000000-mapping.dmp
-
memory/1576-90-0x0000000000000000-mapping.dmp
-
memory/1712-72-0x0000000000000000-mapping.dmp
-
memory/1724-76-0x0000000000256000-0x0000000000275000-memory.dmpFilesize
124KB
-
memory/1724-63-0x000007FEF40A0000-0x000007FEF4AC3000-memory.dmpFilesize
10.1MB
-
memory/1724-65-0x000007FEF3000000-0x000007FEF4096000-memory.dmpFilesize
16.6MB
-
memory/1724-60-0x0000000000000000-mapping.dmp
-
memory/1728-119-0x0000000000000000-mapping.dmp
-
memory/1748-97-0x0000000000000000-mapping.dmp
-
memory/1804-99-0x0000000000000000-mapping.dmp
-
memory/1804-117-0x0000000074BF0000-0x000000007519B000-memory.dmpFilesize
5.7MB
-
memory/1936-91-0x0000000000000000-mapping.dmp
-
memory/1944-83-0x0000000000000000-mapping.dmp
-
memory/1952-54-0x00000000762F1000-0x00000000762F3000-memory.dmpFilesize
8KB
-
memory/1952-109-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/1952-105-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/1952-110-0x00000000004074DE-mapping.dmp
-
memory/1952-113-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/1952-115-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/1952-108-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/1952-118-0x0000000074BF0000-0x000000007519B000-memory.dmpFilesize
5.7MB
-
memory/1952-107-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/1952-104-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/1952-122-0x0000000074BF0000-0x000000007519B000-memory.dmpFilesize
5.7MB