Analysis
- max time kernel: 150s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 20-02-2023 16:08
Behavioral tasks
- behavioral1: sample Blitzedv12.exe, resource win7-20220812-en
- behavioral2: sample Blitzedv12.exe, resource win10v2004-20220812-en

The signatures, process tree and dumps below are from behavioral1 (the windows7_x64 run listed above).
General
- Target: Blitzedv12.exe
- Size: 1.7MB
- MD5: 38451c0bdaece2d4829f356c8b0487c6
- SHA1: f379d04e5748cd12e2ef2c2dc255e36089693c84
- SHA256: 7bddc54d8f7c4721bf637f97103ab8c6235a4173f45252cc792f483f8cf0a34d
- SHA512: ce620a8bea4792bad269f24cb737c9cdb4c9fc0ce70543957a04b7ba13ed8de2c0c18fa12552903c3222f91bba90e3f9b02bb8b29cee3634d5ffdc6372ca21a7
- SSDEEP: 24576:LxAskWeOT4n5lLHxnpL2Q/NLmKgDJ68p4C8BsePDigEoXh7O83igweBAWgtE:NAznU4n9t2ELj18p4BDifoM83ig9ApS
Malware Config
Extracted:
- family: njrat
- version: v4.0
- MyBot
- C2: winter-rd.at.ply.gg:5637
- Windows
- reg_key: Windows
- splitter: |-F-|

The C2 host is a *.ply.gg name, i.e. a playit.gg tunnel endpoint: the IP it resolves to belongs to the tunnel provider, not to the operator, so pivot on hostname and port rather than on the address. The extracted reg_key "Windows" is the name reused for the Run values and Startup artefacts written by 1.exe below.
Signatures
- Drops startup file (1 IoC)
  File created by 1.exe: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
- Executes dropped EXE (2 IoCs)
  PID 1104: 1.exe
  PID 1080: 2.exe
- Loads dropped DLL (1 IoC)
  PID 1080: 2.exe (the only dropped DLL in the file list below is GunaDotNetRT.dll)
- Obfuscated with Agile.Net obfuscator (1 IoC)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  YARA rule agile_net matched behavioral1/memory/1080-66-0x0000000005170000-0x0000000005362000-memory.dmp, i.e. memory of 2.exe (PID 1080). The hit is on the 1.6MB 2.exe component, not on the 27KB 1.exe that carries the njRAT persistence behaviour.
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Four Set value (str) operations by 1.exe, all with data "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL":
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2
  \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows
  \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2
  The MACHINE entries only succeed because the sample ran with administrative rights (sandbox user "Admin"); on a standard-user host only the two USER entries would be written. The Wow6432Node path is registry redirection for a 32-bit writer. The target is a .URL shortcut in the Templates folder, an unusual file type and location for an autostart entry, which makes both a good hunting pivot.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is the sandbox's generic rule text; nothing else in this report points to encryption activity, so treat the drive enumeration as a behaviour to confirm, not as evidence of ransomware.
- Suspicious use of AdjustPrivilegeToken (21 IoCs)
  All by 1.exe (PID 1104): SeDebugPrivilege once, then ten repetitions of the pair privilege 33 (SeIncreaseWorkingSetPrivilege) and SeIncBasePriorityPrivilege.
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Two calls by 2.exe (PID 1080). Message hooks are what keyloggers use, but ordinary GUI toolkits install them too, so weigh this together with the other 2.exe observations rather than on its own.
- Suspicious use of WriteProcessMemory (16 IoCs)
  PID 1460 (Blitzedv12.exe) -> PID 1104 (1.exe): 4 writes
  PID 1460 (Blitzedv12.exe) -> PID 1080 (2.exe): 4 writes
  PID 1104 (1.exe) -> PID 1704 (attrib.exe): 4 writes
  PID 1104 (1.exe) -> PID 1572 (attrib.exe): 4 writes
  Every target is the writer's own freshly created child (see the process tree below); four writes per parent/child pair is what ordinary process start-up looks like, not injection into a foreign process.
- Views/modifies file attributes (1 TTP, 2 IoCs)
  PID 1704: attrib.exe
  PID 1572: attrib.exe
Processes (PIDs taken from the signature details above)
- C:\Users\Admin\AppData\Local\Temp\Blitzedv12.exe (PID 1460)
  command line: "C:\Users\Admin\AppData\Local\Temp\Blitzedv12.exe"
  signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\1.exe (PID 1104)
    command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
    signatures: Drops startup file; Executes dropped EXE; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe
      command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
      signatures: Views/modifies file attributes
    - C:\Windows\SysWOW64\attrib.exe
      command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"
      signatures: Views/modifies file attributes
  - C:\Users\Admin\AppData\Local\Temp\2.exe (PID 1080)
    command line: "C:\Users\Admin\AppData\Local\Temp\2.exe"
    signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetWindowsHookEx

Note the three different artefact names under the same stem: the Startup drop is Windows.lnk, the Run values point at Windows.URL, and attrib is run against Windows.exe in both the Startup and the Templates folder. No Windows.exe appears in the dropped-file list below, so when triaging a host check all three names and both directories, and remember that +h +s hides the files from a default Explorer view and from a plain dir listing.
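The persistence chain this report shows (a .lnk dropped into the Startup folder, HKCU and HKLM Run values pointing at a .URL under AppData\Roaming\Microsoft\Windows\Templates, and attrib +h +r +s run against the artefacts) is easy to turn into detection logic. The Python below is an added example written for this page, not code from the sandbox or from the sample. It runs the checks over a few constructed Sysmon-style events that mirror what the report records for 1.exe (PID 1104) and its attrib.exe children, plus one benign Run entry as a control; the event field names (type, pid, ppid, image, target, details, cmdline) and the "odd directory" / "odd extension" lists are assumptions of the example, not the sandbox's schema.

```python
"""Detect the Startup-drop / Run-key / attrib-hide chain from constructed events.

Added example for this report; not the sandbox's or the sample's code.
Event records are a made-up Sysmon-like shape, not real telemetry.
"""
import re
from collections import defaultdict

RUN_KEY_RE = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$",
    re.IGNORECASE,
)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
USER_PROFILE_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.IGNORECASE)
# Heuristic lists (assumptions of this example): places and file types a
# legitimate autostart target almost never uses.
ODD_TARGET_DIRS = ("\\appdata\\roaming\\microsoft\\windows\\templates\\", "\\appdata\\local\\temp\\")
ODD_TARGET_EXTS = (".url", ".lnk", ".vbs", ".js", ".bat")


def check_registry_set(ev):
    """Run-key writes: odd target path, non-PE target, or HKLM persistence
    installed by a binary living in a user profile."""
    if not RUN_KEY_RE.search(ev["target"]):
        return []
    data = ev["details"].strip('"').lower()
    hits = []
    if any(d in data for d in ODD_TARGET_DIRS):
        hits.append(("run_key", "Run value points into an unusual directory: " + data))
    if data.endswith(ODD_TARGET_EXTS):
        hits.append(("run_key", "Run value target is not a PE: " + data))
    if ev["target"].upper().startswith("HKLM\\") and USER_PROFILE_RE.match(ev["image"]):
        hits.append(("hklm_from_user_dir", "machine-wide Run key written by " + ev["image"]))
    return hits


def check_file_create(ev):
    """Anything written into a Startup folder is an autostart by itself."""
    if STARTUP_DIR_RE.search(ev["target"]):
        return [("startup_drop", "file created in Startup folder: " + ev["target"])]
    return []


def check_process_create(ev):
    """attrib.exe applying hidden+system to a file in an autostart/odd location."""
    cmd = ev["cmdline"]
    if not re.search(r"(?:^|\\|\s)attrib(?:\.exe)?(?:\s|$)", cmd, re.IGNORECASE):
        return []
    flags = {tok.lower() for tok in cmd.split() if tok.startswith("+")}
    low = cmd.lower()
    in_autostart = STARTUP_DIR_RE.search(cmd) or any(d in low for d in ODD_TARGET_DIRS)
    if {"+h", "+s"} <= flags and in_autostart:
        return [("attrib_hide", "attrib +h +s on autostart artefact: " + cmd)]
    return []


# Which check handles which event type, and which field names the PID to blame
# (attrib findings are credited to the parent that launched attrib.exe).
HANDLERS = {
    "RegistrySet": (check_registry_set, "pid"),
    "FileCreate": (check_file_create, "pid"),
    "ProcessCreate": (check_process_create, "ppid"),
}


def analyze(events):
    """Return {pid: [(kind, message), ...]} for every process with at least one hit."""
    findings = defaultdict(list)
    for ev in events:
        handler, owner_key = HANDLERS.get(ev["type"], (None, None))
        if handler:
            hits = handler(ev)
            if hits:
                findings[ev[owner_key]].extend(hits)
    return dict(findings)


def persistence_chains(findings):
    """PIDs that both install an autostart and hide the artefact with attrib."""
    return sorted(pid for pid, hits in findings.items()
                  if {k for k, _ in hits} & {"run_key", "startup_drop"}
                  and "attrib_hide" in {k for k, _ in hits})


# Constructed sample events mirroring the report (not the sandbox's raw telemetry).
SAMPLE_EVENTS = [
    {"type": "FileCreate", "pid": 1104, "image": r"C:\Users\Admin\AppData\Local\Temp\1.exe",
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk"},
    {"type": "RegistrySet", "pid": 1104, "image": r"C:\Users\Admin\AppData\Local\Temp\1.exe",
     "target": r"HKU\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows",
     "details": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL"},
    {"type": "RegistrySet", "pid": 1104, "image": r"C:\Users\Admin\AppData\Local\Temp\1.exe",
     "target": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2",
     "details": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL"},
    {"type": "ProcessCreate", "pid": 1704, "ppid": 1104, "image": r"C:\Windows\SysWOW64\attrib.exe",
     "cmdline": r'attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"'},
    # Benign control: a vendor updater registering itself from Program Files.
    {"type": "RegistrySet", "pid": 2000, "image": r"C:\Program Files\Vendor\updater.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "details": r'"C:\Program Files\Vendor\updater.exe" /background'},
]

if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for pid, hits in sorted(result.items()):
        for kind, msg in hits:
            print(f"PID {pid} [{kind}] {msg}")
    print("persistence chains:", persistence_chains(result))
```

Crediting the attrib hit to the parent PID is what lets the chain check fire on 1.exe alone; on real telemetry feed it Sysmon event IDs 11 (FileCreate), 13 (RegistrySet) and 1 (ProcessCreate) mapped into the same field names, and expect the benign control to stay silent because its target is a PE under Program Files and the key is HKCU.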
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\1.exe
  Filesize: 27KB
  MD5: a01b8321216c87dcaf324746fa8a61cf
  SHA1: 26364290161779816862d83634a415acc2685546
  SHA256: 19652811abd661de04e5ca7e228af54809f3e9b73204baad477ea0ecef2b557e
  SHA512: 7e1657d5b6ca5d4f5fd036de6ec411d118ea58360889f846c2a69ccb7eb68bbecf5ca5ffcb785b0a6a5e8796280e57289e610d754f2e60c0284e69935b124f39
- C:\Users\Admin\AppData\Local\Temp\2.exe
  Filesize: 1.6MB
  MD5: 228a69dc15032fd0fb7100ff8561185e
  SHA1: f8dbc89fed8078da7f306cb78b92ce04a0bdeb00
  SHA256: 920bec9d500f6446b84399ab4c84858d0f0d7d1abb2e0377399ebbc4bafad709
  SHA512: 373621c4743fa72571b3c8375aa6f7852303a821558b016b002d2af07154787d978f66696db89eeed8fe41f4aed5d66b690d4f87469939f9b1dea2ac2b9101f1
- \Users\Admin\AppData\Local\Temp\dcfb00f9-5ae7-4197-ba59-e48107e40d35\GunaDotNetRT.dll
  Filesize: 136KB
  MD5: 9af5eb006bb0bab7f226272d82c896c7
  SHA1: c2a5bb42a5f08f4dc821be374b700652262308f0
  SHA256: 77dc05a6bda90757f66552ee3f469b09f1e00732b4edca0f542872fb591ed9db
  SHA512: 7badd41be4c1039302fda9bba19d374ec9446ce24b7db33b66bee4ef38180d1abcd666d2aea468e7e452aa1e1565eedfefed582bf1c2fe477a4171d99d48772a
Memory dumps (the number before the dash is the PID):
- memory/1080-70: 0x0000000004AE7000-0x0000000004AF8000, 68KB
- memory/1080-63: 0x0000000000EB0000-0x000000000105C000, 1.7MB
- memory/1080-66: 0x0000000005170000-0x0000000005362000, 1.9MB (region matched by the agile_net YARA rule)
- memory/1080-69: 0x00000000735D0000-0x0000000073607000, 220KB
- memory/1080-59: 0x0000000000000000 (mapping)
- memory/1080-73: 0x00000000735D0000-0x0000000073607000, 220KB
- memory/1104-56: 0x0000000000000000 (mapping)
- memory/1104-62: 0x0000000000950000-0x000000000095E000, 56KB
- memory/1104-64: 0x0000000075981000-0x0000000075983000, 8KB
- memory/1460-55: 0x000007FEFB7B1000-0x000007FEFB7B3000, 8KB
- memory/1460-54: 0x000007FEF3420000-0x000007FEF3E43000, 10.1MB
- memory/1572-72: 0x0000000000000000 (mapping)
- memory/1704-71: 0x0000000000000000 (mapping)

The 0x000007FE... ranges for PID 1460 (Blitzedv12.exe) are 64-bit user-mode addresses, while 1.exe (PID 1104) maps at 0x75981000 and launches C:\Windows\SysWOW64\attrib.exe: the parent runs as a 64-bit process and its dropped children run as 32-bit processes under WOW64, which is also why the HKLM Run writes above landed under Wow6432Node.