Overview

overview

10

Static

static

49545f0af7...64.exe

windows7_x64

10

49545f0af7...64.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    26-05-2021 08:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    49545f0af79ded22054bfd851bb3d864.exe

  • Size

    87KB

  • MD5

    49545f0af79ded22054bfd851bb3d864

  • SHA1

    35db307d4e2d287e005262a5d5edd56b73bfc415

  • SHA256

    004cae62d64d4fd40532660626ef95b5c5a899de64e060f9e6223974219ef080

  • SHA512

    96a3366ba95c669d81803ab8157364df0e7dc2ef6f6e0f80775e0a8d21c79ab12c162de4a444ce13cba4d76bce6dd05b1356f2ad13a613e015a9e60b01f6956a

Score
10/10
njratevasionpersistencetrojan

Malware Config

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\49545f0af79ded22054bfd851bb3d864.exe
    "C:\Users\Admin\AppData\Local\Temp\49545f0af79ded22054bfd851bb3d864.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3896
    • C:\ProgramData\explorer.exe
      "C:\ProgramData\explorer.exe"
      2⤵
      • Executes dropped EXE
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3180
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\ProgramData\explorer.exe" "explorer.exe" ENABLE
        3⤵
          PID:3548

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3180-118-0x0000000003150000-0x0000000003151000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3896-114-0x0000000002BC0000-0x0000000002BC1000-memory.dmp

      Filesize

      4KB

      Download