Analysis
- max time kernel: 151s
- max time network: 155s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 04-09-2021 14:11
Static task
static1
General
- Target: Client.exe
- Size: 157KB
- MD5: 56bc3f630c9f0b284185cf952c2dc736
- SHA1: eb6c702c2a2c48221a0eed0baacfe931c34e1757
- SHA256: 896063f7d965ebf60d36b28c47135e010e212bc9955e7dfdfba4f085744ba47a
- SHA512: b37dc8750f01a3e55e392d7d5591147b010c6b0971874aad074ee0144da4fcda5ff58590a432c9777fd9fb5f78a2ca279fcbf5806598603e9ab0e0a5db601caf
Malware Config
Signatures
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
- Modifies Windows Firewall (1 TTPs)
- YARA rule matches:
  resource | yara_rule
  behavioral1/memory/640-117-0x0000000000400000-0x0000000000472000-memory.dmp | upx
  behavioral1/memory/640-120-0x0000000000400000-0x0000000000472000-memory.dmp | upx
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Uses the VBS compiler for execution (1 TTPs)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description | pid | process | target process
  PID 3492 set thread context of 640 | 3492 | Client.exe | vbc.exe
- Suspicious use of AdjustPrivilegeToken (36 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 3492 | Client.exe
  Token: 33 | 3492 | Client.exe
  Token: SeIncBasePriorityPrivilege | 3492 | Client.exe
  (the preceding two rows repeat 5 more times)
  Token: SeDebugPrivilege | 640 | vbc.exe
  Token: 33 | 3492 | Client.exe
  Token: SeIncBasePriorityPrivilege | 3492 | Client.exe
  (the preceding two rows repeat 10 more times)
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
  description | pid | process | target process
  PID 3492 wrote to memory of 3924 | 3492 | Client.exe | netsh.exe (3 times)
  PID 3492 wrote to memory of 640 | 3492 | Client.exe | vbc.exe (7 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\Client.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\Client.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe (depth 2)
    command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Client.exe" "Client.exe" ENABLE
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 2)
    command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\1232597"
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\1232597
  MD5: b0cc2e6f2d8036c9b5fef218736fa9c9
  SHA1: 64fd3017625979c95ba09d7cbea201010a82f73f
  SHA256: 997aceeb78143e057d4ea0ed699db3cc1c723f699b4532663b7b85c83baa5c50
  SHA512: a1fe80b2971c4d1141a594f27eaea61500bf701cd1b8fbdb5ac2204a63c8ef862344f8c30f65ce769f0acf2b0718ed33a02744dd1a152c4a62a5318333d29b9b
- memory/640-117-0x0000000000400000-0x0000000000472000-memory.dmp
  Filesize: 456KB
- memory/640-118-0x00000000004700E0-mapping.dmp
- memory/640-120-0x0000000000400000-0x0000000000472000-memory.dmp
  Filesize: 456KB
- memory/3492-114-0x0000000002360000-0x0000000002361000-memory.dmp
  Filesize: 4KB
- memory/3492-116-0x0000000002361000-0x0000000002362000-memory.dmp
  Filesize: 4KB
- memory/3492-121-0x0000000002364000-0x0000000002366000-memory.dmp
  Filesize: 8KB
- memory/3924-115-0x0000000000000000-mapping.dmp