Analysis
- max time kernel: 151s
- max time network: 152s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 16-09-2021 16:16

Behavioral task: behavioral1
- Sample: C39E53A8A1D7E702CE379EE016E79448798ADCC9ECF57.exe
- Resource: win7v20210408

Behavioral task: behavioral2
- Sample: C39E53A8A1D7E702CE379EE016E79448798ADCC9ECF57.exe
- Resource: win10v20210408
General
- Target: C39E53A8A1D7E702CE379EE016E79448798ADCC9ECF57.exe
- Size: 37KB
- MD5: 4211578cdfacbd2ba17aeca89f127f60
- SHA1: d09bb5b348703089849fb0650c24501de5b5d388
- SHA256: c39e53a8a1d7e702ce379ee016e79448798adcc9ecf57854e0dffdf8e12aebd0
- SHA512: f248df22736ba09d85921c4be09f367dd8960b2144a875799b0ebcbf695c33d0b68eb1df3ea8ec975fd7897a6c3c200e600c3b5fe68fe9ab0bfdae3448880d7a
Malware Config
Signatures
-
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
-
Modifies Windows Firewall 1 TTPs
-
Drops startup file 2 IoCs
Processes:
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\789f05f583cf1829fbeacd099e6f1a6c.exe
  process: C39E53A8A1D7E702CE379EE016E79448798ADCC9ECF57.exe

  description: File opened for modification
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\789f05f583cf1829fbeacd099e6f1a6c.exe
  process: C39E53A8A1D7E702CE379EE016E79448798ADCC9ECF57.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\789f05f583cf1829fbeacd099e6f1a6c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\C39E53A8A1D7E702CE379EE016E79448798ADCC9ECF57.exe\" .."
  process: C39E53A8A1D7E702CE379EE016E79448798ADCC9ECF57.exe

  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\789f05f583cf1829fbeacd099e6f1a6c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\C39E53A8A1D7E702CE379EE016E79448798ADCC9ECF57.exe\" .."
  process: C39E53A8A1D7E702CE379EE016E79448798ADCC9ECF57.exe
-
Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid: 992
  process: C39E53A8A1D7E702CE379EE016E79448798ADCC9ECF57.exe
  (the same pid/process entry is reported for all 64 IoCs)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid: 992
  process: C39E53A8A1D7E702CE379EE016E79448798ADCC9ECF57.exe
-
Suspicious use of AdjustPrivilegeToken 35 IoCs
Processes:
  description: Token: SeDebugPrivilege
  pid: 992
  process: C39E53A8A1D7E702CE379EE016E79448798ADCC9ECF57.exe

  description: Token: 33
  pid: 992
  process: C39E53A8A1D7E702CE379EE016E79448798ADCC9ECF57.exe

  description: Token: SeIncBasePriorityPrivilege
  pid: 992
  process: C39E53A8A1D7E702CE379EE016E79448798ADCC9ECF57.exe

  (the Token: 33 and Token: SeIncBasePriorityPrivilege entries alternate repeatedly for the remaining IoCs, all for pid 992)
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
  description: PID 992 wrote to memory of 904
  pid: 992
  process: C39E53A8A1D7E702CE379EE016E79448798ADCC9ECF57.exe
  target process: netsh.exe
  (the same entry is reported three times)
Processes
- C:\Users\Admin\AppData\Local\Temp\C39E53A8A1D7E702CE379EE016E79448798ADCC9ECF57.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\C39E53A8A1D7E702CE379EE016E79448798ADCC9ECF57.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Child process:
  - C:\Windows\SysWOW64\netsh.exe
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\C39E53A8A1D7E702CE379EE016E79448798ADCC9ECF57.exe" "C39E53A8A1D7E702CE379EE016E79448798ADCC9ECF57.exe" ENABLE