Analysis

max time kernel: 149s
max time network: 184s
platform: windows7_x64
resource: win7v20210408
submitted: 18-09-2021 18:01

Static task: static1

Behavioral task: behavioral1
  Sample: 01C0C4F5A39A9AD6FB6E98D41BFF8284FBD5FB8C57E3F.exe
  Resource: win7v20210408

Behavioral task: behavioral2
  Sample: 01C0C4F5A39A9AD6FB6E98D41BFF8284FBD5FB8C57E3F.exe
  Resource: win10-en
General

Target: 01C0C4F5A39A9AD6FB6E98D41BFF8284FBD5FB8C57E3F.exe
Size: 61KB
MD5: 2f380fb35a4e38df693dbe4250388050
SHA1: 3eef31f16de114ed279dfa0c5cf453b598bfe64a
SHA256: 01c0c4f5a39a9ad6fb6e98d41bff8284fbd5fb8c57e3f7d0c061b99d9690c743
SHA512: 34ad105fc09740015e9a37a4f1a4eb0833da05893e33e42d73c9043029733fd7f81a0458e5f68d02ecf5668b8543195419880f870e3c1591780381220790a189
Malware Config
(no extracted configuration is shown in this report)

Signatures
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
-
Executes dropped EXE (1 IoC)
  pid   process
  1828  Windows Defender.exe
Modifies Windows Firewall (1 TTP)
  The dropped copy spawns netsh.exe to add a program exception for C:\ProgramData\Windows Defender.exe (the full command line is in the process tree below), so inbound connections to the implant are allowed through the host firewall.
Drops startup file (2 IoCs)
  description                   ioc                                                                                                                   process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b7d16f1a75ecffd7d4a3f0c1b6e03462.exe   Windows Defender.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b7d16f1a75ecffd7d4a3f0c1b6e03462.exe   Windows Defender.exe
Loads dropped DLL (1 IoC)
  pid   process
  1968  01C0C4F5A39A9AD6FB6E98D41BFF8284FBD5FB8C57E3F.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                                                          process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\b7d16f1a75ecffd7d4a3f0c1b6e03462 = "\"C:\\ProgramData\\Windows Defender.exe\" .."                  Windows Defender.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\b7d16f1a75ecffd7d4a3f0c1b6e03462 = "\"C:\\ProgramData\\Windows Defender.exe\" .."   Windows Defender.exe

  The value name is the same 32-character hex string used for the startup-folder file above, and the quoted path followed by " .." is the Run-key command line njRAT/Bladabindi uses for its persistence entry. Persistence is written both machine-wide (HKLM, under Wow6432Node because the process is 32-bit) and for the current user; the HKLM write succeeded because the sandbox user Admin is an administrator.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "likely ransomware behaviour", but for an njRAT/Bladabindi sample (see the Suricata hit above) drive enumeration is more consistent with the family's removable-drive spreading routine; nothing else in this report (no file encryption, no ransom note) supports a ransomware reading.
Suspicious use of AdjustPrivilegeToken (33 IoCs)
  pid 1828, Windows Defender.exe:
    Token: SeDebugPrivilege            1 request
    Token: 33                         16 requests
    Token: SeIncBasePriorityPrivilege 16 requests
  After the single SeDebugPrivilege request the entries alternate 33 / SeIncBasePriorityPrivilege. "33" is a privilege the sandbox did not resolve to a name; as an interpretation, LUID 33 is SE_INC_WORKING_SET_PRIVILEGE (SeIncreaseWorkingSetPrivilege) in winnt.h.
Suspicious use of WriteProcessMemory (8 IoCs)
  description                     pid   process                                            target process
  PID 1968 wrote to memory of 1828 (4 times)   01C0C4F5A39A9AD6FB6E98D41BFF8284FBD5FB8C57E3F.exe   Windows Defender.exe
  PID 1828 wrote to memory of 776  (4 times)   Windows Defender.exe                                 netsh.exe

  All eight writes go from a parent into the child it has just spawned (1968 -> 1828, 1828 -> 776). That pattern is consistent with ordinary process creation rather than injection into an unrelated process; the report shows no writes into a process outside this chain.
Processes

C:\Users\Admin\AppData\Local\Temp\01C0C4F5A39A9AD6FB6E98D41BFF8284FBD5FB8C57E3F.exe  (depth 1, PID 1968)
  command line: "C:\Users\Admin\AppData\Local\Temp\01C0C4F5A39A9AD6FB6E98D41BFF8284FBD5FB8C57E3F.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\ProgramData\Windows Defender.exe  (depth 2, PID 1828)
    command line: "C:\ProgramData\Windows Defender.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\netsh.exe  (depth 3, PID 776)
      command line: netsh firewall add allowedprogram "C:\ProgramData\Windows Defender.exe" "Windows Defender.exe" ENABLE

Chain summary: the submitted sample copies itself to C:\ProgramData\Windows Defender.exe (the dropped file has the same hashes as the sample, see Downloads), launches that copy, and the copy installs the Run-key and startup-folder persistence and whitelists itself in the firewall through the legacy "netsh firewall" context (deprecated since Vista but still functional). The Wow6432Node Run key and the SysWOW64 copy of netsh.exe show the sample runs as a 32-bit process on the 64-bit guest. The PIDs come from the WriteProcessMemory table above.
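The persistence and firewall artifacts in this report can be checked on a suspect host with the following PowerShell triage script. This is an added example written for this page, not sandbox output and not code from the sample: the registry keys, the 32-hex startup-file naming, the dropped-file path and SHA256 and the netsh command line are taken from the report above, while the Sysmon log name, the HNetCfg.FwPolicy2 COM lookup and the trailing " .." heuristic are the editor's assumptions about how a responder would look for them.

```powershell
# Host triage for the njRAT persistence artifacts listed in this report.
# Added example (not part of the sandbox output). Run in an elevated
# PowerShell session on Windows 7 or later. Assumption: Sysmon, if present,
# logs to the default Microsoft-Windows-Sysmon/Operational channel.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Run keys. njRAT registers its copy as "<path>" .. (note the trailing " ..")
#    under a 32-hex value name; both the HKLM Wow6432Node key and the user's
#    HKCU key were written in the report.
$runKeys = @(
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # skip PowerShell provider metadata
        $value = [string]$p.Value
        if ($value -match '"\s*\.\.\s*$' -or
            $p.Name -match '^[0-9a-f]{32}$' -or
            $value -match '\\ProgramData\\Windows Defender\.exe') {
            $findings.Add("RunKey  $key\$($p.Name) = $value")
        }
    }
}

# 2. Startup folder: the dropped .exe carries the same 32-hex name as the Run value.
$startup = [Environment]::GetFolderPath('Startup')
Get-ChildItem -Path $startup -Filter '*.exe' -ErrorAction SilentlyContinue |
    Where-Object { $_.BaseName -match '^[0-9a-f]{32}$' } |
    ForEach-Object { $findings.Add("Startup $($_.FullName)") }

# 3. Dropped self-copy: hash C:\ProgramData\Windows Defender.exe and compare with
#    the sample SHA256 from the report (the dropped file is byte-identical to it).
$dropped  = 'C:\ProgramData\Windows Defender.exe'
$knownBad = '01c0c4f5a39a9ad6fb6e98d41bff8284fbd5fb8c57e3f7d0c061b99d9690c743'
if (Test-Path $dropped) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($dropped)
    try   { $hash = ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
    $tag = if ($hash -eq $knownBad) { 'MATCHES report sample' } else { 'hash differs: other build or other file' }
    $findings.Add("File    $dropped sha256=$hash ($tag)")
}

# 4. Firewall: "netsh firewall add allowedprogram" creates a program exception.
#    HNetCfg.FwPolicy2 (Vista+) enumerates rules without needing the NetSecurity module.
$fw = New-Object -ComObject HNetCfg.FwPolicy2
foreach ($rule in $fw.Rules) {
    if ($rule.ApplicationName -and $rule.ApplicationName -like '*\ProgramData\*.exe') {
        $findings.Add("FwRule  '$($rule.Name)' app=$($rule.ApplicationName) enabled=$($rule.Enabled)")
    }
}

# 5. Sysmon process-creation events (Event ID 1) for the exact netsh invocation.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } `
          -ErrorAction SilentlyContinue |
          Where-Object { $_.Message -match 'netsh\s+firewall\s+add\s+allowedprogram' }
foreach ($e in $events) {
    $findings.Add("Sysmon  $($e.TimeCreated) process creation with 'netsh firewall add allowedprogram'")
}

if ($findings.Count -eq 0) { 'No njRAT persistence artifacts found.' } else { $findings }
```

The HKCU check only covers the logged-on user; for other profiles load their NTUSER.DAT hives and repeat the Run-key test. The firewall rule survives removal of the executable, so clean-up has to delete the rule as well as the file, the two Run values and the startup-folder copy.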
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

The dropped file is listed three times (the C:\ProgramData\ entry twice and once without the drive letter); all entries carry the hashes of the submitted sample, i.e. the malware writes a byte-identical copy of itself.

C:\ProgramData\Windows Defender.exe
  MD5:    2f380fb35a4e38df693dbe4250388050
  SHA1:   3eef31f16de114ed279dfa0c5cf453b598bfe64a
  SHA256: 01c0c4f5a39a9ad6fb6e98d41bff8284fbd5fb8c57e3f7d0c061b99d9690c743
  SHA512: 34ad105fc09740015e9a37a4f1a4eb0833da05893e33e42d73c9043029733fd7f81a0458e5f68d02ecf5668b8543195419880f870e3c1591780381220790a189

C:\ProgramData\Windows Defender.exe
  (second entry, identical hashes)

\ProgramData\Windows Defender.exe
  (third entry, identical hashes)
Memory dumps

memory/776-68-0x0000000000000000-mapping.dmp
memory/1828-63-0x0000000000000000-mapping.dmp
memory/1828-67-0x0000000001F20000-0x0000000001F21000-memory.dmp   Filesize 4KB
memory/1828-70-0x0000000001F21000-0x0000000001F22000-memory.dmp   Filesize 4KB
memory/1968-60-0x00000000767B1000-0x00000000767B3000-memory.dmp   Filesize 8KB
memory/1968-61-0x0000000000150000-0x0000000000151000-memory.dmp   Filesize 4KB