d53390e08acb0126eceb6eba27a1d9a0ce74b0441961f1f6ac1191ab61ff94fd

General
Target

d53390e08acb0126eceb6eba27a1d9a0ce74b0441961f1f6ac1191ab61ff94fd.exe

Filesize

3MB

Completed

22-09-2021 13:14

Score
10 /10
MD5

4b4dc6e050a52577e40b23eb0f2f1643

SHA1

adc7f113b6fb190df89c41147a01206ab85411c5

SHA256

d53390e08acb0126eceb6eba27a1d9a0ce74b0441961f1f6ac1191ab61ff94fd

Malware Config
Signatures 9


Tactics: Defense Evasion, Discovery, Persistence
  • njRAT/Bladabindi

    Description

    Widely used RAT written in .NET.

  • Executes dropped EXE
    chrome .exe

    Reported IOCs

    pid | process
    1376 | chrome .exe
  • Modifies Windows Firewall

    Tags

    TTPs

    Modify Existing Service
  • Drops startup file
    chrome .exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\82b3a5c8055c6c9df621b9015591f5e6.exe | chrome .exe
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\82b3a5c8055c6c9df621b9015591f5e6.exe | chrome .exe
  • Loads dropped DLL
    d53390e08acb0126eceb6eba27a1d9a0ce74b0441961f1f6ac1191ab61ff94fd.exe

    Reported IOCs

    pid | process
    1768 | d53390e08acb0126eceb6eba27a1d9a0ce74b0441961f1f6ac1191ab61ff94fd.exe
  • Adds Run key to start application
    chrome .exe

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\82b3a5c8055c6c9df621b9015591f5e6 = "\"C:\\Users\\Admin\\AppData\\Roaming\\chrome .exe\" .." | chrome .exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\82b3a5c8055c6c9df621b9015591f5e6 = "\"C:\\Users\\Admin\\AppData\\Roaming\\chrome .exe\" .." | chrome .exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Suspicious use of AdjustPrivilegeToken
    chrome .exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 1376 | chrome .exe
    Token: 33 | 1376 | chrome .exe
    Token: SeIncBasePriorityPrivilege | 1376 | chrome .exe
    Token: 33 | 1376 | chrome .exe
    Token: SeIncBasePriorityPrivilege | 1376 | chrome .exe
    Token: 33 | 1376 | chrome .exe
    Token: SeIncBasePriorityPrivilege | 1376 | chrome .exe
    Token: 33 | 1376 | chrome .exe
    Token: SeIncBasePriorityPrivilege | 1376 | chrome .exe
    Token: 33 | 1376 | chrome .exe
    Token: SeIncBasePriorityPrivilege | 1376 | chrome .exe
    Token: 33 | 1376 | chrome .exe
    Token: SeIncBasePriorityPrivilege | 1376 | chrome .exe
    Token: 33 | 1376 | chrome .exe
    Token: SeIncBasePriorityPrivilege | 1376 | chrome .exe
    Token: 33 | 1376 | chrome .exe
    Token: SeIncBasePriorityPrivilege | 1376 | chrome .exe
    Token: 33 | 1376 | chrome .exe
    Token: SeIncBasePriorityPrivilege | 1376 | chrome .exe
    Token: 33 | 1376 | chrome .exe
    Token: SeIncBasePriorityPrivilege | 1376 | chrome .exe
    Token: 33 | 1376 | chrome .exe
    Token: SeIncBasePriorityPrivilege | 1376 | chrome .exe
    Token: 33 | 1376 | chrome .exe
    Token: SeIncBasePriorityPrivilege | 1376 | chrome .exe
    Token: 33 | 1376 | chrome .exe
    Token: SeIncBasePriorityPrivilege | 1376 | chrome .exe
    Token: 33 | 1376 | chrome .exe
    Token: SeIncBasePriorityPrivilege | 1376 | chrome .exe
    Token: 33 | 1376 | chrome .exe
    Token: SeIncBasePriorityPrivilege | 1376 | chrome .exe
    Token: 33 | 1376 | chrome .exe
    Token: SeIncBasePriorityPrivilege | 1376 | chrome .exe
  • Suspicious use of WriteProcessMemory
    d53390e08acb0126eceb6eba27a1d9a0ce74b0441961f1f6ac1191ab61ff94fd.exe, chrome .exe

    Reported IOCs

    description | pid | process | target process
    PID 1768 wrote to memory of 1376 | 1768 | d53390e08acb0126eceb6eba27a1d9a0ce74b0441961f1f6ac1191ab61ff94fd.exe | chrome .exe
    PID 1768 wrote to memory of 1376 | 1768 | d53390e08acb0126eceb6eba27a1d9a0ce74b0441961f1f6ac1191ab61ff94fd.exe | chrome .exe
    PID 1768 wrote to memory of 1376 | 1768 | d53390e08acb0126eceb6eba27a1d9a0ce74b0441961f1f6ac1191ab61ff94fd.exe | chrome .exe
    PID 1768 wrote to memory of 1376 | 1768 | d53390e08acb0126eceb6eba27a1d9a0ce74b0441961f1f6ac1191ab61ff94fd.exe | chrome .exe
    PID 1376 wrote to memory of 1648 | 1376 | chrome .exe | netsh.exe
    PID 1376 wrote to memory of 1648 | 1376 | chrome .exe | netsh.exe
    PID 1376 wrote to memory of 1648 | 1376 | chrome .exe | netsh.exe
    PID 1376 wrote to memory of 1648 | 1376 | chrome .exe | netsh.exe
Processes 3
  • C:\Users\Admin\AppData\Local\Temp\d53390e08acb0126eceb6eba27a1d9a0ce74b0441961f1f6ac1191ab61ff94fd.exe
    "C:\Users\Admin\AppData\Local\Temp\d53390e08acb0126eceb6eba27a1d9a0ce74b0441961f1f6ac1191ab61ff94fd.exe"
    Loads dropped DLL
    Suspicious use of WriteProcessMemory
    PID:1768
    • C:\Users\Admin\AppData\Roaming\chrome .exe
      "C:\Users\Admin\AppData\Roaming\chrome .exe"
      Executes dropped EXE
      Drops startup file
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1376
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\chrome .exe" "chrome .exe" ENABLE
        PID:1648
Network
MITRE ATT&CK Matrix
Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation
Downloads
  • C:\Users\Admin\AppData\Roaming\chrome .exe

    MD5

    4b4dc6e050a52577e40b23eb0f2f1643

    SHA1

    adc7f113b6fb190df89c41147a01206ab85411c5

    SHA256

    d53390e08acb0126eceb6eba27a1d9a0ce74b0441961f1f6ac1191ab61ff94fd

    SHA512

    3e9e205d10ea3fab1d436cccc157627103e41ff857da7ff733e3cf95cdae9f2e149f8d3b9817c4035edf9bc5de4d62ec6744d7d2c67321f28ef18d5b6ec77ca0

  • \Users\Admin\AppData\Roaming\chrome .exe

    MD5

    4b4dc6e050a52577e40b23eb0f2f1643

    SHA1

    adc7f113b6fb190df89c41147a01206ab85411c5

    SHA256

    d53390e08acb0126eceb6eba27a1d9a0ce74b0441961f1f6ac1191ab61ff94fd

    SHA512

    3e9e205d10ea3fab1d436cccc157627103e41ff857da7ff733e3cf95cdae9f2e149f8d3b9817c4035edf9bc5de4d62ec6744d7d2c67321f28ef18d5b6ec77ca0

  • memory/1376-61-0x00000000001A0000-0x00000000001A1000-memory.dmp

  • memory/1376-57-0x0000000000000000-mapping.dmp

  • memory/1376-64-0x00000000001A1000-0x00000000001A2000-memory.dmp

  • memory/1648-62-0x0000000000000000-mapping.dmp

  • memory/1768-54-0x0000000075821000-0x0000000075823000-memory.dmp

  • memory/1768-55-0x0000000000530000-0x0000000000531000-memory.dmp