d52a459560622be3d8ab5d46ccface98acb49641386b971d427784d9f14e413e

General
Target

d52a459560622be3d8ab5d46ccface98acb49641386b971d427784d9f14e413e.exe

Filesize

1MB

Completed

22-09-2021 13:22

Score
10 /10
MD5

87665d443c7a883a9605213fa5028662

SHA1

04f910763ed46eb2b40be54f42ad7b7e4b149dd6

SHA256

d52a459560622be3d8ab5d46ccface98acb49641386b971d427784d9f14e413e

Malware Config
Signatures 10

Filter: none

Defense Evasion
Discovery
Persistence
  • njRAT/Bladabindi

    Description

    Widely used RAT written in .NET.

  • Executes dropped EXE
    avg.dll.EXE

    Reported IOCs

    pidprocess
    4308avg.dll.EXE
  • Modifies Windows Firewall

    Tags

    TTPs

    Modify Existing Service
  • Drops startup file
    avg.dll.EXE

    Reported IOCs

    descriptioniocprocess
    File opened for modificationC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7b3667cff0c75e61709ad52657912c8e.exeavg.dll.EXE
    File createdC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7b3667cff0c75e61709ad52657912c8e.exeavg.dll.EXE
  • Adds Run key to start application
    avg.dll.EXE

    TTPs

    Registry Run Keys / Startup FolderModify Registry

    Reported IOCs

    descriptioniocprocess
    Set value (str)\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\7b3667cff0c75e61709ad52657912c8e = "\"C:\\Users\\Admin\\AppData\\Roaming\\avg.dll.EXE\" .."avg.dll.EXE
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\7b3667cff0c75e61709ad52657912c8e = "\"C:\\Users\\Admin\\AppData\\Roaming\\avg.dll.EXE\" .."avg.dll.EXE
  • Suspicious use of NtSetInformationThreadHideFromDebugger
    d52a459560622be3d8ab5d46ccface98acb49641386b971d427784d9f14e413e.exeavg.dll.EXE

    Reported IOCs

    pidprocess
    3620d52a459560622be3d8ab5d46ccface98acb49641386b971d427784d9f14e413e.exe
    3620d52a459560622be3d8ab5d46ccface98acb49641386b971d427784d9f14e413e.exe
    3620d52a459560622be3d8ab5d46ccface98acb49641386b971d427784d9f14e413e.exe
    4308avg.dll.EXE
    4308avg.dll.EXE
    4308avg.dll.EXE
    4308avg.dll.EXE
    4308avg.dll.EXE
    4308avg.dll.EXE
    4308avg.dll.EXE
    4308avg.dll.EXE
    4308avg.dll.EXE
    4308avg.dll.EXE
    4308avg.dll.EXE
    4308avg.dll.EXE
    4308avg.dll.EXE
    4308avg.dll.EXE
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Suspicious use of AdjustPrivilegeToken
    avg.dll.EXE

    Reported IOCs

    descriptionpidprocess
    Token: SeDebugPrivilege4308avg.dll.EXE
    Token: 334308avg.dll.EXE
    Token: SeIncBasePriorityPrivilege4308avg.dll.EXE
    Token: 334308avg.dll.EXE
    Token: SeIncBasePriorityPrivilege4308avg.dll.EXE
    Token: 334308avg.dll.EXE
    Token: SeIncBasePriorityPrivilege4308avg.dll.EXE
    Token: 334308avg.dll.EXE
    Token: SeIncBasePriorityPrivilege4308avg.dll.EXE
    Token: 334308avg.dll.EXE
    Token: SeIncBasePriorityPrivilege4308avg.dll.EXE
    Token: 334308avg.dll.EXE
    Token: SeIncBasePriorityPrivilege4308avg.dll.EXE
    Token: 334308avg.dll.EXE
    Token: SeIncBasePriorityPrivilege4308avg.dll.EXE
    Token: 334308avg.dll.EXE
    Token: SeIncBasePriorityPrivilege4308avg.dll.EXE
    Token: 334308avg.dll.EXE
    Token: SeIncBasePriorityPrivilege4308avg.dll.EXE
    Token: 334308avg.dll.EXE
    Token: SeIncBasePriorityPrivilege4308avg.dll.EXE
    Token: 334308avg.dll.EXE
    Token: SeIncBasePriorityPrivilege4308avg.dll.EXE
    Token: 334308avg.dll.EXE
    Token: SeIncBasePriorityPrivilege4308avg.dll.EXE
    Token: 334308avg.dll.EXE
    Token: SeIncBasePriorityPrivilege4308avg.dll.EXE
    Token: 334308avg.dll.EXE
    Token: SeIncBasePriorityPrivilege4308avg.dll.EXE
  • Suspicious use of SetWindowsHookEx
    d52a459560622be3d8ab5d46ccface98acb49641386b971d427784d9f14e413e.exeavg.dll.EXE

    Reported IOCs

    pidprocess
    3620d52a459560622be3d8ab5d46ccface98acb49641386b971d427784d9f14e413e.exe
    4308avg.dll.EXE
  • Suspicious use of WriteProcessMemory
    d52a459560622be3d8ab5d46ccface98acb49641386b971d427784d9f14e413e.exeavg.dll.EXE

    Reported IOCs

    descriptionpidprocesstarget process
    PID 3620 wrote to memory of 43083620d52a459560622be3d8ab5d46ccface98acb49641386b971d427784d9f14e413e.exeavg.dll.EXE
    PID 3620 wrote to memory of 43083620d52a459560622be3d8ab5d46ccface98acb49641386b971d427784d9f14e413e.exeavg.dll.EXE
    PID 3620 wrote to memory of 43083620d52a459560622be3d8ab5d46ccface98acb49641386b971d427784d9f14e413e.exeavg.dll.EXE
    PID 4308 wrote to memory of 42924308avg.dll.EXEnetsh.exe
    PID 4308 wrote to memory of 42924308avg.dll.EXEnetsh.exe
    PID 4308 wrote to memory of 42924308avg.dll.EXEnetsh.exe
Processes 3
  • C:\Users\Admin\AppData\Local\Temp\d52a459560622be3d8ab5d46ccface98acb49641386b971d427784d9f14e413e.exe
    "C:\Users\Admin\AppData\Local\Temp\d52a459560622be3d8ab5d46ccface98acb49641386b971d427784d9f14e413e.exe"
    Suspicious use of NtSetInformationThreadHideFromDebugger
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:3620
    • C:\Users\Admin\AppData\Roaming\avg.dll.EXE
      "C:\Users\Admin\AppData\Roaming\avg.dll.EXE"
      Executes dropped EXE
      Drops startup file
      Adds Run key to start application
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4308
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\avg.dll.EXE" "avg.dll.EXE" ENABLE
        PID:4292
Network
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
        Execution
          Exfiltration
            Impact
              Initial Access
                Lateral Movement
                  Privilege Escalation
                    Replay Monitor
                    00:00 00:00
                    Downloads
                    • C:\Users\Admin\AppData\Roaming\avg.dll.EXE

                      MD5

                      87665d443c7a883a9605213fa5028662

                      SHA1

                      04f910763ed46eb2b40be54f42ad7b7e4b149dd6

                      SHA256

                      d52a459560622be3d8ab5d46ccface98acb49641386b971d427784d9f14e413e

                      SHA512

                      b46e0937229313334646aca69b041f1134b048c29518b85381fae86172e7c1f88134bd4576606d5b56c0ba4ee2b7ebd0d5bc979e81597422a57f22bf99d79f00

                    • C:\Users\Admin\AppData\Roaming\avg.dll.EXE

                      MD5

                      87665d443c7a883a9605213fa5028662

                      SHA1

                      04f910763ed46eb2b40be54f42ad7b7e4b149dd6

                      SHA256

                      d52a459560622be3d8ab5d46ccface98acb49641386b971d427784d9f14e413e

                      SHA512

                      b46e0937229313334646aca69b041f1134b048c29518b85381fae86172e7c1f88134bd4576606d5b56c0ba4ee2b7ebd0d5bc979e81597422a57f22bf99d79f00

                    • memory/3620-115-0x0000000003460000-0x0000000003461000-memory.dmp

                    • memory/4292-120-0x0000000000000000-mapping.dmp

                    • memory/4308-116-0x0000000000000000-mapping.dmp

                    • memory/4308-119-0x0000000003230000-0x0000000003231000-memory.dmp