ab5bfb7c642e59a9c8a6f372ee4847bf5cbc9222ba8a4459997e7cd64cb97145

Filename: ab5bfb7c642e59a9c8a6f372ee4847bf5cbc9222ba8a4459997e7cd64cb97145.exe
Size: 310KB
Date: 22-09-2021 13:28
MD5: 7d800ad9f415b03e6bb9a029fa57a3ec
SHA1: 73d737b77a8fea41dad18dc6cdde0892b0dc9796
SHA256: ab5bfb7c642e59a9c8a6f372ee4847bf5cbc9222ba8a4459997e7cd64cb97145

Signatures
njRAT/Bladabindi
Description: Widely used RAT written in .NET.
Executes dropped EXE (System.exe)
Reported IOCs
pid | process
3300 | System.exe
Modifies Windows Firewall
Drops startup file (System.exe)
Reported IOCs
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f65c7a4a4880bc336b681db036e15111.exe | System.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f65c7a4a4880bc336b681db036e15111.exe | System.exe
Drops file in Windows directory (ab5bfb7c642e59a9c8a6f372ee4847bf5cbc9222ba8a4459997e7cd64cb97145.exe)
Reported IOCs
description | ioc | process
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new | ab5bfb7c642e59a9c8a6f372ee4847bf5cbc9222ba8a4459997e7cd64cb97145.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new | ab5bfb7c642e59a9c8a6f372ee4847bf5cbc9222ba8a4459997e7cd64cb97145.exe
Enumerates physical storage devices
Description: Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (System.exe)
Reported IOCs
description | pid | process
Token: SeDebugPrivilege | 3300 | System.exe
Token: 33 | 3300 | System.exe
Token: SeIncBasePriorityPrivilege | 3300 | System.exe
Token: 33 | 3300 | System.exe
Token: SeIncBasePriorityPrivilege | 3300 | System.exe
Token: 33 | 3300 | System.exe
Token: SeIncBasePriorityPrivilege | 3300 | System.exe
Token: 33 | 3300 | System.exe
Token: SeIncBasePriorityPrivilege | 3300 | System.exe
Token: 33 | 3300 | System.exe
Token: SeIncBasePriorityPrivilege | 3300 | System.exe
Token: 33 | 3300 | System.exe
Token: SeIncBasePriorityPrivilege | 3300 | System.exe
Token: 33 | 3300 | System.exe
Token: SeIncBasePriorityPrivilege | 3300 | System.exe
Token: 33 | 3300 | System.exe
Token: SeIncBasePriorityPrivilege | 3300 | System.exe
Token: 33 | 3300 | System.exe
Token: SeIncBasePriorityPrivilege | 3300 | System.exe
Token: 33 | 3300 | System.exe
Token: SeIncBasePriorityPrivilege | 3300 | System.exe
Token: 33 | 3300 | System.exe
Token: SeIncBasePriorityPrivilege | 3300 | System.exe
Token: 33 | 3300 | System.exe
Token: SeIncBasePriorityPrivilege | 3300 | System.exe
Token: 33 | 3300 | System.exe
Token: SeIncBasePriorityPrivilege | 3300 | System.exe
Token: 33 | 3300 | System.exe
Token: SeIncBasePriorityPrivilege | 3300 | System.exe
Token: 33 | 3300 | System.exe
Token: SeIncBasePriorityPrivilege | 3300 | System.exe
Token: 33 | 3300 | System.exe
Token: SeIncBasePriorityPrivilege | 3300 | System.exe
Token: 33 | 3300 | System.exe
Token: SeIncBasePriorityPrivilege | 3300 | System.exe
Suspicious use of WriteProcessMemory (ab5bfb7c642e59a9c8a6f372ee4847bf5cbc9222ba8a4459997e7cd64cb97145.exe, System.exe)
Reported IOCs
description | pid | process | target process
PID 4088 wrote to memory of 3300 | 4088 | ab5bfb7c642e59a9c8a6f372ee4847bf5cbc9222ba8a4459997e7cd64cb97145.exe | System.exe
PID 4088 wrote to memory of 3300 | 4088 | ab5bfb7c642e59a9c8a6f372ee4847bf5cbc9222ba8a4459997e7cd64cb97145.exe | System.exe
PID 4088 wrote to memory of 3300 | 4088 | ab5bfb7c642e59a9c8a6f372ee4847bf5cbc9222ba8a4459997e7cd64cb97145.exe | System.exe
PID 3300 wrote to memory of 3664 | 3300 | System.exe | netsh.exe
PID 3300 wrote to memory of 3664 | 3300 | System.exe | netsh.exe
PID 3300 wrote to memory of 3664 | 3300 | System.exe | netsh.exe

Processes
C:\Users\Admin\AppData\Local\Temp\ab5bfb7c642e59a9c8a6f372ee4847bf5cbc9222ba8a4459997e7cd64cb97145.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ab5bfb7c642e59a9c8a6f372ee4847bf5cbc9222ba8a4459997e7cd64cb97145.exe"
  Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory

C:\Users\Admin\AppData\Roaming\System.exe
  Command line: "C:\Users\Admin\AppData\Roaming\System.exe"
  Signatures: Executes dropped EXE; Drops startup file; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\netsh.exe
  Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\System.exe" "System.exe" ENABLE

Dropped files
C:\Users\Admin\AppData\Roaming\System.exe (same MD5/SHA1/SHA256 as the submitted sample, i.e. the sample copies itself to this path)
MD5: 7d800ad9f415b03e6bb9a029fa57a3ec
SHA1: 73d737b77a8fea41dad18dc6cdde0892b0dc9796
SHA256: ab5bfb7c642e59a9c8a6f372ee4847bf5cbc9222ba8a4459997e7cd64cb97145
SHA512: 5549ec9bdf48419ad8edaceb1120ad4c8ccc0ead7057a7349ca40ccd997c70244eb1c102a4f63e03acd76947a76a0456dc00473458c18509b803451779c5bf0a

Memory dumps
memory/3300-116-0x0000000000000000-mapping.dmp
memory/3300-119-0x0000000002AA0000-0x0000000002AA1000-memory.dmp
memory/3664-120-0x0000000000000000-mapping.dmp
memory/4088-115-0x0000000002D90000-0x0000000002D91000-memory.dmp