Analysis

  • max time kernel
    152s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    05-11-2021 12:40

General

  • Target

    26C934B5450A2E29B15806DA4C71D01BA6AE2C98D4F18.exe

  • Size

    229KB

  • MD5

    00a96cad09cacccc65e205f4784df743

  • SHA1

    9502ca9bde31d8de80e0ef7f087ad10bbcaacb0f

  • SHA256

    26c934b5450a2e29b15806da4c71d01ba6ae2c98d4f18538909807f6d78b2fb6

  • SHA512

    08ba1be57531546d41083f77da20fd71d72797e7dd83c066305c931745cc2c1bffa2e2d342b8878a3bca1838e290ce4f54515a6c540871df78a6bde16564089d

Malware Config

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Executes dropped EXE 3 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Drops startup file 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Suspicious use of AdjustPrivilegeToken 29 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\26C934B5450A2E29B15806DA4C71D01BA6AE2C98D4F18.exe
    "C:\Users\Admin\AppData\Local\Temp\26C934B5450A2E29B15806DA4C71D01BA6AE2C98D4F18.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1524
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Enc.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Enc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1040
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Drops startup file
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1924
        • C:\Windows\system32\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE
          4⤵
            PID:1492
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PGDOY8~1.EXE
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PGDOY8~1.EXE
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1664
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" http://pointvip.net/forum/index.php?threads/menu-n%C3%A3o-aparece-veja-este-tutorial.15/
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1724
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1724 CREDAT:275457 /prefetch:2
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:556

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Persistence

    Modify Existing Service

    1
    T1031

    Registry Run Keys / Startup Folder

    1
    T1060

    Defense Evasion

    Modify Registry

    2
    T1112

    Discovery

    System Information Discovery

    1
    T1082

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Enc.exe
      MD5

      087bc808101d91ccff873cf7f64d6105

      SHA1

      82fdb175117ea1861b8927de4884286a636c3446

      SHA256

      5075af9951da01032aeda1dbbf3e4fa85a2e0a7c30eea47bb4743254455d6768

      SHA512

      9841aae5cfa65651652b6195987704f2f0773dd729e87be1b5e81fd56ee28f0e2f538e6d15d99e859886be4493e97412387c29ea6f07a14faa8e713058140443

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Enc.exe
      MD5

      087bc808101d91ccff873cf7f64d6105

      SHA1

      82fdb175117ea1861b8927de4884286a636c3446

      SHA256

      5075af9951da01032aeda1dbbf3e4fa85a2e0a7c30eea47bb4743254455d6768

      SHA512

      9841aae5cfa65651652b6195987704f2f0773dd729e87be1b5e81fd56ee28f0e2f538e6d15d99e859886be4493e97412387c29ea6f07a14faa8e713058140443

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PGDOY8~1.EXE
      MD5

      47e96ccf6691d77758d5f2f1bcd330a8

      SHA1

      06054bbfafebfced7940e31e39c2fb6da459a141

      SHA256

      0c250147c9ee8f6fce6ba6cc29d19654d084f908433976e19d6208090d218a85

      SHA512

      104121b1c3b533d497f523ac38076dee925fcd5cdbd0b7814934e1de9d1177d77f747b273c1b3e5af87848f5a3036c70eb745ee0d405062dea1b061ad6be49ef

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PGDOY8~1.EXE
      MD5

      47e96ccf6691d77758d5f2f1bcd330a8

      SHA1

      06054bbfafebfced7940e31e39c2fb6da459a141

      SHA256

      0c250147c9ee8f6fce6ba6cc29d19654d084f908433976e19d6208090d218a85

      SHA512

      104121b1c3b533d497f523ac38076dee925fcd5cdbd0b7814934e1de9d1177d77f747b273c1b3e5af87848f5a3036c70eb745ee0d405062dea1b061ad6be49ef

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\3ZTAKCFO.txt
      MD5

      cb8f145b4e2540d24b40f453f2c9d63b

      SHA1

      1da15dcbc85b03bdcc826375a0d1c07f603ec21e

      SHA256

      6216a95174bc10d564bc3b25bd776cd3c5ac14c637cffdc7d377f8f7906ebc36

      SHA512

      2eb4b6202099b08b97dff336914580739587ceecf273729c7b328ab33ebdd54e87ee70d247f9e1462ead3c02372b302386c4d3545b85d8e29fd95f4d9fdd2303

    • C:\Users\Admin\AppData\Roaming\svchost.exe
      MD5

      087bc808101d91ccff873cf7f64d6105

      SHA1

      82fdb175117ea1861b8927de4884286a636c3446

      SHA256

      5075af9951da01032aeda1dbbf3e4fa85a2e0a7c30eea47bb4743254455d6768

      SHA512

      9841aae5cfa65651652b6195987704f2f0773dd729e87be1b5e81fd56ee28f0e2f538e6d15d99e859886be4493e97412387c29ea6f07a14faa8e713058140443

    • C:\Users\Admin\AppData\Roaming\svchost.exe
      MD5

      087bc808101d91ccff873cf7f64d6105

      SHA1

      82fdb175117ea1861b8927de4884286a636c3446

      SHA256

      5075af9951da01032aeda1dbbf3e4fa85a2e0a7c30eea47bb4743254455d6768

      SHA512

      9841aae5cfa65651652b6195987704f2f0773dd729e87be1b5e81fd56ee28f0e2f538e6d15d99e859886be4493e97412387c29ea6f07a14faa8e713058140443

    • \Users\Admin\AppData\Local\Temp\IXP000.TMP\Enc.exe
      MD5

      087bc808101d91ccff873cf7f64d6105

      SHA1

      82fdb175117ea1861b8927de4884286a636c3446

      SHA256

      5075af9951da01032aeda1dbbf3e4fa85a2e0a7c30eea47bb4743254455d6768

      SHA512

      9841aae5cfa65651652b6195987704f2f0773dd729e87be1b5e81fd56ee28f0e2f538e6d15d99e859886be4493e97412387c29ea6f07a14faa8e713058140443

    • \Users\Admin\AppData\Local\Temp\IXP000.TMP\Enc.exe
      MD5

      087bc808101d91ccff873cf7f64d6105

      SHA1

      82fdb175117ea1861b8927de4884286a636c3446

      SHA256

      5075af9951da01032aeda1dbbf3e4fa85a2e0a7c30eea47bb4743254455d6768

      SHA512

      9841aae5cfa65651652b6195987704f2f0773dd729e87be1b5e81fd56ee28f0e2f538e6d15d99e859886be4493e97412387c29ea6f07a14faa8e713058140443

    • \Users\Admin\AppData\Local\Temp\IXP000.TMP\PGDOY8~1.EXE
      MD5

      47e96ccf6691d77758d5f2f1bcd330a8

      SHA1

      06054bbfafebfced7940e31e39c2fb6da459a141

      SHA256

      0c250147c9ee8f6fce6ba6cc29d19654d084f908433976e19d6208090d218a85

      SHA512

      104121b1c3b533d497f523ac38076dee925fcd5cdbd0b7814934e1de9d1177d77f747b273c1b3e5af87848f5a3036c70eb745ee0d405062dea1b061ad6be49ef

    • \Users\Admin\AppData\Local\Temp\IXP000.TMP\PGDOY8~1.EXE
      MD5

      47e96ccf6691d77758d5f2f1bcd330a8

      SHA1

      06054bbfafebfced7940e31e39c2fb6da459a141

      SHA256

      0c250147c9ee8f6fce6ba6cc29d19654d084f908433976e19d6208090d218a85

      SHA512

      104121b1c3b533d497f523ac38076dee925fcd5cdbd0b7814934e1de9d1177d77f747b273c1b3e5af87848f5a3036c70eb745ee0d405062dea1b061ad6be49ef

    • memory/556-87-0x0000000000000000-mapping.dmp
    • memory/1040-63-0x000007FEEEBD0000-0x000007FEEFC66000-memory.dmp
      Filesize

      16.6MB

    • memory/1040-58-0x0000000000000000-mapping.dmp
    • memory/1040-61-0x0000000000BE0000-0x0000000000BE2000-memory.dmp
      Filesize

      8KB

    • memory/1040-62-0x000007FEF2EB0000-0x000007FEF3D3F000-memory.dmp
      Filesize

      14.6MB

    • memory/1492-80-0x0000000000000000-mapping.dmp
    • memory/1492-81-0x000007FEFBDC1000-0x000007FEFBDC3000-memory.dmp
      Filesize

      8KB

    • memory/1524-55-0x00000000764D1000-0x00000000764D3000-memory.dmp
      Filesize

      8KB

    • memory/1664-78-0x00000000003D0000-0x000000000043B000-memory.dmp
      Filesize

      428KB

    • memory/1664-76-0x0000000000B60000-0x0000000000B61000-memory.dmp
      Filesize

      4KB

    • memory/1664-68-0x0000000000000000-mapping.dmp
    • memory/1664-79-0x0000000004CE0000-0x0000000004CE1000-memory.dmp
      Filesize

      4KB

    • memory/1664-84-0x0000000004CE2000-0x0000000004CE3000-memory.dmp
      Filesize

      4KB

    • memory/1664-83-0x0000000004CE1000-0x0000000004CE2000-memory.dmp
      Filesize

      4KB

    • memory/1664-85-0x0000000004CE7000-0x0000000004CF8000-memory.dmp
      Filesize

      68KB

    • memory/1724-86-0x0000000000000000-mapping.dmp
    • memory/1924-73-0x000007FEEDB30000-0x000007FEEEBC6000-memory.dmp
      Filesize

      16.6MB

    • memory/1924-64-0x0000000000000000-mapping.dmp
    • memory/1924-82-0x00000000022F6000-0x0000000002315000-memory.dmp
      Filesize

      124KB

    • memory/1924-70-0x00000000022F0000-0x00000000022F2000-memory.dmp
      Filesize

      8KB

    • memory/1924-69-0x000007FEF2510000-0x000007FEF339F000-memory.dmp
      Filesize

      14.6MB