Analysis
-
max time kernel
152s -
max time network
150s -
platform
windows7_x64 -
resource
win7-en-20211014 -
submitted
05-11-2021 12:40
General
-
Target
26C934B5450A2E29B15806DA4C71D01BA6AE2C98D4F18.exe
-
Size
229KB
-
MD5
00a96cad09cacccc65e205f4784df743
-
SHA1
9502ca9bde31d8de80e0ef7f087ad10bbcaacb0f
-
SHA256
26c934b5450a2e29b15806da4c71d01ba6ae2c98d4f18538909807f6d78b2fb6
-
SHA512
08ba1be57531546d41083f77da20fd71d72797e7dd83c066305c931745cc2c1bffa2e2d342b8878a3bca1838e290ce4f54515a6c540871df78a6bde16564089d
Malware Config
Signatures
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Executes dropped EXE 3 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Drops startup file 2 IoCs
-
Loads dropped DLL 4 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Suspicious use of AdjustPrivilegeToken 29 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\26C934B5450A2E29B15806DA4C71D01BA6AE2C98D4F18.exe"C:\Users\Admin\AppData\Local\Temp\26C934B5450A2E29B15806DA4C71D01BA6AE2C98D4F18.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Enc.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Enc.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE4⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PGDOY8~1.EXEC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PGDOY8~1.EXE2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://pointvip.net/forum/index.php?threads/menu-n%C3%A3o-aparece-veja-este-tutorial.15/3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1724 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Enc.exeMD5
087bc808101d91ccff873cf7f64d6105
SHA182fdb175117ea1861b8927de4884286a636c3446
SHA2565075af9951da01032aeda1dbbf3e4fa85a2e0a7c30eea47bb4743254455d6768
SHA5129841aae5cfa65651652b6195987704f2f0773dd729e87be1b5e81fd56ee28f0e2f538e6d15d99e859886be4493e97412387c29ea6f07a14faa8e713058140443
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Enc.exeMD5
087bc808101d91ccff873cf7f64d6105
SHA182fdb175117ea1861b8927de4884286a636c3446
SHA2565075af9951da01032aeda1dbbf3e4fa85a2e0a7c30eea47bb4743254455d6768
SHA5129841aae5cfa65651652b6195987704f2f0773dd729e87be1b5e81fd56ee28f0e2f538e6d15d99e859886be4493e97412387c29ea6f07a14faa8e713058140443
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PGDOY8~1.EXEMD5
47e96ccf6691d77758d5f2f1bcd330a8
SHA106054bbfafebfced7940e31e39c2fb6da459a141
SHA2560c250147c9ee8f6fce6ba6cc29d19654d084f908433976e19d6208090d218a85
SHA512104121b1c3b533d497f523ac38076dee925fcd5cdbd0b7814934e1de9d1177d77f747b273c1b3e5af87848f5a3036c70eb745ee0d405062dea1b061ad6be49ef
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PGDOY8~1.EXEMD5
47e96ccf6691d77758d5f2f1bcd330a8
SHA106054bbfafebfced7940e31e39c2fb6da459a141
SHA2560c250147c9ee8f6fce6ba6cc29d19654d084f908433976e19d6208090d218a85
SHA512104121b1c3b533d497f523ac38076dee925fcd5cdbd0b7814934e1de9d1177d77f747b273c1b3e5af87848f5a3036c70eb745ee0d405062dea1b061ad6be49ef
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\3ZTAKCFO.txtMD5
cb8f145b4e2540d24b40f453f2c9d63b
SHA11da15dcbc85b03bdcc826375a0d1c07f603ec21e
SHA2566216a95174bc10d564bc3b25bd776cd3c5ac14c637cffdc7d377f8f7906ebc36
SHA5122eb4b6202099b08b97dff336914580739587ceecf273729c7b328ab33ebdd54e87ee70d247f9e1462ead3c02372b302386c4d3545b85d8e29fd95f4d9fdd2303
-
C:\Users\Admin\AppData\Roaming\svchost.exeMD5
087bc808101d91ccff873cf7f64d6105
SHA182fdb175117ea1861b8927de4884286a636c3446
SHA2565075af9951da01032aeda1dbbf3e4fa85a2e0a7c30eea47bb4743254455d6768
SHA5129841aae5cfa65651652b6195987704f2f0773dd729e87be1b5e81fd56ee28f0e2f538e6d15d99e859886be4493e97412387c29ea6f07a14faa8e713058140443
-
C:\Users\Admin\AppData\Roaming\svchost.exeMD5
087bc808101d91ccff873cf7f64d6105
SHA182fdb175117ea1861b8927de4884286a636c3446
SHA2565075af9951da01032aeda1dbbf3e4fa85a2e0a7c30eea47bb4743254455d6768
SHA5129841aae5cfa65651652b6195987704f2f0773dd729e87be1b5e81fd56ee28f0e2f538e6d15d99e859886be4493e97412387c29ea6f07a14faa8e713058140443
-
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Enc.exeMD5
087bc808101d91ccff873cf7f64d6105
SHA182fdb175117ea1861b8927de4884286a636c3446
SHA2565075af9951da01032aeda1dbbf3e4fa85a2e0a7c30eea47bb4743254455d6768
SHA5129841aae5cfa65651652b6195987704f2f0773dd729e87be1b5e81fd56ee28f0e2f538e6d15d99e859886be4493e97412387c29ea6f07a14faa8e713058140443
-
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Enc.exeMD5
087bc808101d91ccff873cf7f64d6105
SHA182fdb175117ea1861b8927de4884286a636c3446
SHA2565075af9951da01032aeda1dbbf3e4fa85a2e0a7c30eea47bb4743254455d6768
SHA5129841aae5cfa65651652b6195987704f2f0773dd729e87be1b5e81fd56ee28f0e2f538e6d15d99e859886be4493e97412387c29ea6f07a14faa8e713058140443
-
\Users\Admin\AppData\Local\Temp\IXP000.TMP\PGDOY8~1.EXEMD5
47e96ccf6691d77758d5f2f1bcd330a8
SHA106054bbfafebfced7940e31e39c2fb6da459a141
SHA2560c250147c9ee8f6fce6ba6cc29d19654d084f908433976e19d6208090d218a85
SHA512104121b1c3b533d497f523ac38076dee925fcd5cdbd0b7814934e1de9d1177d77f747b273c1b3e5af87848f5a3036c70eb745ee0d405062dea1b061ad6be49ef
-
\Users\Admin\AppData\Local\Temp\IXP000.TMP\PGDOY8~1.EXEMD5
47e96ccf6691d77758d5f2f1bcd330a8
SHA106054bbfafebfced7940e31e39c2fb6da459a141
SHA2560c250147c9ee8f6fce6ba6cc29d19654d084f908433976e19d6208090d218a85
SHA512104121b1c3b533d497f523ac38076dee925fcd5cdbd0b7814934e1de9d1177d77f747b273c1b3e5af87848f5a3036c70eb745ee0d405062dea1b061ad6be49ef
-
memory/556-87-0x0000000000000000-mapping.dmp
-
memory/1040-63-0x000007FEEEBD0000-0x000007FEEFC66000-memory.dmpFilesize
16.6MB
-
memory/1040-58-0x0000000000000000-mapping.dmp
-
memory/1040-61-0x0000000000BE0000-0x0000000000BE2000-memory.dmpFilesize
8KB
-
memory/1040-62-0x000007FEF2EB0000-0x000007FEF3D3F000-memory.dmpFilesize
14.6MB
-
memory/1492-80-0x0000000000000000-mapping.dmp
-
memory/1492-81-0x000007FEFBDC1000-0x000007FEFBDC3000-memory.dmpFilesize
8KB
-
memory/1524-55-0x00000000764D1000-0x00000000764D3000-memory.dmpFilesize
8KB
-
memory/1664-78-0x00000000003D0000-0x000000000043B000-memory.dmpFilesize
428KB
-
memory/1664-76-0x0000000000B60000-0x0000000000B61000-memory.dmpFilesize
4KB
-
memory/1664-68-0x0000000000000000-mapping.dmp
-
memory/1664-79-0x0000000004CE0000-0x0000000004CE1000-memory.dmpFilesize
4KB
-
memory/1664-84-0x0000000004CE2000-0x0000000004CE3000-memory.dmpFilesize
4KB
-
memory/1664-83-0x0000000004CE1000-0x0000000004CE2000-memory.dmpFilesize
4KB
-
memory/1664-85-0x0000000004CE7000-0x0000000004CF8000-memory.dmpFilesize
68KB
-
memory/1724-86-0x0000000000000000-mapping.dmp
-
memory/1924-73-0x000007FEEDB30000-0x000007FEEEBC6000-memory.dmpFilesize
16.6MB
-
memory/1924-64-0x0000000000000000-mapping.dmp
-
memory/1924-82-0x00000000022F6000-0x0000000002315000-memory.dmpFilesize
124KB
-
memory/1924-70-0x00000000022F0000-0x00000000022F2000-memory.dmpFilesize
8KB
-
memory/1924-69-0x000007FEF2510000-0x000007FEF339F000-memory.dmpFilesize
14.6MB