Analysis
- max time kernel: 152s
- max time network: 151s
- platform: windows10_x64
- resource: win10-en-20211104
- submitted: 05-11-2021 18:37
Behavioral task: behavioral1
- Sample: acc62c054d469dbe939843e3fbcc5729.exe
- Resource: win7-en-20211014 (windows7_x64)
- 0 signatures, 0 seconds
General
- Target: acc62c054d469dbe939843e3fbcc5729.exe
- Size: 37KB
- MD5: acc62c054d469dbe939843e3fbcc5729
- SHA1: 5c4fa46477f91209fb64130a5051dd2e144f46af
- SHA256: 8ec51c13cf8a2342bdd735e69a10f3dfc2f2fe5b64d4b1c0f1573afcdde5b123
- SHA512: bc1e5b05a71c0e624f6bdffa7b2a56693ce5a1dbc050713549ef6dc239dba3bcdfcbf67a588d3bbe62406bb000541873d4ef76481a43175d46f530dcc2a3afe0
Malware Config
Signatures
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
- Modifies Windows Firewall (1 TTPs)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process):
  3792 acc62c054d469dbe939843e3fbcc5729.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes (pid, process):
  3792 acc62c054d469dbe939843e3fbcc5729.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes (description, pid, process):
  Token: SeDebugPrivilege 3792 acc62c054d469dbe939843e3fbcc5729.exe
  Token: 33 3792 acc62c054d469dbe939843e3fbcc5729.exe
  Token: SeIncBasePriorityPrivilege 3792 acc62c054d469dbe939843e3fbcc5729.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description, pid, process, target process):
  PID 3792 wrote to memory of 4040 3792 acc62c054d469dbe939843e3fbcc5729.exe netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\acc62c054d469dbe939843e3fbcc5729.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\acc62c054d469dbe939843e3fbcc5729.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\acc62c054d469dbe939843e3fbcc5729.exe" "acc62c054d469dbe939843e3fbcc5729.exe" ENABLE