Analysis
-
max time kernel
151s -
max time network
148s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
16-12-2021 22:11
General
-
Target
tmp/570e1dd9-aa39-41d6-9a37-1a1ff27b803b_ra4.exe
-
Size
8.4MB
-
MD5
fc878a1e87addcfc819a738f2f4b58f0
-
SHA1
3fe62a9844037951adda9aab5ce952b941033288
-
SHA256
e414709eff086bf9652b2990488603a5346b60b8936c51c364e1130e5a5def0f
-
SHA512
71da98d1086e4a8754d03592266e513e27a8ec4b8e252a7ca24a9278cd8eb0ed61d062a9a1b8f6b3b158c6f2b3465a1088e5b415feabf95a88f00d677ddd06e9
Malware Config
Signatures
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner Payload 3 IoCs
-
Executes dropped EXE 7 IoCs
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file 4 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Kills process with taskkill 8 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 40 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp\570e1dd9-aa39-41d6-9a37-1a1ff27b803b_ra4.exe"C:\Users\Admin\AppData\Local\Temp\tmp\570e1dd9-aa39-41d6-9a37-1a1ff27b803b_ra4.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ra2.exe"C:\Users\Admin\AppData\Local\Temp\ra2.exe"2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /tn NYANP /F3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn NYANP /tr "C:\Users\Admin\AppData\Local\Temp\ra2.exe" /sc minute /mo 53⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /IM wscript.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /IM cmd.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /tn NYAN /F3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\ra2.exe" /sc minute /mo 13⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Client.exe"C:\Users\Admin\Client.exe"3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /tn NYANP /F4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn NYANP /tr "C:\Users\Admin\Client.exe" /sc minute /mo 54⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /IM wscript.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /IM cmd.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /tn NYAN /F4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn NYAN /tr "C:\Users\Admin\Client.exe" /sc minute /mo 14⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\Build.exe"C:\Users\Admin\AppData\Local\Temp\Build.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "servies" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\servies.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "servies" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\servies.exe"4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\cmd.exe"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\Microsoft\servies.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\servies.exeC:\Users\Admin\AppData\Roaming\Microsoft\servies.exe4⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe"5⤵
- Executes dropped EXE
-
C:\Windows\explorer.exeC:\Windows\explorer.exe kikgvzdagtfalr0 Xji3FXYfqqI2timPThbgZueMNpSES88mLhMz2ywydJRha9S4YJkR8/KlqFio/vzAYZEBsbMhk19a7AHFG2E7AaoXpwGgnL9qfF4ckLxCoO5fPm2jEdfVVBnDTVsKcr78bsf+FJAiv9UkqD3PHA/InOiEAYhRW2/oAEFHfXMVdkjhaWKsg2Ui/VNDlZrjEfnNbtHmDzkUQ230hBNYh7ZxfvuOTeg8dkgkyXdOQwbhwsJPq28iQfFX1PueXdORkCf4VucZx9baeD4MEWeJktSkHVOynOvy7XJ6mNKXnfO/doHlqoNXzZ9yBJS+rgA0257kMWTO+mq/iSyuLLOlHufNdxCuaooAte42l8WasUHsqGcVky0tLDJI0vRieQM7RiXxpnGFfsCsd7THmjaH/w72d3yTFK/O26HmnrQqmsgAIYO6eidmlIq4VnrnNaUF02+EUeXXUC+XLSypGiOPZt/u2qjQSEo2JnfQG/1t76Y5UmvcdiThqoLnxJ0iX0LglGcPw3+/OmvYZC29fJYqJidc6CGf6nKuThpimDlMir2QU69LNxGOE1rkpFoyAWPXAN4T+Cg9ybqrJ+tbpIJQe9UPCQ==5⤵
- Checks BIOS information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Client.exeC:\Users\Admin\Client.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /tn NYANP /F2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn NYANP /tr "C:\Users\Admin\Client.exe" /sc minute /mo 52⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /IM wscript.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /IM cmd.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /tn NYAN /F2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn NYAN /tr "C:\Users\Admin\Client.exe" /sc minute /mo 12⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Client.exeC:\Users\Admin\Client.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /tn NYANP /F2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn NYANP /tr "C:\Users\Admin\Client.exe" /sc minute /mo 52⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /IM wscript.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /IM cmd.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Client.exe.logMD5
68fd23becbb886946c7fd350fa5efeba
SHA169cf312bf69233ec457b9ae4ce0ab4d092669e0b
SHA256bc0c4509c74a57c5aa7260470b2b798157884b2f9072303e9fbc1e5ebbe18c14
SHA51256e947f03c677e9f5dfa863c1b45721eff492f44d290ad5224a46b8623de5cf3fd56b4c04659c48b9342afb4061fea072992226b009a0b0d3bd67c9b3044b926
-
C:\Users\Admin\AppData\Local\Temp\Build.exeMD5
19402d6c5cd427fbfc867279bd40667a
SHA172a3aaf031894dc1736bdfaa25bac181019a9398
SHA256ad363e875ebeaee352f9ce9a53f70fa1b8887ae3b42a9f1a817d3402db05b994
SHA512b8e82ee6398eedfbe7617ab2e0c274a6f3eccad681ed044b17e444d8c711293e9ba64e5151b5ab558417a452639b93826d3c01ff5736ef787e05140e17b45618
-
C:\Users\Admin\AppData\Local\Temp\Build.exeMD5
19402d6c5cd427fbfc867279bd40667a
SHA172a3aaf031894dc1736bdfaa25bac181019a9398
SHA256ad363e875ebeaee352f9ce9a53f70fa1b8887ae3b42a9f1a817d3402db05b994
SHA512b8e82ee6398eedfbe7617ab2e0c274a6f3eccad681ed044b17e444d8c711293e9ba64e5151b5ab558417a452639b93826d3c01ff5736ef787e05140e17b45618
-
C:\Users\Admin\AppData\Local\Temp\ra2.exeMD5
6d9a47c5bae0ee452b2076ed8b98dab4
SHA1e65b81b050d75b8dcb5374e0b39601abf55d631e
SHA25632ff5787da7645739eb059af2c09432f0b25401acfbc58a0f576ca6123bbee44
SHA512c31223d4a96045a5b910f9da603676b9a28fc926a922075e676cb644f8f02251de3c57be4078b210b26300689876e9162c91e297bf0367bf189deceb32e61d59
-
C:\Users\Admin\AppData\Local\Temp\ra2.exeMD5
6d9a47c5bae0ee452b2076ed8b98dab4
SHA1e65b81b050d75b8dcb5374e0b39601abf55d631e
SHA25632ff5787da7645739eb059af2c09432f0b25401acfbc58a0f576ca6123bbee44
SHA512c31223d4a96045a5b910f9da603676b9a28fc926a922075e676cb644f8f02251de3c57be4078b210b26300689876e9162c91e297bf0367bf189deceb32e61d59
-
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exeMD5
5aff6f89f1a58c1f48873b39a6602005
SHA166c97937cf6b99ca8fa500c1345d6675061c0615
SHA2560f4e36dcb645801dfb01afe7b7d3527ce295cc581af11102b02306d0b243a158
SHA512e92787f9569617912ac7e7dc14c77d896369d16d70576e134c5f069851194c592f7f2ebe71f627668f8a6cf0e9ae166fb3b0610b83e7cf4a4b03e7da7f70c600
-
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exeMD5
5aff6f89f1a58c1f48873b39a6602005
SHA166c97937cf6b99ca8fa500c1345d6675061c0615
SHA2560f4e36dcb645801dfb01afe7b7d3527ce295cc581af11102b02306d0b243a158
SHA512e92787f9569617912ac7e7dc14c77d896369d16d70576e134c5f069851194c592f7f2ebe71f627668f8a6cf0e9ae166fb3b0610b83e7cf4a4b03e7da7f70c600
-
C:\Users\Admin\AppData\Roaming\Microsoft\servies.exeMD5
19402d6c5cd427fbfc867279bd40667a
SHA172a3aaf031894dc1736bdfaa25bac181019a9398
SHA256ad363e875ebeaee352f9ce9a53f70fa1b8887ae3b42a9f1a817d3402db05b994
SHA512b8e82ee6398eedfbe7617ab2e0c274a6f3eccad681ed044b17e444d8c711293e9ba64e5151b5ab558417a452639b93826d3c01ff5736ef787e05140e17b45618
-
C:\Users\Admin\AppData\Roaming\Microsoft\servies.exeMD5
19402d6c5cd427fbfc867279bd40667a
SHA172a3aaf031894dc1736bdfaa25bac181019a9398
SHA256ad363e875ebeaee352f9ce9a53f70fa1b8887ae3b42a9f1a817d3402db05b994
SHA512b8e82ee6398eedfbe7617ab2e0c274a6f3eccad681ed044b17e444d8c711293e9ba64e5151b5ab558417a452639b93826d3c01ff5736ef787e05140e17b45618
-
C:\Users\Admin\Client.exeMD5
6d9a47c5bae0ee452b2076ed8b98dab4
SHA1e65b81b050d75b8dcb5374e0b39601abf55d631e
SHA25632ff5787da7645739eb059af2c09432f0b25401acfbc58a0f576ca6123bbee44
SHA512c31223d4a96045a5b910f9da603676b9a28fc926a922075e676cb644f8f02251de3c57be4078b210b26300689876e9162c91e297bf0367bf189deceb32e61d59
-
C:\Users\Admin\Client.exeMD5
6d9a47c5bae0ee452b2076ed8b98dab4
SHA1e65b81b050d75b8dcb5374e0b39601abf55d631e
SHA25632ff5787da7645739eb059af2c09432f0b25401acfbc58a0f576ca6123bbee44
SHA512c31223d4a96045a5b910f9da603676b9a28fc926a922075e676cb644f8f02251de3c57be4078b210b26300689876e9162c91e297bf0367bf189deceb32e61d59
-
C:\Users\Admin\Client.exeMD5
6d9a47c5bae0ee452b2076ed8b98dab4
SHA1e65b81b050d75b8dcb5374e0b39601abf55d631e
SHA25632ff5787da7645739eb059af2c09432f0b25401acfbc58a0f576ca6123bbee44
SHA512c31223d4a96045a5b910f9da603676b9a28fc926a922075e676cb644f8f02251de3c57be4078b210b26300689876e9162c91e297bf0367bf189deceb32e61d59
-
C:\Users\Admin\Client.exeMD5
6d9a47c5bae0ee452b2076ed8b98dab4
SHA1e65b81b050d75b8dcb5374e0b39601abf55d631e
SHA25632ff5787da7645739eb059af2c09432f0b25401acfbc58a0f576ca6123bbee44
SHA512c31223d4a96045a5b910f9da603676b9a28fc926a922075e676cb644f8f02251de3c57be4078b210b26300689876e9162c91e297bf0367bf189deceb32e61d59
-
memory/344-162-0x0000000000000000-mapping.dmp
-
memory/1196-134-0x0000000000000000-mapping.dmp
-
memory/1200-161-0x0000000000000000-mapping.dmp
-
memory/1300-170-0x0000000000000000-mapping.dmp
-
memory/1352-191-0x0000000000000000-mapping.dmp
-
memory/1560-182-0x0000000002DC6000-0x0000000002DC7000-memory.dmpFilesize
4KB
-
memory/1560-181-0x0000000002DC5000-0x0000000002DC6000-memory.dmpFilesize
4KB
-
memory/1560-175-0x0000000002DC0000-0x0000000002DC1000-memory.dmpFilesize
4KB
-
memory/1560-180-0x0000000002DC3000-0x0000000002DC5000-memory.dmpFilesize
8KB
-
memory/1604-135-0x0000000000000000-mapping.dmp
-
memory/1668-171-0x0000000000000000-mapping.dmp
-
memory/1912-136-0x0000000000000000-mapping.dmp
-
memory/2104-140-0x00007FF78D280000-0x00007FF78D281000-memory.dmpFilesize
4KB
-
memory/2104-137-0x0000000000000000-mapping.dmp
-
memory/2104-148-0x00000000222B0000-0x00000000222B2000-memory.dmpFilesize
8KB
-
memory/2476-163-0x0000000000000000-mapping.dmp
-
memory/2532-189-0x0000000000000000-mapping.dmp
-
memory/2656-160-0x0000000000000000-mapping.dmp
-
memory/3024-118-0x0000000000000000-mapping.dmp
-
memory/3024-126-0x00000000223F0000-0x00000000223F2000-memory.dmpFilesize
8KB
-
memory/3024-122-0x00007FF6F2E50000-0x00007FF6F2E51000-memory.dmpFilesize
4KB
-
memory/3024-124-0x0000000009610000-0x0000000009611000-memory.dmpFilesize
4KB
-
memory/3068-179-0x0000000000000000-mapping.dmp
-
memory/3728-177-0x0000000000000000-mapping.dmp
-
memory/3736-178-0x0000000000000000-mapping.dmp
-
memory/3784-187-0x0000000002620000-0x0000000002621000-memory.dmpFilesize
4KB
-
memory/3784-193-0x0000000002625000-0x0000000002626000-memory.dmpFilesize
4KB
-
memory/3784-192-0x0000000002623000-0x0000000002625000-memory.dmpFilesize
8KB
-
memory/3816-130-0x0000000000000000-mapping.dmp
-
memory/3824-183-0x0000000000000000-mapping.dmp
-
memory/3920-131-0x0000000000000000-mapping.dmp
-
memory/3960-176-0x0000000000000000-mapping.dmp
-
memory/4132-132-0x0000000000C13000-0x0000000000C15000-memory.dmpFilesize
8KB
-
memory/4132-133-0x0000000000C15000-0x0000000000C16000-memory.dmpFilesize
4KB
-
memory/4132-115-0x0000000000000000-mapping.dmp
-
memory/4132-121-0x0000000000C10000-0x0000000000C11000-memory.dmpFilesize
4KB
-
memory/4132-150-0x0000000000C16000-0x0000000000C17000-memory.dmpFilesize
4KB
-
memory/4252-125-0x0000000000000000-mapping.dmp
-
memory/4344-129-0x0000000000000000-mapping.dmp
-
memory/4388-127-0x0000000000000000-mapping.dmp
-
memory/4416-190-0x0000000000000000-mapping.dmp
-
memory/4440-128-0x0000000000000000-mapping.dmp
-
memory/4460-184-0x0000000000000000-mapping.dmp
-
memory/4512-188-0x0000000000000000-mapping.dmp
-
memory/4876-172-0x0000000001100000-0x000000000124A000-memory.dmpFilesize
1.3MB
-
memory/4876-164-0x0000000001100000-0x000000000124A000-memory.dmpFilesize
1.3MB
-
memory/4876-151-0x0000000000000000-mapping.dmp
-
memory/4876-158-0x0000000001100000-0x000000000124A000-memory.dmpFilesize
1.3MB
-
memory/4876-167-0x0000000001100000-0x000000000124A000-memory.dmpFilesize
1.3MB
-
memory/4904-166-0x0000000000860000-0x0000000000880000-memory.dmpFilesize
128KB
-
memory/4904-165-0x0000000000810000-0x0000000000812000-memory.dmpFilesize
8KB
-
memory/4904-173-0x0000000003580000-0x00000000035A0000-memory.dmpFilesize
128KB
-
memory/4904-159-0x0000000140000000-0x000000014097B000-memory.dmpFilesize
9.5MB
-
memory/4904-168-0x0000000000810000-0x0000000000812000-memory.dmpFilesize
8KB
-
memory/4904-156-0x0000000000810000-0x0000000000812000-memory.dmpFilesize
8KB
-
memory/4904-157-0x0000000000810000-0x0000000000812000-memory.dmpFilesize
8KB
-
memory/4904-155-0x0000000140958000-mapping.dmp
-
memory/4904-154-0x0000000140000000-0x000000014097B000-memory.dmpFilesize
9.5MB
-
memory/4904-169-0x0000000003540000-0x0000000003560000-memory.dmpFilesize
128KB
-
memory/4976-149-0x000000001B150000-0x000000001B152000-memory.dmpFilesize
8KB
-
memory/4976-146-0x0000000000490000-0x0000000000491000-memory.dmpFilesize
4KB
-
memory/4976-143-0x0000000000000000-mapping.dmp