Analysis
  max time kernel: 147s
  max time network: 146s
  platform: windows10_x64
  resource: win10-en-20211208
  submitted: 27-12-2021 23:02

Behavioral task: behavioral1
  Sample: a6e5b75aa89f9057e0ab97d0064f9226.exe
  Resource: win7-en-20211208 (windows7_x64)
  0 signatures, 0 seconds
General
  Target: a6e5b75aa89f9057e0ab97d0064f9226.exe
  Size: 31KB
  MD5: a6e5b75aa89f9057e0ab97d0064f9226
  SHA1: 563235fef327e1877822799f2a60c6309146e6e8
  SHA256: 97445a651bd56279e64a3f4bf79e454205e00bc84c7b500b0e69e30a93e85075
  SHA512: 6276c98823d774830b575a24a71c4f31d89ab14a3b9cc5df1aa19e79e5bd23500f3c9605acc7e00b15e7d126d9bd33cd45b4f290a0ccdf14c9fafa528bf2b7e4
Malware Config
Signatures
  - suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) (reported twice)
  - Modifies Windows Firewall (1 TTPs)
  - Suspicious use of AdjustPrivilegeToken (35 IoCs)
Processes (description | pid | process), 35 entries:
  Token: SeDebugPrivilege           | 2420 | a6e5b75aa89f9057e0ab97d0064f9226.exe
  Token: 33                         | 2420 | a6e5b75aa89f9057e0ab97d0064f9226.exe
  Token: SeIncBasePriorityPrivilege | 2420 | a6e5b75aa89f9057e0ab97d0064f9226.exe
  (the remaining 34 entries alternate between Token: 33 and Token: SeIncBasePriorityPrivilege, 17 of each, all for PID 2420 a6e5b75aa89f9057e0ab97d0064f9226.exe)
  - Suspicious use of WriteProcessMemory (3 IoCs)
Processes (description | pid | process | target process):
  PID 2420 wrote to memory of 3776 | 2420 | a6e5b75aa89f9057e0ab97d0064f9226.exe | netsh.exe  (3 identical entries)
Processes
  C:\Users\Admin\AppData\Local\Temp\a6e5b75aa89f9057e0ab97d0064f9226.exe  (PID 2420)
    command line: "C:\Users\Admin\AppData\Local\Temp\a6e5b75aa89f9057e0ab97d0064f9226.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\netsh.exe  (PID 3776, child of PID 2420)
      command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\a6e5b75aa89f9057e0ab97d0064f9226.exe" "a6e5b75aa89f9057e0ab97d0064f9226.exe" ENABLE