Analysis
-
max time kernel
151s -
max time network
152s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
28-12-2021 18:01
General
-
Target
88019B018015F33C8CA9290A531027E90EAE517F6B590.exe
-
Size
13.6MB
-
MD5
2821b719af8d6e8a54926a0536c52feb
-
SHA1
ec3013696893908ec7a726325da37bbf22c04eee
-
SHA256
88019b018015f33c8ca9290a531027e90eae517f6b590fb1711de81ff222ed98
-
SHA512
ffb33b3a9118daac53b7ccebb3424affa694123d7b4e8ba5281a387b1d669dfb0cb9e5e321d1d970e0693072d42944861570f3b31cde20b0e542a5ae96b648a6
Malware Config
Signatures
-
UAC bypass 3 TTPs
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
-
Executes dropped EXE 5 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Drops startup file 2 IoCs
-
Loads dropped DLL 5 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
autoit_exe 11 IoCs
AutoIT scripts compiled to PE executables.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 37 IoCs
-
Suspicious use of WriteProcessMemory 60 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\88019B018015F33C8CA9290A531027E90EAE517F6B590.exe"C:\Users\Admin\AppData\Local\Temp\88019B018015F33C8CA9290A531027E90EAE517F6B590.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Do you want to allow this app to make changes to your device.exe"C:\Users\Admin\AppData\Local\Temp\Do you want to allow this app to make changes to your device.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Controlled.exe"C:\Users\Admin\AppData\Local\Temp\Controlled.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe -ExecutionPolicy Bypass powershell.exe New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass powershell.exe New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe -ExecutionPolicy Bypass powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath "%appdata%"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe -ExecutionPolicy Bypass powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath "%LOCALAPPDATA%\Temp"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Lost.exe"C:\Users\Admin\AppData\Local\Temp\Lost.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Microsoft OneDrive.exe"C:\Users\Admin\AppData\Local\Temp\Microsoft OneDrive.exe"4⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Microsoft OneDrive.exe" "Microsoft OneDrive.exe" ENABLE5⤵
-
C:\Users\Admin\AppData\Local\Temp\Microsoft Toolkit.exe"C:\Users\Admin\AppData\Local\Temp\Microsoft Toolkit.exe"2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Controlled.exeMD5
bac34ccafe73bb8ac9fc2d603e8fa7f5
SHA18a5c1dfca71d0427c05aecd1cc51bfea4d115380
SHA2563f2cc117aaca845072bf07291d7de05f2c3f1d6d35acefde2db8de1bcff1b5b9
SHA51216d5e260a13841731d57938cc89301ec17ad4c15fa461861888a9bdc895b599860b53e97c440ecea2519653cd398ca3b7c499b90014f96059762357c0d8b102f
-
C:\Users\Admin\AppData\Local\Temp\Controlled.exeMD5
bac34ccafe73bb8ac9fc2d603e8fa7f5
SHA18a5c1dfca71d0427c05aecd1cc51bfea4d115380
SHA2563f2cc117aaca845072bf07291d7de05f2c3f1d6d35acefde2db8de1bcff1b5b9
SHA51216d5e260a13841731d57938cc89301ec17ad4c15fa461861888a9bdc895b599860b53e97c440ecea2519653cd398ca3b7c499b90014f96059762357c0d8b102f
-
C:\Users\Admin\AppData\Local\Temp\Do you want to allow this app to make changes to your device.exeMD5
7c201b8ea0371c471d14bc58a1a49250
SHA10bdeffc5d2f65177d13a75f577ca7280a6adbb45
SHA25654005254ae6e1a05f068974760305ce6df3775fa00e64273849c02c4488a6e81
SHA512d0fff986dc5fbb1be8dd419a39279a7ad6c3e0b21a4a91b52db4198e66bfce4f3e4eb7185c3cf16027fced90a3084d9d37baa10515186218acc29a6cd624d724
-
C:\Users\Admin\AppData\Local\Temp\Do you want to allow this app to make changes to your device.exeMD5
7c201b8ea0371c471d14bc58a1a49250
SHA10bdeffc5d2f65177d13a75f577ca7280a6adbb45
SHA25654005254ae6e1a05f068974760305ce6df3775fa00e64273849c02c4488a6e81
SHA512d0fff986dc5fbb1be8dd419a39279a7ad6c3e0b21a4a91b52db4198e66bfce4f3e4eb7185c3cf16027fced90a3084d9d37baa10515186218acc29a6cd624d724
-
C:\Users\Admin\AppData\Local\Temp\Lost.exeMD5
d682f703d4b78ad2c57d3fc91e40df9b
SHA149dfe802bf98c59eff10dbe8ec360ed53114bb6a
SHA25672611a2a7db8978d61f2d8659cd56c0595d96ac7fbb03adcc6000e40760062e7
SHA512384e5269ba21c749c9d320688d866e2047891744d4059767fb7e9230908016b9fc12fda4df20647555f6e68fafc5ffe2cbe0b780049de8c76c275c7cdb83a5c1
-
C:\Users\Admin\AppData\Local\Temp\Lost.exeMD5
d682f703d4b78ad2c57d3fc91e40df9b
SHA149dfe802bf98c59eff10dbe8ec360ed53114bb6a
SHA25672611a2a7db8978d61f2d8659cd56c0595d96ac7fbb03adcc6000e40760062e7
SHA512384e5269ba21c749c9d320688d866e2047891744d4059767fb7e9230908016b9fc12fda4df20647555f6e68fafc5ffe2cbe0b780049de8c76c275c7cdb83a5c1
-
C:\Users\Admin\AppData\Local\Temp\Microsoft OneDrive.exeMD5
d682f703d4b78ad2c57d3fc91e40df9b
SHA149dfe802bf98c59eff10dbe8ec360ed53114bb6a
SHA25672611a2a7db8978d61f2d8659cd56c0595d96ac7fbb03adcc6000e40760062e7
SHA512384e5269ba21c749c9d320688d866e2047891744d4059767fb7e9230908016b9fc12fda4df20647555f6e68fafc5ffe2cbe0b780049de8c76c275c7cdb83a5c1
-
C:\Users\Admin\AppData\Local\Temp\Microsoft OneDrive.exeMD5
d682f703d4b78ad2c57d3fc91e40df9b
SHA149dfe802bf98c59eff10dbe8ec360ed53114bb6a
SHA25672611a2a7db8978d61f2d8659cd56c0595d96ac7fbb03adcc6000e40760062e7
SHA512384e5269ba21c749c9d320688d866e2047891744d4059767fb7e9230908016b9fc12fda4df20647555f6e68fafc5ffe2cbe0b780049de8c76c275c7cdb83a5c1
-
C:\Users\Admin\AppData\Local\Temp\Microsoft Toolkit.exeMD5
f2b6ef2a2ee8fe7819029dc06a69e7ba
SHA148a2429e9b17d91ff158dfdf896e62874c66bec7
SHA2560774dc41d6a7956a9e551e52db40944eed0362f60067faf7f08920e062df7108
SHA512cd6b22d2b82555a5db0bc00aa18f7195cd796e6f93036a13fcbd1b2eba981a83ef4247fd1836f703b4a900f375f93ecdac9c31a91ec6acfbf89f66653adb5ed9
-
C:\Users\Admin\AppData\Local\Temp\Microsoft Toolkit.exeMD5
f2b6ef2a2ee8fe7819029dc06a69e7ba
SHA148a2429e9b17d91ff158dfdf896e62874c66bec7
SHA2560774dc41d6a7956a9e551e52db40944eed0362f60067faf7f08920e062df7108
SHA512cd6b22d2b82555a5db0bc00aa18f7195cd796e6f93036a13fcbd1b2eba981a83ef4247fd1836f703b4a900f375f93ecdac9c31a91ec6acfbf89f66653adb5ed9
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msMD5
59c9acbba551c250fab194ea36f98676
SHA13a86a7ab20796fc850a548a7ca04bded01f3ab41
SHA256659ed577e819db41d86219443803283f2fe4492d41485fa668e258ca7165d403
SHA51239b4704c9fafea4f3f54e376c28c6d4e5b6b3d3ca1a107f79b8bd06f7bf4fab9622e46a8bcecf78425e63c9c85a01e87ee34ae7c55a309bac5de6ef3be891651
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msMD5
f2ee607e5698500bd269de0dc1c48d14
SHA15fe79825b8f02e135d2efe79ff75e2700d2beb7f
SHA2560f2d1100e611c786df28feb31ce5a9ad657d692f212f884665bb5036b7f4e066
SHA5124b9c6ea419106d3781c72be92c5311c2b4e70fcea11ddaaab2769550c6e6f88a3e07caafd7a7b69dffede45c8157d5d71aedff6cef1cf4a2c6a1ac997b211557
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msMD5
f2ee607e5698500bd269de0dc1c48d14
SHA15fe79825b8f02e135d2efe79ff75e2700d2beb7f
SHA2560f2d1100e611c786df28feb31ce5a9ad657d692f212f884665bb5036b7f4e066
SHA5124b9c6ea419106d3781c72be92c5311c2b4e70fcea11ddaaab2769550c6e6f88a3e07caafd7a7b69dffede45c8157d5d71aedff6cef1cf4a2c6a1ac997b211557
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msMD5
f2ee607e5698500bd269de0dc1c48d14
SHA15fe79825b8f02e135d2efe79ff75e2700d2beb7f
SHA2560f2d1100e611c786df28feb31ce5a9ad657d692f212f884665bb5036b7f4e066
SHA5124b9c6ea419106d3781c72be92c5311c2b4e70fcea11ddaaab2769550c6e6f88a3e07caafd7a7b69dffede45c8157d5d71aedff6cef1cf4a2c6a1ac997b211557
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msMD5
f2ee607e5698500bd269de0dc1c48d14
SHA15fe79825b8f02e135d2efe79ff75e2700d2beb7f
SHA2560f2d1100e611c786df28feb31ce5a9ad657d692f212f884665bb5036b7f4e066
SHA5124b9c6ea419106d3781c72be92c5311c2b4e70fcea11ddaaab2769550c6e6f88a3e07caafd7a7b69dffede45c8157d5d71aedff6cef1cf4a2c6a1ac997b211557
-
\Users\Admin\AppData\Local\Temp\Controlled.exeMD5
bac34ccafe73bb8ac9fc2d603e8fa7f5
SHA18a5c1dfca71d0427c05aecd1cc51bfea4d115380
SHA2563f2cc117aaca845072bf07291d7de05f2c3f1d6d35acefde2db8de1bcff1b5b9
SHA51216d5e260a13841731d57938cc89301ec17ad4c15fa461861888a9bdc895b599860b53e97c440ecea2519653cd398ca3b7c499b90014f96059762357c0d8b102f
-
\Users\Admin\AppData\Local\Temp\Do you want to allow this app to make changes to your device.exeMD5
7c201b8ea0371c471d14bc58a1a49250
SHA10bdeffc5d2f65177d13a75f577ca7280a6adbb45
SHA25654005254ae6e1a05f068974760305ce6df3775fa00e64273849c02c4488a6e81
SHA512d0fff986dc5fbb1be8dd419a39279a7ad6c3e0b21a4a91b52db4198e66bfce4f3e4eb7185c3cf16027fced90a3084d9d37baa10515186218acc29a6cd624d724
-
\Users\Admin\AppData\Local\Temp\Lost.exeMD5
d682f703d4b78ad2c57d3fc91e40df9b
SHA149dfe802bf98c59eff10dbe8ec360ed53114bb6a
SHA25672611a2a7db8978d61f2d8659cd56c0595d96ac7fbb03adcc6000e40760062e7
SHA512384e5269ba21c749c9d320688d866e2047891744d4059767fb7e9230908016b9fc12fda4df20647555f6e68fafc5ffe2cbe0b780049de8c76c275c7cdb83a5c1
-
\Users\Admin\AppData\Local\Temp\Microsoft OneDrive.exeMD5
d682f703d4b78ad2c57d3fc91e40df9b
SHA149dfe802bf98c59eff10dbe8ec360ed53114bb6a
SHA25672611a2a7db8978d61f2d8659cd56c0595d96ac7fbb03adcc6000e40760062e7
SHA512384e5269ba21c749c9d320688d866e2047891744d4059767fb7e9230908016b9fc12fda4df20647555f6e68fafc5ffe2cbe0b780049de8c76c275c7cdb83a5c1
-
\Users\Admin\AppData\Local\Temp\Microsoft Toolkit.exeMD5
f2b6ef2a2ee8fe7819029dc06a69e7ba
SHA148a2429e9b17d91ff158dfdf896e62874c66bec7
SHA2560774dc41d6a7956a9e551e52db40944eed0362f60067faf7f08920e062df7108
SHA512cd6b22d2b82555a5db0bc00aa18f7195cd796e6f93036a13fcbd1b2eba981a83ef4247fd1836f703b4a900f375f93ecdac9c31a91ec6acfbf89f66653adb5ed9
-
memory/796-56-0x0000000075B11000-0x0000000075B13000-memory.dmpFilesize
8KB
-
memory/796-55-0x0000000000930000-0x00000000016CA000-memory.dmpFilesize
13.6MB
-
memory/796-57-0x00000000057F0000-0x00000000057F1000-memory.dmpFilesize
4KB
-
memory/796-54-0x0000000000930000-0x00000000016CA000-memory.dmpFilesize
13.6MB
-
memory/880-116-0x0000000000000000-mapping.dmp
-
memory/1068-111-0x0000000000000000-mapping.dmp
-
memory/1068-115-0x0000000000520000-0x0000000000521000-memory.dmpFilesize
4KB
-
memory/1328-63-0x00000000003C0000-0x00000000004C6000-memory.dmpFilesize
1.0MB
-
memory/1328-62-0x00000000003C0000-0x00000000004C6000-memory.dmpFilesize
1.0MB
-
memory/1328-65-0x0000000004DC0000-0x0000000004DC1000-memory.dmpFilesize
4KB
-
memory/1328-59-0x0000000000000000-mapping.dmp
-
memory/1416-125-0x0000000001F50000-0x0000000001F51000-memory.dmpFilesize
4KB
-
memory/1416-118-0x0000000000000000-mapping.dmp
-
memory/1416-126-0x0000000001F51000-0x0000000001F52000-memory.dmpFilesize
4KB
-
memory/1416-127-0x0000000001F52000-0x0000000001F54000-memory.dmpFilesize
8KB
-
memory/1472-67-0x0000000000000000-mapping.dmp
-
memory/1484-71-0x0000000000000000-mapping.dmp
-
memory/1544-117-0x0000000000000000-mapping.dmp
-
memory/1620-122-0x0000000000000000-mapping.dmp
-
memory/1644-108-0x000000001B872000-0x000000001B873000-memory.dmpFilesize
4KB
-
memory/1644-109-0x000000001B877000-0x000000001B896000-memory.dmpFilesize
124KB
-
memory/1644-73-0x0000000000000000-mapping.dmp
-
memory/1644-103-0x000000001CFD0000-0x000000001DF3E000-memory.dmpFilesize
15.4MB
-
memory/1644-82-0x00000000003E0000-0x000000000101E000-memory.dmpFilesize
12.2MB
-
memory/1644-87-0x000000001B870000-0x000000001B872000-memory.dmpFilesize
8KB
-
memory/1752-95-0x0000000000000000-mapping.dmp
-
memory/1752-104-0x0000000002400000-0x000000000304A000-memory.dmpFilesize
12.3MB
-
memory/1752-107-0x0000000002400000-0x000000000304A000-memory.dmpFilesize
12.3MB
-
memory/1896-98-0x0000000002380000-0x0000000002381000-memory.dmpFilesize
4KB
-
memory/1896-90-0x0000000000000000-mapping.dmp
-
memory/1896-99-0x0000000002381000-0x0000000002382000-memory.dmpFilesize
4KB
-
memory/1896-101-0x0000000002382000-0x0000000002384000-memory.dmpFilesize
8KB
-
memory/1904-89-0x0000000000000000-mapping.dmp
-
memory/2016-106-0x00000000023C0000-0x000000000300A000-memory.dmpFilesize
12.3MB
-
memory/2016-102-0x00000000023C0000-0x000000000300A000-memory.dmpFilesize
12.3MB
-
memory/2016-93-0x0000000000000000-mapping.dmp
-
memory/2016-105-0x00000000023C0000-0x000000000300A000-memory.dmpFilesize
12.3MB
-
memory/2024-88-0x0000000002472000-0x0000000002474000-memory.dmpFilesize
8KB
-
memory/2024-85-0x0000000002470000-0x0000000002471000-memory.dmpFilesize
4KB
-
memory/2024-76-0x0000000000000000-mapping.dmp
-
memory/2024-86-0x0000000002471000-0x0000000002472000-memory.dmpFilesize
4KB
-
memory/2032-84-0x00000000006A0000-0x00000000006A1000-memory.dmpFilesize
4KB
-
memory/2032-79-0x0000000000000000-mapping.dmp