87ac8c78f79072416a0d38c7509602d28e367e990f31cbfaa667b59292391c99

General

Target

a359db2841e75ed24c3d39b7af55ea31.exe
Size

93KB
MD5

a359db2841e75ed24c3d39b7af55ea31
SHA1

db9b0ceb9ce3aca3403892f1b43e764891e3a047
SHA256

87ac8c78f79072416a0d38c7509602d28e367e990f31cbfaa667b59292391c99
SHA512

046d2048b43201fc6f739c7f5a29f98072cbe58a108e9d84354febc8cd402224be0525aab9c50fbe0893aa117b9172546f412c7ca13d58399b47a3aaabca5d67

Score

10^/10

evasion suricata

Malware Config

Signatures

suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

a359db2841e75ed24c3d39b7af55ea31.exe

pid process

1692 a359db2841e75ed24c3d39b7af55ea31.exe

pid	process
1692	a359db2841e75ed24c3d39b7af55ea31.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

Processes:

a359db2841e75ed24c3d39b7af55ea31.exe

description	pid	process
Token: SeDebugPrivilege	1692	a359db2841e75ed24c3d39b7af55ea31.exe
Token: 33	1692	a359db2841e75ed24c3d39b7af55ea31.exe
Token: SeIncBasePriorityPrivilege	1692	a359db2841e75ed24c3d39b7af55ea31.exe
Token: 33	1692	a359db2841e75ed24c3d39b7af55ea31.exe
Token: SeIncBasePriorityPrivilege	1692	a359db2841e75ed24c3d39b7af55ea31.exe
Token: 33	1692	a359db2841e75ed24c3d39b7af55ea31.exe
Token: SeIncBasePriorityPrivilege	1692	a359db2841e75ed24c3d39b7af55ea31.exe
Token: 33	1692	a359db2841e75ed24c3d39b7af55ea31.exe
Token: SeIncBasePriorityPrivilege	1692	a359db2841e75ed24c3d39b7af55ea31.exe
Token: 33	1692	a359db2841e75ed24c3d39b7af55ea31.exe
Token: SeIncBasePriorityPrivilege	1692	a359db2841e75ed24c3d39b7af55ea31.exe
Token: 33	1692	a359db2841e75ed24c3d39b7af55ea31.exe
Token: SeIncBasePriorityPrivilege	1692	a359db2841e75ed24c3d39b7af55ea31.exe
Token: 33	1692	a359db2841e75ed24c3d39b7af55ea31.exe
Token: SeIncBasePriorityPrivilege	1692	a359db2841e75ed24c3d39b7af55ea31.exe
Token: 33	1692	a359db2841e75ed24c3d39b7af55ea31.exe
Token: SeIncBasePriorityPrivilege	1692	a359db2841e75ed24c3d39b7af55ea31.exe
Token: 33	1692	a359db2841e75ed24c3d39b7af55ea31.exe
Token: SeIncBasePriorityPrivilege	1692	a359db2841e75ed24c3d39b7af55ea31.exe
Token: 33	1692	a359db2841e75ed24c3d39b7af55ea31.exe
Token: SeIncBasePriorityPrivilege	1692	a359db2841e75ed24c3d39b7af55ea31.exe
Token: 33	1692	a359db2841e75ed24c3d39b7af55ea31.exe
Token: SeIncBasePriorityPrivilege	1692	a359db2841e75ed24c3d39b7af55ea31.exe
Token: 33	1692	a359db2841e75ed24c3d39b7af55ea31.exe
Token: SeIncBasePriorityPrivilege	1692	a359db2841e75ed24c3d39b7af55ea31.exe
Token: 33	1692	a359db2841e75ed24c3d39b7af55ea31.exe
Token: SeIncBasePriorityPrivilege	1692	a359db2841e75ed24c3d39b7af55ea31.exe
Token: 33	1692	a359db2841e75ed24c3d39b7af55ea31.exe
Token: SeIncBasePriorityPrivilege	1692	a359db2841e75ed24c3d39b7af55ea31.exe
Token: 33	1692	a359db2841e75ed24c3d39b7af55ea31.exe
Token: SeIncBasePriorityPrivilege	1692	a359db2841e75ed24c3d39b7af55ea31.exe
Token: 33	1692	a359db2841e75ed24c3d39b7af55ea31.exe
Token: SeIncBasePriorityPrivilege	1692	a359db2841e75ed24c3d39b7af55ea31.exe
Token: 33	1692	a359db2841e75ed24c3d39b7af55ea31.exe
Token: SeIncBasePriorityPrivilege	1692	a359db2841e75ed24c3d39b7af55ea31.exe
Token: 33	1692	a359db2841e75ed24c3d39b7af55ea31.exe
Token: SeIncBasePriorityPrivilege	1692	a359db2841e75ed24c3d39b7af55ea31.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

a359db2841e75ed24c3d39b7af55ea31.exe

description	pid	process	target process
PID 1692 wrote to memory of 524	1692	a359db2841e75ed24c3d39b7af55ea31.exe	netsh.exe
PID 1692 wrote to memory of 524	1692	a359db2841e75ed24c3d39b7af55ea31.exe	netsh.exe
PID 1692 wrote to memory of 524	1692	a359db2841e75ed24c3d39b7af55ea31.exe	netsh.exe
PID 1692 wrote to memory of 524	1692	a359db2841e75ed24c3d39b7af55ea31.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\a359db2841e75ed24c3d39b7af55ea31.exe
"C:\Users\Admin\AppData\Local\Temp\a359db2841e75ed24c3d39b7af55ea31.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\a359db2841e75ed24c3d39b7af55ea31.exe" "a359db2841e75ed24c3d39b7af55ea31.exe" ENABLE
2⤵
PID:524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/524-56-0x0000000000000000-mapping.dmp

Download
memory/1692-54-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download
memory/1692-55-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing