Analysis

  • max time kernel
    154s
  • max time network
    157s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    29-01-2022 06:35

General

  • Target

    7256a118217803dea652821dd232e8996e49759302283574e13fca80a0d5712e.exe

  • Size

    272KB

  • MD5

    932fbbeb7fe9a994417e41240d0177d9

  • SHA1

    d6165f4bc59dceeb6bcaf873258d8b0f0a664f74

  • SHA256

    7256a118217803dea652821dd232e8996e49759302283574e13fca80a0d5712e

  • SHA512

    a2c2a39a2c7c8129e79aa8aceb52c63d8c5345ed54b7355483611778dea7d58a4661e6abc1ea54f6700bc2a64760bfc3f4ccbbfaf911c2f26bff9a8c825100d8

Score
10/10

Malware Config

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall 1 TTPs
  • Suspicious use of AdjustPrivilegeToken 33 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7256a118217803dea652821dd232e8996e49759302283574e13fca80a0d5712e.exe
    "C:\Users\Admin\AppData\Local\Temp\7256a118217803dea652821dd232e8996e49759302283574e13fca80a0d5712e.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:676
    • C:\Windows\SYSTEM32\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\7256a118217803dea652821dd232e8996e49759302283574e13fca80a0d5712e.exe" "7256a118217803dea652821dd232e8996e49759302283574e13fca80a0d5712e.exe" ENABLE
      2⤵
        PID:2008

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/676-118-0x0000000001330000-0x0000000001332000-memory.dmp

      Filesize

      8KB