Analysis
max time kernel: 153s
max time network: 169s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 20-05-2022 22:15
Behavioral task: behavioral1
Sample: 5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
Resource: win7-20220414-en
Platform: windows7_x64
0 signatures
0 seconds
General
Target: 5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
Size: 31KB
MD5: e8c14a47cc53dd86138391651a09a4c7
SHA1: 5794068854ce62958b24b58ed87d1b5aedc2fd9d
SHA256: 5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad
SHA512: 7c0244e3b29cd0a36ab7c1a80da6d9898e3bf72bfa6814f37d130a4f03129e2e0c1873594ba46f487a5fcf28a57a9fb43d66fe8b67d91e045fdece0bc41b186e
Malware Config
Signatures
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
- Modifies Windows Firewall (1 TTPs)
- Suspicious use of AdjustPrivilegeToken (29 IoCs)
  Processes:
  description                        | pid  | process
  Token: SeDebugPrivilege            | 1932 | 5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
  Token: 33                          | 1932 | 5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
  Token: SeIncBasePriorityPrivilege  | 1932 | 5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
  Token: 33                          | 1932 | 5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
  Token: SeIncBasePriorityPrivilege  | 1932 | 5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
  Token: 33                          | 1932 | 5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
  Token: SeIncBasePriorityPrivilege  | 1932 | 5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
  Token: 33                          | 1932 | 5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
  Token: SeIncBasePriorityPrivilege  | 1932 | 5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
  Token: 33                          | 1932 | 5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
  Token: SeIncBasePriorityPrivilege  | 1932 | 5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
  Token: 33                          | 1932 | 5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
  Token: SeIncBasePriorityPrivilege  | 1932 | 5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
  Token: 33                          | 1932 | 5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
  Token: SeIncBasePriorityPrivilege  | 1932 | 5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
  Token: 33                          | 1932 | 5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
  Token: SeIncBasePriorityPrivilege  | 1932 | 5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
  Token: 33                          | 1932 | 5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
  Token: SeIncBasePriorityPrivilege  | 1932 | 5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
  Token: 33                          | 1932 | 5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
  Token: SeIncBasePriorityPrivilege  | 1932 | 5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
  Token: 33                          | 1932 | 5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
  Token: SeIncBasePriorityPrivilege  | 1932 | 5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
  Token: 33                          | 1932 | 5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
  Token: SeIncBasePriorityPrivilege  | 1932 | 5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
  Token: 33                          | 1932 | 5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
  Token: SeIncBasePriorityPrivilege  | 1932 | 5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
  Token: 33                          | 1932 | 5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
  Token: SeIncBasePriorityPrivilege  | 1932 | 5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description                       | pid  | process                                                               | target process
  PID 1932 wrote to memory of 4044  | 1932 | 5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe | netsh.exe
  PID 1932 wrote to memory of 4044  | 1932 | 5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe | netsh.exe
  PID 1932 wrote to memory of 4044  | 1932 | 5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe | netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe"
  PID: 1932
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe" "5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe" ENABLE
    PID: 4044