Analysis
- max time kernel: 152s
- max time network: 178s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 11:11

Static task: static1

Behavioral task: behavioral1
  Sample: 2cd2d3823bacb5591d922756a072b4e934d42a471fce9fe2f5b2fd05fac0c660.ps1
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: 2cd2d3823bacb5591d922756a072b4e934d42a471fce9fe2f5b2fd05fac0c660.ps1
  Resource: win10v2004-20220414-en
General
- Target: 2cd2d3823bacb5591d922756a072b4e934d42a471fce9fe2f5b2fd05fac0c660.ps1
- Size: 360B
- MD5: cfd1923ef62eda51c93b8b3599941acd
- SHA1: ec8712a15560aa43ba4710ea574f5443ae5c5c5c
- SHA256: 2cd2d3823bacb5591d922756a072b4e934d42a471fce9fe2f5b2fd05fac0c660
- SHA512: 043f86e5448c4bcc941da02471797d3b863644502bdc36a9c97ab693b888eee2fafcf35e5ffbdce1afcaaf1b77869b50c49e49274ad7a0543b49a993d32ff5c6
Malware Config
Signatures
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
- Blocklisted process makes network request (12 IoCs)
  Processes: powershell.exe (pid 1684), flows 4, 7, 8, 9, 10, 11, 12, 13, 16, 17, 19, 20
- Modifies Windows Firewall (1 TTPs)
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: powershell.exe (pid 1684)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes (token, pid, process):
    SeDebugPrivilege            1684  powershell.exe
    33                          1684  powershell.exe
    SeIncBasePriorityPrivilege  1684  powershell.exe
    33                          1684  powershell.exe
    SeIncBasePriorityPrivilege  1684  powershell.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description, pid, process, target process):
    PID 1684 wrote to memory of 696  1684  powershell.exe  netsh.exe
    PID 1684 wrote to memory of 696  1684  powershell.exe  netsh.exe
    PID 1684 wrote to memory of 696  1684  powershell.exe  netsh.exe
Processes
1. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
   Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\2cd2d3823bacb5591d922756a072b4e934d42a471fce9fe2f5b2fd05fac0c660.ps1
   - Blocklisted process makes network request
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "powershell.exe" ENABLE
Downloads
- memory/696-59-0x0000000000000000-mapping.dmp
- memory/1684-54-0x000007FEFC021000-0x000007FEFC023000-memory.dmp (Filesize: 8KB)
- memory/1684-55-0x000007FEF3B00000-0x000007FEF465D000-memory.dmp (Filesize: 11.4MB)
- memory/1684-56-0x0000000002544000-0x0000000002547000-memory.dmp (Filesize: 12KB)
- memory/1684-57-0x000000000254B000-0x000000000256A000-memory.dmp (Filesize: 124KB)
- memory/1684-58-0x000007FEEE120000-0x000007FEEF1B6000-memory.dmp (Filesize: 16.6MB)