Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    27-05-2022 14:37

General

  • Target

    a5b3dd8d83d63498c52d938f63eb61bf.exe

  • Size

    37KB

  • MD5

    a5b3dd8d83d63498c52d938f63eb61bf

  • SHA1

    6a07038608774231386f436ba4ca7063abf28078

  • SHA256

    45bb2795caac14d2915644b8c6aed568a8681dd12cab779e5bb535cc03a95a34

  • SHA512

    0e75a66c7366a6e0d5b05d45c453fab73c37e9376c2865ccc0741d7323d6568410e5a20e2d0c16801995028b0173edcb8ee58653b9874a3a351df6167666d745

Malware Config

Signatures

  • suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

    suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

  • Modifies Windows Firewall 1 TTPs
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a5b3dd8d83d63498c52d938f63eb61bf.exe
    "C:\Users\Admin\AppData\Local\Temp\a5b3dd8d83d63498c52d938f63eb61bf.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:740
    • C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\a5b3dd8d83d63498c52d938f63eb61bf.exe" "a5b3dd8d83d63498c52d938f63eb61bf.exe" ENABLE
      2⤵
        PID:4144

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/740-130-0x0000000075300000-0x00000000758B1000-memory.dmp

      Filesize

      5.7MB

    • memory/4144-131-0x0000000000000000-mapping.dmp