Analysis

Max time kernel: 145s
Max time network: 147s
Platform: windows7_x64
Resource: win7-20220414-en
Submitted: 13-06-2022 21:31

Behavioral task: behavioral1
Sample: porn.exe
Resource: win7-20220414-en (windows7_x64)
General

Target: porn.exe
Size: 37KB
MD5: a0206c088475dfd1f4704cd44f06c36f
SHA1: caf554c3f8b74be701cda27d1ef472861a0e8955
SHA256: a6a5d9c990f65662ccf6888c02135c6f4e267ccd0fb1e5abbbf97fa0795bf54e
SHA512: ff6717f71fed88e5cae6dac48b6aa5b4ccb2fb20e6ae0850462d2512b2e72d6fbc78900fadc4d06a08dfaf14ae397b6654721ebee50b570764ae06191bdd610a
Malware Config
Signatures

- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
- suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (21 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege / 1088 / porn.exe
  - Token: 33 / 1088 / porn.exe, then Token: SeIncBasePriorityPrivilege / 1088 / porn.exe (this pair repeats 10 times, 21 entries in total)
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description / pid / process / target process):
  - PID 1088 wrote to memory of 808 / 1088 / porn.exe / netsh.exe (4 identical entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\porn.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\porn.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\netsh.exe (child of 1)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\porn.exe" "porn.exe" ENABLE
      - Modifies Windows Firewall
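The netsh child process is the sample adding itself to the Windows Firewall exception list: the legacy `netsh firewall` context (superseded by `netsh advfirewall`, but still present on Windows 7) grants the named program inbound access, and the program being allowed is the parent process itself, running from the user's Temp directory. That combination is the detection opportunity. The following is an added example, not part of the sandbox report or of the sample: a Python hunt over constructed Sysmon-style process-creation records (the field names `pid`/`image`/`parent_image`/`cmdline`, the sample events and the list of user-writable path markers are assumptions made for illustration) that parses both the legacy `allowedprogram` syntax and the `advfirewall ... program=` syntax, flags exceptions granted to binaries in user-writable locations, and adds a second, stronger reason when the parent process is whitelisting itself.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-creation records (Event ID 1 fields), not taken
# from the sandbox run. The first reproduces the netsh call seen in the report;
# the rest are benign or borderline controls so the logic has something to reject.
SAMPLE_EVENTS = [
    {"pid": 808, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "parent_pid": 1088, "parent_image": r"C:\Users\Admin\AppData\Local\Temp\porn.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\porn.exe" "porn.exe" ENABLE'},
    {"pid": 912, "image": r"C:\Windows\System32\netsh.exe",
     "parent_pid": 500, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="Word" dir=in action=allow program="C:\Program Files\Microsoft Office\winword.exe"'},
    {"pid": 913, "image": r"C:\Windows\System32\netsh.exe",
     "parent_pid": 500, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "netsh interface show interface"},
    {"pid": 914, "image": r"C:\Windows\System32\netsh.exe",
     "parent_pid": 500, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="Updater" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\updater.exe"'},
    {"pid": 1088, "image": r"C:\Users\Admin\AppData\Local\Temp\porn.exe",
     "parent_pid": 500, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\porn.exe"'},
]

# A token is a run of non-space text in which double-quoted segments may contain
# spaces, so both "C:\Temp\x.exe" and program="C:\Program Files\x.exe" survive as
# single tokens. Windows command lines do not treat backslash as an escape, so
# shlex is deliberately not used.
TOKEN_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')

# Locations an unprivileged user can write to (assumed list for this example); a
# firewall exception for a binary here is far more suspicious than one for
# something under Program Files.
USER_WRITABLE_MARKERS = (
    "\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\windows\\temp\\",
)


def tokenize(cmdline):
    return [t.replace('"', "") for t in TOKEN_RE.findall(cmdline)]


def allowed_program(cmdline):
    """Return the program path a netsh command asks the firewall to allow, or None.

    Understands the legacy 'netsh firewall add allowedprogram <path> <name> ENABLE'
    form used in this run (and its program=<path> keyword variant) and the
    'netsh advfirewall firewall add rule ... program=<path>' form.
    """
    toks = tokenize(cmdline)
    low = [t.lower() for t in toks]
    if "firewall" in low and "add" in low and "allowedprogram" in low:
        rest = toks[low.index("allowedprogram") + 1:]
        for t in rest:
            if t.lower().startswith("program="):
                return t.split("=", 1)[1]
        return rest[0] if rest else None
    if "advfirewall" in low and "add" in low and "rule" in low:
        for t in toks:
            if t.lower().startswith("program="):
                return t.split("=", 1)[1]
    return None


def in_user_writable_path(path):
    p = path.lower().replace("/", "\\")
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def assess(event):
    """Return the reasons a process-creation event looks like self-whitelisting.

    An empty list means the event is not a netsh firewall exception, or the
    exception is for a binary in a protected location created by an unrelated
    parent.
    """
    if PureWindowsPath(event["image"]).name.lower() != "netsh.exe":
        return []
    prog = allowed_program(event["cmdline"])
    if prog is None:
        return []
    reasons = []
    if in_user_writable_path(prog):
        reasons.append(f"exception for binary in user-writable path: {prog}")
    # PureWindowsPath comparison is case-insensitive, as the filesystem is.
    if PureWindowsPath(event.get("parent_image", "")) == PureWindowsPath(prog):
        reasons.append(f"parent {event['parent_image']} (pid {event['parent_pid']}) is whitelisting itself")
    return reasons


def hunt(events):
    """Return [(pid, reasons)] for every event that triggers at least one reason."""
    hits = []
    for ev in events:
        reasons = assess(ev)
        if reasons:
            hits.append((ev["pid"], reasons))
    return hits


if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_EVENTS):
        print(f"pid {pid}:")
        for r in reasons:
            print(f"  - {r}")
```

Run against the constructed events, only pid 808 (the netsh call from this report) produces both reasons; the advfirewall rule for a binary under AppData\Roaming is flagged on the path alone, and the Program Files rule and the non-firewall netsh invocation are rejected. In a real deployment the same two checks map directly onto Sysmon Event ID 1 fields (Image, ParentImage, CommandLine), and the self-whitelisting reason is the one worth alerting on by itself.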
Downloads

- memory/808-56-0x0000000000000000-mapping.dmp
- memory/1088-54-0x0000000075D21000-0x0000000075D23000-memory.dmp (8KB)
- memory/1088-55-0x00000000742D0000-0x000000007487B000-memory.dmp (5.7MB)
- memory/1088-58-0x00000000742D0000-0x000000007487B000-memory.dmp (5.7MB)