e74eff68f4d855b3156a397f504cfae911707ead7faf77562973dde4411b4c71

Analysis

Target

porn.exe
Size

37KB
MD5

a0206c088475dfd1f4704cd44f06c36f
SHA1

caf554c3f8b74be701cda27d1ef472861a0e8955
SHA256

a6a5d9c990f65662ccf6888c02135c6f4e267ccd0fb1e5abbbf97fa0795bf54e
SHA512

ff6717f71fed88e5cae6dac48b6aa5b4ccb2fb20e6ae0850462d2512b2e72d6fbc78900fadc4d06a08dfaf14ae397b6654721ebee50b570764ae06191bdd610a

Score

10^/10

evasion suricata

suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)
suricata
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Remote Desktop)
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Remote Desktop)
suricata
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Remote Desktop)
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Remote Desktop)
suricata
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

3600 netsh.exe

pid	process
3600	netsh.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

porn.exe

description	pid	process
Token: SeDebugPrivilege	2672	porn.exe
Token: 33	2672	porn.exe
Token: SeIncBasePriorityPrivilege	2672	porn.exe
Token: 33	2672	porn.exe
Token: SeIncBasePriorityPrivilege	2672	porn.exe
Token: 33	2672	porn.exe
Token: SeIncBasePriorityPrivilege	2672	porn.exe
Token: 33	2672	porn.exe
Token: SeIncBasePriorityPrivilege	2672	porn.exe
Token: 33	2672	porn.exe
Token: SeIncBasePriorityPrivilege	2672	porn.exe
Token: 33	2672	porn.exe
Token: SeIncBasePriorityPrivilege	2672	porn.exe
Token: 33	2672	porn.exe
Token: SeIncBasePriorityPrivilege	2672	porn.exe
Token: 33	2672	porn.exe
Token: SeIncBasePriorityPrivilege	2672	porn.exe
Token: 33	2672	porn.exe
Token: SeIncBasePriorityPrivilege	2672	porn.exe
Token: 33	2672	porn.exe
Token: SeIncBasePriorityPrivilege	2672	porn.exe
Token: 33	2672	porn.exe
Token: SeIncBasePriorityPrivilege	2672	porn.exe
Token: 33	2672	porn.exe
Token: SeIncBasePriorityPrivilege	2672	porn.exe
Token: 33	2672	porn.exe
Token: SeIncBasePriorityPrivilege	2672	porn.exe
Token: 33	2672	porn.exe
Token: SeIncBasePriorityPrivilege	2672	porn.exe
Token: 33	2672	porn.exe
Token: SeIncBasePriorityPrivilege	2672	porn.exe
Token: 33	2672	porn.exe
Token: SeIncBasePriorityPrivilege	2672	porn.exe
Token: 33	2672	porn.exe
Token: SeIncBasePriorityPrivilege	2672	porn.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

porn.exe

description	pid	process	target process
PID 2672 wrote to memory of 3600	2672	porn.exe	netsh.exe
PID 2672 wrote to memory of 3600	2672	porn.exe	netsh.exe
PID 2672 wrote to memory of 3600	2672	porn.exe	netsh.exe

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\porn.exe" "porn.exe" ENABLE
2⤵
- Modifies Windows Firewall
PID:3600

Initial Access

Execution

Persistence

Modify Existing Service

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

memory/2672-130-0x00000000749D0000-0x0000000074F81000-memory.dmp

Filesize
5.7MB

Download
memory/2672-132-0x00000000749D0000-0x0000000074F81000-memory.dmp

Filesize
5.7MB

Download
memory/3600-131-0x0000000000000000-mapping.dmp

Download