Analysis
- max time kernel: 144s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 13-06-2022 21:31
Behavioral task: behavioral1
- Sample: porn.exe
- Resource: win7-20220414-en
- windows7_x64
- 0 signatures
- 0 seconds
General
- Target: porn.exe
- Size: 37KB
- MD5: a0206c088475dfd1f4704cd44f06c36f
- SHA1: caf554c3f8b74be701cda27d1ef472861a0e8955
- SHA256: a6a5d9c990f65662ccf6888c02135c6f4e267ccd0fb1e5abbbf97fa0795bf54e
- SHA512: ff6717f71fed88e5cae6dac48b6aa5b4ccb2fb20e6ae0850462d2512b2e72d6fbc78900fadc4d06a08dfaf14ae397b6654721ebee50b570764ae06191bdd610a
Malware Config
Signatures
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
- suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)
- suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Remote Desktop)
- suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Remote Desktop)
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
Processes:
description                          pid   process
Token: SeDebugPrivilege              2672  porn.exe
Token: 33                            2672  porn.exe
Token: SeIncBasePriorityPrivilege    2672  porn.exe
Token: 33                            2672  porn.exe
Token: SeIncBasePriorityPrivilege    2672  porn.exe
Token: 33                            2672  porn.exe
Token: SeIncBasePriorityPrivilege    2672  porn.exe
Token: 33                            2672  porn.exe
Token: SeIncBasePriorityPrivilege    2672  porn.exe
Token: 33                            2672  porn.exe
Token: SeIncBasePriorityPrivilege    2672  porn.exe
Token: 33                            2672  porn.exe
Token: SeIncBasePriorityPrivilege    2672  porn.exe
Token: 33                            2672  porn.exe
Token: SeIncBasePriorityPrivilege    2672  porn.exe
Token: 33                            2672  porn.exe
Token: SeIncBasePriorityPrivilege    2672  porn.exe
Token: 33                            2672  porn.exe
Token: SeIncBasePriorityPrivilege    2672  porn.exe
Token: 33                            2672  porn.exe
Token: SeIncBasePriorityPrivilege    2672  porn.exe
Token: 33                            2672  porn.exe
Token: SeIncBasePriorityPrivilege    2672  porn.exe
Token: 33                            2672  porn.exe
Token: SeIncBasePriorityPrivilege    2672  porn.exe
Token: 33                            2672  porn.exe
Token: SeIncBasePriorityPrivilege    2672  porn.exe
Token: 33                            2672  porn.exe
Token: SeIncBasePriorityPrivilege    2672  porn.exe
Token: 33                            2672  porn.exe
Token: SeIncBasePriorityPrivilege    2672  porn.exe
Token: 33                            2672  porn.exe
Token: SeIncBasePriorityPrivilege    2672  porn.exe
Token: 33                            2672  porn.exe
Token: SeIncBasePriorityPrivilege    2672  porn.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
description                        pid   process   target process
PID 2672 wrote to memory of 3600   2672  porn.exe  netsh.exe
PID 2672 wrote to memory of 3600   2672  porn.exe  netsh.exe
PID 2672 wrote to memory of 3600   2672  porn.exe  netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\porn.exe
  "C:\Users\Admin\AppData\Local\Temp\porn.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\porn.exe" "porn.exe" ENABLE
    - Modifies Windows Firewall