Analysis

  • max time kernel
    154s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    25-06-2022 01:47

General

  • Target

    f2efdb91127d45b051573b56d5390401a0067eb015f2db95a65563dea235555e.exe

  • Size

    1.1MB

  • MD5

    6d2b7843f0e9168704d4c71108cfdc50

  • SHA1

    3fb8ed1bc9eb790af15c1f18486ac5461a44ed71

  • SHA256

    f2efdb91127d45b051573b56d5390401a0067eb015f2db95a65563dea235555e

  • SHA512

    56622c990c77363bf709cba7684dd484fe96b24aa2f8f68828b494d556bb73d800955fc080a9d6e24d5f4c7f3c39a11d49d2870e1f0869a6912ef36fa67df0b0

Malware Config

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f2efdb91127d45b051573b56d5390401a0067eb015f2db95a65563dea235555e.exe
    "C:\Users\Admin\AppData\Local\Temp\f2efdb91127d45b051573b56d5390401a0067eb015f2db95a65563dea235555e.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4776
    • C:\Users\Admin\AppData\Roaming\Data.exe
      "C:\Users\Admin\AppData\Roaming\Data.exe"
      2⤵
      • Executes dropped EXE
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4964
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Data.exe" "Data.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        PID:3112

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Data.exe
    Filesize

    1.1MB

    MD5

    6d2b7843f0e9168704d4c71108cfdc50

    SHA1

    3fb8ed1bc9eb790af15c1f18486ac5461a44ed71

    SHA256

    f2efdb91127d45b051573b56d5390401a0067eb015f2db95a65563dea235555e

    SHA512

    56622c990c77363bf709cba7684dd484fe96b24aa2f8f68828b494d556bb73d800955fc080a9d6e24d5f4c7f3c39a11d49d2870e1f0869a6912ef36fa67df0b0

  • C:\Users\Admin\AppData\Roaming\Data.exe
    Filesize

    1.1MB

    MD5

    6d2b7843f0e9168704d4c71108cfdc50

    SHA1

    3fb8ed1bc9eb790af15c1f18486ac5461a44ed71

    SHA256

    f2efdb91127d45b051573b56d5390401a0067eb015f2db95a65563dea235555e

    SHA512

    56622c990c77363bf709cba7684dd484fe96b24aa2f8f68828b494d556bb73d800955fc080a9d6e24d5f4c7f3c39a11d49d2870e1f0869a6912ef36fa67df0b0

  • memory/3112-142-0x0000000000000000-mapping.dmp
  • memory/4776-134-0x0000000005E40000-0x00000000063E4000-memory.dmp
    Filesize

    5.6MB

  • memory/4776-130-0x0000000000B20000-0x0000000000E9E000-memory.dmp
    Filesize

    3.5MB

  • memory/4776-133-0x00000000057F0000-0x000000000588C000-memory.dmp
    Filesize

    624KB

  • memory/4776-132-0x0000000000B20000-0x0000000000E9E000-memory.dmp
    Filesize

    3.5MB

  • memory/4776-138-0x0000000000B20000-0x0000000000E9E000-memory.dmp
    Filesize

    3.5MB

  • memory/4776-131-0x0000000000B20000-0x0000000000E9E000-memory.dmp
    Filesize

    3.5MB

  • memory/4964-135-0x0000000000000000-mapping.dmp
  • memory/4964-139-0x00000000007C0000-0x0000000000B3E000-memory.dmp
    Filesize

    3.5MB

  • memory/4964-140-0x00000000007C0000-0x0000000000B3E000-memory.dmp
    Filesize

    3.5MB

  • memory/4964-141-0x00000000007C0000-0x0000000000B3E000-memory.dmp
    Filesize

    3.5MB

  • memory/4964-143-0x00000000007C0000-0x0000000000B3E000-memory.dmp
    Filesize

    3.5MB

  • memory/4964-144-0x00000000058B0000-0x0000000005942000-memory.dmp
    Filesize

    584KB

  • memory/4964-145-0x0000000005820000-0x000000000582A000-memory.dmp
    Filesize

    40KB