Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 26-06-2022 15:26
Behavioral task: behavioral1
- Sample: 2978ed952b83e0992f04bd692e344720.exe
- Resource: win7-20220414-en
- 0 signatures
- 0 seconds
General
- Target: 2978ed952b83e0992f04bd692e344720.exe
- Size: 37KB
- MD5: 2978ed952b83e0992f04bd692e344720
- SHA1: 5dedd79943ac2dcf8a67a3aefc31c95a92dae479
- SHA256: e8d1c6bfe908c18008df4d62237f4f4aecd47113870c5b12f197f8296c0316d7
- SHA512: 032cfb62a13b73593378679617eeb0ba42878d4543e6e1eb866821112ff24bba5046e0bb01afd3edbd970057b93bfdb40290f8d8c0a482a65caafeb35ea0435a
Malware Config
Signatures
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes: 2978ed952b83e0992f04bd692e344720.exe

  description                          pid   process
  Token: SeDebugPrivilege              2336  2978ed952b83e0992f04bd692e344720.exe
  Token: 33                            2336  2978ed952b83e0992f04bd692e344720.exe
  Token: SeIncBasePriorityPrivilege    2336  2978ed952b83e0992f04bd692e344720.exe
  (the last two rows alternate, 17 occurrences of each; 35 entries in total, all from pid 2336)

- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: 2978ed952b83e0992f04bd692e344720.exe

  description                        pid   process                               target process
  PID 2336 wrote to memory of 3172   2336  2978ed952b83e0992f04bd692e344720.exe  netsh.exe
  PID 2336 wrote to memory of 3172   2336  2978ed952b83e0992f04bd692e344720.exe  netsh.exe
  PID 2336 wrote to memory of 3172   2336  2978ed952b83e0992f04bd692e344720.exe  netsh.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\2978ed952b83e0992f04bd692e344720.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2978ed952b83e0992f04bd692e344720.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\netsh.exe (spawned by process 1)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\2978ed952b83e0992f04bd692e344720.exe" "2978ed952b83e0992f04bd692e344720.exe" ENABLE
      - Modifies Windows Firewall