3611560138463ba5b2438d8691410a642875230b8db788751826a7b495371e4c

General

Target

0x0009000000014aef-55.exe
Size

37KB
MD5

36e59be3c751683fc142c0ebd8d6a71d
SHA1

1e9632a2173588f606e6a354cdcbeddc91ab2c78
SHA256

3611560138463ba5b2438d8691410a642875230b8db788751826a7b495371e4c
SHA512

e20d3f2c0ad628aa137c7dfde3d77ae09628f725af5f590dd4ff052a65975e7f0aa5fa5cbfb417ce57f0d34a36dccac3333885e2f91125946f8a29db27316eeb

Score

10^/10

evasion persistence suricata

Malware Config

Signatures

suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)
suricata
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Remote Desktop)
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Remote Desktop)
suricata
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Remote Desktop)
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Remote Desktop)
suricata
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

3276 netsh.exe

pid	process
3276	netsh.exe

Drops startup file 2 IoCs

Processes:

0x0009000000014aef-55.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f61a5d905ecbb8c8be462972af515144.exe	0x0009000000014aef-55.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f61a5d905ecbb8c8be462972af515144.exe	0x0009000000014aef-55.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0x0009000000014aef-55.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f61a5d905ecbb8c8be462972af515144 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\0x0009000000014aef-55.exe\" .."	0x0009000000014aef-55.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\f61a5d905ecbb8c8be462972af515144 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\0x0009000000014aef-55.exe\" .."	0x0009000000014aef-55.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

0x0009000000014aef-55.exe

description	ioc	process
File created	C:\autorun.inf	0x0009000000014aef-55.exe
File opened for modification	C:\autorun.inf	0x0009000000014aef-55.exe
File created	D:\autorun.inf	0x0009000000014aef-55.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0x0009000000014aef-55.exe

pid	process
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe
2548	0x0009000000014aef-55.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

0x0009000000014aef-55.exe

pid process

2548 0x0009000000014aef-55.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

0x0009000000014aef-55.exe

description	pid	process
Token: SeDebugPrivilege	2548	0x0009000000014aef-55.exe
Token: 33	2548	0x0009000000014aef-55.exe
Token: SeIncBasePriorityPrivilege	2548	0x0009000000014aef-55.exe
Token: 33	2548	0x0009000000014aef-55.exe
Token: SeIncBasePriorityPrivilege	2548	0x0009000000014aef-55.exe
Token: 33	2548	0x0009000000014aef-55.exe
Token: SeIncBasePriorityPrivilege	2548	0x0009000000014aef-55.exe
Token: 33	2548	0x0009000000014aef-55.exe
Token: SeIncBasePriorityPrivilege	2548	0x0009000000014aef-55.exe
Token: 33	2548	0x0009000000014aef-55.exe
Token: SeIncBasePriorityPrivilege	2548	0x0009000000014aef-55.exe
Token: 33	2548	0x0009000000014aef-55.exe
Token: SeIncBasePriorityPrivilege	2548	0x0009000000014aef-55.exe
Token: 33	2548	0x0009000000014aef-55.exe
Token: SeIncBasePriorityPrivilege	2548	0x0009000000014aef-55.exe
Token: 33	2548	0x0009000000014aef-55.exe
Token: SeIncBasePriorityPrivilege	2548	0x0009000000014aef-55.exe
Token: 33	2548	0x0009000000014aef-55.exe
Token: SeIncBasePriorityPrivilege	2548	0x0009000000014aef-55.exe
Token: 33	2548	0x0009000000014aef-55.exe
Token: SeIncBasePriorityPrivilege	2548	0x0009000000014aef-55.exe
Token: 33	2548	0x0009000000014aef-55.exe
Token: SeIncBasePriorityPrivilege	2548	0x0009000000014aef-55.exe
Token: 33	2548	0x0009000000014aef-55.exe
Token: SeIncBasePriorityPrivilege	2548	0x0009000000014aef-55.exe
Token: 33	2548	0x0009000000014aef-55.exe
Token: SeIncBasePriorityPrivilege	2548	0x0009000000014aef-55.exe
Token: 33	2548	0x0009000000014aef-55.exe
Token: SeIncBasePriorityPrivilege	2548	0x0009000000014aef-55.exe
Token: 33	2548	0x0009000000014aef-55.exe
Token: SeIncBasePriorityPrivilege	2548	0x0009000000014aef-55.exe
Token: 33	2548	0x0009000000014aef-55.exe
Token: SeIncBasePriorityPrivilege	2548	0x0009000000014aef-55.exe
Token: 33	2548	0x0009000000014aef-55.exe
Token: SeIncBasePriorityPrivilege	2548	0x0009000000014aef-55.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

0x0009000000014aef-55.exe

description	pid	process	target process
PID 2548 wrote to memory of 3276	2548	0x0009000000014aef-55.exe	netsh.exe
PID 2548 wrote to memory of 3276	2548	0x0009000000014aef-55.exe	netsh.exe
PID 2548 wrote to memory of 3276	2548	0x0009000000014aef-55.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\0x0009000000014aef-55.exe
"C:\Users\Admin\AppData\Local\Temp\0x0009000000014aef-55.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops autorun.inf file
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2548

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\0x0009000000014aef-55.exe" "0x0009000000014aef-55.exe" ENABLE
2⤵
- Modifies Windows Firewall
PID:3276

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2548-130-0x0000000074C20000-0x00000000751D1000-memory.dmp

Filesize
5.7MB

Download
memory/2548-132-0x0000000074C20000-0x00000000751D1000-memory.dmp

Filesize
5.7MB

Download
memory/3276-131-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads