Analysis
- max time kernel: 104s
- max time network: 136s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220414-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-07-2022 17:08
Behavioral tasks
- behavioral1: sample bD15.exe, resource win7-20220414-en
- behavioral2: sample bD15.exe, resource win10v2004-20220414-en (the results below are from this task)
General
- Target: bD15.exe
- Size: 36KB
- MD5: b73984062282fbe1c09bb14415159a39
- SHA1: 106709e5611ba9bfae948c55c8ba1bd3195bf4f5
- SHA256: b873c4fa6ef7f4d56d1f347bd88468fed658fb77b948d50a6f1f719cbc4b781f
- SHA512: 8e905f8316adf5624b5ee33a73c736c4721c81e04107a7145e871c3430b35fdb6687edd4a82f9a6b464ccee3824de1dbac9ecb330418ec6fc6d5236f353a3629
Malware Config
Signatures
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
- suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)
- suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Remote Desktop)
- suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Remote Desktop)
  These are network IDS matches on the sandbox capture and identify the njRAT 0.7d command protocol. The "Callback Response" rule matches traffic in the controller-to-implant direction, which indicates the controller answered during the run. The C2 address itself is not included in this excerpt.
- Drops startup file (2 IoCs)
  Process: bD15.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Update.lnk (bD15.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Update.lnk (bD15.exe)
  A shortcut in the per-user Startup folder runs at every logon of that user without touching a Run key and without elevation; the "Windows Update" file name is picked to pass as a legitimate component.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Generic signature description: attempts to interact with connected storage/optical drive(s), which the sandbox labels as likely ransomware behaviour. On its own this is only drive enumeration and is not evidence of encryption activity.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: bD15.exe
  - Token: SeDebugPrivilege, PID 3624 (bD15.exe)
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: bD15.exe, cmd.exe
  - PID 3624 (bD15.exe) wrote to memory of PID 2152 (cmd.exe)
  - PID 3624 (bD15.exe) wrote to memory of PID 2152 (cmd.exe)
  - PID 2152 (cmd.exe) wrote to memory of PID 1468 (PING.EXE)
  - PID 2152 (cmd.exe) wrote to memory of PID 1468 (PING.EXE)
  Each write targets a child that the same process has just spawned, which is the ordinary parent-to-child write made during process creation; these entries are not evidence of injection into an unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\bD15.exe (PID 3624)
  Command line: "C:\Users\Admin\AppData\Local\Temp\bD15.exe"
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\cmd.exe (PID 2152, child of 3624)
    Command line: cmd.exe /c ping 0 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\bD15.exe" & exit
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\PING.EXE (PID 1468, child of 2152)
      Command line: ping 0 -n 3
      - Runs ping.exe

The cmd.exe chain is the usual self-delete idiom: ping is run purely as a crude sleep of a few seconds so that bD15.exe has exited and released its image before del removes the original from %TEMP%. The shortcut dropped in the Startup folder is what persists across logon; where it points is not shown in this excerpt. A cmd.exe whose command line contains both a ping/timeout delay and a del of its own parent's image path is a durable hunt for this pattern regardless of the sample's file name.
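As an added example (not part of the sandbox report or its vendor's tooling), the following Python turns the two host-side behaviours above, the Startup-folder .lnk drop and the ping-delay self-delete chain, into checks over process- and file-creation events such as Sysmon event IDs 1 and 11 or EDR process telemetry. The event schema, the regular expressions, the list of user-writable directories and the `timeout` variant of the delay are assumptions of this example; the event records are constructed to mirror the report's process tree, and the parent PID of bD15.exe, which the report does not give, is left as None.

```python
"""Triage checks modelled on this report's process tree and startup-file IoC.

  1. self_delete: a child cmd.exe whose command line delays with ping/timeout
     and then deletes its parent's own image (PID 3624 -> PID 2152 above);
  2. startup_persistence: a process running from a user-writable directory
     creating a .lnk in the per-user Startup folder ("Windows Update.lnk").

Event records are constructed to mirror the report, not exported from it.
"""
import re

# Delay primitives chained in front of a self-delete: "ping <host> -n N" (as in
# this report) or "timeout [/t] N" (a generalisation not seen in the report).
DELAY_RE = re.compile(
    r"\b(?:ping(?:\.exe)?\s+\S+\s+-n\s+\d+|timeout(?:\.exe)?\s+(?:/t\s+)?\d+)",
    re.IGNORECASE,
)
# "del <path>" / "erase <path>", quoted or not, ended by '&' or end of line.
DEL_RE = re.compile(r'\b(?:del|erase)\s+"?([^"&]+?)"?\s*(?:&|$)', re.IGNORECASE)

STARTUP_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup\\"
# Assumed set of locations a legitimate installer would not run from.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\downloads\\", "\\desktop\\")


def _norm(path):
    """Case-fold and normalise separators so paths from different sources compare."""
    return path.strip().strip('"').replace("/", "\\").lower()


def ping_delay_self_delete(cmdline, parent_image):
    """Return the deleted path if cmdline delays and then deletes the parent's image, else None."""
    if not DELAY_RE.search(cmdline):
        return None
    m = DEL_RE.search(cmdline)
    if not m:
        return None
    target = m.group(1)
    return target.strip() if _norm(target) == _norm(parent_image) else None


def startup_folder_drop(path, creator_image):
    """True if a .lnk lands in the per-user Startup folder from a user-writable creator."""
    p = _norm(path)
    if STARTUP_MARKER not in p or not p.endswith(".lnk"):
        return False
    img = _norm(creator_image)
    return any(marker in img for marker in USER_WRITABLE)


def triage(events):
    """Run both checks over process/file events; return (finding, pid, detail) tuples."""
    procs = {e["pid"]: e for e in events if e["kind"] == "process"}
    findings = []
    for e in events:
        if e["kind"] == "process":
            parent = procs.get(e.get("ppid"))
            if parent:
                target = ping_delay_self_delete(e["cmdline"], parent["image"])
                if target:
                    findings.append(("self_delete", e["pid"], target))
        elif e["kind"] == "file_create":
            creator = procs.get(e["pid"])
            if creator and startup_folder_drop(e["path"], creator["image"]):
                findings.append(("startup_persistence", e["pid"], e["path"]))
    return findings


# Constructed events reproducing the report's process tree and startup-file IoC.
SAMPLE_EVENTS = [
    {"kind": "process", "pid": 3624, "ppid": None,  # parent not given in the report
     "image": r"C:\Users\Admin\AppData\Local\Temp\bD15.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\bD15.exe"'},
    {"kind": "file_create", "pid": 3624,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Update.lnk"},
    {"kind": "process", "pid": 2152, "ppid": 3624,
     "image": r"C:\Windows\SYSTEM32\cmd.exe",
     "cmdline": r'cmd.exe /c ping 0 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\bD15.exe" & exit'},
    {"kind": "process", "pid": 1468, "ppid": 2152,
     "image": r"C:\Windows\system32\PING.EXE", "cmdline": "ping 0 -n 3"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(*finding)
```

Both checks key on relationships rather than names: the self-delete rule compares the del target against the parent's image path, so it fires for any dropper that uses the idiom, and the persistence rule looks at where the creating process runs from rather than at the shortcut's name.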