Analysis
-
max time kernel
137s -
max time network
243s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
02-10-2022 22:22
General
-
Target
a2ca2e6e2a347594ecaa90b1e380fd5ef6090968bcd4296ffc9b0f6d39c9c3dc.exe
-
Size
711KB
-
MD5
61ad9e5151fa5909d9e5ef8881b15870
-
SHA1
e6853896639f59c4fadc69fa5e025f50c5daab52
-
SHA256
a2ca2e6e2a347594ecaa90b1e380fd5ef6090968bcd4296ffc9b0f6d39c9c3dc
-
SHA512
a29ee9b434f148c3c43c0121e945493f6c86504019e9dfad5887a211bb561200674ddbf17d42ea1103e209b69045e872dd020f1dfa940c0c22522a2a60c3edd1
-
SSDEEP
12288:jhkDgouVA2nxKkorvdRgQriDwOIxmxiZnYQE7PJcE4agIe4wPx/K:pRmJkcoQricOIQxiZY1iagIhe/K
Malware Config
Signatures
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a2ca2e6e2a347594ecaa90b1e380fd5ef6090968bcd4296ffc9b0f6d39c9c3dc.exe"C:\Users\Admin\AppData\Local\Temp\a2ca2e6e2a347594ecaa90b1e380fd5ef6090968bcd4296ffc9b0f6d39c9c3dc.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\a2ca2e6e2a347594ecaa90b1e380fd5ef6090968bcd4296ffc9b0f6d39c9c3dc.exe"C:\Users\Admin\AppData\Local\Temp\a2ca2e6e2a347594ecaa90b1e380fd5ef6090968bcd4296ffc9b0f6d39c9c3dc.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=a2ca2e6e2a347594ecaa90b1e380fd5ef6090968bcd4296ffc9b0f6d39c9c3dc.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.03⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1492 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\SIZFUEWU.txtFilesize
597B
MD5b99209dc74b6f6da0cf1f3a33b32063b
SHA12a802d65acced93c2c801aa6d7fa5ee00de044fb
SHA25650a20a22744bafc2055450cbd53ec1f0ce4e6334ad0ae1a4fe13e10ec3fc6fd1
SHA512da97bf67a2bb8f716da043c0c81f713b6016a02f68158f9fbdca6f7a8434cc308bf4133717a5b8aea86795ae49d8de0d235e4ee8103bec728df7c3467689b907
-
memory/1584-55-0x0000000000400000-0x000000000040E000-memory.dmpFilesize
56KB
-
memory/1584-56-0x0000000000400000-0x000000000040E000-memory.dmpFilesize
56KB
-
memory/1584-58-0x0000000000400000-0x000000000040E000-memory.dmpFilesize
56KB
-
memory/1584-59-0x0000000000400000-0x000000000040E000-memory.dmpFilesize
56KB
-
memory/1584-60-0x0000000000400000-0x000000000040E000-memory.dmpFilesize
56KB
-
memory/1584-61-0x000000000040890E-mapping.dmp
-
memory/1584-64-0x0000000000402000-0x0000000000408A00-memory.dmpFilesize
26KB
-
memory/1584-63-0x0000000000402000-0x0000000000408A00-memory.dmpFilesize
26KB
-
memory/1968-54-0x00000000764D1000-0x00000000764D3000-memory.dmpFilesize
8KB