Analysis

  • max time kernel
    137s
  • max time network
    243s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    02-10-2022 22:22

General

  • Target

    a2ca2e6e2a347594ecaa90b1e380fd5ef6090968bcd4296ffc9b0f6d39c9c3dc.exe

  • Size

    711KB

  • MD5

    61ad9e5151fa5909d9e5ef8881b15870

  • SHA1

    e6853896639f59c4fadc69fa5e025f50c5daab52

  • SHA256

    a2ca2e6e2a347594ecaa90b1e380fd5ef6090968bcd4296ffc9b0f6d39c9c3dc

  • SHA512

    a29ee9b434f148c3c43c0121e945493f6c86504019e9dfad5887a211bb561200674ddbf17d42ea1103e209b69045e872dd020f1dfa940c0c22522a2a60c3edd1

  • SSDEEP

    12288:jhkDgouVA2nxKkorvdRgQriDwOIxmxiZnYQE7PJcE4agIe4wPx/K:pRmJkcoQricOIQxiZY1iagIhe/K

Score
10/10

Malware Config

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Suspicious use of SetThreadContext ⋅ 1 IoCs
  • Enumerates physical storage devices ⋅ 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings ⋅ 1 TTPs 34 IoCs
  • Suspicious use of FindShellTrayWindow ⋅ 1 IoCs
  • Suspicious use of SetWindowsHookEx ⋅ 6 IoCs
  • Suspicious use of WriteProcessMemory ⋅ 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a2ca2e6e2a347594ecaa90b1e380fd5ef6090968bcd4296ffc9b0f6d39c9c3dc.exe
    "C:\Users\Admin\AppData\Local\Temp\a2ca2e6e2a347594ecaa90b1e380fd5ef6090968bcd4296ffc9b0f6d39c9c3dc.exe"
    Suspicious use of SetThreadContext
    Suspicious use of WriteProcessMemory
    PID:1968
    • C:\Users\Admin\AppData\Local\Temp\a2ca2e6e2a347594ecaa90b1e380fd5ef6090968bcd4296ffc9b0f6d39c9c3dc.exe
      "C:\Users\Admin\AppData\Local\Temp\a2ca2e6e2a347594ecaa90b1e380fd5ef6090968bcd4296ffc9b0f6d39c9c3dc.exe"
      Suspicious use of WriteProcessMemory
      PID:1584
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=a2ca2e6e2a347594ecaa90b1e380fd5ef6090968bcd4296ffc9b0f6d39c9c3dc.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        PID:1492
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1492 CREDAT:275457 /prefetch:2
          Modifies Internet Explorer settings
          Suspicious use of SetWindowsHookEx
          PID:1884

Network

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

        Execution

          Exfiltration

            Impact

              Initial Access

                Lateral Movement

                  Persistence

                    Privilege Escalation

                      Replay Monitor

                      00:00 00:00

                      Downloads

                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\SIZFUEWU.txt
                        MD5

                        b99209dc74b6f6da0cf1f3a33b32063b

                        SHA1

                        2a802d65acced93c2c801aa6d7fa5ee00de044fb

                        SHA256

                        50a20a22744bafc2055450cbd53ec1f0ce4e6334ad0ae1a4fe13e10ec3fc6fd1

                        SHA512

                        da97bf67a2bb8f716da043c0c81f713b6016a02f68158f9fbdca6f7a8434cc308bf4133717a5b8aea86795ae49d8de0d235e4ee8103bec728df7c3467689b907

                      • memory/1584-55-0x0000000000400000-0x000000000040E000-memory.dmp
                      • memory/1584-56-0x0000000000400000-0x000000000040E000-memory.dmp
                      • memory/1584-58-0x0000000000400000-0x000000000040E000-memory.dmp
                      • memory/1584-59-0x0000000000400000-0x000000000040E000-memory.dmp
                      • memory/1584-60-0x0000000000400000-0x000000000040E000-memory.dmp
                      • memory/1584-61-0x000000000040890E-mapping.dmp
                      • memory/1584-64-0x0000000000402000-0x0000000000408A00-memory.dmp
                      • memory/1584-63-0x0000000000402000-0x0000000000408A00-memory.dmp
                      • memory/1968-54-0x00000000764D1000-0x00000000764D3000-memory.dmp