Analysis
-
max time kernel
151s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
25-11-2022 06:59
General
-
Target
d6292ffdb4fa80ec04e6ebd87f416da5521545fa200e7dfbcb636d8a323f9ed3.exe
-
Size
30KB
-
MD5
5fcdd3650009a565f795bc12d0adc5a8
-
SHA1
66a5a4ee24e9eadfd02605b6a2e80b89027b4bdc
-
SHA256
d6292ffdb4fa80ec04e6ebd87f416da5521545fa200e7dfbcb636d8a323f9ed3
-
SHA512
5395db318cc5f64b73b5bb37b041fa3a7e787cecabe1fd6f5b5712f0891ed404068ce40973f946ad50f5e6d8aa627373a28c2141b715cd19905e2c276a5aa4ad
-
SSDEEP
384:xNG9iDrHrbJ6kA6g8tOpaz5pHEdKw/8aUZJfcKMr57WiEIxgE26PaMUbiQvIw7Do:PJA69J5JSn7gigKUbTD
Malware Config
Signatures
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Executes dropped EXE 1 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 45 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d6292ffdb4fa80ec04e6ebd87f416da5521545fa200e7dfbcb636d8a323f9ed3.exe"C:\Users\Admin\AppData\Local\Temp\d6292ffdb4fa80ec04e6ebd87f416da5521545fa200e7dfbcb636d8a323f9ed3.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\svhost.exe"C:\Users\Admin\AppData\Roaming\svhost.exe"2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svhost.exe" "svhost.exe" ENABLE3⤵
- Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\svhost.exeFilesize
30KB
MD55fcdd3650009a565f795bc12d0adc5a8
SHA166a5a4ee24e9eadfd02605b6a2e80b89027b4bdc
SHA256d6292ffdb4fa80ec04e6ebd87f416da5521545fa200e7dfbcb636d8a323f9ed3
SHA5125395db318cc5f64b73b5bb37b041fa3a7e787cecabe1fd6f5b5712f0891ed404068ce40973f946ad50f5e6d8aa627373a28c2141b715cd19905e2c276a5aa4ad
-
C:\Users\Admin\AppData\Roaming\svhost.exeFilesize
30KB
MD55fcdd3650009a565f795bc12d0adc5a8
SHA166a5a4ee24e9eadfd02605b6a2e80b89027b4bdc
SHA256d6292ffdb4fa80ec04e6ebd87f416da5521545fa200e7dfbcb636d8a323f9ed3
SHA5125395db318cc5f64b73b5bb37b041fa3a7e787cecabe1fd6f5b5712f0891ed404068ce40973f946ad50f5e6d8aa627373a28c2141b715cd19905e2c276a5aa4ad
-
memory/1476-136-0x0000000000000000-mapping.dmp
-
memory/4800-133-0x0000000000000000-mapping.dmp
-
memory/4800-138-0x00000000747D0000-0x0000000074D81000-memory.dmpFilesize
5.7MB
-
memory/4800-139-0x00000000747D0000-0x0000000074D81000-memory.dmpFilesize
5.7MB
-
memory/4880-132-0x00000000747D0000-0x0000000074D81000-memory.dmpFilesize
5.7MB
-
memory/4880-137-0x00000000747D0000-0x0000000074D81000-memory.dmpFilesize
5.7MB