Analysis

  • max time kernel
    151s
  • max time network
    172s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-11-2022 01:57

General

  • Target

    7156d13a234822f1eaa71c6569259e167935e0222aa03445dafe1901a10a57d8.exe

  • Size

    405KB

  • MD5

    7af03069fd2115cacf8f083f630d1518

  • SHA1

    0bc4fc8a383cabfd6c02c135cf09771a7abcbf97

  • SHA256

    7156d13a234822f1eaa71c6569259e167935e0222aa03445dafe1901a10a57d8

  • SHA512

    4d6968c35bef582715e22f3ac32fbe8b01e29443e4343701ff92c282890a800f16e64233ab422c106765a12928b92060a8e2c2ada48c85eedc9638c30d814c2b

  • SSDEEP

    12288:7u5Snj11m1HOPDq2Owbfjkx0ZkYLt9VkrefM:7eS51m1HOrZbfjpkYLt9erefM

Malware Config

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Executes dropped EXE 3 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 33 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7156d13a234822f1eaa71c6569259e167935e0222aa03445dafe1901a10a57d8.exe
    "C:\Users\Admin\AppData\Local\Temp\7156d13a234822f1eaa71c6569259e167935e0222aa03445dafe1901a10a57d8.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3836
    • C:\Users\Admin\AppData\Local\Temp\1.exe
      "C:\Users\Admin\AppData\Local\Temp\1.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4388
      • C:\Users\Admin\AppData\Local\Temp\Windows.exe
        "C:\Users\Admin\AppData\Local\Temp\Windows.exe"
        3⤵
        • Executes dropped EXE
        • Drops startup file
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2880
        • C:\Windows\SYSTEM32\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Windows.exe" "Windows.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          PID:960
    • C:\Users\Admin\AppData\Local\Temp\Mohamed Imad.exe
      "C:\Users\Admin\AppData\Local\Temp\Mohamed Imad.exe"
      2⤵
      • Executes dropped EXE
      PID:4924

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1.exe
    Filesize

    40KB

    MD5

    92a5e48d2bd8f1564564ae8173871501

    SHA1

    945faac7ca511007d9932a551782fc479dc15e0b

    SHA256

    8287b79e2dca526538a6671aa0ce91b359afe92d78afc225ebb4436c9eb3fde1

    SHA512

    bdd5a75db9308b8684fee3ef1444cb6f1c48abcb8d368c5c57c2b9380abada9bede573e05b6ea7aeb9cac5a02b420dee052b87eac7293152024e53b965231895

  • C:\Users\Admin\AppData\Local\Temp\Mohamed Imad.exe
    Filesize

    321KB

    MD5

    eb078d6d5bc16b89e4468019c55543f8

    SHA1

    0f0ef59a9e026075cc3c0ee2520e2a2ab3fd25a9

    SHA256

    47a52ad0963db103f1cf2b8967bc13c85646cd199569ecc9019a714e26d90af8

    SHA512

    56107bd229b585d56fff839598ebc503ed3cef9ca705b6e931a7331b363dd8a66d57f81bf1bb66e5ac496d4213f38ae7d2239ef2686161d07a97a18d7d25fd06

  • C:\Users\Admin\AppData\Local\Temp\Windows.exe
    Filesize

    40KB

    MD5

    92a5e48d2bd8f1564564ae8173871501

    SHA1

    945faac7ca511007d9932a551782fc479dc15e0b

    SHA256

    8287b79e2dca526538a6671aa0ce91b359afe92d78afc225ebb4436c9eb3fde1

    SHA512

    bdd5a75db9308b8684fee3ef1444cb6f1c48abcb8d368c5c57c2b9380abada9bede573e05b6ea7aeb9cac5a02b420dee052b87eac7293152024e53b965231895

  • memory/960-144-0x0000000000000000-mapping.dmp
  • memory/2880-143-0x00007FFBBB4D0000-0x00007FFBBBF06000-memory.dmp
    Filesize

    10.2MB

  • memory/2880-140-0x0000000000000000-mapping.dmp
  • memory/4388-132-0x0000000000000000-mapping.dmp
  • memory/4388-138-0x00007FFBBB4D0000-0x00007FFBBBF06000-memory.dmp
    Filesize

    10.2MB

  • memory/4924-135-0x0000000000000000-mapping.dmp
  • memory/4924-139-0x00007FFBBB4D0000-0x00007FFBBBF06000-memory.dmp
    Filesize

    10.2MB