Analysis

  • max time kernel
    176s
  • max time network
    211s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/11/2022, 03:10

General

  • Target

    5222f5ab1dcd71b05e9fd64294b883aa9d165c5c69b2898dcce35f8817207e71.exe

  • Size

    193KB

  • MD5

    9502fb2e99a4b7337c03cda4a4eb735d

  • SHA1

    ff931760a5543367657dcfcae84be3d690a01ea9

  • SHA256

    5222f5ab1dcd71b05e9fd64294b883aa9d165c5c69b2898dcce35f8817207e71

  • SHA512

    8bfa415dbc0b9d3fe0051f39d4b75504114bf96b4fdaf40e9df10ea968fb12e0c29a287524a4cb333195db37bd6aa8209d4720cec37b2a4e7517db9a5e1c8944

  • SSDEEP

    3072:y8oXhlmg2AEr8QXmQ7HP0Rj/HU4GHvgmCQ+/G2dT2Ir8QZGpx:ZoXhlmgurhmMHqj/0vgmr+FTV

Malware Config

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5222f5ab1dcd71b05e9fd64294b883aa9d165c5c69b2898dcce35f8817207e71.exe
    "C:\Users\Admin\AppData\Local\Temp\5222f5ab1dcd71b05e9fd64294b883aa9d165c5c69b2898dcce35f8817207e71.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:372
    • C:\Users\Admin\AppData\Local\Temp\googli.exe
      "C:\Users\Admin\AppData\Local\Temp\googli.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5056
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\googli.exe" "googli.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        PID:1328

Network

MITRE ATT&CK Enterprise v6

Downloads

        • C:\Users\Admin\AppData\Local\Temp\googli.exe

          Filesize

          193KB

          MD5

          9502fb2e99a4b7337c03cda4a4eb735d

          SHA1

          ff931760a5543367657dcfcae84be3d690a01ea9

          SHA256

          5222f5ab1dcd71b05e9fd64294b883aa9d165c5c69b2898dcce35f8817207e71

          SHA512

          8bfa415dbc0b9d3fe0051f39d4b75504114bf96b4fdaf40e9df10ea968fb12e0c29a287524a4cb333195db37bd6aa8209d4720cec37b2a4e7517db9a5e1c8944

        • memory/372-132-0x0000000074A00000-0x0000000074FB1000-memory.dmp

          Filesize

          5.7MB

        • memory/372-133-0x0000000074A00000-0x0000000074FB1000-memory.dmp

          Filesize

          5.7MB

        • memory/372-137-0x0000000074A00000-0x0000000074FB1000-memory.dmp

          Filesize

          5.7MB

        • memory/5056-138-0x0000000074A00000-0x0000000074FB1000-memory.dmp

          Filesize

          5.7MB

        • memory/5056-139-0x0000000074A00000-0x0000000074FB1000-memory.dmp

          Filesize

          5.7MB