Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
-
submitted
06-06-2023 01:12
General
-
Target
2f5e7c5c9f1f697bfeb2341ce42743172950f1edacf9ca503328364354bca3b3.exe
-
Size
863KB
-
MD5
426937c153dd506951c7f40a94094c48
-
SHA1
fb1e60c760f716e3058e3187d701899ba136d6a2
-
SHA256
2f5e7c5c9f1f697bfeb2341ce42743172950f1edacf9ca503328364354bca3b3
-
SHA512
4404e37eced0a0bfa8255e6549d0b9212cd7fd3be87b012879bbf9898b7ffa36d28c27525f4d2b9edc64100ab29e302afe4bbd2594f3810ad4e1701b13405103
-
SSDEEP
24576:Zjy6Akw+amJpYfdwzcfeJs9ReYWCW8kCt9g7:w6Akwhm0fdXO/D8j
Malware Config
Signatures
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 6 IoCs
-
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 28 IoCs
-
Suspicious use of AdjustPrivilegeToken 26 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2f5e7c5c9f1f697bfeb2341ce42743172950f1edacf9ca503328364354bca3b3.exe"C:\Users\Admin\AppData\Local\Temp\2f5e7c5c9f1f697bfeb2341ce42743172950f1edacf9ca503328364354bca3b3.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Set-UP.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Set-UP.exe2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Drops desktop.ini file(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WindowsDefenderUpdates.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WindowsDefenderUpdates.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\WindowsDefenderUpdates.exe"C:\Users\Admin\AppData\Roaming\WindowsDefenderUpdates.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\WindowsDefenderUpdates.exe" "WindowsDefenderUpdates.exe" ENABLE4⤵
- Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\WindowsDefenderUpdates.exe.logFilesize
319B
MD5824ba7b7eed8b900a98dd25129c4cd83
SHA154478770b2158000ef365591d42977cb854453a1
SHA256d182dd648c92e41cd62dccc65f130c07f0a96c03b32f907c3d1218e9aa5bda03
SHA512ae4f3a9673711ecb6cc5d06874c587341d5094803923b53b6e982278fa64549d7acf866de165e23750facd55da556b6794c0d32f129f4087529c73acd4ffb11e
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Set-UP.exeFilesize
1.0MB
MD53398c825546a8f031901e1e31b6304e7
SHA1ca8e0b923acf197f7cfe12c7e1b8a81087c10b40
SHA2561a59d39530e38660cc483a1b5a090036206db446ac8573f1a2ec76ba4d3e2858
SHA512ca404a7e26a586597242b51bb145b38157ab3414627e2d7168f3124b3caf9785d58e1628832a8a15bef7192a88e4fb5404b65684efc6d7d2e43c7f5d54dc270e
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Set-UP.exeFilesize
1.0MB
MD53398c825546a8f031901e1e31b6304e7
SHA1ca8e0b923acf197f7cfe12c7e1b8a81087c10b40
SHA2561a59d39530e38660cc483a1b5a090036206db446ac8573f1a2ec76ba4d3e2858
SHA512ca404a7e26a586597242b51bb145b38157ab3414627e2d7168f3124b3caf9785d58e1628832a8a15bef7192a88e4fb5404b65684efc6d7d2e43c7f5d54dc270e
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WindowsDefenderUpdates.exeFilesize
160KB
MD58d990a112e2f4ce70e630dda9a1060b4
SHA16ea9f72e30dc042eda02424a7151ed1cbcf5a35f
SHA2563fdf1066e3b5085246f0d060dbb64c46019244b20d8da8b4d12a941e4dcc95af
SHA51235fef6f967aa2da0ce3ef4813ae2960ba0243a56e5431737d3eb95f6c0a83c91da88c24cf311c3a076899eab9923dee92bf4806a99a08472c07e74030c5c9054
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WindowsDefenderUpdates.exeFilesize
160KB
MD58d990a112e2f4ce70e630dda9a1060b4
SHA16ea9f72e30dc042eda02424a7151ed1cbcf5a35f
SHA2563fdf1066e3b5085246f0d060dbb64c46019244b20d8da8b4d12a941e4dcc95af
SHA51235fef6f967aa2da0ce3ef4813ae2960ba0243a56e5431737d3eb95f6c0a83c91da88c24cf311c3a076899eab9923dee92bf4806a99a08472c07e74030c5c9054
-
C:\Users\Admin\AppData\Local\UXINIZSV\Browsers\Firefox\Bookmarks.txtFilesize
105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
C:\Users\Admin\AppData\Local\UXINIZSV\FileGrabber\Desktop\SyncAssert.pngFilesize
871KB
MD5684a3b188b2deb83c2758d9066ebedc5
SHA1b6c3c01ae4975fccf990031b82e4c56c1ab0a940
SHA25679d89659f522318612d7ee9acee1cc106523b30ee70c12c73a2ee770eae74d15
SHA512e3bf8f2fb05d68f10805ad7bfcb6c0e5e4cead6a4734d13200d0f39e1ad02311e8e1120c8035c8dffe696d2555dbe6235229349df43588e74d5da5a21b4e1468
-
C:\Users\Admin\AppData\Local\UXINIZSV\FileGrabber\Documents\WatchStep.docFilesize
465KB
MD59d2e0b92547edda0d3c05e23c76efed4
SHA1615e38807f78f9305470c4e35f448c5d00ee3c64
SHA2568d74de861283eb7ad31a356802ff42420f6faab462264b0a2640dc6be937e316
SHA512b32ec8efc76938668dc56c9b42333e250c14733dfe69f2e63d6801353d403e02e4de36761cc919a17fed7823f05798b3b6d7c046246c962ae404719dc9105595
-
C:\Users\Admin\AppData\Local\UXINIZSV\FileGrabber\Downloads\BackupUninstall.bmpFilesize
751KB
MD580ddad0423fa14762785685552c4a6b8
SHA19cf07c512791a23d3c82c42baa2ae427f38929d3
SHA256d4f4d70e3cf89ce036282c350c726b1e039c006957b3b553fa6220dbab03199f
SHA5122e5fc1d3e657078f6d9db3827b19c8b4f0d5bfabcadbd5ab27854c48b3bd0e09958adc6d95bfdae6835833c9972ada8b01406a30351a013bc44f8942ee55dc6a
-
C:\Users\Admin\AppData\Local\UXINIZSV\FileGrabber\Downloads\DebugApprove.rtfFilesize
556KB
MD5b84371c4c7ee2e95f6be94bf2da64a11
SHA145ec44a2d4eb2a0d953ee64edfc69851c40640e4
SHA25613a5174a9dc9b6cdbcafebfe4e51abb0f6562fbaacf932256831c194ba73d9b6
SHA5125a63139f1d0004b0e967ca610ea0dc89da96b8b1b0e6aed01eaca12ed457519df4a0f3e4e7d38b36c09bc74a9447b6e7518e13bdff5bd0188f9705808bde4ff4
-
C:\Users\Admin\AppData\Local\UXINIZSV\FileGrabber\Pictures\CloseOut.svgFilesize
315KB
MD5d85ee9cad29bb9495ee88fd6b3a9d8db
SHA1f2a2ed0a92e1ad4e02597da769a389ef357c9675
SHA256c4df3182244297ea9a24f94ae66df7cbc8a88b460a139fc8c4a9aad71ad4b4be
SHA51265d0c05ba2741220d80901f6043e9086756b2128ac951f36033342078489c9a8e69962d79e6b75f760fe87ed95a03a833716c6e6d96d57b2b39f80c9542d5a1e
-
C:\Users\Admin\AppData\Local\UXINIZSV\FileGrabber\Pictures\CompareUpdate.pngFilesize
426KB
MD521ea074af3001dd176a0905e6ccf1d81
SHA1b84a925540f5aa1a13877b32411e5dcc90534e47
SHA2565f856a88b65c65e4196736de955d85e947a74724df643ae0d54bbf45c60010b6
SHA51279dbd8ab7c85f72ed5c3cfc50c4ce28096af45069b70e995defd962e1e5d1c1f97c79dc200d0ae01e6e9f0b274f074f464a0c0efee5447132908c77d33131455
-
C:\Users\Admin\AppData\Local\UXINIZSV\FileGrabber\Pictures\ConvertConnect.pngFilesize
195KB
MD58cc6eec15bf994e2817f4bdc4929c4f4
SHA17c555924a63ffe2ec1edd385914a658de3409f6f
SHA256b278039e489acc464bbdf0e2f8fb2edbb5bfbe44243242e0033def71faefe6c6
SHA512d130117cdca65b8d3a28ba4a799c7f367234ee67fee7b04f9baf47f787ec8a777fab46a513afba033fca007b3d8be77dfed25988d8ea08857b2575c4cc3733e7
-
C:\Users\Admin\AppData\Local\UXINIZSV\FileGrabber\Pictures\PopCompress.jpgFilesize
386KB
MD5aa61a94884d52ad432254d9ba45d7007
SHA112276ff6f828961efc1b16e6ea11ba7eac15c1b7
SHA256eb0060a14de4a9cfde43121f05b41c7aade08564b675c7d1ccf5a5c0989dea16
SHA5129ceb10939d312f7fb55681414916b75c64111b49eb8b4fa410536c73fa232b7d8e6b777af56bde691f3a24cc638aa4fec66c9d0dabb8dd099eaf1f8866177131
-
C:\Users\Admin\AppData\Local\UXINIZSV\Process.txtFilesize
4KB
MD5776aaa35523cfe36f71c0acbdc23f87c
SHA12d2ced3596cb6f9fc7f74d3108a2876a5f4b3b05
SHA2561ee7108e92388d4813612f93e4d76386d6dd8409019b08e6c34b41fc632d0d9f
SHA5129e6d76ca845e40dcc413b481f8d54db9929db0adbe40023bcddf40853e14496d499409f66bf7c11e18ec7d10c7e8eedce1bbb4f8237b7a6b5286aa2c020ad333
-
C:\Users\Admin\AppData\Roaming\WindowsDefenderUpdates.exeFilesize
160KB
MD58d990a112e2f4ce70e630dda9a1060b4
SHA16ea9f72e30dc042eda02424a7151ed1cbcf5a35f
SHA2563fdf1066e3b5085246f0d060dbb64c46019244b20d8da8b4d12a941e4dcc95af
SHA51235fef6f967aa2da0ce3ef4813ae2960ba0243a56e5431737d3eb95f6c0a83c91da88c24cf311c3a076899eab9923dee92bf4806a99a08472c07e74030c5c9054
-
C:\Users\Admin\AppData\Roaming\WindowsDefenderUpdates.exeFilesize
160KB
MD58d990a112e2f4ce70e630dda9a1060b4
SHA16ea9f72e30dc042eda02424a7151ed1cbcf5a35f
SHA2563fdf1066e3b5085246f0d060dbb64c46019244b20d8da8b4d12a941e4dcc95af
SHA51235fef6f967aa2da0ce3ef4813ae2960ba0243a56e5431737d3eb95f6c0a83c91da88c24cf311c3a076899eab9923dee92bf4806a99a08472c07e74030c5c9054
-
C:\Users\Admin\AppData\Roaming\WindowsDefenderUpdates.exeFilesize
160KB
MD58d990a112e2f4ce70e630dda9a1060b4
SHA16ea9f72e30dc042eda02424a7151ed1cbcf5a35f
SHA2563fdf1066e3b5085246f0d060dbb64c46019244b20d8da8b4d12a941e4dcc95af
SHA51235fef6f967aa2da0ce3ef4813ae2960ba0243a56e5431737d3eb95f6c0a83c91da88c24cf311c3a076899eab9923dee92bf4806a99a08472c07e74030c5c9054
-
memory/2164-402-0x0000000001810000-0x0000000001820000-memory.dmpFilesize
64KB
-
memory/2652-165-0x00000000064C0000-0x0000000006552000-memory.dmpFilesize
584KB
-
memory/2652-164-0x0000000005020000-0x0000000005030000-memory.dmpFilesize
64KB
-
memory/2652-166-0x0000000006B10000-0x00000000070B4000-memory.dmpFilesize
5.6MB
-
memory/2652-173-0x00000000069E0000-0x0000000006A46000-memory.dmpFilesize
408KB
-
memory/2652-289-0x0000000005020000-0x0000000005030000-memory.dmpFilesize
64KB
-
memory/2652-140-0x0000000000710000-0x000000000081E000-memory.dmpFilesize
1.1MB
-
memory/3656-416-0x0000000001420000-0x0000000001430000-memory.dmpFilesize
64KB
-
memory/3656-417-0x0000000001420000-0x0000000001430000-memory.dmpFilesize
64KB
-
memory/3656-418-0x0000000001420000-0x0000000001430000-memory.dmpFilesize
64KB
-
memory/3656-419-0x0000000001420000-0x0000000001430000-memory.dmpFilesize
64KB
