Analysis
-
max time kernel
104s -
max time network
99s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
-
submitted
17-02-2024 16:17
General
-
Target
Client.exe
-
Size
156KB
-
MD5
66fe5a1d3958bdc41af36b742f5b0116
-
SHA1
976487aabbc04e030023ee72e455be1d48da4dfc
-
SHA256
e456dd25db07bcd5b9fdabfca9124d964d2cc4c2ea1826ceeb380b45c2208068
-
SHA512
a1018ed48e3b622c514b1636693d378941cb99e23054dbd69b2939cb928ee6b807e39d44d7bcc721e6bb1a15599931a3df60d203992de5d65a0d2c038a3f6d3f
-
SSDEEP
3072:k96q4hqGnhr1k3k+6pskWuHxl23eHnE07L31TOAM8J:ky1k0lppjRlxHn9TO
Score
10/10
Malware Config
Signatures
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Drops startup file 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 25 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Client.exe"C:\Users\Admin\AppData\Local\Temp\Client.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Client.exe" "Client.exe" ENABLE2⤵
- Modifies Windows Firewall
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5.7MB
-
Filesize
64KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
64KB