Analysis
-
max time kernel
149s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
14-05-2024 13:39
General
-
Target
Loki 1.8/Builder_Lifetime.exe
-
Size
367KB
-
MD5
5e85824cf5ae53b0e46afaacb011732b
-
SHA1
baa3b6b8bdd489cc4121688bbbafdffdce0da4f1
-
SHA256
f0e0aaaee50fa1bceb57e92777fbb8696514ea99a755214d2b49255d3f7538ed
-
SHA512
f55bbc8a4ecbedb8ebce746ad3d49de7703ce707f627e2ceba349d5f4414cc160be59be75d3a345109e9bf93c0ce1859eb5d21c010c5b7236d163500dd58ea9e
-
SSDEEP
6144:OeQybLGW2q0GZekNrSrSD9RBDbPkeVX6TuWkob3vHBRZ8wa7:mybLGDy3JBzDJXHWkoD/Zh2
Malware Config
Signatures
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 34 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Loki 1.8\Builder_Lifetime.exe"C:\Users\Admin\AppData\Local\Temp\Loki 1.8\Builder_Lifetime.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\taskhost.exe"C:\Users\Admin\AppData\Local\Temp\taskhost.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\taskhost.exe" "taskhost.exe" ENABLE3⤵
- Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\taskhost.exeFilesize
367KB
MD55e85824cf5ae53b0e46afaacb011732b
SHA1baa3b6b8bdd489cc4121688bbbafdffdce0da4f1
SHA256f0e0aaaee50fa1bceb57e92777fbb8696514ea99a755214d2b49255d3f7538ed
SHA512f55bbc8a4ecbedb8ebce746ad3d49de7703ce707f627e2ceba349d5f4414cc160be59be75d3a345109e9bf93c0ce1859eb5d21c010c5b7236d163500dd58ea9e
-
memory/3564-0-0x00000000750F2000-0x00000000750F3000-memory.dmpFilesize
4KB
-
memory/3564-1-0x00000000750F0000-0x00000000756A1000-memory.dmpFilesize
5.7MB
-
memory/3564-2-0x00000000750F0000-0x00000000756A1000-memory.dmpFilesize
5.7MB
-
memory/3564-16-0x00000000750F0000-0x00000000756A1000-memory.dmpFilesize
5.7MB
-
memory/4724-15-0x00000000750F0000-0x00000000756A1000-memory.dmpFilesize
5.7MB
-
memory/4724-17-0x00000000750F0000-0x00000000756A1000-memory.dmpFilesize
5.7MB
-
memory/4724-18-0x00000000750F0000-0x00000000756A1000-memory.dmpFilesize
5.7MB
-
memory/4724-20-0x00000000750F0000-0x00000000756A1000-memory.dmpFilesize
5.7MB