Analysis

  • max time kernel
    133s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-05-2024 18:23

General

  • Target

    svchost.exe

  • Size

    1.1MB

  • MD5

    5bf9ee7d92c033665bbbe4cc83c6c8bd

  • SHA1

    e763e34f50c83e1cf8c4be632993b8cec2ed193e

  • SHA256

    f7ca25eb2280d864435398259c502fe3dac6797871d8d1e9d362a889419c5cf4

  • SHA512

    f3026e908adf75147bfef7737bcf98701118ea310a0b93b9c04369656572e1c3f43f6a2a2fe61a31a0f66d2b59d6a74ca4efc5528a65ac64784b6aa8b7472448

  • SSDEEP

    24576:EQlWF5PC5xcbIdo20hVV58hCXeFnnw0uR7DF8A+dIJtFwwGf3xx7BzU:jnxcbOo28PeFcR7DF8YbGfL7BQ

Malware Config

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall (2 TTPs, 2 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file (2 IoCs)
  • Executes dropped EXE (1 IoC)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (6 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill (1 IoC)
  • Runs ping.exe (1 TTP, 1 IoC)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (8 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (18 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1384
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3636
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        PID:1260
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /IM MsMpEng.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4120
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe"
        3⤵
        • Modifies Windows Firewall
        PID:1052
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /k ping 0 & del "C:\Users\Admin\AppData\Roaming\svchost.exe" & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2540
        • C:\Windows\SysWOW64\PING.EXE
          ping 0
          4⤵
          • Runs ping.exe
          PID:1956
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3772,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=3836 /prefetch:8
    1⤵
      PID:4812

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\svchost.exe.log

      Filesize

      319B

      MD5

      da4fafeffe21b7cb3a8c170ca7911976

      SHA1

      50ef77e2451ab60f93f4db88325b897d215be5ad

      SHA256

      7341a4a13e81cbb5b7f39ec47bb45f84836b08b8d8e3ea231d2c7dad982094f7

      SHA512

      0bc24b69460f31a0ebc0628b99908d818ee85feb7e4b663271d9375b30cced0cd55a0bbf8edff1281a4c886ddf4476ffc989c283069cdcb1235ffcb265580fc6

    • C:\Users\Admin\AppData\Roaming\svchost.exe

      Filesize

      1.1MB

      MD5

      5bf9ee7d92c033665bbbe4cc83c6c8bd

      SHA1

      e763e34f50c83e1cf8c4be632993b8cec2ed193e

      SHA256

      f7ca25eb2280d864435398259c502fe3dac6797871d8d1e9d362a889419c5cf4

      SHA512

      f3026e908adf75147bfef7737bcf98701118ea310a0b93b9c04369656572e1c3f43f6a2a2fe61a31a0f66d2b59d6a74ca4efc5528a65ac64784b6aa8b7472448

    • memory/1384-15-0x0000000074C50000-0x0000000075201000-memory.dmp

      Filesize

      5.7MB

    • memory/1384-2-0x0000000074C50000-0x0000000075201000-memory.dmp

      Filesize

      5.7MB

    • memory/1384-14-0x00000000005E0000-0x0000000000956000-memory.dmp

      Filesize

      3.5MB

    • memory/1384-0-0x00000000005E0000-0x0000000000956000-memory.dmp

      Filesize

      3.5MB

    • memory/1384-1-0x0000000074C52000-0x0000000074C53000-memory.dmp

      Filesize

      4KB

    • memory/3636-11-0x0000000000CE0000-0x0000000001056000-memory.dmp

      Filesize

      3.5MB

    • memory/3636-17-0x0000000074C50000-0x0000000075201000-memory.dmp

      Filesize

      5.7MB

    • memory/3636-18-0x0000000074C50000-0x0000000075201000-memory.dmp

      Filesize

      5.7MB

    • memory/3636-22-0x0000000000CE0000-0x0000000001056000-memory.dmp

      Filesize

      3.5MB

    • memory/3636-23-0x0000000074C50000-0x0000000075201000-memory.dmp

      Filesize

      5.7MB

    • memory/3636-28-0x0000000074C50000-0x0000000075201000-memory.dmp

      Filesize

      5.7MB

    • memory/3636-29-0x0000000000CE0000-0x0000000001056000-memory.dmp

      Filesize

      3.5MB