Analysis

  • max time kernel
    119s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-09-2024 10:17

General

  • Target

    8f2a8e17d6c466f2907213c1627e1fff8147c57eadf67012771741f290a32b6aN.exe

  • Size

    38KB

  • MD5

    0af2a1b653c84f11f76f9fe6c5faff00

  • SHA1

    9def20d00191262a517dc67c6c59c4edfc9f3fcc

  • SHA256

    8f2a8e17d6c466f2907213c1627e1fff8147c57eadf67012771741f290a32b6a

  • SHA512

    be71fe59b9cdd67ebfab14d64d2d570d7d6f78fec9365417c48dd7b79c63fb691419a0e55850d7d1710a4823b464952611d661ff44145c333062a53ad9ff2846

  • SSDEEP

    768:HDvHfwFMwnQma7vppr6qKncR5wGBA39c2gYmK72Ihe:TH4MwaPrNKnWuG69c2ry

Malware Config

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely as a geofence check.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. In this run the only netsh.exe invocation visible in the process tree adds a firewall exception for the dropped server.exe; no helper DLL registration (netsh add helper) is shown, so treat this tag as netsh execution rather than confirmed helper-DLL persistence.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8f2a8e17d6c466f2907213c1627e1fff8147c57eadf67012771741f290a32b6aN.exe
    "C:\Users\Admin\AppData\Local\Temp\8f2a8e17d6c466f2907213c1627e1fff8147c57eadf67012771741f290a32b6aN.exe"
    1⤵
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1276
    • C:\Users\Admin\AppData\Local\Temp\ali.exe
      "C:\Users\Admin\AppData\Local\Temp\ali.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:936
      • C:\Users\Admin\AppData\Local\Temp\server.exe
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5092
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:4424
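The process tree above is the useful detection unit: a Temp-resident sample drops and runs ali.exe, which drops and runs server.exe, which registers a Run key and then spawns netsh to whitelist itself in the firewall. The following is an added example (not code from the sandbox or from the sample) that turns that chain into correlation logic over constructed, simplified Sysmon-style events (EventID 1 = process create, EventID 13 = registry value set). The PIDs and paths are taken from the tree above; the explorer.exe parent PID, the SID in the registry path, the Run value name "server" and the two benign events are assumptions made to show the logic not firing on ordinary activity.

```python
"""Correlate the njRAT-style behaviour chain from the report in process telemetry.

Added example; not the sandbox's or the sample's code. Events are constructed,
simplified Sysmon-style records mirroring the reported process tree.
"""
import re
from collections import defaultdict

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\8f2a8e17d6c466f2907213c1627e1fff8147c57eadf67012771741f290a32b6aN.exe"

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
# Legacy "netsh firewall add allowedprogram" (as in the tree) and its advfirewall successor.
NETSH_ALLOW = re.compile(
    r"\bnetsh(?:\.exe)?\s+(?:firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule)\b",
    re.IGNORECASE,
)

# Constructed telemetry. PID 4000 (explorer), the SID, the Run value name and
# PIDs 7000/7100/900 are assumptions, not values from the report.
EVENTS = [
    {"EventID": 1, "ProcessId": 1276, "ParentProcessId": 4000, "Image": SAMPLE,
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": f'"{SAMPLE}"'},
    {"EventID": 1, "ProcessId": 936, "ParentProcessId": 1276, "Image": TEMP + r"\ali.exe",
     "ParentImage": SAMPLE, "CommandLine": f'"{TEMP}\\ali.exe"'},
    {"EventID": 1, "ProcessId": 5092, "ParentProcessId": 936, "Image": TEMP + r"\server.exe",
     "ParentImage": TEMP + r"\ali.exe", "CommandLine": f'"{TEMP}\\server.exe"'},
    {"EventID": 13, "ProcessId": 5092, "Image": TEMP + r"\server.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\server",
     "Details": TEMP + r"\server.exe"},
    {"EventID": 1, "ProcessId": 4424, "ParentProcessId": 5092,
     "Image": r"C:\Windows\SysWOW64\netsh.exe", "ParentImage": TEMP + r"\server.exe",
     "CommandLine": f'netsh firewall add allowedprogram "{TEMP}\\server.exe" "server.exe" ENABLE'},
    # Benign activity that must not be flagged.
    {"EventID": 1, "ProcessId": 7000, "ParentProcessId": 4000,
     "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
    {"EventID": 1, "ProcessId": 7100, "ParentProcessId": 900,
     "Image": r"C:\Windows\System32\netsh.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "netsh interface show interface"},
]

CHAIN = {"dropped_exe_chain", "run_key_persistence", "firewall_exception"}


def classify(event):
    """Return behaviour tags for one event, mirroring the report's signatures."""
    tags = set()
    if event["EventID"] == 1:
        image, parent, cmd = event["Image"], event["ParentImage"], event["CommandLine"]
        # "Executes dropped EXE": a Temp-resident binary launching another Temp-resident binary.
        if TEMP_DIR.search(image) and TEMP_DIR.search(parent):
            tags.add("dropped_exe_chain")
        # "Modifies Windows Firewall": netsh whitelisting a program that lives in Temp.
        if image.lower().endswith("\\netsh.exe") and NETSH_ALLOW.search(cmd) and TEMP_DIR.search(cmd):
            tags.add("firewall_exception")
    elif event["EventID"] == 13:
        # "Adds Run key to start application": Run value pointing into Temp.
        if RUN_KEY.search(event["TargetObject"]) and TEMP_DIR.search(event["Details"]):
            tags.add("run_key_persistence")
    return tags


def root_of(pid, parents):
    """Climb ParentProcessId links to the topmost process that has a create event."""
    seen = {pid}
    while parents.get(pid) in parents:
        pid = parents[pid]
        if pid in seen:  # guard against PID reuse producing a cycle
            break
        seen.add(pid)
    return pid


def correlate(events):
    """Group tags by the root of each process lineage: {root_pid: set_of_tags}."""
    parents = {e["ProcessId"]: e["ParentProcessId"] for e in events if e["EventID"] == 1}
    by_root = defaultdict(set)
    for e in events:
        tags = classify(e)
        if tags:
            by_root[root_of(e["ProcessId"], parents)] |= tags
    return dict(by_root)


def verdict(tags):
    """Full chain => high-confidence alert; otherwise report what was seen."""
    return "njRAT-like chain" if CHAIN <= tags else "partial: " + ", ".join(sorted(tags))


if __name__ == "__main__":
    for root, tags in correlate(EVENTS).items():
        print(root, verdict(tags))
```

Grouping by lineage root is what makes this robust: each individual signal (a Temp-to-Temp spawn, a Run key, a netsh firewall exception) is noisy on its own, but all three under one ancestor within a short window is the pattern the tree above shows, and the benign netsh and notepad events stay unflagged.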

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • flag-us
    DNS
    217.106.137.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.106.137.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    99.209.201.84.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    99.209.201.84.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    20.160.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    20.160.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    209.205.72.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    209.205.72.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    196.249.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    196.249.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    26.165.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.165.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    101.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    101.210.23.2.in-addr.arpa
    IN PTR
    Response
    101.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-101.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    100.209.201.84.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    100.209.201.84.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    14.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    14.227.111.52.in-addr.arpa
    IN PTR
    Response
  • 127.0.0.1:5552
    server.exe
  • 127.0.0.1:5552
    server.exe
  • 127.0.0.1:5552
    server.exe
  • 127.0.0.1:5552
    server.exe
  • 127.0.0.1:5552
    server.exe
  • 127.0.0.1:5552
    server.exe
  • 127.0.0.1:5552
    server.exe
  • 127.0.0.1:5552
    server.exe
  • 127.0.0.1:5552
    server.exe
  • 127.0.0.1:5552
    server.exe
  • 127.0.0.1:5552
    server.exe
  • 127.0.0.1:5552
    server.exe
  • 127.0.0.1:5552
    server.exe
  • 127.0.0.1:5552
    server.exe
  • 127.0.0.1:5552
    server.exe
  • 127.0.0.1:5552
    server.exe
  • 127.0.0.1:5552
    server.exe
  • 127.0.0.1:5552
    server.exe
  • 127.0.0.1:5552
    server.exe
  • 127.0.0.1:5552
    server.exe
  • 127.0.0.1:5552
    server.exe
  • 127.0.0.1:5552
    server.exe
  • 127.0.0.1:5552
    server.exe
  • 127.0.0.1:5552
    server.exe
  • 127.0.0.1:5552
    server.exe
  • 127.0.0.1:5552
    server.exe
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    217.106.137.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    217.106.137.52.in-addr.arpa

  • 8.8.8.8:53
    99.209.201.84.in-addr.arpa
    dns
    72 B
    132 B
    1
    1

    DNS Request

    99.209.201.84.in-addr.arpa

  • 8.8.8.8:53
    20.160.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    20.160.190.20.in-addr.arpa

  • 8.8.8.8:53
    209.205.72.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    209.205.72.20.in-addr.arpa

  • 8.8.8.8:53
    196.249.167.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    196.249.167.52.in-addr.arpa

  • 8.8.8.8:53
    26.165.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    26.165.165.52.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    101.210.23.2.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    101.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    100.209.201.84.in-addr.arpa
    dns
    73 B
    133 B
    1
    1

    DNS Request

    100.209.201.84.in-addr.arpa

  • 8.8.8.8:53
    14.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    14.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ali.exe

    Filesize

    23KB

    MD5

    695433e23e1257e25ca7b468c647a577

    SHA1

    a8c3cec1ae3706f7685d5c756655be93af598de4

    SHA256

    6c17191caf9e93a93ceb7d8f9c01313e197b1deed610ccf7c2bbe89fd2d1b797

    SHA512

    8ff094125305485a9e1906e2d7c64485047ba2b4f2988656fd6e64e54ca97c20f466510cf2757fc294243eee420848c98bb2028ce0a555c4d157132c56251697

  • memory/936-15-0x0000000075472000-0x0000000075473000-memory.dmp

    Filesize

    4KB

  • memory/936-29-0x0000000075470000-0x0000000075A21000-memory.dmp

    Filesize

    5.7MB

  • memory/936-18-0x0000000075470000-0x0000000075A21000-memory.dmp

    Filesize

    5.7MB

  • memory/936-17-0x0000000075470000-0x0000000075A21000-memory.dmp

    Filesize

    5.7MB

  • memory/1276-6-0x00007FFED24D0000-0x00007FFED2E71000-memory.dmp

    Filesize

    9.6MB

  • memory/1276-16-0x00007FFED24D0000-0x00007FFED2E71000-memory.dmp

    Filesize

    9.6MB

  • memory/1276-0-0x00007FFED2785000-0x00007FFED2786000-memory.dmp

    Filesize

    4KB

  • memory/1276-2-0x0000000000F80000-0x0000000000F8E000-memory.dmp

    Filesize

    56KB

  • memory/1276-1-0x00007FFED24D0000-0x00007FFED2E71000-memory.dmp

    Filesize

    9.6MB

  • memory/5092-28-0x0000000075470000-0x0000000075A21000-memory.dmp

    Filesize

    5.7MB

  • memory/5092-30-0x0000000075470000-0x0000000075A21000-memory.dmp

    Filesize

    5.7MB

  • memory/5092-31-0x0000000075470000-0x0000000075A21000-memory.dmp

    Filesize

    5.7MB
