Analysis Overview
SHA256
334d41d1daf71550a19c4c241ab83af52c942da8b53e5ef55be61984050215e5
Threat Level: Known bad
The file file.ps1 was found to be: Known bad.
Malicious Activity Summary
njRAT/Bladabindi
Blocklisted process makes network request
Drops startup file
Suspicious use of SetThreadContext
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-09-21 14:26
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-09-21 14:26
Reported
2022-09-21 14:30
Platform
win7-20220812-en
Max time kernel
41s
Max time network
44s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\file.ps1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | contadoreshbc.com | udp |
| US | 52.72.49.79:443 | contadoreshbc.com | tcp |
| US | 52.72.49.79:443 | contadoreshbc.com | tcp |
Files
memory/1996-54-0x000007FEFB5D1000-0x000007FEFB5D3000-memory.dmp
memory/1996-55-0x000007FEF28F0000-0x000007FEF3313000-memory.dmp
memory/1996-56-0x000007FEF1D90000-0x000007FEF28ED000-memory.dmp
memory/1996-57-0x00000000023E4000-0x00000000023E7000-memory.dmp
memory/1996-58-0x00000000023EB000-0x000000000240A000-memory.dmp
memory/1996-59-0x00000000023E4000-0x00000000023E7000-memory.dmp
memory/1996-60-0x00000000023EB000-0x000000000240A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-09-21 14:26
Reported
2022-09-21 14:30
Platform
win10v2004-20220812-en
Max time kernel
152s
Max time network
176s
Command Line
Signatures
njRAT/Bladabindi
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notepad.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1112 set thread context of 3068 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Token: 33 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\file.ps1
C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\Windows\Temp\Done.vbs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C Y /N /D Y /T 1 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | contadoreshbc.com | udp |
| US | 52.72.49.79:443 | contadoreshbc.com | tcp |
| US | 8.8.8.8:53 | firebasestorage.googleapis.com | udp |
| NL | 142.250.179.202:443 | firebasestorage.googleapis.com | tcp |
| US | 93.184.220.29:80 | tcp | |
| US | 93.184.220.29:80 | tcp | |
| US | 93.184.220.29:80 | tcp | |
| US | 8.8.8.8:53 | schoolcrypter.com | udp |
| US | 52.72.49.79:443 | schoolcrypter.com | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | envios000.duckdns.org | udp |
| SE | 46.246.84.3:7777 | envios000.duckdns.org | tcp |
| US | 8.253.225.254:80 | tcp | |
| US | 8.253.225.254:80 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| US | 20.42.72.131:443 | tcp |
Files
memory/1112-132-0x000001E270290000-0x000001E2702B2000-memory.dmp
memory/1112-133-0x00007FFF3CBB0000-0x00007FFF3D671000-memory.dmp
memory/3404-134-0x0000000000000000-mapping.dmp
memory/3404-135-0x00007FFF3CBB0000-0x00007FFF3D671000-memory.dmp
memory/3068-136-0x0000000000400000-0x000000000040C000-memory.dmp
memory/3068-137-0x000000000040677E-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5a0a1671f3117ae81bc90e79eac37471 |
| SHA1 | e102d030a87a2d6243344b26344636e94ce13572 |
| SHA256 | 228ede5639b6eeaab79ba585854e63b701147e30d8871c998208171e34d6747a |
| SHA512 | f84a29cdc79a2788c2e2d95cc7f357661f60592a34095401b4ff585a05d08b2f6a22c38e72ecada6a88d3b1665c850719817bac9aa1e5dcdef61130779ecdbff |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 6cf293cb4d80be23433eecf74ddb5503 |
| SHA1 | 24fe4752df102c2ef492954d6b046cb5512ad408 |
| SHA256 | b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8 |
| SHA512 | 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00 |
memory/1112-140-0x00007FFF3CBB0000-0x00007FFF3D671000-memory.dmp
memory/3068-141-0x00000000051A0000-0x000000000523C000-memory.dmp
memory/3068-142-0x00000000057F0000-0x0000000005D94000-memory.dmp
memory/3068-143-0x0000000005410000-0x00000000054A2000-memory.dmp
memory/3068-144-0x0000000005370000-0x000000000537A000-memory.dmp
memory/3404-145-0x00007FFF3CBB0000-0x00007FFF3D671000-memory.dmp
memory/3068-146-0x00000000054B0000-0x0000000005516000-memory.dmp
memory/3512-147-0x0000000000000000-mapping.dmp