Malware Analysis Report

2024-08-06 19:34

Sample ID 221123-qwb9rsaa3z
Target 973c9e8c1325a97b1f899f5a10cea9d2f8f80b3aa3e33c10bb63336e09ee4077
SHA256 973c9e8c1325a97b1f899f5a10cea9d2f8f80b3aa3e33c10bb63336e09ee4077
Tags
njrat billy evasion persistence trojan
score
10/10


Analysis Overview

Score 10/10

SHA256 973c9e8c1325a97b1f899f5a10cea9d2f8f80b3aa3e33c10bb63336e09ee4077

Threat Level: Known bad

Malicious Activity Summary

njrat billy evasion persistence trojan

njRAT/Bladabindi

Executes dropped EXE

Modifies Windows Firewall

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2022-11-23 13:36

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-23 13:36

Reported

2022-11-23 14:26

Platform

win7-20220812-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\973c9e8c1325a97b1f899f5a10cea9d2f8f80b3aa3e33c10bb63336e09ee4077.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Process: C:\Windows\SysWOW64\netsh.exe (no indicator or target recorded; the full netsh command line is listed under Processes)

Adds Run key to start application

persistence
Description Indicator Process
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Roaming\dcdsp\xjgdw.pif
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cvtres = "C:\\Users\\Admin\\AppData\\Roaming\\dcdsp\\xjgdw.pif C:\\Users\\Admin\\AppData\\Roaming\\dcdsp\\qsleh.qie" C:\Users\Admin\AppData\Roaming\dcdsp\xjgdw.pif

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1976 set thread context of 432 N/A C:\Users\Admin\AppData\Roaming\dcdsp\xjgdw.pif C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Count Description Process
1 Token: SeDebugPrivilege C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
9 Token: 33 C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
9 Token: SeIncBasePriorityPrivilege C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
(the report logs the "33" and SeIncBasePriorityPrivilege events as nine alternating pairs after the single SeDebugPrivilege event)

Suspicious use of WriteProcessMemory

Count Description Process Target
7 PID 2000 wrote to memory of 780 C:\Users\Admin\AppData\Local\Temp\973c9e8c1325a97b1f899f5a10cea9d2f8f80b3aa3e33c10bb63336e09ee4077.exe C:\Users\Admin\AppData\Roaming\dcdsp\xjgdw.pif
7 PID 780 wrote to memory of 1976 C:\Users\Admin\AppData\Roaming\dcdsp\xjgdw.pif C:\Users\Admin\AppData\Roaming\dcdsp\xjgdw.pif
12 PID 1976 wrote to memory of 432 C:\Users\Admin\AppData\Roaming\dcdsp\xjgdw.pif C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
7 PID 432 wrote to memory of 1716 C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe C:\Windows\SysWOW64\netsh.exe
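
Reconstructing the injection chain from rows like the ones above, as an added example in Python (not part of the sandbox's report or its tooling). The input strings are constructed from the WriteProcessMemory and SetThreadContext rows of both behavioral runs in the report's own wording; the function names are the example's own. The point it makes is that every parent/child pair in this report shows memory writes, including RegSvcs.exe spawning netsh.exe, so writes alone do not identify hollowing; the distinguishing event is a SetThreadContext on a child whose image differs from the parent's, which here singles out xjgdw.pif writing into RegSvcs.exe.

```python
import re
from collections import Counter, defaultdict

# Constructed input: one line per distinct row of the two behavioral runs'
# WriteProcessMemory / SetThreadContext tables (one 2000 -> 780 row is repeated
# to show that duplicates are counted, not dropped). Paths are the report's.
T = r"C:\Users\Admin\AppData\Local\Temp"
R = r"C:\Users\Admin\AppData\Roaming\dcdsp"
SAMPLE = T + r"\973c9e8c1325a97b1f899f5a10cea9d2f8f80b3aa3e33c10bb63336e09ee4077.exe"
PIF, REGSVCS, NETSH = R + r"\xjgdw.pif", T + r"\RegSvcs.exe", r"C:\Windows\SysWOW64\netsh.exe"

BEHAVIORAL1 = "\n".join([
    f"PID 2000 wrote to memory of 780 N/A {SAMPLE} {PIF}",
    f"PID 2000 wrote to memory of 780 N/A {SAMPLE} {PIF}",
    f"PID 780 wrote to memory of 1976 N/A {PIF} {PIF}",
    f"PID 1976 set thread context of 432 N/A {PIF} {REGSVCS}",
    f"PID 1976 wrote to memory of 432 N/A {PIF} {REGSVCS}",
    f"PID 432 wrote to memory of 1716 N/A {REGSVCS} {NETSH}",
])
BEHAVIORAL2 = "\n".join([
    f"PID 2424 wrote to memory of 4872 N/A {SAMPLE} {PIF}",
    f"PID 4872 wrote to memory of 4800 N/A {PIF} {PIF}",
    f"PID 4800 set thread context of 4344 N/A {PIF} {REGSVCS}",
    f"PID 4800 wrote to memory of 4344 N/A {PIF} {REGSVCS}",
    f"PID 4344 wrote to memory of 1800 N/A {REGSVCS} {NETSH}",
])

# Matches the report's row wording; the "N/A" is the empty Indicator column.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_rows(text):
    """Turn table rows into (src, action, dst, src_img, dst_img) tuples; headers are skipped."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append((int(m["src"]), m["action"], int(m["dst"]), m["src_img"], m["dst_img"]))
    return events


def build_graph(events):
    """writes: Counter of (src, dst) WriteProcessMemory edges; ctx: set of
    SetThreadContext edges; images: pid -> image path."""
    writes, ctx, images = Counter(), set(), {}
    for src, action, dst, src_img, dst_img in events:
        images[src], images[dst] = src_img, dst_img
        if action.startswith("wrote"):
            writes[(src, dst)] += 1
        else:
            ctx.add((src, dst))
    return {"writes": writes, "ctx": ctx, "images": images}


def injection_chains(graph):
    """Root-to-leaf paths along WriteProcessMemory edges; a root is a PID nobody wrote into."""
    children, targets = defaultdict(set), set()
    for src, dst in graph["writes"]:
        children[src].add(dst)
        targets.add(dst)
    paths = []

    def walk(pid, path):
        nxt = [c for c in sorted(children.get(pid, ())) if c not in path]  # guards against cycles
        if not nxt:
            paths.append(path)
        for child in nxt:
            walk(child, path + [child])

    for root in sorted(p for p in children if p not in targets):
        walk(root, [root])
    return paths


def hollowing_candidates(graph):
    """Writes into a child appear for every spawn in this report (RegSvcs.exe -> netsh.exe
    included). Writes plus a replaced thread context on a child that runs a different
    image is the process-hollowing pattern worth pulling a memory dump for."""
    return [
        (src, dst, basename(graph["images"][dst]))
        for src, dst in sorted(graph["ctx"])
        if (src, dst) in graph["writes"] and graph["images"][src] != graph["images"][dst]
    ]


def describe_chain(graph, chain):
    return " -> ".join(basename(graph["images"][p]) for p in chain)


if __name__ == "__main__":
    for name, rows in (("behavioral1", BEHAVIORAL1), ("behavioral2", BEHAVIORAL2)):
        g = build_graph(parse_rows(rows))
        for chain in injection_chains(g):
            print(name, chain, describe_chain(g, chain))
        print(name, "hollowing:", hollowing_candidates(g))
```

For this sample the chain is the dropper, two xjgdw.pif stages, RegSvcs.exe and netsh.exe, and the only hollowing candidate is the xjgdw.pif stage writing into RegSvcs.exe. The dumps of PID 432's 0x400000-0x40C000 region under Files are therefore the first place to look for the unpacked payload, rather than the dropped files on disk.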

Processes

C:\Users\Admin\AppData\Local\Temp\973c9e8c1325a97b1f899f5a10cea9d2f8f80b3aa3e33c10bb63336e09ee4077.exe

"C:\Users\Admin\AppData\Local\Temp\973c9e8c1325a97b1f899f5a10cea9d2f8f80b3aa3e33c10bb63336e09ee4077.exe"

C:\Users\Admin\AppData\Roaming\dcdsp\xjgdw.pif

"C:\Users\Admin\AppData\Roaming\dcdsp\xjgdw.pif" qsleh.qie

C:\Users\Admin\AppData\Roaming\dcdsp\xjgdw.pif

C:\Users\Admin\AppData\Roaming\dcdsp\xjgdw.pif C:\Users\Admin\AppData\Roaming\dcdsp\OJGOU

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe" "RegSvcs.exe" ENABLE
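
The three host-side indicators of this run, the Run value pointing at a .pif in AppData\Roaming, the netsh allow-rule for a program in %TEMP%, and RegSvcs.exe executing from %TEMP% instead of %WINDIR%\Microsoft.NET, turned into detection checks. This is an added example in Python and not part of the report; the events are constructed from this run's command lines and registry data plus three benign controls, and the helper names and the list of .NET host binaries are the example's own choices. It also handles the `netsh advfirewall firewall add rule ... program=` form, which this sample did not use.

```python
import re

# Directories a standard user can write to; auto-started or firewall-whitelisted
# programs living here deserve a look.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)
# Extensions Windows executes like an .exe when launched from a Run value or the shell.
ODD_EXEC_EXT = (".pif", ".scr", ".com")
# .NET Framework utilities commonly used as hollowing hosts (example's own list);
# the genuine binaries live only under %WINDIR%\Microsoft.NET.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}
DOTNET_DIR = re.compile(r"^[A-Za-z]:\\Windows\\Microsoft\.NET\\")

T = r"C:\Users\Admin\AppData\Local\Temp"
R = r"C:\Users\Admin\AppData\Roaming\dcdsp"
# Constructed telemetry: the first three events mirror this report, the rest are benign controls.
EVENTS = [
    {"kind": "process", "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": f'netsh firewall add allowedprogram "{T}\\RegSvcs.exe" "RegSvcs.exe" ENABLE'},
    {"kind": "process", "image": T + r"\RegSvcs.exe", "cmdline": f'"{T}\\RegSvcs.exe"'},
    {"kind": "run_value", "name": "cvtres", "data": f"{R}\\xjgdw.pif {R}\\qsleh.qie"},
    {"kind": "process", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="App" dir=in action=allow program="C:\\Program Files\\App\\app.exe"'},
    {"kind": "process", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" C:\Program Files\App\App.dll'},
    {"kind": "run_value", "name": "AppUpdater", "data": r'"C:\Program Files\App\updater.exe" /background'},
]


def basename(path):
    return path.rsplit("\\", 1)[-1]


def split_cmdline(cmdline):
    """Split on whitespace, keeping double-quoted runs (with or without a key= prefix) together."""
    return [t.replace('"', "") for t in re.findall(r'(?:[^\s"]+|"[^"]*")+', cmdline)]


def check_firewall_allow(cmdline):
    """Legacy `netsh firewall add allowedprogram <path>` (this report) or
    `netsh advfirewall firewall add rule ... program=<path>` naming a user-writable file."""
    toks = split_cmdline(cmdline)
    if not toks or basename(toks[0]).lower() not in ("netsh", "netsh.exe"):
        return None
    low = [t.lower() for t in toks]
    program = None
    if "allowedprogram" in low and low.index("allowedprogram") + 1 < len(toks):
        program = toks[low.index("allowedprogram") + 1]
    for t in toks:  # keyword form, accepted by both syntaxes
        if t.lower().startswith("program="):
            program = t[len("program="):]
    if program and USER_WRITABLE.search(program):
        return f"firewall allow-rule for user-writable program {program}"
    return None


def check_run_value(data):
    """Run-key data whose launcher has a non-.exe executable extension. Plain .exe
    launchers under AppData are too common to flag on path alone, so the path and the
    first argument (this family passes its script file that way) are reported as context."""
    toks = split_cmdline(data)
    if not toks or not toks[0].lower().endswith(ODD_EXEC_EXT):
        return None
    launcher = toks[0]
    ext = launcher.rsplit(".", 1)[-1]
    reasons = [f"launcher extension {ext}"]
    if USER_WRITABLE.search(launcher):
        reasons.append("user-writable path")
    if len(toks) > 1:
        reasons.append(f"argument {basename(toks[1])}")
    return "; ".join(reasons)


def check_masquerade(image_path):
    """A .NET utility name running from anywhere but %WINDIR%\\Microsoft.NET."""
    name = basename(image_path).lower()
    if name in DOTNET_HOSTS and not DOTNET_DIR.match(image_path):
        return f"{name} running from {image_path}"
    return None


def evaluate(event):
    """Return the list of hits for one telemetry event."""
    hits = []
    if event["kind"] == "process":
        hits += filter(None, (check_masquerade(event["image"]), check_firewall_allow(event["cmdline"])))
    elif event["kind"] == "run_value":
        hits += filter(None, (check_run_value(event["data"]),))
    return hits


if __name__ == "__main__":
    for e in EVENTS:
        print(e.get("name") or basename(e["image"]), evaluate(e))
```

When applying the Run-value check on a live host, read both registry views: the Wow6432Node path in this report is where a 32-bit process lands when it writes HKLM\SOFTWARE\...\Run on 64-bit Windows, and the HKCU Run key needs the same check.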

Network

Count Destination Domain Proto
1 8.8.8.8:53 withgod.hopper.pw udp
6 72.52.215.31:770 withgod.hopper.pw tcp
(no country recorded for any flow)

Files

Memory dumps
memory/2000-54-0x0000000075501000-0x0000000075503000-memory.dmp
memory/780-59-0x0000000000000000-mapping.dmp
memory/1976-67-0x0000000000000000-mapping.dmp
memory/432-74-0x0000000000400000-0x000000000040C000-memory.dmp
memory/432-75-0x0000000000400000-0x000000000040C000-memory.dmp
memory/432-77-0x0000000000400000-0x000000000040C000-memory.dmp
memory/432-78-0x0000000000400000-0x000000000040C000-memory.dmp
memory/432-79-0x0000000000400000-0x000000000040C000-memory.dmp
memory/432-80-0x000000000040747E-mapping.dmp
memory/432-83-0x0000000000400000-0x000000000040C000-memory.dmp
memory/432-85-0x0000000000400000-0x000000000040C000-memory.dmp
memory/432-88-0x0000000074130000-0x00000000746DB000-memory.dmp
memory/1716-89-0x0000000000000000-mapping.dmp
memory/432-91-0x0000000074130000-0x00000000746DB000-memory.dmp

Dropped and loaded files (each listed once; the report repeats the xjgdw.pif entry eight times and the RegSvcs.exe entry three times, once per create, load or execute event, with identical hashes)

C:\Users\Admin\AppData\Roaming\dcdsp\xjgdw.pif

MD5 71d8f6d5dc35517275bc38ebcc815f9f
SHA1 cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256 fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA512 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

C:\Users\Admin\AppData\Roaming\dcdsp\qsleh.qie

MD5 d5b4309ba1f32fd202be951358732d2f
SHA1 045b0d44191088c05a76c12f38d9979482def488
SHA256 7f991f482669a82eb2317c45777350a738487fa9d7bcbc66ca731bfaf617cbe7
SHA512 378e34554c166cef62ba5a1832d6a15845b092c3f9a76c937bc5ec7eea69c20f01a5b7293bf2f18b84bc31dbd780cc0ad4541e8e371ea8c52a976f3f41b9d6d2

C:\Users\Admin\AppData\Roaming\dcdsp\YMQGIX

MD5 7b7b71df124bc97c534515dcf50ce86e
SHA1 0cdd2b9f2dde88f2ff78ffca3557bee3dff77154
SHA256 602ea3bc757612fc4dd9a3e4b83de03283684afa3e31d2c61f1b559d6c513f14
SHA512 f9d4e142945aff10f561bf5ae7718128df04adbbfcc97b18d647985e71e88b4e2bcc539d1950e1115d386649b0a838f243982c783eee69a144f13125cf2723dd

C:\Users\Admin\AppData\Roaming\dcdsp\ppcof.qve

MD5 f5bacdd6c1b958b5f71b2104468564c2
SHA1 69844070a757c70050ea53bb511117b13e5664be
SHA256 4d326ee4122d3c8664105f3bb590b5ef799a60e233bf74217e19d4c9f609f601
SHA512 e03772e56d0e069809f5b94052f315c0063cc6235a34b68ae1639769fe7cb43522950a7fe3c7776b2b3e90e2c59954954430a0be64e84d07a29fd7854efc9f8e

C:\Users\Admin\AppData\Roaming\dcdsp\OJGOU

MD5 c346f5cd7684d742e218dc717b47c027
SHA1 c1486531db25d3c7f86e6a0031342885bd8580b5
SHA256 f4277a31ceba382ca8de4d8771e9d12e67dac07c421edbb9dc38be4d843bcb63
SHA512 90548e009e967c0151b3330c5070352a5de2e227d61a0695044ebaddad492d2a95a05fbeddb7155b959320ffbfbb0866f091348f8e7927a5810aa8ec2344edaf

C:\Users\Admin\AppData\Roaming\dcdsp\qmvsh

MD5 5a712708d9e44c1155486fe98f43e902
SHA1 e38fed07c7ba70cd767d6523efd405172cfaf25d
SHA256 94755876bbca49070b732853ee3ecc345690d56818dc0bd6557e22c94fa954fd
SHA512 a93b64ff068a93ab034507e16d946fc05bf2fdc19d52aaadf253a93b999dac39c64e55b82723a7a24accd390d35845f3d720203c523699cf9e6d93b25f59838c

C:\Users\Admin\AppData\Roaming\dcdsp\etttt

MD5 640db8da702baaf410c9790e09b7cc82
SHA1 7c4539c77c83ea64e85133969aa94795a76a43fd
SHA256 6aad9f2e7c636dcea995389fcd99c558d5a9c136aaa9cfbcbb132cc7f7abefd8
SHA512 25132c750641f572a6c739971d219ff8da01d6899480c8bbefd05fb054246f6ca2bbb46c0fd72132cee8bd70bb695692bc1c66c3b8e51233ad4fc2d9c7ba47a2

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

MD5 994c7859304a76ceb46392f23ce0fa69
SHA1 de58d3439afc32a5c8bece7284ba998985dfa1ab
SHA256 f814d623a26b86b7147a95f773c67f188e6f655b0a168d38a8b16b1f5894cc71
SHA512 d2b7020fd4d6715452d20fe72652bae67669346862b8fd198f147598571fcf081d97ea68849e5ff69d41a58ee22372914ac4d07ef097ea9db760351b3e0eaaf0

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-23 13:36

Reported

2022-11-23 14:26

Platform

win10v2004-20220812-en

Max time kernel

146s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\973c9e8c1325a97b1f899f5a10cea9d2f8f80b3aa3e33c10bb63336e09ee4077.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Process: C:\Windows\SysWOW64\netsh.exe (no indicator or target recorded; the full netsh command line is listed under Processes)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\973c9e8c1325a97b1f899f5a10cea9d2f8f80b3aa3e33c10bb63336e09ee4077.exe N/A

Adds Run key to start application

persistence
Description Indicator Process
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Roaming\dcdsp\xjgdw.pif
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cvtres = "C:\\Users\\Admin\\AppData\\Roaming\\dcdsp\\xjgdw.pif C:\\Users\\Admin\\AppData\\Roaming\\dcdsp\\qsleh.qie" C:\Users\Admin\AppData\Roaming\dcdsp\xjgdw.pif

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4800 set thread context of 4344 N/A C:\Users\Admin\AppData\Roaming\dcdsp\xjgdw.pif C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Count Description Process
1 Token: SeDebugPrivilege C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
16 Token: 33 C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
16 Token: SeIncBasePriorityPrivilege C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
(the report logs the "33" and SeIncBasePriorityPrivilege events as sixteen alternating pairs after the single SeDebugPrivilege event)

Suspicious use of WriteProcessMemory

Count Description Process Target
3 PID 2424 wrote to memory of 4872 C:\Users\Admin\AppData\Local\Temp\973c9e8c1325a97b1f899f5a10cea9d2f8f80b3aa3e33c10bb63336e09ee4077.exe C:\Users\Admin\AppData\Roaming\dcdsp\xjgdw.pif
3 PID 4872 wrote to memory of 4800 C:\Users\Admin\AppData\Roaming\dcdsp\xjgdw.pif C:\Users\Admin\AppData\Roaming\dcdsp\xjgdw.pif
8 PID 4800 wrote to memory of 4344 C:\Users\Admin\AppData\Roaming\dcdsp\xjgdw.pif C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
3 PID 4344 wrote to memory of 1800 C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\973c9e8c1325a97b1f899f5a10cea9d2f8f80b3aa3e33c10bb63336e09ee4077.exe

"C:\Users\Admin\AppData\Local\Temp\973c9e8c1325a97b1f899f5a10cea9d2f8f80b3aa3e33c10bb63336e09ee4077.exe"

C:\Users\Admin\AppData\Roaming\dcdsp\xjgdw.pif

"C:\Users\Admin\AppData\Roaming\dcdsp\xjgdw.pif" qsleh.qie

C:\Users\Admin\AppData\Roaming\dcdsp\xjgdw.pif

C:\Users\Admin\AppData\Roaming\dcdsp\xjgdw.pif C:\Users\Admin\AppData\Roaming\dcdsp\YGSNI

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe" "RegSvcs.exe" ENABLE

Network

Count Destination Domain Proto
1 8.8.8.8:53 withgod.hopper.pw udp
6 72.52.215.31:770 withgod.hopper.pw tcp
4 87.248.202.1:80 (no domain recorded) tcp
1 178.79.208.1:80 (no domain recorded) tcp
2 209.197.3.8:80 (no domain recorded) tcp
1 20.189.173.4:443 (no domain recorded) tcp
(no country recorded for any flow; only the withgod.hopper.pw flows are attributed to the sample by a DNS lookup in this report)

Files

Memory dumps
memory/4872-132-0x0000000000000000-mapping.dmp
memory/4800-138-0x0000000000000000-mapping.dmp
memory/4344-143-0x0000000000000000-mapping.dmp
memory/4344-144-0x0000000000400000-0x000000000040C000-memory.dmp
memory/4344-147-0x00000000742F0000-0x00000000748A1000-memory.dmp
memory/1800-148-0x0000000000000000-mapping.dmp
memory/4344-149-0x00000000742F0000-0x00000000748A1000-memory.dmp

Dropped and loaded files (each listed once; the report repeats the xjgdw.pif entry three times and the RegSvcs.exe entry twice with identical hashes)

C:\Users\Admin\AppData\Roaming\dcdsp\xjgdw.pif

MD5 71d8f6d5dc35517275bc38ebcc815f9f
SHA1 cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256 fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA512 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

C:\Users\Admin\AppData\Roaming\dcdsp\qsleh.qie

MD5 d5b4309ba1f32fd202be951358732d2f
SHA1 045b0d44191088c05a76c12f38d9979482def488
SHA256 7f991f482669a82eb2317c45777350a738487fa9d7bcbc66ca731bfaf617cbe7
SHA512 378e34554c166cef62ba5a1832d6a15845b092c3f9a76c937bc5ec7eea69c20f01a5b7293bf2f18b84bc31dbd780cc0ad4541e8e371ea8c52a976f3f41b9d6d2

C:\Users\Admin\AppData\Roaming\dcdsp\YMQGIX

MD5 7b7b71df124bc97c534515dcf50ce86e
SHA1 0cdd2b9f2dde88f2ff78ffca3557bee3dff77154
SHA256 602ea3bc757612fc4dd9a3e4b83de03283684afa3e31d2c61f1b559d6c513f14
SHA512 f9d4e142945aff10f561bf5ae7718128df04adbbfcc97b18d647985e71e88b4e2bcc539d1950e1115d386649b0a838f243982c783eee69a144f13125cf2723dd

C:\Users\Admin\AppData\Roaming\dcdsp\ppcof.qve

MD5 f5bacdd6c1b958b5f71b2104468564c2
SHA1 69844070a757c70050ea53bb511117b13e5664be
SHA256 4d326ee4122d3c8664105f3bb590b5ef799a60e233bf74217e19d4c9f609f601
SHA512 e03772e56d0e069809f5b94052f315c0063cc6235a34b68ae1639769fe7cb43522950a7fe3c7776b2b3e90e2c59954954430a0be64e84d07a29fd7854efc9f8e

C:\Users\Admin\AppData\Roaming\dcdsp\YGSNI (same hashes as OJGOU in behavioral1: the same content under a different random name)

MD5 c346f5cd7684d742e218dc717b47c027
SHA1 c1486531db25d3c7f86e6a0031342885bd8580b5
SHA256 f4277a31ceba382ca8de4d8771e9d12e67dac07c421edbb9dc38be4d843bcb63
SHA512 90548e009e967c0151b3330c5070352a5de2e227d61a0695044ebaddad492d2a95a05fbeddb7155b959320ffbfbb0866f091348f8e7927a5810aa8ec2344edaf

C:\Users\Admin\AppData\Roaming\dcdsp\qmvsh

MD5 5a712708d9e44c1155486fe98f43e902
SHA1 e38fed07c7ba70cd767d6523efd405172cfaf25d
SHA256 94755876bbca49070b732853ee3ecc345690d56818dc0bd6557e22c94fa954fd
SHA512 a93b64ff068a93ab034507e16d946fc05bf2fdc19d52aaadf253a93b999dac39c64e55b82723a7a24accd390d35845f3d720203c523699cf9e6d93b25f59838c

C:\Users\Admin\AppData\Roaming\dcdsp\etttt

MD5 640db8da702baaf410c9790e09b7cc82
SHA1 7c4539c77c83ea64e85133969aa94795a76a43fd
SHA256 6aad9f2e7c636dcea995389fcd99c558d5a9c136aaa9cfbcbb132cc7f7abefd8
SHA512 25132c750641f572a6c739971d219ff8da01d6899480c8bbefd05fb054246f6ca2bbb46c0fd72132cee8bd70bb695692bc1c66c3b8e51233ad4fc2d9c7ba47a2

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe (hashes differ from the copy dropped in the Win7 run, behavioral1)

MD5 5257104440f9fcd3055ca809b81684e3
SHA1 586db1b80505fb4244fedad9e1cee86ef7184f9e
SHA256 1820441d8ba174eb2d3af1d41aaaa5952835912606db606efe4de1ec20c9429b
SHA512 2544f36ddd06783a67938e06aeb87b5b9c2b0d80f631ad97cb9357c8bb5774f909001dda5676e179b70c8e8b0187b2f95411eef11dea5d405f667acb96f153e3