Malware Analysis Report

2025-03-15 06:27

Sample ID 240117-qq6anagfh5
Target Payload2024.exe
SHA256 239e6fe1ce713f9107e88f9b06877e744bea245a699e837e864a6d2b065e6756
Tags: njrat hacked persistence trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 239e6fe1ce713f9107e88f9b06877e744bea245a699e837e864a6d2b065e6756

Threat Level: Known bad

The file Payload2024.exe was found to be: Known bad.

Malicious Activity Summary

Tags: njrat hacked persistence trojan

Njrat family

njRAT/Bladabindi

Checks computer location settings

Drops startup file

Executes dropped EXE

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Views/modifies file attributes

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-17 13:28

Signatures

Njrat family

Tag: njrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-17 13:28

Reported

2024-01-17 13:30

Platform

win10v2004-20231222-en

Max time kernel

59s

Max time network

62s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Payload2024.exe"

Signatures

njRAT/Bladabindi

Tags: trojan njrat

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Payload2024.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | C:\Users\Admin\AppData\Local\Temp\Payload2024.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | C:\Users\Admin\AppData\Roaming\Payload.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | C:\Users\Admin\AppData\Roaming\Payload.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | C:\Users\Admin\AppData\Roaming\Payload.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | C:\Windows\SysWOW64\attrib.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Payload.exe | N/A

Adds Run key to start application

Tag: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | C:\Users\Admin\AppData\Roaming\Payload.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | C:\Users\Admin\AppData\Roaming\Payload.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Payload.exe" | C:\Users\Admin\AppData\Local\Temp\Payload2024.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | C:\Users\Admin\AppData\Roaming\Payload.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | C:\Users\Admin\AppData\Roaming\Payload.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Payload.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\Payload.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Payload.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\Payload.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Payload.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\Payload.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Payload.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\Payload.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Payload.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\Payload.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Payload.exe | N/A

Views/modifies file attributes

Tag: evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Payload2024.exe

"C:\Users\Admin\AppData\Local\Temp\Payload2024.exe"

C:\Users\Admin\AppData\Roaming\Payload.exe

"C:\Users\Admin\AppData\Roaming\Payload.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Payload.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 185.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.181.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 195.233.44.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 33.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | soon-lp.at.ply.gg | udp
US | 209.25.141.181:17209 | soon-lp.at.ply.gg | tcp
US | 8.8.8.8:53 | 181.141.25.209.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | www.microsoft.com | udp
US | 92.123.241.137:80 | www.microsoft.com | tcp
US | 92.123.241.137:80 | www.microsoft.com | tcp
US | 8.8.8.8:53 | 137.241.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.178.17.96.in-addr.arpa | udp
GB | 96.17.178.196:80 | N/A | tcp
GB | 96.17.178.196:80 | N/A | tcp

Files

memory/1408-0-0x0000000000A90000-0x0000000000A9E000-memory.dmp

memory/1408-1-0x0000000075040000-0x00000000757F0000-memory.dmp

memory/1408-2-0x00000000054D0000-0x000000000556C000-memory.dmp

memory/1408-5-0x0000000006320000-0x00000000068C4000-memory.dmp

C:\Users\Admin\AppData\Roaming\Payload.exe

MD5 248679d7c4c333b7b2fef2c0f092327b
SHA1 d5b18fa3fd68935ab01b25db2813250b9d121dbd
SHA256 239e6fe1ce713f9107e88f9b06877e744bea245a699e837e864a6d2b065e6756
SHA512 27efe089952678727053fffcfe4212d330f55ec5a3eee0f7122a9deeff3dee92600db2f3238ae1d11da1d6d8e0a9bc1e48c02b9b8a71ee3129eff5d11ac06dc9

memory/2956-15-0x0000000075040000-0x00000000757F0000-memory.dmp

memory/1408-16-0x0000000075040000-0x00000000757F0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

MD5 1cf416d26fcaa9ac44cde97b4071c2c1
SHA1 2f49d770b79359232d9b8ad9609bcab9bc8489a1
SHA256 298bf368286c7dfa7b8cd2774d93811fea422c38b37b79c4049fb38fbfa49da0
SHA512 d4a92f2051d7bb5ec5dfd5cce038202cab2a75fad83238c914ce0e1d4db66b36bd2b8302451035e6e9cbf8160965e180f91af0ffea9772c28e0a4aa9a4171bcf

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk

MD5 b565b6f7a706fa0e6f1a618d53af840a
SHA1 a2dcefc8f9bf6ffc89c3e9dba9ba582a4dc0c47f
SHA256 e2be89378f1677a386e8641949f4af149db4947d04ff320e256a5c0b39d683cb
SHA512 11755649cf70808de39fd6f3a20559feebad8e7344bbd5c10de0d285ded97d8570c9e01b2834eb80c6e3179abc6bec2d9bbd4dc4e24dd94fb981fd6c9caf28fe

memory/2956-22-0x0000000005370000-0x0000000005380000-memory.dmp

memory/2956-24-0x00000000054C0000-0x0000000005552000-memory.dmp

memory/2956-25-0x00000000054B0000-0x00000000054BA000-memory.dmp

memory/2956-26-0x00000000056C0000-0x0000000005726000-memory.dmp

memory/2956-27-0x0000000075040000-0x00000000757F0000-memory.dmp

memory/2956-28-0x0000000005370000-0x0000000005380000-memory.dmp