Malware Analysis Report

2025-03-15 06:27

Sample ID 240117-qtzbhsgge7
Target Payload2024.exe
SHA256 239e6fe1ce713f9107e88f9b06877e744bea245a699e837e864a6d2b065e6756
Tags hacked njrat persistence trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256

239e6fe1ce713f9107e88f9b06877e744bea245a699e837e864a6d2b065e6756

Threat Level: Known bad

The file Payload2024.exe was found to be: Known bad.

Malicious Activity Summary

hacked njrat persistence trojan

Njrat family

njRAT/Bladabindi

Checks computer location settings

Executes dropped EXE

Drops startup file

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Views/modifies file attributes

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-17 13:33

Signatures

Njrat family

njrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-17 13:33

Reported

2024-01-17 13:39

Platform

win10v2004-20231215-en

Max time kernel

299s

Max time network

300s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Payload2024.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Payload.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Payload2024.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | C:\Users\Admin\AppData\Roaming\Payload.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | C:\Users\Admin\AppData\Roaming\Payload.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | C:\Windows\SysWOW64\attrib.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Louked.exe | C:\Users\Admin\AppData\Local\Temp\tmp6CA0.tmp.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Louked.exe | C:\Users\Admin\AppData\Local\Temp\tmp6CA0.tmp.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | C:\Users\Admin\AppData\Local\Temp\Payload2024.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | C:\Users\Admin\AppData\Roaming\Payload.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Payload.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6CA0.tmp.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | C:\Users\Admin\AppData\Roaming\Payload.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | C:\Users\Admin\AppData\Roaming\Payload.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | C:\Users\Admin\AppData\Roaming\Payload.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Payload.exe" | C:\Users\Admin\AppData\Local\Temp\Payload2024.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | C:\Users\Admin\AppData\Roaming\Payload.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Payload.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\Payload.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Payload.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1224 wrote to memory of 4416 | N/A | C:\Users\Admin\AppData\Local\Temp\Payload2024.exe | C:\Users\Admin\AppData\Roaming\Payload.exe
PID 1224 wrote to memory of 920 | N/A | C:\Users\Admin\AppData\Local\Temp\Payload2024.exe | C:\Windows\SysWOW64\attrib.exe
PID 4416 wrote to memory of 2404 | N/A | C:\Users\Admin\AppData\Roaming\Payload.exe | C:\Windows\SysWOW64\attrib.exe
PID 4416 wrote to memory of 2836 | N/A | C:\Users\Admin\AppData\Roaming\Payload.exe | C:\Windows\SysWOW64\attrib.exe
PID 4416 wrote to memory of 2284 | N/A | C:\Users\Admin\AppData\Roaming\Payload.exe | C:\Users\Admin\AppData\Local\Temp\tmp6CA0.tmp.exe

Views/modifies file attributes

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Payload2024.exe

"C:\Users\Admin\AppData\Local\Temp\Payload2024.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Payload.exe"

C:\Users\Admin\AppData\Roaming\Payload.exe

"C:\Users\Admin\AppData\Roaming\Payload.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"

C:\Users\Admin\AppData\Local\Temp\tmp6CA0.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp6CA0.tmp.exe"

Network

Country  Destination             Domain                          Proto
US       8.8.8.8:53              158.240.127.40.in-addr.arpa     udp
US       8.8.8.8:53              240.221.184.93.in-addr.arpa     udp
US       20.231.121.79:80        -                               tcp
US       8.8.8.8:53              149.177.190.20.in-addr.arpa     udp
US       8.8.8.8:53              95.221.229.192.in-addr.arpa     udp
US       8.8.8.8:53              2.136.104.51.in-addr.arpa       udp
US       8.8.8.8:53              146.78.124.51.in-addr.arpa      udp
US       8.8.8.8:53              16.234.44.23.in-addr.arpa       udp
US       8.8.8.8:53              soon-lp.at.ply.gg               udp
US       209.25.141.181:17209    soon-lp.at.ply.gg               tcp
US       8.8.8.8:53              181.141.25.209.in-addr.arpa     udp
US       8.8.8.8:53              50.23.12.20.in-addr.arpa        udp
US       8.8.8.8:53              171.39.242.20.in-addr.arpa      udp
US       209.25.141.181:17209    soon-lp.at.ply.gg               tcp
US       8.8.8.8:53              18.134.221.88.in-addr.arpa      udp
US       209.25.141.181:17209    soon-lp.at.ply.gg               tcp
US       8.8.8.8:53              30.243.111.52.in-addr.arpa      udp
US       8.8.8.8:53              194.178.17.96.in-addr.arpa      udp
US       8.8.8.8:53              81.171.91.138.in-addr.arpa      udp
US       209.25.141.181:17209    soon-lp.at.ply.gg               tcp
US       209.25.141.181:17209    soon-lp.at.ply.gg               tcp

Files

memory/1224-0-0x0000000000250000-0x000000000025E000-memory.dmp

memory/1224-2-0x0000000004C50000-0x0000000004CEC000-memory.dmp

memory/1224-1-0x0000000075050000-0x0000000075800000-memory.dmp

memory/1224-5-0x00000000059B0000-0x0000000005F54000-memory.dmp

C:\Users\Admin\AppData\Roaming\Payload.exe

MD5 248679d7c4c333b7b2fef2c0f092327b
SHA1 d5b18fa3fd68935ab01b25db2813250b9d121dbd
SHA256 239e6fe1ce713f9107e88f9b06877e744bea245a699e837e864a6d2b065e6756
SHA512 27efe089952678727053fffcfe4212d330f55ec5a3eee0f7122a9deeff3dee92600db2f3238ae1d11da1d6d8e0a9bc1e48c02b9b8a71ee3129eff5d11ac06dc9

memory/4416-16-0x0000000075050000-0x0000000075800000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk

MD5 97024cf693e19efbc26b5fa4986f6f29
SHA1 d4d0868afa1b76790b0440af30a245ac12cead9d
SHA256 959567471c08b8a526d6a200c60eec296c1860919d8442c4f5fb555af06cc67f
SHA512 7cda443def3fdd8c7423c4cc5cc3085c31e8e93995fd89ddb6a3ff36f03b918f727f06bc4006439ed38bdf45c9d0de8e1478a59d46ca4abef06856e6cde86ac9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

MD5 603069b2b1beac54d0f7ce4019810f04
SHA1 333300497fe640e8bec729e54c22c050f9f15282
SHA256 1fac9bc75c529d9c7b73b630642c2ae31ebbe983a2dc7a68ef6e50cc1d9cb622
SHA512 4033744b5211593645edaeaac09e24614783bdac0468d872ee5104eb42cb06850b98403b32aff1bd373d01f8cdcd8c4d5c102b4d532ba38cb4ede71b4d581047

memory/1224-15-0x0000000075050000-0x0000000075800000-memory.dmp

memory/4416-22-0x0000000005910000-0x0000000005920000-memory.dmp

memory/4416-24-0x0000000005920000-0x00000000059B2000-memory.dmp

memory/4416-25-0x0000000005900000-0x000000000590A000-memory.dmp

memory/4416-26-0x0000000005B20000-0x0000000005B86000-memory.dmp

memory/4416-27-0x0000000005B10000-0x0000000005B1A000-memory.dmp

memory/4416-28-0x0000000075050000-0x0000000075800000-memory.dmp

memory/4416-29-0x0000000005910000-0x0000000005920000-memory.dmp

memory/4416-30-0x0000000005D10000-0x0000000005D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp6CA0.tmp.exe

MD5 049f20e676c2d8483999cb3111f0debe
SHA1 918c02726d22ef390b304ca20057310eefd4d17f
SHA256 a2e9a44495e4c8740b74371a8a3499e2ee75cce06512eb3b7c3d2e04be8b7a76
SHA512 70b9cae76b3816e3b578558278eba82e05986ac7be07dec190789d9d227125ad69a3f1eb3b5673bf643a4a0e7e3aa65308bbe2bc284693b9514f74b6708fe004

memory/2284-43-0x0000000000D50000-0x0000000000D60000-memory.dmp

memory/2284-42-0x000000006FE20000-0x00000000703D1000-memory.dmp

memory/2284-44-0x000000006FE20000-0x00000000703D1000-memory.dmp

memory/2284-46-0x0000000000D50000-0x0000000000D60000-memory.dmp

memory/2284-50-0x000000006FE20000-0x00000000703D1000-memory.dmp

memory/4416-51-0x0000000000D60000-0x0000000000D6A000-memory.dmp

memory/4416-52-0x0000000000E30000-0x0000000000E40000-memory.dmp