Analysis Overview
SHA256
6eea9641063b4f2e44360afc7bee1894423dc6aa92e7e497740fca1758d38c25
Threat Level: Known bad
The file a09a3b6b6bea6ef91aef5d0dd4581b88.exe was found to be: Known bad.
Malicious Activity Summary
njRAT/Bladabindi
Njrat family
Modifies Windows Firewall
Checks computer location settings
Executes dropped EXE
Drops startup file
Loads dropped DLL
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-01-20 21:17
Signatures
Njrat family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-01-20 21:17
Reported: 2024-01-20 21:20
Platform: win7-20231215-en
Max time kernel: 150s
Max time network: 147s
Command Line
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\39b05030c645f6e80bce801caf1f7d61.exe | C:\Users\Admin\windows updator_prdas.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\39b05030c645f6e80bce801caf1f7d61.exe | C:\Users\Admin\windows updator_prdas.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\windows updator_prdas.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a09a3b6b6bea6ef91aef5d0dd4581b88.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\39b05030c645f6e80bce801caf1f7d61 = "\"C:\\Users\\Admin\\windows updator_prdas.exe\" .." | C:\Users\Admin\windows updator_prdas.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\39b05030c645f6e80bce801caf1f7d61 = "\"C:\\Users\\Admin\\windows updator_prdas.exe\" .." | C:\Users\Admin\windows updator_prdas.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\windows updator_prdas.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a09a3b6b6bea6ef91aef5d0dd4581b88.exe
"C:\Users\Admin\AppData\Local\Temp\a09a3b6b6bea6ef91aef5d0dd4581b88.exe"
C:\Users\Admin\windows updator_prdas.exe
"C:\Users\Admin\windows updator_prdas.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\windows updator_prdas.exe" "windows updator_prdas.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 4.tcp.eu.ngrok.io | udp |
| DE | 3.127.253.86:10929 | 4.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 4.tcp.eu.ngrok.io | udp |
| DE | 3.127.59.75:10929 | 4.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 4.tcp.eu.ngrok.io | udp |
| DE | 52.28.112.211:10929 | 4.tcp.eu.ngrok.io | tcp |
Files
\Users\Admin\windows updator_prdas.exe
| Algorithm | Hash |
| --- | --- |
| MD5 | a09a3b6b6bea6ef91aef5d0dd4581b88 |
| SHA1 | 098ed5d82ade538154634a9f44d8f91607c23392 |
| SHA256 | 6eea9641063b4f2e44360afc7bee1894423dc6aa92e7e497740fca1758d38c25 |
| SHA512 | 42c383b30292cb2521f70e3dcc30b96553e50866ab965f9304bf2808d90ea4be01efa12d380f6d9b76ffe57f09974d5563e5a6018a2009328ce18a25b4b3d1f8 |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-01-20 21:17
Reported: 2024-01-20 21:20
Platform: win10v2004-20231215-en
Max time kernel: 156s
Max time network: 157s
Command Line
Signatures
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a09a3b6b6bea6ef91aef5d0dd4581b88.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\39b05030c645f6e80bce801caf1f7d61.exe | C:\Users\Admin\windows updator_prdas.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\39b05030c645f6e80bce801caf1f7d61.exe | C:\Users\Admin\windows updator_prdas.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\windows updator_prdas.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\39b05030c645f6e80bce801caf1f7d61 = "\"C:\\Users\\Admin\\windows updator_prdas.exe\" .." | C:\Users\Admin\windows updator_prdas.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\39b05030c645f6e80bce801caf1f7d61 = "\"C:\\Users\\Admin\\windows updator_prdas.exe\" .." | C:\Users\Admin\windows updator_prdas.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\windows updator_prdas.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3096 wrote to memory of 4336 | N/A | C:\Users\Admin\AppData\Local\Temp\a09a3b6b6bea6ef91aef5d0dd4581b88.exe | C:\Users\Admin\windows updator_prdas.exe |
| PID 3096 wrote to memory of 4336 | N/A | C:\Users\Admin\AppData\Local\Temp\a09a3b6b6bea6ef91aef5d0dd4581b88.exe | C:\Users\Admin\windows updator_prdas.exe |
| PID 3096 wrote to memory of 4336 | N/A | C:\Users\Admin\AppData\Local\Temp\a09a3b6b6bea6ef91aef5d0dd4581b88.exe | C:\Users\Admin\windows updator_prdas.exe |
| PID 4336 wrote to memory of 2848 | N/A | C:\Users\Admin\windows updator_prdas.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 4336 wrote to memory of 2848 | N/A | C:\Users\Admin\windows updator_prdas.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 4336 wrote to memory of 2848 | N/A | C:\Users\Admin\windows updator_prdas.exe | C:\Windows\SysWOW64\netsh.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a09a3b6b6bea6ef91aef5d0dd4581b88.exe
"C:\Users\Admin\AppData\Local\Temp\a09a3b6b6bea6ef91aef5d0dd4581b88.exe"
C:\Users\Admin\windows updator_prdas.exe
"C:\Users\Admin\windows updator_prdas.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\windows updator_prdas.exe" "windows updator_prdas.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.tcp.eu.ngrok.io | udp |
| DE | 3.127.253.86:10929 | 4.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 86.253.127.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.tcp.eu.ngrok.io | udp |
| DE | 3.127.253.86:10929 | 4.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 181.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.tcp.eu.ngrok.io | udp |
| DE | 52.28.112.211:10929 | 4.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 211.112.28.52.in-addr.arpa | udp |
Files
C:\Users\Admin\windows updator_prdas.exe
| Algorithm | Hash |
| --- | --- |
| MD5 | a09a3b6b6bea6ef91aef5d0dd4581b88 |
| SHA1 | 098ed5d82ade538154634a9f44d8f91607c23392 |
| SHA256 | 6eea9641063b4f2e44360afc7bee1894423dc6aa92e7e497740fca1758d38c25 |
| SHA512 | 42c383b30292cb2521f70e3dcc30b96553e50866ab965f9304bf2808d90ea4be01efa12d380f6d9b76ffe57f09974d5563e5a6018a2009328ce18a25b4b3d1f8 |