Analysis Overview
SHA256
d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9
Threat Level: Known bad
The file d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe was found to be: Known bad.
Malicious Activity Summary
Njrat family
njRAT/Bladabindi
Drops startup file
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Views/modifies file attributes
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-25 05:48
Signatures
Njrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-25 05:48
Reported
2024-01-25 05:51
Platform
win7-20231215-en
Max time kernel
149s
Max time network
146s
Command Line
Signatures
njRAT/Bladabindi
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | C:\Users\Admin\AppData\Local\Temp\d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe" | C:\Users\Admin\AppData\Local\Temp\d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe
"C:\Users\Admin\AppData\Local\Temp\d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe"
C:\Users\Admin\AppData\Local\Temp\Payload.exe
"C:\Users\Admin\AppData\Local\Temp\Payload.exe"
C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 172.20.6.206:1992 | N/A | tcp |
| N/A | 172.20.6.206:1992 | N/A | tcp |
| N/A | 172.20.6.206:1992 | N/A | tcp |
| N/A | 172.20.6.206:1992 | N/A | tcp |
| N/A | 172.20.6.206:1992 | N/A | tcp |
| N/A | 172.20.6.206:1992 | N/A | tcp |
Files
memory/1708-0-0x0000000074E90000-0x000000007543B000-memory.dmp
memory/1708-1-0x0000000000BC0000-0x0000000000C00000-memory.dmp
memory/1708-2-0x0000000074E90000-0x000000007543B000-memory.dmp
\Users\Admin\AppData\Local\Temp\Payload.exe
| MD5 | a5ad2d1796744144d739569bb466b307 |
| SHA1 | 42de0164c8cbd9b6c64100de720d2e0c49ebcb77 |
| SHA256 | d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9 |
| SHA512 | 45fa09478a871a75f4650a56529632bfddf93990819c6d5212753325305a7946c631076897b13e62297136ae26db064fef701dea23453ea504b4c2517d5e74b9 |
memory/2384-13-0x0000000074E90000-0x000000007543B000-memory.dmp
memory/2384-14-0x00000000009D0000-0x0000000000A10000-memory.dmp
memory/1708-12-0x0000000074E90000-0x000000007543B000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
| MD5 | 387937c39ce58e167c8ba732bd92931a |
| SHA1 | d31fb8d416efd34f9b965115edb54917e778f63f |
| SHA256 | b3b40e302cb318abff9736936e3e8e02953aeb8949c686a4e0583880ecfa51cc |
| SHA512 | e9265317d845d61e1cdc81942e1e37caa2ab9af7f6de6396610929bc56860d7f1fea9f39636d89885b417c49a4205fe2b322921997f3ef6040a1286df0d734e8 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
| MD5 | 93b3ed8bc82c8b93c3aaa87b9d984542 |
| SHA1 | 1b01bbe3f7aef5a5114b3142c42cd4d9f694928b |
| SHA256 | 366b5a32bc0bec7ce9b4e97179ea7062ed9b20e9f04807b3fb44790757019d24 |
| SHA512 | 75d176a38fc1f54e14ec97aa1daf7b753e4a89c189df2777d0304f68835370896757646cd49cfbc7796437559cb18fe88135807e6bd2d3f8a37c2b9c65c8d781 |
memory/2384-20-0x0000000074E90000-0x000000007543B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-25 05:48
Reported
2024-01-25 05:51
Platform
win10v2004-20231215-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
njRAT/Bladabindi
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | C:\Users\Admin\AppData\Local\Temp\d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe" | C:\Users\Admin\AppData\Local\Temp\d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe
"C:\Users\Admin\AppData\Local\Temp\d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe"
C:\Users\Admin\AppData\Local\Temp\Payload.exe
"C:\Users\Admin\AppData\Local\Temp\Payload.exe"
C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| N/A | 172.20.6.206:1992 | N/A | tcp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| N/A | 172.20.6.206:1992 | N/A | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| N/A | 172.20.6.206:1992 | N/A | tcp |
| N/A | 172.20.6.206:1992 | N/A | tcp |
| N/A | 172.20.6.206:1992 | N/A | tcp |
Files
memory/3924-0-0x0000000075490000-0x0000000075A41000-memory.dmp
memory/3924-1-0x0000000075490000-0x0000000075A41000-memory.dmp
memory/3924-2-0x00000000014A0000-0x00000000014B0000-memory.dmp
memory/3924-5-0x0000000075490000-0x0000000075A41000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Payload.exe
| MD5 | a5ad2d1796744144d739569bb466b307 |
| SHA1 | 42de0164c8cbd9b6c64100de720d2e0c49ebcb77 |
| SHA256 | d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9 |
| SHA512 | 45fa09478a871a75f4650a56529632bfddf93990819c6d5212753325305a7946c631076897b13e62297136ae26db064fef701dea23453ea504b4c2517d5e74b9 |
memory/4900-14-0x0000000075490000-0x0000000075A41000-memory.dmp
memory/4900-15-0x00000000011C0000-0x00000000011D0000-memory.dmp
memory/4900-17-0x0000000075490000-0x0000000075A41000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
| MD5 | 371e9f5c5222743275e228f1b3d27fb1 |
| SHA1 | 31b0a7ada0ee8c593d1f7d4b8fa3f830566a5fd6 |
| SHA256 | 5684b6a81a92bef5cd5eb049a0e905dc99e7db95d907443f182614b9b48602f1 |
| SHA512 | 14f203f243e9c69a3b3e1beaf8599d5cd0f18627e446a3beac78cb611bb4259ffb4c47ece4da3d3ff4ee1dd01aa379b081a3548844070d3b7312f56d22ffc78f |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
| MD5 | a0e21c3cda955b529c05da3ebc737559 |
| SHA1 | 7cede9bd6a34b2ddb326c3733057cf76b11e3d45 |
| SHA256 | b34c6f792079e84046ce8c2049f6f233e6c235f025770a028dfc8d57bc54af8c |
| SHA512 | e37365ed423d523ca996460ab7adab0a19923906413d22cccde2f1ce144ea25deef5e1a2a6d3cc8580952ebd58438f36f5eb2cb82348e1e3d126fa248d5fc18a |
memory/3924-19-0x0000000075490000-0x0000000075A41000-memory.dmp
memory/4900-24-0x0000000075490000-0x0000000075A41000-memory.dmp
memory/4900-25-0x00000000011C0000-0x00000000011D0000-memory.dmp
memory/4900-26-0x0000000075490000-0x0000000075A41000-memory.dmp