Analysis Overview
SHA256
ecb17944364ab7bb63b73cbdd453172605e9d448427af2944df9553f4c2648f2
Threat Level: Known bad
The file 75829d58796c1d1262efc0cc684d7088 was found to be: Known bad.
Malicious Activity Summary
njRAT/Bladabindi
Drops startup file
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Views/modifies file attributes
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-25 21:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-25 21:01
Reported
2024-01-25 21:04
Platform
win10v2004-20231215-en
Max time kernel
151s
Max time network
148s
Command Line
Signatures
njRAT/Bladabindi
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\75829d58796c1d1262efc0cc684d7088.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DDOS PANEL CRACKED V.9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\windows.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\windows.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3596 set thread context of 3680 | N/A | C:\Users\Admin\AppData\Local\Temp\75829d58796c1d1262efc0cc684d7088.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\75829d58796c1d1262efc0cc684d7088.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\75829d58796c1d1262efc0cc684d7088.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\75829d58796c1d1262efc0cc684d7088.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DDOS PANEL CRACKED V.9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DDOS PANEL CRACKED V.9.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DDOS PANEL CRACKED V.9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DDOS PANEL CRACKED V.9.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\75829d58796c1d1262efc0cc684d7088.exe
"C:\Users\Admin\AppData\Local\Temp\75829d58796c1d1262efc0cc684d7088.exe"
C:\Users\Admin\AppData\Local\Temp\DDOS PANEL CRACKED V.9.exe
"C:\Users\Admin\AppData\Local\Temp\DDOS PANEL CRACKED V.9.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe"
C:\Users\Admin\AppData\Local\Temp\windows.exe
"C:\Users\Admin\AppData\Local\Temp\windows.exe"
C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\windows.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 179.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp |
Files
memory/3596-0-0x00000000748B0000-0x0000000075060000-memory.dmp
memory/3596-1-0x0000000000400000-0x0000000000538000-memory.dmp
memory/3596-2-0x0000000004A30000-0x0000000004ACC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DDOS PANEL CRACKED V.9.exe
| MD5 | 186f3d364a450fd078fa144475612414 |
| SHA1 | 5f546a31888baf57ff7504386f2931224a3a59f5 |
| SHA256 | 68dad09a0a45502c123078cdae18a0c06ef0c954ac0a494225122b2bd340c0d7 |
| SHA512 | 7937041bda16ad9ee58b5db66e575842cf86337a6a619f927dee050e8801f48914768af6816fda4df4703d946df540d5fca781b4071563068225d20d01dfc302 |
memory/2384-14-0x0000000070DB0000-0x0000000071361000-memory.dmp
memory/2384-15-0x0000000070DB0000-0x0000000071361000-memory.dmp
memory/2384-16-0x00000000017D0000-0x00000000017E0000-memory.dmp
memory/3596-17-0x0000000004B10000-0x0000000004B20000-memory.dmp
memory/3596-18-0x00000000056F0000-0x0000000005708000-memory.dmp
memory/3680-19-0x0000000000400000-0x000000000040E000-memory.dmp
memory/3596-21-0x00000000748B0000-0x0000000075060000-memory.dmp
memory/3680-22-0x00000000748B0000-0x0000000075060000-memory.dmp
memory/3680-25-0x0000000006230000-0x00000000067D4000-memory.dmp
memory/2384-26-0x00000000017D0000-0x00000000017E0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\windows.exe
| MD5 | 0d5df43af2916f47d00c1573797c1a13 |
| SHA1 | 230ab5559e806574d26b4c20847c368ed55483b0 |
| SHA256 | c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc |
| SHA512 | f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2 |
memory/2500-40-0x0000000000440000-0x0000000000452000-memory.dmp
memory/3680-39-0x00000000748B0000-0x0000000075060000-memory.dmp
memory/2500-41-0x00000000748B0000-0x0000000075060000-memory.dmp
memory/2500-43-0x00000000748B0000-0x0000000075060000-memory.dmp
memory/2384-44-0x0000000070DB0000-0x0000000071361000-memory.dmp
memory/2384-45-0x00000000017D0000-0x00000000017E0000-memory.dmp
memory/2384-46-0x00000000017D0000-0x00000000017E0000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-25 21:01
Reported
2024-01-25 21:03
Platform
win7-20231215-en
Max time kernel
149s
Max time network
122s
Command Line
Signatures
njRAT/Bladabindi
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DDOS PANEL CRACKED V.9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\windows.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\75829d58796c1d1262efc0cc684d7088.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\windows.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2144 set thread context of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\75829d58796c1d1262efc0cc684d7088.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe |
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DDOS PANEL CRACKED V.9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DDOS PANEL CRACKED V.9.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DDOS PANEL CRACKED V.9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DDOS PANEL CRACKED V.9.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\75829d58796c1d1262efc0cc684d7088.exe
"C:\Users\Admin\AppData\Local\Temp\75829d58796c1d1262efc0cc684d7088.exe"
C:\Users\Admin\AppData\Local\Temp\DDOS PANEL CRACKED V.9.exe
"C:\Users\Admin\AppData\Local\Temp\DDOS PANEL CRACKED V.9.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe"
C:\Users\Admin\AppData\Local\Temp\windows.exe
"C:\Users\Admin\AppData\Local\Temp\windows.exe"
C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\windows.exe"
Network
Files
memory/2144-0-0x0000000000400000-0x0000000000538000-memory.dmp
memory/2144-1-0x0000000074A00000-0x00000000750EE000-memory.dmp
\Users\Admin\AppData\Local\Temp\DDOS PANEL CRACKED V.9.exe
| MD5 | 186f3d364a450fd078fa144475612414 |
| SHA1 | 5f546a31888baf57ff7504386f2931224a3a59f5 |
| SHA256 | 68dad09a0a45502c123078cdae18a0c06ef0c954ac0a494225122b2bd340c0d7 |
| SHA512 | 7937041bda16ad9ee58b5db66e575842cf86337a6a619f927dee050e8801f48914768af6816fda4df4703d946df540d5fca781b4071563068225d20d01dfc302 |
C:\Users\Admin\AppData\Local\Temp\DDOS PANEL CRACKED V.9.exe
| MD5 | 60046070569a82ee1591e2ba69296cdf |
| SHA1 | 0f37d2247aae985c69471752f15786fe29eaccba |
| SHA256 | 194f155bf62ee4121820f4ebd44e6f02d8f9d3babef27e5dd07c1cbee337c634 |
| SHA512 | fb579c4c7a64a93a086775f8f55099387fa5d68f00e2804a6dd45b3a9b85f49ff50ad50d6bd5372d6c1d087627defa1f346178360820951800cb90f30a8b25aa |
C:\Users\Admin\AppData\Local\Temp\DDOS PANEL CRACKED V.9.exe
| MD5 | 7aac724cab78c9e8d83a74fc671780df |
| SHA1 | abfed15dd085a158eb34deed67bcd13391dea285 |
| SHA256 | 5336250fdecac52b5b503bb2a6ee1b85d01626d4969997c11044c5e20a08e7d5 |
| SHA512 | b869683a2a311ecd18965dd3faae4c2ae6f596ea192c29661b792e53ffa3f305f9c479bce944e050f9026674f547a8b2cf7763ab439566c3faeec05028bbab6f |
memory/2144-10-0x0000000004C00000-0x0000000004C40000-memory.dmp
memory/2476-11-0x0000000000A50000-0x0000000000A90000-memory.dmp
memory/2476-12-0x0000000070E40000-0x00000000713EB000-memory.dmp
memory/2144-9-0x0000000005000000-0x0000000005018000-memory.dmp
memory/2476-14-0x0000000070E40000-0x00000000713EB000-memory.dmp
memory/2704-13-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2704-24-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2704-26-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2704-29-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2144-27-0x0000000074A00000-0x00000000750EE000-memory.dmp
memory/2704-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2704-20-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2704-18-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2704-16-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2476-32-0x0000000000A50000-0x0000000000A90000-memory.dmp
memory/2476-33-0x0000000000A50000-0x0000000000A90000-memory.dmp
\Users\Admin\AppData\Local\Temp\windows.exe
| MD5 | b58b926c3574d28d5b7fdd2ca3ec30d5 |
| SHA1 | d260c4ffd603a9cfc057fcb83d678b1cecdf86f9 |
| SHA256 | 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3 |
| SHA512 | b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab |
memory/2604-41-0x00000000003B0000-0x00000000003C2000-memory.dmp
memory/2604-42-0x0000000073700000-0x0000000073DEE000-memory.dmp
memory/2476-43-0x0000000000A50000-0x0000000000A90000-memory.dmp
memory/2476-44-0x0000000070E40000-0x00000000713EB000-memory.dmp
memory/2476-45-0x0000000070E40000-0x00000000713EB000-memory.dmp
memory/2476-46-0x0000000000A50000-0x0000000000A90000-memory.dmp