Analysis Overview
SHA256
88e55fb611883d7d0e634300c5d76a0f88720fb6961be97c5f419c543ea66299
Threat Level: Known bad
The file 402c6b57b315921e335975a5572e1130_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
njRAT/Bladabindi
Modifies Windows Firewall
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
Event Triggered Execution: Netsh Helper DLL
Enumerates physical storage devices
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-18 11:42
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-18 11:42
Reported
2024-06-18 11:44
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\402c6b57b315921e335975a5572e1130_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" | C:\Users\Admin\AppData\Local\Temp\402c6b57b315921e335975a5572e1130_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\402c6b57b315921e335975a5572e1130_NeikiAnalytics.exe" | C:\Users\Admin\AppData\Local\Temp\402c6b57b315921e335975a5572e1130_NeikiAnalytics.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2764 set thread context of 1444 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe |
| PID 2764 set thread context of 4624 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe |
| PID 2764 set thread context of 4436 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\402c6b57b315921e335975a5572e1130_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\402c6b57b315921e335975a5572e1130_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4436 -ip 4436
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4624 -ip 4624
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 12
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 80
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4624 -ip 4624
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 56
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | doddyfire.linkpc.net | udp |
Files
memory/2572-0-0x0000000074B12000-0x0000000074B13000-memory.dmp
memory/2572-1-0x0000000074B10000-0x00000000750C1000-memory.dmp
memory/2572-2-0x0000000074B10000-0x00000000750C1000-memory.dmp
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
| MD5 | d611259813427c1e380f165b748539f9 |
| SHA1 | 98fdc0637455a554063ce52114e321d673ceb115 |
| SHA256 | 1c5de30f8f2f36a66cbee14cdd475c4764e41b275a5a88b4c22f67f6b011dcbf |
| SHA512 | 49d1826d44310ea50abf718249562994c7f4fea9a5358b3cee9d8e509d2ca7becc6e66f99da8f4f5dd42922d89d8ba5336b783bf85c093eab59db39a06460c52 |
memory/2764-18-0x0000000074B10000-0x00000000750C1000-memory.dmp
memory/2572-17-0x0000000074B10000-0x00000000750C1000-memory.dmp
memory/2764-19-0x0000000074B10000-0x00000000750C1000-memory.dmp
memory/1444-20-0x0000000000400000-0x000000000040C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\chargeable.exe.log
| MD5 | 0a9b4592cd49c3c21f6767c2dabda92f |
| SHA1 | f534297527ae5ccc0ecb2221ddeb8e58daeb8b74 |
| SHA256 | c7effe9cb81a70d738dee863991afefab040290d4c4b78b4202383bcb9f88fcd |
| SHA512 | 6b878df474e5bbfb8e9e265f15a76560c2ef151dcebc6388c82d7f6f86ffaf83f5ade5a09f1842e493cb6c8fd63b0b88d088c728fd725f7139f965a5ee332307 |
memory/4624-22-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2764-28-0x0000000074B10000-0x00000000750C1000-memory.dmp
memory/1444-29-0x0000000074B10000-0x00000000750C1000-memory.dmp
memory/1444-30-0x0000000074B10000-0x00000000750C1000-memory.dmp
memory/1444-31-0x0000000074B10000-0x00000000750C1000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-18 11:42
Reported
2024-06-18 11:44
Platform
win7-20240508-en
Max time kernel
146s
Max time network
137s
Command Line
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\402c6b57b315921e335975a5572e1130_NeikiAnalytics.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" | C:\Users\Admin\AppData\Local\Temp\402c6b57b315921e335975a5572e1130_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\402c6b57b315921e335975a5572e1130_NeikiAnalytics.exe" | C:\Users\Admin\AppData\Local\Temp\402c6b57b315921e335975a5572e1130_NeikiAnalytics.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1932 set thread context of 2824 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\402c6b57b315921e335975a5572e1130_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\402c6b57b315921e335975a5572e1130_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| SE | 23.34.233.128:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | doddyfire.linkpc.net | udp |
| MA | 160.177.58.73:10000 | doddyfire.linkpc.net | tcp |
Files
memory/2392-0-0x0000000074FB1000-0x0000000074FB2000-memory.dmp
memory/2392-1-0x0000000074FB0000-0x000000007555B000-memory.dmp
memory/2392-2-0x0000000074FB0000-0x000000007555B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab1096.tmp
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\Tar10A9.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar1239.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 165d8a81803b608ab18b24701cdbfb72 |
| SHA1 | 3178ad9b6f9511a585eaf7e9a69cbb5be0ccfdc7 |
| SHA256 | 05d7c9cd820468e8972532f0dc879d30ded76032efa4eea6bc1dde38d20a71ac |
| SHA512 | bb855d9397e0542eface2e9994dea929115d4dbe5d40aa5496b308d88f8c6c2e806009901efe1cec57086a1d8f48499667d29ca1460269f6c27ddda467b4d9bb |
\Users\Admin\AppData\Roaming\confuse\chargeable.exe
| MD5 | 6004d22a2681b983d9336c729c0762e2 |
| SHA1 | 568fd531d0d02d210ca7d4a8ba0acca6d0cf9977 |
| SHA256 | 482bf004cd48ca9927d6cbc1221889ee0fe678c7f405524db3e9a143a70c3c47 |
| SHA512 | f7fc6c64f3e5d94019dbb172110d2a2c9f5dad68a6db181b7f0afa377500a6e9f9f8aca66333477f8995a4a311c7271268f06aa400c5ce2960979c8ed3673b9d |
memory/2392-203-0x0000000074FB0000-0x000000007555B000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 612aa8b8680a765923d2c3d63929a41a |
| SHA1 | dd2fa75e7159e8980e0f2eae02c0f0f59193de35 |
| SHA256 | 8cd3096e1f832e479e3761b32e0ad2c8110459895d3870bbc7f3744d54a30877 |
| SHA512 | 96b3338055f716d088a9a6b86c199f2578244a41b0df116f6ca2da76409997ab84944bdedd83241aa3592e50750ae5df2bf4656d571bb7f32dbcefcf1c4e254a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0018BB1B5834735BFA60CD063B31956
| MD5 | fc1193c6345ac35188aa3de0f824ceb7 |
| SHA1 | 8fb5606f5380ac6ace7bb4e7c71b6750362e8c5f |
| SHA256 | bdfb8faff4c0c0a15c642890a5544bd32f930f55ca199470dbd4736a32d6e200 |
| SHA512 | 480a3ad52cf215db3cede6ad93293f8f031c2cb7a190c6f4cbcd0f3eb06f5c81c7f13d304a495945192e759ab5403245acef7be0149b8615ce2b194927f3dec4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956
| MD5 | 741873ab3a6e987963f3c0faf720d2fa |
| SHA1 | e5d2780bd862da17182d57cb42f2cbdf5f8ce51a |
| SHA256 | bf4c5098b1cab770573f9531578431ab4a2bd306ab5314abb8b29c30c9049a95 |
| SHA512 | 730dddb210e6f1f50b39be0b375b282d060663328f222ce26ee610786e8e2164f9fa683596287bf47bcca4ac9b322d19aeb0e153495f34a4c34baf9d3b4e6c6c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1976713797cbadd93ec314f50a9ca0b5 |
| SHA1 | 1e438fb8c860469062e4174d608436500cb3a55e |
| SHA256 | b4decff282c180f2cbcd2c4dbfebab0386c6f987b41ed0090eb1642d1bdd8e46 |
| SHA512 | 14692ee344ea5e01cbbd17f81132f2111c5affeda3c52e765a27bd6fcf4b0d8b59546053b56a3b060aee47a236d0496c7ab2a73178f4e668fa69aa2f0cb97570 |
memory/2824-361-0x0000000000400000-0x000000000040C000-memory.dmp
memory/2824-364-0x0000000000400000-0x000000000040C000-memory.dmp
memory/2824-363-0x0000000000400000-0x000000000040C000-memory.dmp