Analysis Overview
SHA256
4fcd6f2fc384fccc0040ad53e9c7b53ad99f00307f048c78a89dfac7edc08501
Threat Level: Known bad
The file 44fb09efceb3e81150181ad3ecbeed20_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
njRAT/Bladabindi
Njrat family
Modifies Windows Firewall
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Adds Run key to start application
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-18 12:26
Signatures
Njrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-18 12:26
Reported
2024-06-18 12:28
Platform
win7-20240611-en
Max time kernel
149s
Max time network
140s
Command Line
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44fb09efceb3e81150181ad3ecbeed20_NeikiAnalytics.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\7657c14284185fbd3fb108b43c7467ba = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\7657c14284185fbd3fb108b43c7467ba = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
Note: netsh.exe only opens, queries and enumerates this key here; no value is written. Reading HKLM\SOFTWARE\Microsoft\NetSh is how netsh locates its helper DLLs at start-up, so this signature is a side effect of the malware launching netsh.exe to add its firewall exception, not evidence that a malicious helper DLL was registered for persistence.
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\44fb09efceb3e81150181ad3ecbeed20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\44fb09efceb3e81150181ad3ecbeed20_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| N/A | 10.10.1.11:5552 | | tcp |
| N/A | 10.10.1.11:5552 | | tcp |
| N/A | 10.10.1.11:5552 | | tcp |
| N/A | 10.10.1.11:5552 | | tcp |
| N/A | 10.10.1.11:5552 | | tcp |
| N/A | 10.10.1.11:5552 | | tcp |
Note: 10.10.1.11 is an RFC 1918 private address, so the C2 this build tries to reach is not routable on the Internet and is not usable as a network indicator outside this environment; the repeated rows are reconnection attempts. The destination port, 5552, is the default in njRAT builders and is worth matching, though operators can change it.
Files
memory/1572-0-0x0000000074C61000-0x0000000074C62000-memory.dmp
memory/1572-1-0x0000000074C60000-0x000000007520B000-memory.dmp
memory/1572-2-0x0000000074C60000-0x000000007520B000-memory.dmp
\Users\Admin\AppData\Local\Temp\server.exe (identical hashes to the submitted sample: the malware copies itself to %TEMP%\server.exe and runs the copy)
| MD5 | 44fb09efceb3e81150181ad3ecbeed20 |
| SHA1 | 512d19f550c4115e05b4255ac773f0c2189154e4 |
| SHA256 | 4fcd6f2fc384fccc0040ad53e9c7b53ad99f00307f048c78a89dfac7edc08501 |
| SHA512 | 69d1e2a3b18dcd9d8d4a901aac098caaefdddc2ed40a63aaaa94e4ac1a86d7fe5ced69c964f974410079e2d91deea13fdf54cbdba89e4c3ae952aea1902916d3 |
memory/1572-10-0x0000000074C60000-0x000000007520B000-memory.dmp
memory/1216-11-0x0000000074C60000-0x000000007520B000-memory.dmp
memory/1216-12-0x0000000074C60000-0x000000007520B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-18 12:26
Reported
2024-06-18 12:28
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\44fb09efceb3e81150181ad3ecbeed20_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\7657c14284185fbd3fb108b43c7467ba = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7657c14284185fbd3fb108b43c7467ba = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2604 wrote to memory of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\44fb09efceb3e81150181ad3ecbeed20_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\server.exe |
| PID 2604 wrote to memory of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\44fb09efceb3e81150181ad3ecbeed20_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\server.exe |
| PID 2604 wrote to memory of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\44fb09efceb3e81150181ad3ecbeed20_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\server.exe |
| PID 2572 wrote to memory of 4060 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 2572 wrote to memory of 4060 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 2572 wrote to memory of 4060 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Windows\SysWOW64\netsh.exe |
Note: each write goes from a parent to the child it has just spawned (the sample to server.exe, then server.exe to netsh.exe), which is consistent with ordinary process start-up rather than injection into an unrelated process.
Processes
C:\Users\Admin\AppData\Local\Temp\44fb09efceb3e81150181ad3ecbeed20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\44fb09efceb3e81150181ad3ecbeed20_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.96:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 5.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.61.62.23.in-addr.arpa | udp |
| N/A | 10.10.1.11:5552 | | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.15.31.184.in-addr.arpa | udp |
| N/A | 10.10.1.11:5552 | | tcp |
| N/A | 10.10.1.11:5552 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| N/A | 10.10.1.11:5552 | | tcp |
| N/A | 10.10.1.11:5552 | | tcp |
| N/A | 10.10.1.11:5552 | | tcp |
| US | 8.8.8.8:53 | 210.80.50.20.in-addr.arpa | udp |
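Hunting for this behaviour on an endpoint, as an added example that is not part of the sandbox report: the Python below runs three detection rules over a few constructed Sysmon-style events (registry value set, process create, network connect) modelled on the indicators in the two detonations above: a Run value named with 32 hex characters whose data is a quoted path in a drop directory followed by " ..", netsh whitelisting that same path, and an outbound connection to port 5552. The event field names are assumptions, not a real log schema, and the `netsh advfirewall firewall add rule ... program=` pattern is a generalization to the modern syntax that does not appear in the report.

```python
"""Detection logic for the njRAT pattern in this report: a Run value named with
32 hex chars pointing at a binary in a drop directory with a trailing ' ..'
argument, netsh whitelisting that binary in the firewall, and a connection to
port 5552.

Added example (not from the sandbox report). The events below are CONSTRUCTED
Sysmon-style records; the field names are assumptions, not a real log schema.
"""
import re
from dataclasses import dataclass

# ...\CurrentVersion\Run\<value>, allowing the Wow6432Node variant seen in the HKLM write.
RUN_VALUE_RE = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\(?P<name>[^\\]+)$", re.I)
HEX32_RE = re.compile(r"^[0-9a-f]{32}$", re.I)          # e.g. 7657c14284185fbd3fb108b43c7467ba
QUOTED_PATH_RE = re.compile(r'^"(?P<path>[^"]+)"(?P<tail>.*)$')
DROP_DIR_RE = re.compile(
    r"\\(?:AppData\\Local\\Temp|AppData\\Roaming|Users\\Public|ProgramData)\\", re.I)
# Legacy syntax from the report, plus the advfirewall form (assumed worth matching).
NETSH_LEGACY_RE = re.compile(
    r'netsh\s+firewall\s+add\s+allowedprogram\s+(?:"(?P<qpath>[^"]+)"|(?P<path>\S+))', re.I)
NETSH_ADV_RE = re.compile(
    r'netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*?\bprogram=(?:"(?P<qpath>[^"]+)"|(?P<path>\S+))', re.I)
NJRAT_DEFAULT_PORT = 5552  # builder default; operators can change it, so this is a weak signal


@dataclass(frozen=True)
class Finding:
    rule: str
    process: str   # process to pivot on (for netsh, the parent that spawned it)
    detail: str


def netsh_program(command_line):
    """Return the program path a netsh firewall-allow command whitelists, or None."""
    for rx in (NETSH_LEGACY_RE, NETSH_ADV_RE):
        m = rx.search(command_line)
        if m:
            return m.group("qpath") or m.group("path")
    return None


def check_registry(ev):
    """Run value whose name, data trailer and target path together look like njRAT."""
    m = RUN_VALUE_RE.search(ev["target"])
    if not m:
        return None
    data = ev["details"].strip()
    q = QUOTED_PATH_RE.match(data)
    path, tail = (q.group("path"), q.group("tail").strip()) if q else (data, "")
    reasons = []
    if HEX32_RE.match(m.group("name")):
        reasons.append("32-hex value name")
    if tail == "..":
        reasons.append("' ..' argument trailer")
    if DROP_DIR_RE.search(path):
        reasons.append("binary in drop directory")
    if len(reasons) < 2:   # any single trait alone is too noisy to alert on
        return None
    return Finding("njrat_run_key", ev["image"], f"{m.group('name')} -> {path} ({'; '.join(reasons)})")


def check_process(ev):
    """netsh used to whitelist a binary living in a drop directory."""
    if not ev["image"].lower().endswith("\\netsh.exe"):
        return None
    prog = netsh_program(ev["command_line"])
    if prog and DROP_DIR_RE.search(prog):
        return Finding("netsh_allow_drop_dir", ev["parent_image"], f"firewall exception for {prog}")
    return None


def check_network(ev):
    """Default njRAT port from a binary in a drop directory."""
    if ev["dst_port"] == NJRAT_DEFAULT_PORT and DROP_DIR_RE.search(ev["image"]):
        return Finding("njrat_default_port", ev["image"], f"tcp {ev['dst_ip']}:{ev['dst_port']}")
    return None


CHECKS = {"registry_set": check_registry, "process_create": check_process,
          "network_connect": check_network}


def hunt(events):
    """Apply the matching check to each event; return findings in event order."""
    out = []
    for ev in events:
        check = CHECKS.get(ev["type"])
        finding = check(ev) if check else None
        if finding:
            out.append(finding)
    return out


# Constructed events mirroring the report's indicators, with benign look-alikes.
SERVER = r"C:\Users\Admin\AppData\Local\Temp\server.exe"
HKU_RUN = "HKU\\S-1-5-21-3169499791-3545231813-3156325206-1000" + r"\Software\Microsoft\Windows\CurrentVersion\Run"
EVENTS = [
    {"type": "registry_set", "image": SERVER, "details": f'"{SERVER}" ..',
     "target": HKU_RUN + r"\7657c14284185fbd3fb108b43c7467ba"},
    {"type": "registry_set", "image": SERVER, "details": f'"{SERVER}" ..',
     "target": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\7657c14284185fbd3fb108b43c7467ba"},
    {"type": "registry_set", "image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
     "target": HKU_RUN + r"\OneDrive"},
    {"type": "process_create", "image": r"C:\Windows\SysWOW64\netsh.exe", "parent_image": SERVER,
     "command_line": f'netsh firewall add allowedprogram "{SERVER}" "server.exe" ENABLE'},
    {"type": "process_create", "image": r"C:\Windows\System32\netsh.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "command_line": "netsh advfirewall show allprofiles"},
    {"type": "network_connect", "image": SERVER, "dst_ip": "10.10.1.11", "dst_port": 5552},
    {"type": "network_connect", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dst_ip": "23.62.61.96", "dst_port": 443},
]

if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"[{f.rule}] {f.process}: {f.detail}")
```

The registry rule requires two of its three traits so that a lone 32-hex value name or a lone Temp-path Run entry does not page anyone; the netsh rule reports the parent that spawned netsh.exe, since netsh itself is a signed system binary and the interesting process is the one that asked for the exception.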
Files
memory/2604-0-0x0000000074DF2000-0x0000000074DF3000-memory.dmp
memory/2604-1-0x0000000074DF0000-0x00000000753A1000-memory.dmp
memory/2604-2-0x0000000074DF0000-0x00000000753A1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\server.exe
| MD5 | 44fb09efceb3e81150181ad3ecbeed20 |
| SHA1 | 512d19f550c4115e05b4255ac773f0c2189154e4 |
| SHA256 | 4fcd6f2fc384fccc0040ad53e9c7b53ad99f00307f048c78a89dfac7edc08501 |
| SHA512 | 69d1e2a3b18dcd9d8d4a901aac098caaefdddc2ed40a63aaaa94e4ac1a86d7fe5ced69c964f974410079e2d91deea13fdf54cbdba89e4c3ae952aea1902916d3 |
memory/2604-12-0x0000000074DF0000-0x00000000753A1000-memory.dmp
memory/2572-13-0x0000000074DF0000-0x00000000753A1000-memory.dmp
memory/2572-14-0x0000000074DF0000-0x00000000753A1000-memory.dmp
memory/2572-15-0x0000000074DF0000-0x00000000753A1000-memory.dmp