Analysis Overview
SHA256
71b39da7c5a7414f5308daae6f98208d1c1636e69dbaa51d09c8ebc84b180c38
Threat Level: Known bad
The file وزنية زاحفههه.exe was found to be: Known bad.
Malicious Activity Summary
njRAT/Bladabindi
Modifies Windows Firewall
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Drops startup file
Adds Run key to start application
AutoIT Executable
Unsigned PE
Event Triggered Execution: Netsh Helper DLL
Enumerates physical storage devices
NSIS installer
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-22 23:58
Signatures
AutoIT Executable
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-22 23:58
Reported
2024-06-23 00:01
Platform
win7-20240611-en
Max time kernel
150s
Max time network
126s
Command Line
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6eff5e1ac69475e84ad4e71ee67ef805.exe | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6eff5e1ac69475e84ad4e71ee67ef805.exe | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EqualizerAPO32-1.3.2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\وزنية زاحفههه.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\وزنية زاحفههه.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EqualizerAPO32-1.3.2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\6eff5e1ac69475e84ad4e71ee67ef805 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .." | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\6eff5e1ac69475e84ad4e71ee67ef805 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .." | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
NSIS installer
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\وزنية زاحفههه.exe
"C:\Users\Admin\AppData\Local\Temp\وزنية زاحفههه.exe"
C:\Users\Admin\AppData\Local\Temp\Client.exe
C:\Users\Admin\AppData\Local\Temp/Client.exe
C:\Users\Admin\AppData\Local\Temp\EqualizerAPO32-1.3.2.exe
C:\Users\Admin\AppData\Local\Temp/EqualizerAPO32-1.3.2.exe
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:6522 | N/A | tcp |
(43 identical entries)
Files
C:\Users\Admin\AppData\Local\Temp\EqualizerAPO32-1.3.2.exe
| MD5 | 340537574c05238b1bec13fe9f9e80b0 |
| SHA1 | 4d77a3a81c4272073d1ca80267e5dac1316fc421 |
| SHA256 | 580d8e5253a6610f8089d5a60597620c6ecb619f7bbb4d28ed75393342fbb708 |
| SHA512 | c283d4096cf6c1713fb2a6e4c56c7d76093e167736ff84f62d437512ed2161a01aaab916b80b62486b29d50abd525b518b6b3f6de99399db77320a50dabd2901 |
\Users\Admin\AppData\Local\Temp\Client.exe
| MD5 | 0400e17a5bdb1fa5877c12d609dd15f8 |
| SHA1 | 0e2af75fd16b9d2902a69c94a6eaa1cef4565f64 |
| SHA256 | 99b91723fd7afa33700fb055e3dd505af43957841774d35945271d92c3388e6b |
| SHA512 | 6fa737ef7ec683b9dae18a9f150555f1dc5da6cf0e9c74b8b3aca58055539a8f5ded243bee14f2247712373213c1da5aee9d7c6149791fc7950ad9293d0eed9a |
memory/2272-20-0x0000000074B01000-0x0000000074B02000-memory.dmp
memory/2272-22-0x0000000074B00000-0x00000000750AB000-memory.dmp
memory/2272-23-0x0000000074B00000-0x00000000750AB000-memory.dmp
\Users\Admin\AppData\Local\Temp\nso82E8.tmp\NSISpcre.dll
| MD5 | bfe060c22b44914e05d3f5367de6c9fe |
| SHA1 | 24c72b0b57b0066a5e8b235104a0502400e44b9a |
| SHA256 | 43041f8540dccbc33268bfbef53037d17170b037f6393e77c21429f303ae828f |
| SHA512 | ad3a23edd8d62b198e4a2ccf03f6d607dee41fa23fd6f9dfabdc5ee424b5e22a6e00b8a28e50fe177829a2cc25ce05484423e97c682036fc5146e2adf560bc44 |
memory/2272-40-0x0000000074B00000-0x00000000750AB000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-22 23:58
Reported
2024-06-23 00:01
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
51s
Command Line
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6eff5e1ac69475e84ad4e71ee67ef805.exe | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6eff5e1ac69475e84ad4e71ee67ef805.exe | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EqualizerAPO32-1.3.2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EqualizerAPO32-1.3.2.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6eff5e1ac69475e84ad4e71ee67ef805 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .." | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\6eff5e1ac69475e84ad4e71ee67ef805 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .." | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
NSIS installer
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\وزنية زاحفههه.exe
"C:\Users\Admin\AppData\Local\Temp\وزنية زاحفههه.exe"
C:\Users\Admin\AppData\Local\Temp\Client.exe
C:\Users\Admin\AppData\Local\Temp/Client.exe
C:\Users\Admin\AppData\Local\Temp\EqualizerAPO32-1.3.2.exe
C:\Users\Admin\AppData\Local\Temp/EqualizerAPO32-1.3.2.exe
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:6522 | N/A | tcp |
(34 identical entries)
Files
C:\Users\Admin\AppData\Local\Temp\aut4622.tmp
| MD5 | 340537574c05238b1bec13fe9f9e80b0 |
| SHA1 | 4d77a3a81c4272073d1ca80267e5dac1316fc421 |
| SHA256 | 580d8e5253a6610f8089d5a60597620c6ecb619f7bbb4d28ed75393342fbb708 |
| SHA512 | c283d4096cf6c1713fb2a6e4c56c7d76093e167736ff84f62d437512ed2161a01aaab916b80b62486b29d50abd525b518b6b3f6de99399db77320a50dabd2901 |
C:\Users\Admin\AppData\Local\Temp\Client.exe
| MD5 | 0400e17a5bdb1fa5877c12d609dd15f8 |
| SHA1 | 0e2af75fd16b9d2902a69c94a6eaa1cef4565f64 |
| SHA256 | 99b91723fd7afa33700fb055e3dd505af43957841774d35945271d92c3388e6b |
| SHA512 | 6fa737ef7ec683b9dae18a9f150555f1dc5da6cf0e9c74b8b3aca58055539a8f5ded243bee14f2247712373213c1da5aee9d7c6149791fc7950ad9293d0eed9a |
memory/4076-17-0x0000000073CF2000-0x0000000073CF3000-memory.dmp
memory/4076-18-0x0000000073CF0000-0x00000000742A1000-memory.dmp
memory/4076-19-0x0000000073CF0000-0x00000000742A1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsg4AC6.tmp\NSISpcre.dll
| MD5 | bfe060c22b44914e05d3f5367de6c9fe |
| SHA1 | 24c72b0b57b0066a5e8b235104a0502400e44b9a |
| SHA256 | 43041f8540dccbc33268bfbef53037d17170b037f6393e77c21429f303ae828f |
| SHA512 | ad3a23edd8d62b198e4a2ccf03f6d607dee41fa23fd6f9dfabdc5ee424b5e22a6e00b8a28e50fe177829a2cc25ce05484423e97c682036fc5146e2adf560bc44 |
memory/4076-34-0x0000000073CF0000-0x00000000742A1000-memory.dmp