Analysis Overview
SHA256
cd35af0a0c71c382760409b7b2343c83857d89af55a0b365b72962f0f9c9a400
Threat Level: Known bad
The file WTLDR.exe was found to be: Known bad.
Malicious Activity Summary
Njrat family
njRAT/Bladabindi
Modifies Windows Firewall
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Drops startup file
Adds Run key to start application
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
Unsigned PE
Runs ping.exe
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-23 22:04
Signatures
Njrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-23 22:04
Reported
2024-06-23 22:06
Platform
win7-20240611-en
Max time kernel
118s
Max time network
118s
Command Line
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9300538b8eb52046b545ea0eefc265d2.exe | C:\Users\Admin\AppData\Local\Temp\chrome_protect.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9300538b8eb52046b545ea0eefc265d2.exe | C:\Users\Admin\AppData\Local\Temp\chrome_protect.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\chrome_protect.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WTLDR.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\9300538b8eb52046b545ea0eefc265d2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\chrome_protect.exe\" .." | C:\Users\Admin\AppData\Local\Temp\chrome_protect.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\9300538b8eb52046b545ea0eefc265d2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\chrome_protect.exe\" .." | C:\Users\Admin\AppData\Local\Temp\chrome_protect.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\WTLDR.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\chrome_protect.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\chrome_protect.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\chrome_protect.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\WTLDR.exe
"C:\Users\Admin\AppData\Local\Temp\WTLDR.exe"
C:\Users\Admin\AppData\Local\Temp\chrome_protect.exe
"C:\Users\Admin\AppData\Local\Temp\chrome_protect.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\chrome_protect.exe" "chrome_protect.exe" ENABLE
C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\chrome_protect.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 0 -n 2 & del "C:\Users\Admin\AppData\Local\Temp\chrome_protect.exe"
C:\Windows\SysWOW64\PING.EXE
ping 0 -n 2
Network
| Country | Destination | Domain | Proto |
| FR | 88.168.211.65:6522 | | tcp |
Files
memory/2020-0-0x0000000074651000-0x0000000074652000-memory.dmp
memory/2020-2-0x0000000074650000-0x0000000074BFB000-memory.dmp
memory/2020-1-0x0000000074650000-0x0000000074BFB000-memory.dmp
\Users\Admin\AppData\Local\Temp\chrome_protect.exe
| MD5 | 7a94013c17dc892cea16fbae38646e43 |
| SHA1 | 8cf54c2ac961dd5c82cb3b07c3de317847aa94bb |
| SHA256 | cd35af0a0c71c382760409b7b2343c83857d89af55a0b365b72962f0f9c9a400 |
| SHA512 | 03df47db51270ca87172620e5475ce7a99e1fa1bd61e1956e4a0b28792d145b4e30d5b0d7b0737ea3ed331cecaecde78641b4828b1b9425153b1f9ac3de6f34a |
memory/2064-12-0x0000000074650000-0x0000000074BFB000-memory.dmp
memory/2020-11-0x0000000074650000-0x0000000074BFB000-memory.dmp
memory/2064-10-0x0000000074650000-0x0000000074BFB000-memory.dmp
memory/2064-13-0x0000000074650000-0x0000000074BFB000-memory.dmp
memory/2064-17-0x0000000074650000-0x0000000074BFB000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-23 22:04
Reported
2024-06-23 22:06
Platform
win10v2004-20240508-en
Max time kernel
125s
Max time network
127s
Command Line
Signatures
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\WTLDR.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9300538b8eb52046b545ea0eefc265d2.exe | C:\Users\Admin\AppData\Local\Temp\chrome_protect.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9300538b8eb52046b545ea0eefc265d2.exe | C:\Users\Admin\AppData\Local\Temp\chrome_protect.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\chrome_protect.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9300538b8eb52046b545ea0eefc265d2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\chrome_protect.exe\" .." | C:\Users\Admin\AppData\Local\Temp\chrome_protect.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\9300538b8eb52046b545ea0eefc265d2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\chrome_protect.exe\" .." | C:\Users\Admin\AppData\Local\Temp\chrome_protect.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\WTLDR.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\chrome_protect.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\chrome_protect.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\chrome_protect.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\WTLDR.exe
"C:\Users\Admin\AppData\Local\Temp\WTLDR.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4168,i,13640054265074968359,8146127767143474550,262144 --variations-seed-version --mojo-platform-channel-handle=1308 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\chrome_protect.exe
"C:\Users\Admin\AppData\Local\Temp\chrome_protect.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\chrome_protect.exe" "chrome_protect.exe" ENABLE
C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\chrome_protect.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 0 -n 2 & del "C:\Users\Admin\AppData\Local\Temp\chrome_protect.exe"
C:\Windows\SysWOW64\PING.EXE
ping 0 -n 2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| FR | 88.168.211.65:6522 | | tcp |
| US | 8.8.8.8:53 | 65.211.168.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.73.50.20.in-addr.arpa | udp |
Files
memory/228-0-0x0000000074622000-0x0000000074623000-memory.dmp
memory/228-1-0x0000000074620000-0x0000000074BD1000-memory.dmp
memory/228-2-0x0000000074620000-0x0000000074BD1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\chrome_protect.exe
| MD5 | 7a94013c17dc892cea16fbae38646e43 |
| SHA1 | 8cf54c2ac961dd5c82cb3b07c3de317847aa94bb |
| SHA256 | cd35af0a0c71c382760409b7b2343c83857d89af55a0b365b72962f0f9c9a400 |
| SHA512 | 03df47db51270ca87172620e5475ce7a99e1fa1bd61e1956e4a0b28792d145b4e30d5b0d7b0737ea3ed331cecaecde78641b4828b1b9425153b1f9ac3de6f34a |
memory/228-12-0x0000000074620000-0x0000000074BD1000-memory.dmp
memory/3056-13-0x0000000074620000-0x0000000074BD1000-memory.dmp
memory/3056-14-0x0000000074620000-0x0000000074BD1000-memory.dmp
memory/3056-16-0x0000000074620000-0x0000000074BD1000-memory.dmp
memory/3056-17-0x0000000074620000-0x0000000074BD1000-memory.dmp
memory/3056-21-0x0000000074620000-0x0000000074BD1000-memory.dmp