Analysis Overview
SHA256
582d37ba8e276a3b0c302e3b832c5694f73a4c464198b9880849f53ecba46a1e
Threat Level: Known bad
The file why.exe was found to be: Known bad.
Malicious Activity Summary
Njrat family
Detect Umbral payload
njRAT/Bladabindi
Umbral
Drops file in Drivers directory
Command and Scripting Interpreter: PowerShell
Reads user/profile data of web browsers
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Detects videocard installed
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-29 21:46
Signatures
Njrat family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-29 21:46
Reported
2024-06-29 22:16
Platform
win11-20240508-en
Max time kernel
1792s
Max time network
1799s
Signatures
Detect Umbral payload
Umbral
njRAT/Bladabindi
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\54e52a90f3e74e7f87398aee7b5e0aea.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\25a8db45053e4be19e65afc0ca634a55.exe | N/A |
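Both dropped executables open C:\Windows\System32\drivers\etc\hosts for modification; the report records the file's hashes under Files but not what was written to it. The first thing a responder does with that is list every active mapping that is not the stock loopback entry. The script below is an added example in Python, not part of the report and not the malware's code: `parse_hosts` and `suspicious_hosts_entries` are names chosen here, the sample content is constructed (the `.example` names are placeholders, not domains this sample touched), and the real hosts file is read only when it exists on the machine running the script.

```python
"""Triage check for the Windows hosts file: report every mapping that is not
the stock loopback entry. Added example; SAMPLE_HOSTS is constructed."""
import ipaddress
import os

HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"
# Names the stock file maps to loopback; anything else pointed at loopback or
# the unspecified address is a sinkhole entry (classic AV/update-site blocking).
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}
SINKHOLES = {"0.0.0.0", "127.0.0.1", "::1", "::"}

# Constructed content: stock header plus four injected lines. The .example
# names are placeholders, not domains observed for this sample.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# 127.0.0.1       localhost
# ::1             localhost
127.0.0.1 localhost
0.0.0.0 av-vendor.example          # constructed sinkhole entry
0.0.0.0 updates.av-vendor.example
0.0.0.0\tsandbox.example.org
10.0.0.5 login.example.net         # constructed redirect entry
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every active mapping; comments and
    blank or malformed lines are skipped, several names per line are allowed."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # first field is not an address; ignore the line
        for name in parts[1:]:
            yield ip, name.lower(), n


def suspicious_hosts_entries(text):
    """Return (line_no, ip, name, kind) for every non-stock mapping.
    kind is 'sinkholed' (name nulled to loopback/0.0.0.0) or 'redirected'."""
    findings = []
    for ip, name, n in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        kind = "sinkholed" if ip in SINKHOLES else "redirected"
        findings.append((n, ip, name, kind))
    return findings


if __name__ == "__main__":
    if os.path.exists(HOSTS_PATH):
        with open(HOSTS_PATH, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for line_no, ip, name, kind in suspicious_hosts_entries(text):
        print(f"line {line_no}: {ip} -> {name} ({kind})")
```

A clean stock hosts file yields no output; the "File opened for modification" signature alone does not tell you whether anything was actually written, so compare the live file's hash with the one recorded under Files as well.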
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\54e52a90f3e74e7f87398aee7b5e0aea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\25a8db45053e4be19e65afc0ca634a55.exe | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\why.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\why.exe
"C:\Users\Admin\AppData\Local\Temp\why.exe"
C:\Users\Admin\AppData\Local\Temp\54e52a90f3e74e7f87398aee7b5e0aea.exe
"C:\Users\Admin\AppData\Local\Temp\54e52a90f3e74e7f87398aee7b5e0aea.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\54e52a90f3e74e7f87398aee7b5e0aea.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Users\Admin\AppData\Local\Temp\25a8db45053e4be19e65afc0ca634a55.exe
"C:\Users\Admin\AppData\Local\Temp\25a8db45053e4be19e65afc0ca634a55.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\25a8db45053e4be19e65afc0ca634a55.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004E4
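The command lines above carry the sample's whole host-side story: a dropped EXE in Temp adds itself to Defender's exclusion list, switches off real-time, IOAV and script scanning together with cloud reporting and sample submission, reads the Roblox .ROBLOSECURITY session cookie out of the registry (note HKLN:, which is not a PowerShell drive, so that second query errors out; the typo itself is a usable fingerprint), and collects machine UUID, OS caption, RAM, CPU and GPU through WMIC and PROCESSOR_IDENTIFIER. The Python below is an added example, not sandbox output and not code from the malware: it runs four detection rules over process-creation events (Sysmon event 1 style) constructed from the process list above. PIDs 1256 and 2388 are taken from the memory-dump names under Files and are assumed to be why.exe and the first dropped EXE; the other PIDs and all parent links are invented, and the rule and function names are this example's own.

```python
"""Detection rules over process-creation events built from this report's
process list. Added example: PIDs/parent links are assumed, not recorded."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    image: str
    detail: str


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WMIC = r"C:\Windows\System32\Wbem\wmic.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\54e52a90f3e74e7f87398aee7b5e0aea.exe"
TEMP_DIR = "\\appdata\\local\\temp\\"

# Constructed events; command lines are the ones recorded in the report.
SAMPLE_EVENTS = [
    dict(pid=1256, ppid=900, image=r"C:\Users\Admin\AppData\Local\Temp\why.exe",
         cmdline=r'"C:\Users\Admin\AppData\Local\Temp\why.exe"'),
    dict(pid=2388, ppid=1256, image=DROPPED, cmdline=f'"{DROPPED}"'),
    dict(pid=3001, ppid=2388, image=WMIC, cmdline='"wmic.exe" csproduct get uuid'),
    dict(pid=3002, ppid=2388, image=PS,
         cmdline=f"\"powershell.exe\" Add-MpPreference -ExclusionPath '{DROPPED}'"),
    dict(pid=3003, ppid=2388, image=PS,
         cmdline='"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true '
                 '-DisableIOAVProtection $true -DisableRealtimeMonitoring $true '
                 '-DisableScriptScanning $true -EnableControlledFolderAccess Disabled '
                 '-EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled '
                 '-SubmitSamplesConsent NeverSend && powershell Set-MpPreference '
                 '-SubmitSamplesConsent 2'),
    dict(pid=3004, ppid=2388, image=PS,
         cmdline=r'"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox'
                 r'\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY'),
    dict(pid=3005, ppid=2388, image=PS,
         cmdline=r'"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox'
                 r'\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY'),
    dict(pid=3006, ppid=2388, image=WMIC, cmdline='"wmic.exe" os get Caption'),
    dict(pid=3007, ppid=2388, image=WMIC,
         cmdline='"wmic.exe" computersystem get totalphysicalmemory'),
    dict(pid=3008, ppid=2388, image=PS,
         cmdline=r'"powershell.exe" Get-ItemPropertyValue -Path '
                 r"'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' "
                 r'-Name PROCESSOR_IDENTIFIER'),
    dict(pid=3009, ppid=2388, image=WMIC, cmdline='"wmic" path win32_VideoController get name'),
    dict(pid=3010, ppid=900, image=r"C:\Windows\system32\AUDIODG.EXE",  # benign control
         cmdline=r"C:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004E4"),
]

# Set-MpPreference switches that weaken Defender: -Disable* $true, Disabled,
# AuditMode, NeverSend, or a bare numeric enum value such as 2.
MP_SETTING = re.compile(r"-(\w+)\s+(\$true|Disabled|AuditMode|NeverSend|\d)\b", re.I)
COOKIE_HIVE = re.compile(r"-Path\s+'?(\w+):", re.I)
FINGERPRINT = {
    "machine_uuid": re.compile(r"csproduct\s+get\s+uuid", re.I),
    "os_caption": re.compile(r"\bos\s+get\s+caption", re.I),
    "physical_memory": re.compile(r"computersystem\s+get\s+totalphysicalmemory", re.I),
    "gpu_name": re.compile(r"win32_videocontroller\s+get\s+name", re.I),
    "cpu_id": re.compile(r"PROCESSOR_IDENTIFIER", re.I),
}


def rule_defender_tamper(ev):
    """Defender exclusion added or protections disabled from a command line."""
    cl = ev["cmdline"]
    if not ev["image"].lower().endswith("powershell.exe"):
        return None
    if re.search(r"Add-MpPreference.*-ExclusionPath", cl, re.I):
        return Finding("defender_exclusion_added", ev["pid"], ev["image"],
                       cl.split("-ExclusionPath", 1)[1].strip())
    if re.search(r"Set-MpPreference", cl, re.I):
        settings = sorted({m.group(1) for m in MP_SETTING.finditer(cl)})
        return Finding("defender_protection_disabled", ev["pid"], ev["image"], ",".join(settings))
    return None


def rule_cookie_registry_read(ev):
    """Roblox session cookie read from the registry with Get-ItemPropertyValue."""
    cl = ev["cmdline"]
    if not (re.search(r"Get-ItemPropertyValue", cl, re.I) and ".ROBLOSECURITY" in cl.upper()):
        return None
    m = COOKIE_HIVE.search(cl)
    hive = m.group(1).upper() if m else "?"
    note = "" if hive in ("HKCU", "HKLM") else " (not a PowerShell drive: query fails, typo is a fingerprint)"
    return Finding("roblox_cookie_registry_read", ev["pid"], ev["image"], hive + note)


def rule_hardware_fingerprint(events, threshold=3):
    """Several distinct hardware/OS queries under one parent: host fingerprinting,
    which no single benign WMIC call would trigger."""
    image_of = {ev["pid"]: ev["image"] for ev in events}
    per_parent = defaultdict(set)
    for ev in events:
        for label, rx in FINGERPRINT.items():
            if rx.search(ev["cmdline"]):
                per_parent[ev["ppid"]].add(label)
    return [Finding("hardware_fingerprinting", ppid, image_of.get(ppid, "?"), ",".join(sorted(labels)))
            for ppid, labels in per_parent.items() if len(labels) >= threshold]


def rule_dropped_exe_from_temp(events):
    """An EXE in the user's Temp directory started by another Temp EXE."""
    by_pid = {ev["pid"]: ev for ev in events}
    out = []
    for ev in events:
        parent = by_pid.get(ev["ppid"])
        if parent and TEMP_DIR in ev["image"].lower() and TEMP_DIR in parent["image"].lower():
            out.append(Finding("dropped_exe_executed", ev["pid"], ev["image"], "parent=" + parent["image"]))
    return out


def analyze(events):
    findings = []
    for ev in events:
        for rule in (rule_defender_tamper, rule_cookie_registry_read):
            f = rule(ev)
            if f:
                findings.append(f)
    findings += rule_hardware_fingerprint(events)
    findings += rule_dropped_exe_from_temp(events)
    return findings


def summarize(findings):
    counts = defaultdict(int)
    for f in findings:
        counts[f.rule] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.rule:30} pid={f.pid:<5} {f.detail}")
```

The Defender rule reports which switches were flipped rather than just "Set-MpPreference seen", which is what an analyst needs to decide whether real-time protection has to be re-enabled on the host; the fingerprinting rule keys on the parent so that the five separate wmic/powershell children collapse into one finding against the dropped EXE.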
Network
The repeated TCP connections to 147.185.221.20:26916, resolved from away-displays.gl.at.ply.gg (ply.gg is the playit.gg tunnelling service, so the operator's own address sits behind the tunnel provider), are the persistent C2 channel. The ip-api.com requests and the discord.com connections correspond to the external-IP lookup and the legitimate-hosting-service signatures above. The table does not attribute connections to processes, so gstatic.com and the 8.8.8.8 DNS queries cannot be tied to a specific binary from this report alone.
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | away-displays.gl.at.ply.gg | udp |
| US | 147.185.221.20:26916 | away-displays.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 20.221.185.147.in-addr.arpa | udp |
| US | 147.185.221.20:26916 | away-displays.gl.at.ply.gg | tcp |
| US | 147.185.221.20:26916 | away-displays.gl.at.ply.gg | tcp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 147.185.221.20:26916 | away-displays.gl.at.ply.gg | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 147.185.221.20:26916 | away-displays.gl.at.ply.gg | tcp |
| US | 147.185.221.20:26916 | away-displays.gl.at.ply.gg | tcp |
| US | 147.185.221.20:26916 | away-displays.gl.at.ply.gg | tcp |
| US | 147.185.221.20:26916 | away-displays.gl.at.ply.gg | tcp |
| US | 147.185.221.20:26916 | away-displays.gl.at.ply.gg | tcp |
Files
memory/1256-0-0x0000000074FA1000-0x0000000074FA2000-memory.dmp
memory/1256-1-0x0000000074FA0000-0x0000000075551000-memory.dmp
memory/1256-2-0x0000000074FA0000-0x0000000075551000-memory.dmp
memory/1256-3-0x0000000074FA0000-0x0000000075551000-memory.dmp
memory/1256-4-0x0000000074FA0000-0x0000000075551000-memory.dmp
memory/1256-5-0x0000000074FA0000-0x0000000075551000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\54e52a90f3e74e7f87398aee7b5e0aea.exe
| MD5 | 5a7312e138d96f277f33e98930e94e0d |
| SHA1 | 21a0a97613c6d75d1779f9d8ac0ac3f4ad4e9420 |
| SHA256 | 31965352ee1b9b8c5a6f3758319806641f5e2f0272f9da39523a55a40c686e82 |
| SHA512 | 43192a21c3a35451ef441931b87377b785c2bdab5f52f9943e097615dee30d5ac83a00410a4d7515bf138ff5e5c16cd44048afbf2dbc98a0fd67348260ca6db5 |
memory/2388-17-0x00007FF994853000-0x00007FF994855000-memory.dmp
memory/2388-18-0x000002D29C2B0000-0x000002D29C2F0000-memory.dmp
memory/2388-19-0x00007FF994850000-0x00007FF995312000-memory.dmp
memory/5012-20-0x00000266BAC70000-0x00000266BAC92000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dv5k4k5f.5sw.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 627073ee3ca9676911bee35548eff2b8 |
| SHA1 | 4c4b68c65e2cab9864b51167d710aa29ebdcff2e |
| SHA256 | 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c |
| SHA512 | 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1a9fa92a4f2e2ec9e244d43a6a4f8fb9 |
| SHA1 | 9910190edfaccece1dfcc1d92e357772f5dae8f7 |
| SHA256 | 0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888 |
| SHA512 | 5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64 |
memory/2388-44-0x000002D2B6A70000-0x000002D2B6AE6000-memory.dmp
memory/2388-45-0x000002D2B6AF0000-0x000002D2B6B40000-memory.dmp
memory/2388-46-0x000002D2B6A00000-0x000002D2B6A1E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 75750301db717dee0ddce4939072ec41 |
| SHA1 | d4a763f4ced8ff5be9df24e0d6ec676a7a080527 |
| SHA256 | abfcadfc1dab687291dec5402f5472132f4d2460e85a498a37efa5ac9dc09888 |
| SHA512 | e02fbfc783aeb85a16422baf6df381b88415a89a29316695e48c1edb65745ec801759e276803207645d59b81e3ad38f584caad824772035ee6ce46c333f75ce3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7332074ae2b01262736b6fbd9e100dac |
| SHA1 | 22f992165065107cc9417fa4117240d84414a13c |
| SHA256 | baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa |
| SHA512 | 4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2 |
memory/2388-80-0x000002D2B6A30000-0x000002D2B6A3A000-memory.dmp
memory/2388-81-0x000002D2B6D00000-0x000002D2B6D12000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 10254f48b63b60ae6245903153592e48 |
| SHA1 | 2c300d1c60c50e8896705022bc402c423681f40a |
| SHA256 | b3778ffb5260878714023fd1abc70c4e850b5397c2b32a3975b1ff28bfd96c69 |
| SHA512 | 6a7e7844c47a07bc8fd0b59267f0d1bac460f672ada93131edd65ca2eb33159de9f6291a1acde745f32991b364e9ceac697f2dfcf1a2696b51a9120dd7af77d4 |
memory/2388-98-0x000002D2B6B40000-0x000002D2B6CF3000-memory.dmp
memory/2388-99-0x00007FF994850000-0x00007FF995312000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 058a25b312ffea0ff1cb92e5f61700f3 |
| SHA1 | 8391dae04f8726767497295e1d72f0c3b8c0eb05 |
| SHA256 | aa438b045e4fc715a9d7ea753f7a00b1ecd5b3a83fee4a914ad67924f927ab42 |
| SHA512 | 3a77952a36d49d47586f7751accd06ffc49a12361e4de14c03fd755c31dc21fe5edc0cc9e4052ab4105b58121c8c07802a7fc288874ef11467d41c652ac82739 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | fcbfea2bed3d0d2533fe957f0f83e35c |
| SHA1 | 70ca46e89e31d8918c482848cd566090aaffd910 |
| SHA256 | e97f54e5237ffeca4c9a6454f73690b98ac33e03c201f9f7e465394ecbc3ea38 |
| SHA512 | d382453207d961f63624ba4c5a0dea874e6b942f5cad731c262a44371fb25b309eacf608156e0234169e52337796128312e72edb0290c48f56104fe5e52509a6 |
C:\Windows\System32\drivers\etc\hosts
| MD5 | 4028457913f9d08b06137643fe3e01bc |
| SHA1 | a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14 |
| SHA256 | 289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58 |
| SHA512 | c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4f5f260adddac5f80eb2d1c0784a2e24 |
| SHA1 | 8719894ff1664202f9e228c55f94d62dcaf12cce |
| SHA256 | 7b41d9c769cb20c7ad73e7afa44f964fd7fe66be45d2b0a2ef438dc985433202 |
| SHA512 | aa4a23298fda2e7bd6168bcb25b4a215616bccf73705e3566b6b576bf33bb9336682ace3354643332c940c5ee02eef59682a77447ba2f94e97ae0b4722ef0ba7 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0ac871344dc49ae49f13f0f88acb4868 |
| SHA1 | 5a073862375c7e79255bb0eab32c635b57a77f98 |
| SHA256 | 688f15b59a784f6f4c62554f00b5d0840d1489cef989c18126c70dfee0806d37 |
| SHA512 | ace5c50303bd27998607cf34ac4322bcf5edfbd19bbb24309acf4d037b6f3f7636c7c14b6ac0b924114e036252d3a1b998951c7068f41548728fa5d92f5f9006 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 60a84ea8f3888e51bb0fe4856926a639 |
| SHA1 | 43848b5a831f8fe7623694b36b17554b83770269 |
| SHA256 | 5d219511d1091f4dc52ef6664815bcacf013c76b695bf2195aa439a6cc431504 |
| SHA512 | f6381deedc9612c96914173d948bd601192256c1b65a6b6be3c6664de84df64fb8740fa0205846e0380305bf5442e52991d134ff94b8edc899775befcc4a86ba |
memory/972-180-0x000001BDB3FA0000-0x000001BDB4153000-memory.dmp
memory/972-184-0x000001BDB3FA0000-0x000001BDB4153000-memory.dmp
memory/1256-185-0x00000000017D0000-0x00000000017E0000-memory.dmp
memory/1256-186-0x00000000017D0000-0x00000000017E0000-memory.dmp