Malware Analysis Report

2025-01-22 13:16

Sample ID 240716-1vrm6svdqh
Target winmod.exe
SHA256 1ef86b1cfa7e45f6602e24a18e76d5e556f781abb0acf18f92eaca95bb53e25d
Tags: njrat evasion persistence privilege_escalation trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256 1ef86b1cfa7e45f6602e24a18e76d5e556f781abb0acf18f92eaca95bb53e25d

Threat Level: Known bad

The file winmod.exe was found to be: Known bad.

Malicious Activity Summary

njrat evasion persistence privilege_escalation trojan

njRAT/Bladabindi

Modifies Windows Firewall

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-07-16 21:58

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-16 21:58
Reported: 2024-07-16 22:08
Platform: win10v2004-20240709-en
Max time kernel: 600s
Max time network: 586s

Command Line

"C:\Users\Admin\AppData\Local\Temp\winmod.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\winmod.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Windows\WindowsHealthChecker.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7799a186f618ba54cc458f7422abc774 = "\"C:\\Windows\\WindowsHealthChecker.exe\" .." | C:\Windows\WindowsHealthChecker.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\7799a186f618ba54cc458f7422abc774 = "\"C:\\Windows\\WindowsHealthChecker.exe\" .." | C:\Windows\WindowsHealthChecker.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\WindowsHealthChecker.exe | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\timeout.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2648 wrote to memory of 956 | N/A | C:\Users\Admin\AppData\Local\Temp\winmod.exe | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe
PID 2648 wrote to memory of 956 | N/A | C:\Users\Admin\AppData\Local\Temp\winmod.exe | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe
PID 2648 wrote to memory of 956 | N/A | C:\Users\Admin\AppData\Local\Temp\winmod.exe | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe
PID 2648 wrote to memory of 2596 | N/A | C:\Users\Admin\AppData\Local\Temp\winmod.exe | C:\Windows\system32\cmd.exe
PID 2648 wrote to memory of 2596 | N/A | C:\Users\Admin\AppData\Local\Temp\winmod.exe | C:\Windows\system32\cmd.exe
PID 2596 wrote to memory of 4708 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2596 wrote to memory of 4708 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 956 wrote to memory of 3852 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | C:\Windows\WindowsHealthChecker.exe
PID 956 wrote to memory of 3852 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | C:\Windows\WindowsHealthChecker.exe
PID 956 wrote to memory of 3852 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | C:\Windows\WindowsHealthChecker.exe
PID 2648 wrote to memory of 2908 | N/A | C:\Users\Admin\AppData\Local\Temp\winmod.exe | C:\Windows\system32\cmd.exe
PID 2648 wrote to memory of 2908 | N/A | C:\Users\Admin\AppData\Local\Temp\winmod.exe | C:\Windows\system32\cmd.exe
PID 2908 wrote to memory of 2052 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe
PID 2908 wrote to memory of 2052 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe
PID 3852 wrote to memory of 2132 | N/A | C:\Windows\WindowsHealthChecker.exe | C:\Windows\SysWOW64\netsh.exe
PID 3852 wrote to memory of 2132 | N/A | C:\Windows\WindowsHealthChecker.exe | C:\Windows\SysWOW64\netsh.exe
PID 3852 wrote to memory of 2132 | N/A | C:\Windows\WindowsHealthChecker.exe | C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\winmod.exe

"C:\Users\Admin\AppData\Local\Temp\winmod.exe"

C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe

"C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fakecmd.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell

C:\Windows\WindowsHealthChecker.exe

"C:\Windows\WindowsHealthChecker.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1E8F.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\WindowsHealthChecker.exe" "WindowsHealthChecker.exe" ENABLE

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
FR | 88.168.211.65:6522 | (none) | tcp
US | 8.8.8.8:53 | 65.211.168.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp
US | 8.8.8.8:53 | 106.246.116.51.in-addr.arpa | udp

Files

memory/2648-0-0x00007FFD378A3000-0x00007FFD378A5000-memory.dmp

memory/2648-1-0x0000000000C80000-0x0000000000C96000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe

MD5 b075f9e4015e2f43154b9903d9ec5fb5
SHA1 0717b04115360a6d1d4451c90d0f6b0f781d249f
SHA256 103cb14f2460de6ef7c780becc87bac0599bdd0527e176c0ec87aad2397b57e6
SHA512 4f71a17234a0078733bd61fa80bd3463341dda0c1ac31ac9c496efd528ecd8657cf206160d6b9205e4fab6aa3b10fdd8f1764bc574223c63a38213735fd3939b

memory/2648-7-0x00007FFD378A0000-0x00007FFD38361000-memory.dmp

memory/956-14-0x0000000074A92000-0x0000000074A93000-memory.dmp

memory/956-15-0x0000000074A90000-0x0000000075041000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fakecmd.bat

MD5 f96d7ee1c050f915b080bd319564c817
SHA1 6f095907e07e178f9063a01020caf2921d982c7a
SHA256 5d92d1af825219719e4009d70a50a63a8ed5e51e2faf79e2e83bc212e55cad21
SHA512 69e2dbafd04bbae273c957bb6a2afbfc9910a45c3223a00e88975a42c24ee544458f51a43eb39cd12af15cc852779d3c8ede83331b0a159086bc849e69c031bd

memory/956-17-0x0000000074A90000-0x0000000075041000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_02vvr1wk.dfc.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4708-27-0x0000022BC6470000-0x0000022BC6492000-memory.dmp

memory/4708-28-0x0000022BC6740000-0x0000022BC6784000-memory.dmp

memory/4708-29-0x0000022BC6BB0000-0x0000022BC6C26000-memory.dmp

memory/956-39-0x0000000074A90000-0x0000000075041000-memory.dmp

memory/2648-43-0x00007FFD378A0000-0x00007FFD38361000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp1E8F.tmp.bat

MD5 8cff3aae0d66b9f7f96c72ca739e4265
SHA1 2036d44488fcd3ebf6c152d24ac33c77a71c0500
SHA256 07a636a72068ed19b8c89997d227fd335a324da64b6d97a77b38e6a9b9a5a1cb
SHA512 acf0abd33354afa1dc3c8e72a40172ac57e46cbc24cfade8611e9eae533453884ee5bf751b160eecec26777a60f0ea53c237d74dee56d90ab047e8d9b8453aef

Analysis: behavioral2

Detonation Overview

Submitted: 2024-07-16 21:58
Reported: 2024-07-16 22:08
Platform: win11-20240709-en
Max time kernel: 600s
Max time network: 601s

Command Line

"C:\Users\Admin\AppData\Local\Temp\winmod.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Windows\WindowsHealthChecker.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000\Software\Microsoft\Windows\CurrentVersion\Run\7799a186f618ba54cc458f7422abc774 = "\"C:\\Windows\\WindowsHealthChecker.exe\" .." | C:\Windows\WindowsHealthChecker.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\7799a186f618ba54cc458f7422abc774 = "\"C:\\Windows\\WindowsHealthChecker.exe\" .." | C:\Windows\WindowsHealthChecker.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\WindowsHealthChecker.exe | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\timeout.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\WindowsHealthChecker.exe | N/A
Token: 33 | N/A | C:\Windows\WindowsHealthChecker.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 5612 wrote to memory of 2376 | N/A | C:\Users\Admin\AppData\Local\Temp\winmod.exe | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe
PID 5612 wrote to memory of 2376 | N/A | C:\Users\Admin\AppData\Local\Temp\winmod.exe | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe
PID 5612 wrote to memory of 2376 | N/A | C:\Users\Admin\AppData\Local\Temp\winmod.exe | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe
PID 5612 wrote to memory of 724 | N/A | C:\Users\Admin\AppData\Local\Temp\winmod.exe | C:\Windows\system32\cmd.exe
PID 5612 wrote to memory of 724 | N/A | C:\Users\Admin\AppData\Local\Temp\winmod.exe | C:\Windows\system32\cmd.exe
PID 724 wrote to memory of 1584 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 724 wrote to memory of 1584 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5612 wrote to memory of 6024 | N/A | C:\Users\Admin\AppData\Local\Temp\winmod.exe | C:\Windows\system32\cmd.exe
PID 5612 wrote to memory of 6024 | N/A | C:\Users\Admin\AppData\Local\Temp\winmod.exe | C:\Windows\system32\cmd.exe
PID 6024 wrote to memory of 2372 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe
PID 6024 wrote to memory of 2372 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe
PID 2376 wrote to memory of 1568 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | C:\Windows\WindowsHealthChecker.exe
PID 2376 wrote to memory of 1568 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | C:\Windows\WindowsHealthChecker.exe
PID 2376 wrote to memory of 1568 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe | C:\Windows\WindowsHealthChecker.exe
PID 1568 wrote to memory of 2924 | N/A | C:\Windows\WindowsHealthChecker.exe | C:\Windows\SysWOW64\netsh.exe
PID 1568 wrote to memory of 2924 | N/A | C:\Windows\WindowsHealthChecker.exe | C:\Windows\SysWOW64\netsh.exe
PID 1568 wrote to memory of 2924 | N/A | C:\Windows\WindowsHealthChecker.exe | C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\winmod.exe

"C:\Users\Admin\AppData\Local\Temp\winmod.exe"

C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe

"C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fakecmd.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC4A8.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Windows\WindowsHealthChecker.exe

"C:\Windows\WindowsHealthChecker.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\WindowsHealthChecker.exe" "WindowsHealthChecker.exe" ENABLE

Network

Country | Destination | Domain | Proto
FR | 88.168.211.65:6522 | (none) | tcp
US | 8.8.8.8:53 | 65.211.168.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp

Files

memory/5612-0-0x00007FF8E5DB3000-0x00007FF8E5DB5000-memory.dmp

memory/5612-1-0x0000000000080000-0x0000000000096000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe

MD5 b075f9e4015e2f43154b9903d9ec5fb5
SHA1 0717b04115360a6d1d4451c90d0f6b0f781d249f
SHA256 103cb14f2460de6ef7c780becc87bac0599bdd0527e176c0ec87aad2397b57e6
SHA512 4f71a17234a0078733bd61fa80bd3463341dda0c1ac31ac9c496efd528ecd8657cf206160d6b9205e4fab6aa3b10fdd8f1764bc574223c63a38213735fd3939b

memory/5612-7-0x00007FF8E5DB0000-0x00007FF8E6872000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fakecmd.bat

MD5 f96d7ee1c050f915b080bd319564c817
SHA1 6f095907e07e178f9063a01020caf2921d982c7a
SHA256 5d92d1af825219719e4009d70a50a63a8ed5e51e2faf79e2e83bc212e55cad21
SHA512 69e2dbafd04bbae273c957bb6a2afbfc9910a45c3223a00e88975a42c24ee544458f51a43eb39cd12af15cc852779d3c8ede83331b0a159086bc849e69c031bd

memory/1584-15-0x00007FF8E5DB0000-0x00007FF8E6872000-memory.dmp

memory/1584-21-0x00000291B46F0000-0x00000291B4712000-memory.dmp

memory/1584-25-0x00007FF8E5DB0000-0x00007FF8E6872000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r33n4bw5.qyu.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1584-26-0x00007FF8E5DB0000-0x00007FF8E6872000-memory.dmp

memory/2376-27-0x0000000001550000-0x0000000001560000-memory.dmp

memory/1584-28-0x00000291B47E0000-0x00000291B4826000-memory.dmp

memory/5612-32-0x00007FF8E5DB0000-0x00007FF8E6872000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpC4A8.tmp.bat

MD5 2c105f681ae1a0e723950cc3e2a82493
SHA1 49b71cb4136f5dd41ad5e8d80dffd45fba3151ff
SHA256 61b1529891bd415a2e677a3c0221f9ba298c9bce49748580b17b610dc8c30cfc
SHA512 e5c2d8c7e060a985beaecf002e838e11aa2689e7eced7eab5d2e7aa510d4a76d581d1539018e14871758459899e6b038617b54af69344b141053faa1fd76bcf0

memory/1584-44-0x00007FF8E5DB0000-0x00007FF8E6872000-memory.dmp