Malware Analysis Report

2025-01-22 13:07

Sample ID: 240717-cmweds1emr
Target: 4e81520a221d951351cac30d3fc04010N.exe
SHA256: 4a14d176975457c1743b9bdc212a46a81ecfdeb4a1d10702e678d93a08aa9675
Tags: njrat evasion persistence privilege_escalation trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 4a14d176975457c1743b9bdc212a46a81ecfdeb4a1d10702e678d93a08aa9675
Threat Level: Known bad

The file 4e81520a221d951351cac30d3fc04010N.exe was found to be: Known bad.

Malicious Activity Summary

njrat evasion persistence privilege_escalation trojan

njRAT/Bladabindi

Modifies Windows Firewall

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-07-17 02:12

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-17 02:12
Reported: 2024-07-17 02:14
Platform: win7-20240705-en
Max time kernel: 119s
Max time network: 114s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4e81520a221d951351cac30d3fc04010N.exe"

Signatures

njRAT/Bladabindi

Tags: trojan njrat

Modifies Windows Firewall

Tags: evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.dll N/A
N/A N/A C:\Users\Admin\AppData\Roaming\WindowsServices.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e81520a221d951351cac30d3fc04010N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.dll N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

Tags: persistence privilege_escalation

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\WindowsServices.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\WindowsServices.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\WindowsServices.exe N/A
(the last two rows are repeated 13 times in the original report)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e81520a221d951351cac30d3fc04010N.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2036 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\4e81520a221d951351cac30d3fc04010N.exe C:\Users\Admin\AppData\Local\Temp\0.dll
PID 2064 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\0.dll C:\Users\Admin\AppData\Roaming\WindowsServices.exe
PID 2080 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Roaming\WindowsServices.exe C:\Windows\SysWOW64\netsh.exe
(each row is repeated 4 times in the original report)

Processes

C:\Users\Admin\AppData\Local\Temp\4e81520a221d951351cac30d3fc04010N.exe
  "C:\Users\Admin\AppData\Local\Temp\4e81520a221d951351cac30d3fc04010N.exe"

C:\Users\Admin\AppData\Local\Temp\0.dll
  C:\Users\Admin\AppData\Local\Temp\0.dll

C:\Users\Admin\AppData\Roaming\WindowsServices.exe
  "C:\Users\Admin\AppData\Roaming\WindowsServices.exe"

C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\WindowsServices.exe" "WindowsServices.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 organizations-ears.gl.at.ply.gg udp
US 147.185.221.19:7000 organizations-ears.gl.at.ply.gg tcp
(the tcp row is repeated 5 times in the original report)

Files

\Users\Admin\AppData\Local\Temp\0.dll
MD5 ec1df996ce4595fefc6721cb08196f40
SHA1 303d1c0b53523f1b9875e364467989d3d1a80d52
SHA256 45821bd67ff13aedf5d2fc0f7aecc5a8cd009980b5e7a8b3a9a731a23580b78c
SHA512 4f4bb288fa7748125ae7ac009785ab5a7c7e224499ce803fcd92796ce7a751eeca3c9d62906bdf53c5fd88d73e7c040a3969c35b4f4fb1191115a354aa22c2e3

memory/2064-8-0x00000000744A1000-0x00000000744A2000-memory.dmp
memory/2064-9-0x00000000744A0000-0x0000000074A4B000-memory.dmp
memory/2064-10-0x00000000744A0000-0x0000000074A4B000-memory.dmp
memory/2064-20-0x00000000744A0000-0x0000000074A4B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-07-17 02:12
Reported: 2024-07-17 02:14
Platform: win10v2004-20240709-en
Max time kernel: 120s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4e81520a221d951351cac30d3fc04010N.exe"

Signatures

njRAT/Bladabindi

Tags: trojan njrat

Modifies Windows Firewall

Tags: evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0.dll N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.dll N/A
N/A N/A C:\Users\Admin\AppData\Roaming\WindowsServices.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

Tags: persistence privilege_escalation

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\WindowsServices.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\WindowsServices.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\WindowsServices.exe N/A
(the last two rows are repeated 13 times in the original report)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e81520a221d951351cac30d3fc04010N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4e81520a221d951351cac30d3fc04010N.exe
  "C:\Users\Admin\AppData\Local\Temp\4e81520a221d951351cac30d3fc04010N.exe"

C:\Users\Admin\AppData\Local\Temp\0.dll
  C:\Users\Admin\AppData\Local\Temp\0.dll

C:\Users\Admin\AppData\Roaming\WindowsServices.exe
  "C:\Users\Admin\AppData\Roaming\WindowsServices.exe"

C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\WindowsServices.exe" "WindowsServices.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 organizations-ears.gl.at.ply.gg udp
US 147.185.221.19:7000 organizations-ears.gl.at.ply.gg tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 147.185.221.19:7000 organizations-ears.gl.at.ply.gg tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 147.185.221.19:7000 organizations-ears.gl.at.ply.gg tcp
NL 52.111.243.29:443 N/A tcp
US 147.185.221.19:7000 organizations-ears.gl.at.ply.gg tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
(the tse1.mm.bing.net tcp row is repeated 5 times in the original report)
US 147.185.221.19:7000 organizations-ears.gl.at.ply.gg tcp

Files

C:\Users\Admin\AppData\Local\Temp\0.dll
MD5 ec1df996ce4595fefc6721cb08196f40
SHA1 303d1c0b53523f1b9875e364467989d3d1a80d52
SHA256 45821bd67ff13aedf5d2fc0f7aecc5a8cd009980b5e7a8b3a9a731a23580b78c
SHA512 4f4bb288fa7748125ae7ac009785ab5a7c7e224499ce803fcd92796ce7a751eeca3c9d62906bdf53c5fd88d73e7c040a3969c35b4f4fb1191115a354aa22c2e3

memory/4804-6-0x0000000074D92000-0x0000000074D93000-memory.dmp
memory/4804-7-0x0000000074D90000-0x0000000075341000-memory.dmp
memory/4804-8-0x0000000074D90000-0x0000000075341000-memory.dmp
memory/4804-20-0x0000000074D90000-0x0000000075341000-memory.dmp
memory/4428-21-0x0000000074D90000-0x0000000075341000-memory.dmp
memory/4428-22-0x0000000074D90000-0x0000000075341000-memory.dmp
memory/4428-23-0x0000000074D90000-0x0000000075341000-memory.dmp