Analysis Overview
SHA256
4a14d176975457c1743b9bdc212a46a81ecfdeb4a1d10702e678d93a08aa9675
Threat Level: Known bad
The file 4e81520a221d951351cac30d3fc04010N.exe was found to be: Known bad.
Malicious Activity Summary
njRAT/Bladabindi
Modifies Windows Firewall
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Unsigned PE
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-17 02:12
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-17 02:12
Reported
2024-07-17 02:14
Platform
win7-20240705-en
Max time kernel
119s
Max time network
114s
Command Line
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0.dll | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WindowsServices.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4e81520a221d951351cac30d3fc04010N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0.dll | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
Note: every netsh.exe launch opens and enumerates this key to load its registered helper DLLs. The operations recorded here are reads only, produced by the firewall command listed under Processes; no value is written to the key, so this signature reflects the netsh invocation rather than a helper DLL being registered for persistence (T1546.007).
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4e81520a221d951351cac30d3fc04010N.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4e81520a221d951351cac30d3fc04010N.exe
"C:\Users\Admin\AppData\Local\Temp\4e81520a221d951351cac30d3fc04010N.exe"
C:\Users\Admin\AppData\Local\Temp\0.dll
C:\Users\Admin\AppData\Local\Temp\0.dll
C:\Users\Admin\AppData\Roaming\WindowsServices.exe
"C:\Users\Admin\AppData\Roaming\WindowsServices.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\WindowsServices.exe" "WindowsServices.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | organizations-ears.gl.at.ply.gg | udp |
| US | 147.185.221.19:7000 | organizations-ears.gl.at.ply.gg | tcp |
| US | 147.185.221.19:7000 | organizations-ears.gl.at.ply.gg | tcp |
| US | 147.185.221.19:7000 | organizations-ears.gl.at.ply.gg | tcp |
| US | 147.185.221.19:7000 | organizations-ears.gl.at.ply.gg | tcp |
| US | 147.185.221.19:7000 | organizations-ears.gl.at.ply.gg | tcp |
Files
\Users\Admin\AppData\Local\Temp\0.dll
| MD5 | ec1df996ce4595fefc6721cb08196f40 |
| SHA1 | 303d1c0b53523f1b9875e364467989d3d1a80d52 |
| SHA256 | 45821bd67ff13aedf5d2fc0f7aecc5a8cd009980b5e7a8b3a9a731a23580b78c |
| SHA512 | 4f4bb288fa7748125ae7ac009785ab5a7c7e224499ce803fcd92796ce7a751eeca3c9d62906bdf53c5fd88d73e7c040a3969c35b4f4fb1191115a354aa22c2e3 |
memory/2064-8-0x00000000744A1000-0x00000000744A2000-memory.dmp
memory/2064-9-0x00000000744A0000-0x0000000074A4B000-memory.dmp
memory/2064-10-0x00000000744A0000-0x0000000074A4B000-memory.dmp
memory/2064-20-0x00000000744A0000-0x0000000074A4B000-memory.dmp
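The three behaviours worth alerting on in this run are the firewall exception for a binary under AppData, the reads of the NetSh helper key (which must be told apart from a real helper DLL registration), and the traffic to the ply.gg host on port 7000. The script below is an added example, not sandbox output and not code from the sample; it encodes those three checks as triage rules and runs them over event records constructed from the rows above. The Event field names (image, cmdline, op, key, domain, dst, port) are an assumed schema rather than any real sandbox or EDR format. It generalises beyond the report in two places: it also parses the modern `netsh advfirewall firewall add rule ... program=` syntax, and it treats only write operations on the NetSh key as persistence. The observation that *.ply.gg hostnames come from the playit.gg tunnelling service is background knowledge, not something the report states.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators copied from the report's behavioral runs.
C2_DOMAIN = "organizations-ears.gl.at.ply.gg"
C2_IP = "147.185.221.19"
C2_PORT = 7000

# *.ply.gg hostnames are issued by the playit.gg tunnelling service (background
# knowledge, not stated in the report); operators use it to expose a C2 listener.
TUNNEL_SUFFIXES = (".ply.gg",)

# Directories a user can write to; a genuine Windows service binary is not installed here.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)

# Legacy syntax used by the sample ("netsh firewall add allowedprogram <path> <name> ENABLE")
# and the modern "netsh advfirewall firewall add rule ... program=<path>" form (assumed extension).
LEGACY_ALLOW = re.compile(
    r'firewall\s+add\s+allowedprogram\s+(?:program=)?(?:"([^"]+)"|(\S+))', re.I)
ADVFW_ALLOW = re.compile(
    r'advfirewall\s+firewall\s+add\s+rule\b.*?\bprogram=(?:"([^"]+)"|(\S+))', re.I)

# HKLM\SOFTWARE\Microsoft\NetSh (or its Wow6432Node mirror) lists netsh helper DLLs.
NETSH_HELPER_KEY = re.compile(r"\\Microsoft\\NetSh$", re.I)
# Only these change the helper list; open/query/enumerate is what every netsh.exe
# launch does while loading helpers, and is all the report shows.
WRITE_OPS = {"key value set", "key created", "key value created"}


@dataclass
class Event:
    """Minimal event record; field names are an assumed schema, not a real format."""
    kind: str            # "process", "registry" or "network"
    image: str = ""
    cmdline: str = ""
    op: str = ""
    key: str = ""
    domain: str = ""
    dst: str = ""
    port: int = 0


def firewall_exception_path(cmdline: str) -> Optional[str]:
    """Program path granted a firewall exception by this netsh command, if any."""
    for rx in (LEGACY_ALLOW, ADVFW_ALLOW):
        m = rx.search(cmdline)
        if m:
            return m.group(1) or m.group(2)
    return None


def check_process(ev: Event) -> List[str]:
    findings = []
    if not ev.image.lower().endswith("\\netsh.exe"):
        return findings
    path = firewall_exception_path(ev.cmdline)
    if path and USER_WRITABLE.search(path):
        findings.append(f"firewall exception for user-writable binary: {path}")
    if re.search(r"\badd\s+helper\b", ev.cmdline, re.I):
        findings.append("netsh helper DLL registered via command line (T1546.007)")
    return findings


def check_registry(ev: Event) -> List[str]:
    if NETSH_HELPER_KEY.search(ev.key) and ev.op.lower() in WRITE_OPS:
        return [f"NetSh helper key modified ({ev.op}) by {ev.image} (T1546.007)"]
    return []  # reads of the helper list are baseline netsh behaviour


def check_network(ev: Event) -> List[str]:
    findings = []
    if ev.domain.lower().endswith(TUNNEL_SUFFIXES):
        findings.append(f"tunnel hostname contacted: {ev.domain}")
    if ev.dst == C2_IP and ev.port == C2_PORT:
        findings.append(f"known njRAT C2 endpoint {C2_IP}:{C2_PORT}")
    return findings


CHECKS = {"process": check_process, "registry": check_registry, "network": check_network}


def triage(events: List[Event]) -> List[str]:
    findings = []
    for ev in events:
        findings.extend(CHECKS[ev.kind](ev))
    return findings


# Constructed from the report's rows above; not an export from the sandbox.
SAMPLE_EVENTS = [
    Event("process", image=r"C:\Windows\SysWOW64\netsh.exe",
          cmdline=r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\WindowsServices.exe" "WindowsServices.exe" ENABLE'),
    Event("registry", image=r"C:\Windows\SysWOW64\netsh.exe", op="Key opened",
          key=r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh"),
    Event("registry", image=r"C:\Windows\SysWOW64\netsh.exe", op="Key value enumerated",
          key=r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh"),
    Event("network", domain=C2_DOMAIN, dst="8.8.8.8", port=53),
    Event("network", domain=C2_DOMAIN, dst=C2_IP, port=C2_PORT),
    Event("network", domain="g.bing.com", dst="13.107.21.237", port=443),  # OS noise
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

Run against the constructed events it returns four findings: the firewall exception, the DNS lookup of the tunnel hostname, and two for the port 7000 connection (tunnel hostname plus the known C2 endpoint); the two registry reads and the Bing traffic produce nothing, which is the point of separating netsh's normal helper-list reads from a write to that key.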
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-17 02:12
Reported
2024-07-17 02:14
Platform
win10v2004-20240709-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0.dll | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0.dll | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WindowsServices.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4e81520a221d951351cac30d3fc04010N.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4e81520a221d951351cac30d3fc04010N.exe
"C:\Users\Admin\AppData\Local\Temp\4e81520a221d951351cac30d3fc04010N.exe"
C:\Users\Admin\AppData\Local\Temp\0.dll
C:\Users\Admin\AppData\Local\Temp\0.dll
C:\Users\Admin\AppData\Roaming\WindowsServices.exe
"C:\Users\Admin\AppData\Roaming\WindowsServices.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\WindowsServices.exe" "WindowsServices.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | organizations-ears.gl.at.ply.gg | udp |
| US | 147.185.221.19:7000 | organizations-ears.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 147.185.221.19:7000 | organizations-ears.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 147.185.221.19:7000 | organizations-ears.gl.at.ply.gg | tcp |
| NL | 52.111.243.29:443 | | tcp |
| US | 147.185.221.19:7000 | organizations-ears.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 147.185.221.19:7000 | organizations-ears.gl.at.ply.gg | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\0.dll
| MD5 | ec1df996ce4595fefc6721cb08196f40 |
| SHA1 | 303d1c0b53523f1b9875e364467989d3d1a80d52 |
| SHA256 | 45821bd67ff13aedf5d2fc0f7aecc5a8cd009980b5e7a8b3a9a731a23580b78c |
| SHA512 | 4f4bb288fa7748125ae7ac009785ab5a7c7e224499ce803fcd92796ce7a751eeca3c9d62906bdf53c5fd88d73e7c040a3969c35b4f4fb1191115a354aa22c2e3 |
memory/4804-6-0x0000000074D92000-0x0000000074D93000-memory.dmp
memory/4804-7-0x0000000074D90000-0x0000000075341000-memory.dmp
memory/4804-8-0x0000000074D90000-0x0000000075341000-memory.dmp
memory/4804-20-0x0000000074D90000-0x0000000075341000-memory.dmp
memory/4428-21-0x0000000074D90000-0x0000000075341000-memory.dmp
memory/4428-22-0x0000000074D90000-0x0000000075341000-memory.dmp
memory/4428-23-0x0000000074D90000-0x0000000075341000-memory.dmp