Malware Analysis Report

2025-03-15 06:07

Sample ID 240726-mb3z7svdkb
Target Payload.exe
SHA256 50dc05f3579090555c00dc10578afbba9e4c5317c088b3dcaa908fddcddbbf81
Tags
njrat discovery trojan evasion victim
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

50dc05f3579090555c00dc10578afbba9e4c5317c088b3dcaa908fddcddbbf81

Threat Level: Known bad

The file Payload.exe was found to be: Known bad.

Malicious Activity Summary

njrat discovery trojan evasion victim

njRAT/Bladabindi

Njrat family

Executes dropped EXE

Resource Forking

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-26 10:18

Signatures

Njrat family

njrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-26 10:18

Reported

2024-07-26 10:21

Platform

win7-20240708-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Payload.exe"

Signatures

njRAT/Bladabindi

trojan njrat

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Payload.exe

"C:\Users\Admin\AppData\Local\Temp\Payload.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 le-pencil.gl.at.ply.gg udp
US 147.185.221.21:6703 le-pencil.gl.at.ply.gg tcp

Files

memory/964-0-0x0000000074871000-0x0000000074872000-memory.dmp

memory/964-1-0x0000000074870000-0x0000000074E1B000-memory.dmp

memory/964-2-0x0000000074870000-0x0000000074E1B000-memory.dmp

memory/964-3-0x0000000074870000-0x0000000074E1B000-memory.dmp

memory/964-4-0x0000000074870000-0x0000000074E1B000-memory.dmp

memory/964-5-0x0000000074870000-0x0000000074E1B000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-07-26 10:18

Reported

2024-07-26 10:18

Platform

android-x64-20240624-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-07-26 10:18

Reported

2024-07-26 10:18

Platform

android-x64-arm64-20240624-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-07-26 10:18

Reported

2024-07-26 10:21

Platform

macos-20240711.1-en

Max time kernel

98s

Max time network

150s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/Payload.exe"]

Signatures

N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/Payload.exe"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/Payload.exe"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/Payload.exe]

/bin/zsh

[/bin/zsh -c /Users/run/Payload.exe]

/Users/run/Payload.exe

[/Users/run/Payload.exe]

/bin/launchctl

[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon]

/bin/launchctl

[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon]

/usr/libexec/xpcproxy

[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService

[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]

Network

Country Destination Domain Proto
US 8.8.8.8:53 35.courier-push-apple.com.akadns.net udp
US 8.8.8.8:53 3.courier-push-apple.com.akadns.net udp
US 8.8.8.8:53 cds.apple.com udp
GB 104.82.128.95:443 cds.apple.com tcp
US 8.8.8.8:53 help.apple.com udp
GB 2.18.109.84:443 help.apple.com tcp
GB 2.18.109.84:443 help.apple.com tcp
US 8.8.8.8:53 18-courier.push.apple.com udp
US 8.8.8.8:53 44.courier-push-apple.com.akadns.net udp
US 8.8.8.8:53 24.courier-push-apple.com.akadns.net udp
US 8.8.8.8:53 20-courier.push.apple.com udp
US 8.8.8.8:53 27.courier-push-apple.com.akadns.net udp
GB 17.57.146.13:5223 20-courier.push.apple.com tcp
GB 17.57.146.11:5223 20-courier.push.apple.com tcp
GB 17.57.146.10:5223 20-courier.push.apple.com tcp
US 8.8.8.8:53 36.courier-push-apple.com.akadns.net udp
US 8.8.8.8:53 21-courier.push.apple.com udp
US 8.8.8.8:53 23.courier-push-apple.com.akadns.net udp
US 8.8.8.8:53 1.courier-push-apple.com.akadns.net udp
US 8.8.8.8:53 6.courier-push-apple.com.akadns.net udp
US 8.8.8.8:53 33-courier.push.apple.com udp
US 8.8.8.8:53 4-courier.push.apple.com udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 37.courier-push-apple.com.akadns.net udp
US 8.8.8.8:53 46-courier.push.apple.com udp
US 8.8.8.8:53 47.courier-push-apple.com.akadns.net udp
US 8.8.8.8:53 10-courier.push.apple.com udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-07-26 10:18

Reported

2024-07-26 10:21

Platform

win11-20240709-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Payload.exe"

Signatures

njRAT/Bladabindi

trojan njrat

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Payload.exe

"C:\Users\Admin\AppData\Local\Temp\Payload.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 le-pencil.gl.at.ply.gg udp
US 147.185.221.21:6703 le-pencil.gl.at.ply.gg tcp
US 8.8.8.8:53 21.221.185.147.in-addr.arpa udp

Files

memory/844-0-0x0000000074DB1000-0x0000000074DB2000-memory.dmp

memory/844-1-0x0000000074DB0000-0x0000000075361000-memory.dmp

memory/844-2-0x0000000074DB0000-0x0000000075361000-memory.dmp

memory/844-3-0x0000000074DB0000-0x0000000075361000-memory.dmp

memory/844-4-0x0000000074DB0000-0x0000000075361000-memory.dmp

memory/844-5-0x0000000074DB0000-0x0000000075361000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-07-26 10:18

Reported

2024-07-26 10:18

Platform

android-33-x64-arm64-20240624-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 216.58.201.100:443 udp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp
GB 142.250.200.42:443 udp
N/A 224.0.0.251:5353 udp
GB 142.250.200.42:443 tcp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-07-26 10:18

Reported

2024-07-26 10:21

Platform

macos-20240711.1-en

Max time kernel

118s

Max time network

152s

Command Line

[xpcproxy com.oracle.java.Java-Updater]

Signatures

Resource Forking

evasion
Description Indicator Process Target
N/A "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater" -bgcheck N/A N/A

Processes

/usr/libexec/xpcproxy

[xpcproxy com.oracle.java.Java-Updater]

/usr/libexec/xpcproxy

[xpcproxy com.apple.gkreport]

/usr/libexec/gkreport

[/usr/libexec/gkreport]

/usr/libexec/xpcproxy

[xpcproxy com.apple.DiagnosticReportCleanup.plist]

/usr/libexec/xpcproxy

[xpcproxy com.apple.systemstats.daily]

/usr/libexec/xpcproxy

[xpcproxy com.apple.appleseed.seedusaged]

/usr/libexec/xpcproxy

[xpcproxy com.apple.newsyslog]

/usr/sbin/newsyslog

[/usr/sbin/newsyslog]

/System/Library/CoreServices/Applications/Feedback Assistant.app/Contents/Library/LaunchServices/seedusaged

[/System/Library/CoreServices/Applications/Feedback Assistant.app/Contents/Library/LaunchServices/seedusaged]

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/Payload.exe"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/Payload.exe"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/Payload.exe]

/bin/zsh

[/bin/zsh -c /Users/run/Payload.exe]

/Users/run/Payload.exe

[/Users/run/Payload.exe]

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater

[/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater -bgcheck]

/bin/launchctl

[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon]

/bin/launchctl

[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon]

/usr/libexec/xpcproxy

[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService

[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]

Network

Country Destination Domain Proto
US 8.8.8.8:53 35-courier.push.apple.com udp
GB 17.250.81.67:443 tcp
US 8.8.8.8:53 7-courier.push.apple.com udp
US 8.8.8.8:53 24-courier.push.apple.com udp
GB 17.57.146.155:5223 24-courier.push.apple.com tcp
US 8.8.8.8:53 38.courier-push-apple.com.akadns.net udp
US 8.8.8.8:53 11-courier.push.apple.com udp
US 8.8.8.8:53 cds.apple.com udp
GB 104.82.128.95:443 cds.apple.com tcp
US 8.8.8.8:53 help.apple.com udp
GB 2.18.109.84:443 help.apple.com tcp
GB 2.18.109.84:443 help.apple.com tcp
US 8.8.8.8:53 1.courier-push-apple.com.akadns.net udp
US 8.8.8.8:53 0-courier.push.apple.com udp
US 8.8.8.8:53 43.courier-push-apple.com.akadns.net udp
US 8.8.8.8:53 16.courier-push-apple.com.akadns.net udp
US 8.8.8.8:53 26-courier.push.apple.com udp
US 8.8.8.8:53 7.courier-push-apple.com.akadns.net udp
US 8.8.8.8:53 14.courier-push-apple.com.akadns.net udp
US 8.8.8.8:53 49.courier-push-apple.com.akadns.net udp
US 8.8.8.8:53 4.courier-push-apple.com.akadns.net udp
US 8.8.8.8:53 21-courier.push.apple.com udp
US 8.8.8.8:53 34.courier-push-apple.com.akadns.net udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 14.courier-push-apple.com.akadns.net udp
US 8.8.8.8:53 6-courier.push.apple.com udp
US 8.8.8.8:53 48.courier-push-apple.com.akadns.net udp
US 8.8.8.8:53 44.courier-push-apple.com.akadns.net udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-07-26 10:18

Reported

2024-07-26 10:18

Platform

debian12-armhf-20240418-en

Max time kernel

0s

Command Line

[/tmp/Payload.exe]

Signatures

N/A

Processes

/tmp/Payload.exe

[/tmp/Payload.exe]

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-07-26 10:18

Reported

2024-07-26 10:18

Platform

debian9-armhf-20240611-en

Max time kernel

0s

Command Line

[/tmp/Payload.exe]

Signatures

N/A

Processes

/tmp/Payload.exe

[/tmp/Payload.exe]

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-26 10:18

Reported

2024-07-26 10:21

Platform

win10-20240404-en

Max time kernel

149s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Payload.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cd77c1bc3d9c41b5b6de0ad43f7f7b24.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Payload.exe

"C:\Users\Admin\AppData\Local\Temp\Payload.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 1388

C:\Users\Admin\AppData\Local\Temp\cd77c1bc3d9c41b5b6de0ad43f7f7b24.exe

"C:\Users\Admin\AppData\Local\Temp\cd77c1bc3d9c41b5b6de0ad43f7f7b24.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x3e0

Network

Country Destination Domain Proto
US 8.8.8.8:53 le-pencil.gl.at.ply.gg udp
US 147.185.221.21:6703 le-pencil.gl.at.ply.gg tcp
US 8.8.8.8:53 21.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 164.117.19.2.in-addr.arpa udp
US 147.185.221.21:6703 le-pencil.gl.at.ply.gg tcp
US 147.185.221.21:6703 le-pencil.gl.at.ply.gg tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp

Files

memory/2820-0-0x0000000073F21000-0x0000000073F22000-memory.dmp

memory/2820-1-0x0000000073F20000-0x00000000744D0000-memory.dmp

memory/2820-2-0x0000000073F20000-0x00000000744D0000-memory.dmp

memory/2820-7-0x0000000073F20000-0x00000000744D0000-memory.dmp

memory/2820-8-0x0000000073F20000-0x00000000744D0000-memory.dmp

memory/2820-9-0x0000000073F20000-0x00000000744D0000-memory.dmp

memory/2820-10-0x0000000073F20000-0x00000000744D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cd77c1bc3d9c41b5b6de0ad43f7f7b24.exe

MD5 8cac1595b184f66d7a122af38d5dfe71
SHA1 e0bc0162472edf77a05134e77b540663ac050ab6
SHA256 00201a2fd4916193c9c7bbba7be6a77fa5876085480b67da4e1228fd8b23ae5f
SHA512 88d3753ce73bbf95ee1fdbdff21eb9331e59ca92cfa5c489f141c07dc90871e3032e331c9dd77b1fec4522add3ac25c51d5c699d7801a5343dd2ae447c60f8f8

memory/1132-16-0x000000001BC80000-0x000000001BD26000-memory.dmp

memory/1132-17-0x000000001C250000-0x000000001C71E000-memory.dmp

memory/1132-18-0x000000001C7C0000-0x000000001C85C000-memory.dmp

memory/1132-19-0x0000000002DF0000-0x0000000002DF8000-memory.dmp

memory/1132-20-0x000000001C960000-0x000000001C9AC000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-26 10:18

Reported

2024-07-26 10:21

Platform

win10v2004-20240709-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Payload.exe"

Signatures

njRAT/Bladabindi

trojan njrat

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Payload.exe

"C:\Users\Admin\AppData\Local\Temp\Payload.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 le-pencil.gl.at.ply.gg udp
US 147.185.221.21:6703 le-pencil.gl.at.ply.gg tcp
US 8.8.8.8:53 21.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 147.185.221.21:6703 le-pencil.gl.at.ply.gg tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 147.185.221.21:6703 le-pencil.gl.at.ply.gg tcp
US 8.8.8.8:53 26.178.89.13.in-addr.arpa udp

Files

memory/4936-0-0x0000000075022000-0x0000000075023000-memory.dmp

memory/4936-1-0x0000000075020000-0x00000000755D1000-memory.dmp

memory/4936-2-0x0000000075020000-0x00000000755D1000-memory.dmp

memory/4936-3-0x0000000075020000-0x00000000755D1000-memory.dmp

memory/4936-4-0x0000000075022000-0x0000000075023000-memory.dmp

memory/4936-5-0x0000000075020000-0x00000000755D1000-memory.dmp

memory/4936-6-0x0000000075020000-0x00000000755D1000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-07-26 10:18

Reported

2024-07-26 10:18

Platform

android-x86-arm-20240624-en

Max time network

5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-07-26 10:18

Reported

2024-07-26 10:18

Platform

debian12-mipsel-20240221-en

Max time kernel

0s

Command Line

[/tmp/Payload.exe]

Signatures

N/A

Processes

/tmp/Payload.exe

[/tmp/Payload.exe]

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-07-26 10:18

Reported

2024-07-26 10:18

Platform

ubuntu2204-amd64-20240611-en

Max time kernel

0s

Command Line

[/tmp/Payload.exe]

Signatures

N/A

Processes

/tmp/Payload.exe

[/tmp/Payload.exe]

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-07-26 10:18

Reported

2024-07-26 10:18

Platform

android-x86-arm-20240624-en

Max time network

5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-07-26 10:18

Reported

2024-07-26 10:18

Platform

ubuntu2404-amd64-20240523-en

Max time kernel

0s

Command Line

[/tmp/Payload.exe]

Signatures

N/A

Processes

/tmp/Payload.exe

[/tmp/Payload.exe]

Network

N/A

Files

N/A