Analysis Overview
SHA256
50dc05f3579090555c00dc10578afbba9e4c5317c088b3dcaa908fddcddbbf81
Threat Level: Known bad
The file Payload.exe was found to be: Known bad.
Malicious Activity Summary
njRAT/Bladabindi
Njrat family
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-26 10:21
Signatures
Njrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-26 10:21
Reported
2024-07-26 10:24
Platform
win7-20240704-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
njRAT/Bladabindi
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Processes
C:\Users\Admin\AppData\Local\Temp\Payload.exe
"C:\Users\Admin\AppData\Local\Temp\Payload.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | le-pencil.gl.at.ply.gg | udp |
| US | 147.185.221.21:6703 | le-pencil.gl.at.ply.gg | tcp |
Files
memory/2352-0-0x00000000741D1000-0x00000000741D2000-memory.dmp
memory/2352-1-0x00000000741D0000-0x000000007477B000-memory.dmp
memory/2352-2-0x00000000741D0000-0x000000007477B000-memory.dmp
memory/2352-3-0x00000000741D0000-0x000000007477B000-memory.dmp
memory/2352-4-0x00000000741D0000-0x000000007477B000-memory.dmp
memory/2352-5-0x00000000741D0000-0x000000007477B000-memory.dmp
memory/2352-6-0x00000000741D0000-0x000000007477B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-26 10:21
Reported
2024-07-26 10:24
Platform
win10-20240404-en
Max time kernel
149s
Max time network
144s
Command Line
Signatures
njRAT/Bladabindi
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 352 wrote to memory of 4400 | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe |
| PID 352 wrote to memory of 4400 | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe |
| PID 352 wrote to memory of 4400 | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Payload.exe
"C:\Users\Admin\AppData\Local\Temp\Payload.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 1328
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | le-pencil.gl.at.ply.gg | udp |
| US | 147.185.221.21:6703 | le-pencil.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 21.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.117.19.2.in-addr.arpa | udp |
Files
memory/352-0-0x00000000731D1000-0x00000000731D2000-memory.dmp
memory/352-1-0x00000000731D0000-0x0000000073780000-memory.dmp
memory/352-2-0x00000000731D0000-0x0000000073780000-memory.dmp
memory/352-7-0x00000000731D0000-0x0000000073780000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-07-26 10:21
Reported
2024-07-26 10:24
Platform
win10v2004-20240709-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
njRAT/Bladabindi
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Processes
C:\Users\Admin\AppData\Local\Temp\Payload.exe
"C:\Users\Admin\AppData\Local\Temp\Payload.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | le-pencil.gl.at.ply.gg | udp |
| US | 147.185.221.21:6703 | le-pencil.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 21.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | udp |
Files
memory/3372-0-0x0000000074D12000-0x0000000074D13000-memory.dmp
memory/3372-1-0x0000000074D10000-0x00000000752C1000-memory.dmp
memory/3372-2-0x0000000074D10000-0x00000000752C1000-memory.dmp
memory/3372-3-0x0000000074D10000-0x00000000752C1000-memory.dmp
memory/3372-4-0x0000000074D12000-0x0000000074D13000-memory.dmp
memory/3372-5-0x0000000074D10000-0x00000000752C1000-memory.dmp
memory/3372-6-0x0000000074D10000-0x00000000752C1000-memory.dmp
memory/3372-7-0x0000000074D10000-0x00000000752C1000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-07-26 10:21
Reported
2024-07-26 10:24
Platform
win11-20240709-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
njRAT/Bladabindi
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Processes
C:\Users\Admin\AppData\Local\Temp\Payload.exe
"C:\Users\Admin\AppData\Local\Temp\Payload.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 19.53.126.40.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 147.185.221.21:6703 | le-pencil.gl.at.ply.gg | tcp |
Files
memory/3136-0-0x0000000074F61000-0x0000000074F62000-memory.dmp
memory/3136-1-0x0000000074F60000-0x0000000075511000-memory.dmp
memory/3136-2-0x0000000074F60000-0x0000000075511000-memory.dmp
memory/3136-3-0x0000000074F60000-0x0000000075511000-memory.dmp
memory/3136-4-0x0000000074F60000-0x0000000075511000-memory.dmp
memory/3136-5-0x0000000074F60000-0x0000000075511000-memory.dmp