Analysis Overview
SHA256
e16fc240955e3a55f8ecf1ffe52fb0d40a6b6189d44aaeaeaf0de56c2c9cccaa
Threat Level: Known bad
The file b08b34c4124dbe78ea4c620dc5fc37e0N.exe was found to be: Known bad.
Malicious Activity Summary
njRAT/Bladabindi
Modifies Windows Firewall
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Adds Run key to start application
Suspicious use of SetThreadContext
Program crash
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-06 13:25
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-06 13:25
Reported
2024-08-06 13:27
Platform
win7-20240705-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b08b34c4124dbe78ea4c620dc5fc37e0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b08b34c4124dbe78ea4c620dc5fc37e0N.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" | C:\Users\Admin\AppData\Local\Temp\b08b34c4124dbe78ea4c620dc5fc37e0N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b08b34c4124dbe78ea4c620dc5fc37e0N.exe" | C:\Users\Admin\AppData\Local\Temp\b08b34c4124dbe78ea4c620dc5fc37e0N.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2004 set thread context of 2704 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b08b34c4124dbe78ea4c620dc5fc37e0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b08b34c4124dbe78ea4c620dc5fc37e0N.exe
"C:\Users\Admin\AppData\Local\Temp\b08b34c4124dbe78ea4c620dc5fc37e0N.exe"
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.18.190.71:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | doddyfire.linkpc.net | udp |
| DE | 188.46.206.74:10000 | doddyfire.linkpc.net | tcp |
| DE | 188.46.206.74:10000 | doddyfire.linkpc.net | tcp |
| DE | 188.46.206.74:10000 | doddyfire.linkpc.net | tcp |
| DE | 188.46.206.74:10000 | doddyfire.linkpc.net | tcp |
| DE | 188.46.206.74:10000 | doddyfire.linkpc.net | tcp |
Files
memory/3008-0-0x0000000074CC1000-0x0000000074CC2000-memory.dmp
memory/3008-1-0x0000000074CC0000-0x000000007526B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab205E.tmp
| Hash | Value |
|---|---|
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar2061.tmp
| Hash | Value |
|---|---|
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| Hash | Value |
|---|---|
| MD5 | 50ba130d548f201b139953a9e1a018c2 |
| SHA1 | 165b27183e1720bbfbf6a6599c05e8a328384095 |
| SHA256 | 178e74fe1afcdc00f42013dfd5cf01ccd11e62b5f27ae600ff93e4323ad9943f |
| SHA512 | b498a5dbc0d918a8bc2593fc7be8dbb94794c2e0eb663fb94fe15e83542b1dde55578afc3145f2380386804e2c3dbe509f0a621b16611bb8ca0987a2ae0a70d2 |
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
| Hash | Value |
|---|---|
| MD5 | 89ace82bef742254f7a9a998b1c05a5f |
| SHA1 | b18b70084e08150cfc541728e8f4c071e7b12197 |
| SHA256 | f2b66f1247059bf004abdb6af032b6f4f08b34d1818a4c684f864ffae9369d70 |
| SHA512 | 5dab0b279593930ed1dedff751881b5bd0b4f6e4cb856ba3221b3e8c8808548daaa7091656b3b170d2ccbd474af394778cb15bf7d76993dc322b30062eaeec1c |
memory/3008-179-0x0000000074CC0000-0x000000007526B000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| Hash | Value |
|---|---|
| MD5 | 13eb4a2a6d7e9393cbc47bd32f5b1fa4 |
| SHA1 | fb40dc9dae852a77117ba7d7478ccb484199e973 |
| SHA256 | 9bf117fc39df2ad052a0c77c1d8bf3abbb8a4a2a6a7e101b7b9ccd9dddca4c76 |
| SHA512 | 0332ada02cf22f99dd42bbf019af58c8998d5e320594c9698b92c6a4abbb120e8b6fae9919ec096e444c58ef423ef7f3d33867c28a98be8dad63052fb0d85eba |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE
| Hash | Value |
|---|---|
| MD5 | 71f3e53d5952a95588748885879492fb |
| SHA1 | 849cd9db3929bc745ee20fe36a897b8cc6e240bb |
| SHA256 | e7ef8b92c9bcf1ed075ece967752b4ad75f633c20133833f8d18c9fd48d1b24f |
| SHA512 | 3aed4bed05312588a4a2ac1796287032a1fecb113b33f7c3ae0e605eccd3fb2095fb5703521c4556cca1f75073cd3d2fb62050105f3688ac461e22fa93b796f8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE
| Hash | Value |
|---|---|
| MD5 | e7122c733f9e37bba0ca4c985ce11d6d |
| SHA1 | d661aa5b31ff7ef2df9bc4095279058c36499af2 |
| SHA256 | acc9932453f5aa68f4b95986668f5584f99e55bbe02eefc0d0960dab376df81a |
| SHA512 | 84cddf68a46f455b4ebbb8c0c70607fe60796cfc5eabdace12d0684a1323af9681700acbdbdc37e63d7806d0220fce9cba5213bb35cee056f9d71646f98711b9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| Hash | Value |
|---|---|
| MD5 | 3107f2217abf8bce8a2f688f6b0a9c9a |
| SHA1 | 8191837802bfb36d65bf308f68cda97c3e8724ea |
| SHA256 | 46e257504c0d39aa3c725b238dcbb4ff4cbb1a7aee0a07ac7e9fea0165f24505 |
| SHA512 | ec5f37199fb534eb63b87edc45229a8b700e637a7f7ec47925249c6adc3cc2e2dbac447c821a1dc18ad0dff7fd0e9fa24f66fb31d94b3a0f70b24d80f74391b1 |
memory/2704-345-0x0000000000400000-0x000000000040C000-memory.dmp
memory/2704-347-0x0000000000400000-0x000000000040C000-memory.dmp
memory/2704-348-0x0000000000400000-0x000000000040C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-06 13:25
Reported
2024-08-06 13:27
Platform
win10v2004-20240802-en
Max time kernel
92s
Max time network
94s
Command Line
Signatures
njRAT/Bladabindi
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b08b34c4124dbe78ea4c620dc5fc37e0N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b08b34c4124dbe78ea4c620dc5fc37e0N.exe" | C:\Users\Admin\AppData\Local\Temp\b08b34c4124dbe78ea4c620dc5fc37e0N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" | C:\Users\Admin\AppData\Local\Temp\b08b34c4124dbe78ea4c620dc5fc37e0N.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1796 set thread context of 5040 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b08b34c4124dbe78ea4c620dc5fc37e0N.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b08b34c4124dbe78ea4c620dc5fc37e0N.exe
"C:\Users\Admin\AppData\Local\Temp\b08b34c4124dbe78ea4c620dc5fc37e0N.exe"
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5040 -ip 5040
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 152
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.210.23.2.in-addr.arpa | udp |
Files
memory/1788-0-0x0000000074F22000-0x0000000074F23000-memory.dmp
memory/1788-1-0x0000000074F20000-0x00000000754D1000-memory.dmp
memory/1788-2-0x0000000074F20000-0x00000000754D1000-memory.dmp
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
| Hash | Value |
|---|---|
| MD5 | 112f44121995047b4fd65afa3c8bfae0 |
| SHA1 | ab7c2b8da805d996fa8ee49083c42299b3ddcbef |
| SHA256 | b4419aa34fbc8a94cf4311c7243278356c9d821bb94f79376e0a03b386896d10 |
| SHA512 | 88e69d7ebd6dbe22cb880d8b844422d935b55e4498e2f9520c54832b9599dbd5363631ddde1f958b9e65a0e90e8f270435b43b6f4eb03b832433f8310a68239e |
memory/1788-17-0x0000000074F20000-0x00000000754D1000-memory.dmp
memory/1796-18-0x0000000074F20000-0x00000000754D1000-memory.dmp
memory/1796-20-0x0000000074F20000-0x00000000754D1000-memory.dmp
memory/1796-19-0x0000000074F20000-0x00000000754D1000-memory.dmp
memory/5040-21-0x0000000000400000-0x000000000040C000-memory.dmp
memory/1796-24-0x0000000074F20000-0x00000000754D1000-memory.dmp