Analysis Overview
SHA256
bf2de56ca9ce6fc0b83d911ea86356d3338823d33630556de10878aeb3de0430
Threat Level: Known bad
The file 178bd89f9113e4ca4f35458e9c779116.exe was found to be: Known bad.
Malicious Activity Summary
njRAT/Bladabindi
Modifies Windows Firewall
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Suspicious use of SetThreadContext
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-18 10:06
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-18 10:06
Reported
2024-08-18 10:08
Platform
win7-20240708-en
Max time kernel
150s
Max time network
144s
Command Line
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\178bd89f9113e4ca4f35458e9c779116.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\178bd89f9113e4ca4f35458e9c779116.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" | C:\Users\Admin\AppData\Local\Temp\178bd89f9113e4ca4f35458e9c779116.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\178bd89f9113e4ca4f35458e9c779116.exe" | C:\Users\Admin\AppData\Local\Temp\178bd89f9113e4ca4f35458e9c779116.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2160 set thread context of 2748 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\178bd89f9113e4ca4f35458e9c779116.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\178bd89f9113e4ca4f35458e9c779116.exe
"C:\Users\Admin\AppData\Local\Temp\178bd89f9113e4ca4f35458e9c779116.exe"
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.18.190.80:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | doddyfire.linkpc.net | udp |
| MA | 160.177.67.14:10000 | doddyfire.linkpc.net | tcp |
| MA | 160.177.67.14:10000 | doddyfire.linkpc.net | tcp |
| MA | 160.177.67.14:10000 | doddyfire.linkpc.net | tcp |
| MA | 160.177.67.14:10000 | doddyfire.linkpc.net | tcp |
| MA | 160.177.67.14:10000 | doddyfire.linkpc.net | tcp |
| MA | 160.177.67.14:10000 | doddyfire.linkpc.net | tcp |
Files
memory/2628-0-0x0000000074EF1000-0x0000000074EF2000-memory.dmp
memory/2628-1-0x0000000074EF0000-0x000000007549B000-memory.dmp
memory/2628-9-0x0000000074EF0000-0x000000007549B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabDC2E.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarDC60.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1cf58dac02f173f3b68fba5e54572fbc |
| SHA1 | 4f1f18d519b916dcd32aa1aa3a4b9abbff10e6f6 |
| SHA256 | 2a83eb4fc0050b22ecb830188d96876e03a37c775103146272b062f114781d6a |
| SHA512 | 5b021d2a780445c4c787e9985dfae0db7baab69b170186941640e5d3ad2f20f18b6baebac42995438f03232ee65f78972c6563a4841e1420fe182f0a03b6590c |
memory/2628-165-0x0000000074EF0000-0x000000007549B000-memory.dmp
memory/2628-167-0x0000000074EF0000-0x000000007549B000-memory.dmp
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
| MD5 | eeff4123459c01d0ece1bbb2f87bdd9f |
| SHA1 | 54df20b41bbd1073d59eadee7969ef6867087026 |
| SHA256 | 25749b7f80a2ea01415cf0ba49d9855f3fe6f8d7fab4530eb84b58581c07ab49 |
| SHA512 | d7e9db947caca6805cb6571dfae694acfd8afd5624a540e39a6d91d2be334f3ec73610977fe607a10ffec5b40c37c462ac6e9538f1962b9f0a1ee2b313acbea1 |
memory/2628-178-0x0000000074EF0000-0x000000007549B000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d4db0ab61d8ee2ba96aa0fc59c5eddd2 |
| SHA1 | 34586dbe6c90a4ffd670b7a40a9550305d0ab661 |
| SHA256 | c4f0a6b459eb97ae73fbd5784141bd696364a4a127199bec33f776f2a2a694af |
| SHA512 | 3e0780f202992d2904aa32a47a68e3892f14a100451400d30e1d8c98f4918eaa73bc6f1b43b195df809ba1222cf280ca6c7f0d3d96cb2b1f41a367addb6ed584 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE
| MD5 | e7122c733f9e37bba0ca4c985ce11d6d |
| SHA1 | d661aa5b31ff7ef2df9bc4095279058c36499af2 |
| SHA256 | acc9932453f5aa68f4b95986668f5584f99e55bbe02eefc0d0960dab376df81a |
| SHA512 | 84cddf68a46f455b4ebbb8c0c70607fe60796cfc5eabdace12d0684a1323af9681700acbdbdc37e63d7806d0220fce9cba5213bb35cee056f9d71646f98711b9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE
| MD5 | bc06b9f863d0f052d3b1ba9b0ca150ca |
| SHA1 | a8d702229e3b52145eec97c844a8a7bd91d34ace |
| SHA256 | 4e81f699a44155d1ff65fad375889de7cd3cde28e2dd2654e094b00b69df8b1f |
| SHA512 | e6a03c357d2850e8a5b2a482f67d1e1d66192ff5e4b1c1184de9abf230c47b6f47d489be429cdfb300bf3950fd8cfc2938a542d2c33e78740116c9f9fe36735f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d89973469a029e4a025a8cd132be1f67 |
| SHA1 | 79a9bdf071f22e4bf27415b522e4bfdc7efd7aaa |
| SHA256 | a95f084f6107c6051b004b587df8f6f11f7b00d546696f6867acde6653c0b11d |
| SHA512 | 5061c94f8f1e9b32116f6e94c0a081b800a2dd0b5d475a5c97f5c5342785feb7bea710b9ef70ae61b6caa1e94e05c623b0c6a462fe6b0f581cb885e4c69c947a |
memory/2748-347-0x0000000000400000-0x000000000040C000-memory.dmp
memory/2748-346-0x0000000000400000-0x000000000040C000-memory.dmp
memory/2748-344-0x0000000000400000-0x000000000040C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-18 10:06
Reported
2024-08-18 10:08
Platform
win10v2004-20240802-en
Max time kernel
147s
Max time network
146s
Command Line
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\178bd89f9113e4ca4f35458e9c779116.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" | C:\Users\Admin\AppData\Local\Temp\178bd89f9113e4ca4f35458e9c779116.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\178bd89f9113e4ca4f35458e9c779116.exe" | C:\Users\Admin\AppData\Local\Temp\178bd89f9113e4ca4f35458e9c779116.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 916 set thread context of 4708 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\178bd89f9113e4ca4f35458e9c779116.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\178bd89f9113e4ca4f35458e9c779116.exe
"C:\Users\Admin\AppData\Local\Temp\178bd89f9113e4ca4f35458e9c779116.exe"
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1284,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=4408 /prefetch:8
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | doddyfire.linkpc.net | udp |
| MA | 160.177.67.14:10000 | doddyfire.linkpc.net | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| MA | 160.177.67.14:10000 | doddyfire.linkpc.net | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| MA | 160.177.67.14:10000 | doddyfire.linkpc.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| MA | 160.177.67.14:10000 | doddyfire.linkpc.net | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.143.182.52.in-addr.arpa | udp |
| MA | 160.177.67.14:10000 | doddyfire.linkpc.net | tcp |
| MA | 160.177.67.14:10000 | doddyfire.linkpc.net | tcp |
Files
memory/5076-0-0x0000000075362000-0x0000000075363000-memory.dmp
memory/5076-1-0x0000000075360000-0x0000000075911000-memory.dmp
memory/5076-2-0x0000000075360000-0x0000000075911000-memory.dmp
memory/5076-6-0x0000000075362000-0x0000000075363000-memory.dmp
memory/5076-7-0x0000000075360000-0x0000000075911000-memory.dmp
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
| MD5 | a215f112cf071f707ac8fe39530c2223 |
| SHA1 | 3fb4f0bf348121e3c349d0ac56429d37a70b80f2 |
| SHA256 | dbbd215d81e90bca0287f6dba204ef11efd24e37e304cc256b50b552e443e0d4 |
| SHA512 | 5b2da5b96907e87c80d666354c94ceeca4bf9e29d66779d489a0747a01ea94cff284cf5991dedb547ccca044f066af1c0c91a26a1c9772da71927ec52052685d |
memory/916-20-0x0000000075360000-0x0000000075911000-memory.dmp
memory/5076-19-0x0000000075360000-0x0000000075911000-memory.dmp
memory/916-21-0x0000000075360000-0x0000000075911000-memory.dmp
memory/4708-22-0x0000000000400000-0x000000000040C000-memory.dmp
memory/4708-26-0x0000000075360000-0x0000000075911000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\chargeable.exe.log
| MD5 | 0a9b4592cd49c3c21f6767c2dabda92f |
| SHA1 | f534297527ae5ccc0ecb2221ddeb8e58daeb8b74 |
| SHA256 | c7effe9cb81a70d738dee863991afefab040290d4c4b78b4202383bcb9f88fcd |
| SHA512 | 6b878df474e5bbfb8e9e265f15a76560c2ef151dcebc6388c82d7f6f86ffaf83f5ade5a09f1842e493cb6c8fd63b0b88d088c728fd725f7139f965a5ee332307 |
memory/916-28-0x0000000075360000-0x0000000075911000-memory.dmp
memory/4708-27-0x0000000075360000-0x0000000075911000-memory.dmp
memory/4708-29-0x0000000075360000-0x0000000075911000-memory.dmp
memory/4708-30-0x0000000075360000-0x0000000075911000-memory.dmp
memory/4708-31-0x0000000075360000-0x0000000075911000-memory.dmp