Analysis Overview
SHA256
2e2ff15dba6cd1020b58b08bcdcd1a0cd1a12661baf98bba03f4becc9b8d7a6b
Threat Level: Known bad
The file neverlose injector.exe was found to be: Known bad.
Malicious Activity Summary
Njrat family
njRAT/Bladabindi
Unsigned PE
System Location Discovery: System Language Discovery
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-23 12:19
Signatures
Njrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-23 12:19
Reported
2024-08-23 12:21
Platform
win11-20240802-en
Max time kernel
93s
Max time network
95s
Command Line
Signatures
njRAT/Bladabindi
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\neverlose injector.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
Caveat: the process behind this hit is MiniSearchHost.exe, the Windows 11 search-box host, not the sample. The shell writes MuiCache entries whenever it resolves an executable's display name, so treat this as host activity unless the sample is shown as the parent, which this report does not show.
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\neverlose injector.exe | N/A |
This one is attributed to the sample itself and is consistent with njRAT's keylogger, which polls the foreground window so it can label captured keystrokes with the active window title.
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
Caveat: like the MuiCache hit, this is attributed to MiniSearchHost.exe rather than to neverlose injector.exe. A UI host installing a window hook is normal, so on its own this signature carries no weight against the sample.
Processes
C:\Users\Admin\AppData\Local\Temp\neverlose injector.exe
"C:\Users\Admin\AppData\Local\Temp\neverlose injector.exe"
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
| Country | Destination | Domain | Proto | Connections |
| GB | 104.86.110.122:443 | | tcp | 1 |
| GB | 92.123.142.179:443 | r.bing.com | tcp | 6 |
| N/A | 127.0.0.1:5552 | | tcp | 22 |
| US | 20.42.73.26:443 | browser.pipe.aria.microsoft.com | tcp | 1 |
| US | 20.140.151.75:443 | fp-afd.azureedge.us | tcp | 1 |
| US | 13.107.253.64:443 | fp-afd.azureedge.net | tcp | 1 |
| US | 152.199.19.161:443 | fp-vs-nocache.azureedge.net | tcp | 1 |
| US | 8.8.8.8:53 | 64.253.107.13.in-addr.arpa | udp | 1 |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp | 5 |
| US | 52.111.227.13:443 | | tcp | 1 |
The 22 connections to 127.0.0.1:5552 are most likely the sample's beacon attempts: 5552 is the njRAT builder's default C2 port, and a loopback host means the sample was built with the default or a placeholder host, so this run yields no live C2 address to block. The remaining destinations (Bing, the aria telemetry pipe, Azure Front Door, a reverse lookup via 8.8.8.8) are consistent with Windows 11 background traffic; the table has no process column, so none of them can be attributed to the sample from this report alone.
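As an added example (not part of the sandbox report or of any vendor's tooling), the script below triages a network table in the layout above: it parses the pipe rows, including the misaligned no-domain rows where the protocol slides into the Domain column, folds repeated connections into counts, and separates loopback beacons on njRAT's default port from Windows background traffic and from destinations that still need a look. The noise suffix list, the default-port constant and the sample rows are this example's own assumptions and constructed data.

```python
"""Triage helper for a sandbox network table in the layout used above.

Added example, not part of the original report or of any sandbox vendor's
tooling. It parses the pipe-delimited rows, folds repeated connections into
counts, and sorts destinations into loopback beacons, known Windows background
traffic and connections that still need a look. The noise suffix list and the
njRAT default-port check are this example's assumptions, not report data.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# The njRAT builder's default C2 port (assumption from public njRAT
# write-ups; the report itself only shows the number).
NJRAT_DEFAULT_PORT = 5552

# Hosts a Windows 11 sandbox image contacts on its own (search box,
# telemetry, CDN, reverse DNS). Assumed list; tune it per image.
WINDOWS_NOISE_SUFFIXES = (
    ".bing.com", ".bing.net", "pipe.aria.microsoft.com",
    ".azureedge.net", ".azureedge.us", ".in-addr.arpa",
)

# Constructed rows modelled on the report, deliberately mixing the aligned
# layout with the misaligned no-domain rows ("| tcp | |") the raw page has.
SAMPLE_ROWS = """
| Country | Destination | Domain | Proto |
| GB | 104.86.110.122:443 | tcp | |
| GB | 92.123.142.179:443 | r.bing.com | tcp |
| GB | 92.123.142.179:443 | r.bing.com | tcp |
| N/A | 127.0.0.1:5552 | tcp | |
| N/A | 127.0.0.1:5552 |  | tcp |
| US | 20.42.73.26:443 | browser.pipe.aria.microsoft.com | tcp |
| US | 8.8.8.8:53 | 64.253.107.13.in-addr.arpa | udp |
| US | 52.111.227.13:443 | tcp | |
| N/A | 127.0.0.1:5552 | tcp |
"""


@dataclass(frozen=True)
class Conn:
    country: str
    ip: str
    port: int
    domain: str
    proto: str


def parse_rows(text):
    """Parse pipe rows; when the Domain cell is absent the protocol slides
    left into it, so a 'tcp'/'udp' in column three means 'no domain'."""
    conns = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("|"):
            continue
        fields = [f.strip() for f in line.strip("|").split("|")]
        if len(fields) < 3 or ":" not in fields[1]:
            continue  # header row or something that is not host:port
        country, dest = fields[0], fields[1]
        if fields[2].lower() in ("tcp", "udp"):
            domain, proto = "", fields[2].lower()
        elif len(fields) >= 4:
            domain, proto = fields[2], fields[3].lower()
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        conns.append(Conn(country, ip, int(port), domain, proto))
    return conns


def classify(conn):
    """Bucket one connection: loopback on the njRAT default port, other
    loopback, Windows background noise, or 'review' for anything else."""
    if ipaddress.ip_address(conn.ip).is_loopback:
        return "loopback-njrat-port" if conn.port == NJRAT_DEFAULT_PORT else "loopback"
    if conn.domain and conn.domain.endswith(WINDOWS_NOISE_SUFFIXES):
        return "windows-noise"
    return "review"


def triage(text):
    """Return per-connection counts and the set of ip:port per bucket."""
    counts = Counter()
    buckets = {}
    for conn in parse_rows(text):
        counts[conn] += 1
        buckets.setdefault(classify(conn), set()).add(f"{conn.ip}:{conn.port}")
    return {"connections": counts, "buckets": buckets}


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    for bucket, dests in sorted(result["buckets"].items()):
        print(f"{bucket:20s} {sorted(dests)}")
    for conn, n in result["connections"].most_common():
        print(f"{n:3d}  {conn.ip}:{conn.port}  {conn.domain or '-'}  {conn.proto}")
```

Run it over the report's full table and the "review" bucket is what is left once loopback beacons and image noise are set aside; here that is the two domainless 443 destinations, which a real investigation would resolve by process attribution or passive DNS rather than by the report alone.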
Files
memory/2328-0-0x0000000074FBE000-0x0000000074FBF000-memory.dmp
memory/2328-1-0x0000000000920000-0x0000000000932000-memory.dmp
memory/2328-2-0x00000000053C0000-0x000000000545C000-memory.dmp
memory/2328-3-0x0000000005CF0000-0x0000000006296000-memory.dmp
memory/2328-4-0x0000000074FB0000-0x0000000075761000-memory.dmp
memory/2328-5-0x00000000057E0000-0x0000000005872000-memory.dmp
memory/2328-6-0x00000000054A0000-0x00000000054AA000-memory.dmp
memory/2328-7-0x0000000074FBE000-0x0000000074FBF000-memory.dmp
memory/2328-8-0x0000000074FB0000-0x0000000075761000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
| MD5 | 3e1f5eeae74491d8850ef2c8b03a9a3b |
| SHA1 | 0c02c9c2550107de6dd0eb740ac5668f292883c0 |
| SHA256 | 66756c0edf3925de7bcb685385e2a4f0b854cffd796a9e90eb1ed064b1fb0e30 |
| SHA512 | 7637f0807d88dbceeb68823a044583e2248ac1ba73c000da6560f94075635a27d15970df7e52f8315bdc2f1c45cff6f1ab7690e916b58307a533f8df24329c2a |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
| MD5 | 26d98b946f17c556ed48590e1e6afa3a |
| SHA1 | e8f42f8fc64a498a5549da2a7e687f65346ebf84 |
| SHA256 | b2b3884625d0b3bc36888649d7c3a9187a29aa782fa68a3dd5ddf82f19ed9f91 |
| SHA512 | f09c4a67232efa5cf2a66bae57a2222b89fb45700da028a37598fa6b3cb760a8a84609a4ac91d4b314bc5e32f5f5d198d048ffdb9804b38d93e741a87285884e |
Both entries are the same file, a cache belonging to the Windows search-box package (the package MiniSearchHost.exe runs from), captured twice with different contents during the run. Apart from the memory regions of PID 2328 above, the report records no file written or dropped by the sample itself, so these hashes are not indicators for the sample.