Analysis Overview
SHA256
edfc57c98a9aafd20c755984ca5c188c1a1e1c11b8efcc335fc5a232b637fd9c
Threat Level: Known bad
The file Server.exe was found to be: Known bad.
Malicious Activity Summary
Njrat family
njRAT/Bladabindi
Modifies Windows Firewall
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-25 09:48
Signatures
Njrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-25 09:48
Reported
2024-08-25 09:55
Platform
win7-20240729-en
Max time kernel
359s
Max time network
347s
Command Line
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\System32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\dce2dfe2889ecf9aea86ff70b4ad53ca = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System32.exe\" .." | C:\Users\Admin\AppData\Local\Temp\System32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dce2dfe2889ecf9aea86ff70b4ad53ca = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System32.exe\" .." | C:\Users\Admin\AppData\Local\Temp\System32.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\System32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Users\Admin\AppData\Local\Temp\System32.exe
"C:\Users\Admin\AppData\Local\Temp\System32.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\System32.exe" "System32.exe" ENABLE
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | land-sustained.gl.at.ply.gg | udp |
| US | 147.185.221.22:4356 | land-sustained.gl.at.ply.gg | tcp |
Files
memory/2916-0-0x0000000074FC1000-0x0000000074FC2000-memory.dmp
memory/2916-1-0x0000000074FC0000-0x000000007556B000-memory.dmp
memory/2916-2-0x0000000074FC0000-0x000000007556B000-memory.dmp
\Users\Admin\AppData\Local\Temp\System32.exe
| MD5 | 816c212420f832d5d3ce0158b2d5519e |
| SHA1 | 278d08c54b9f7991afb5316932ccb4672f7a2562 |
| SHA256 | edfc57c98a9aafd20c755984ca5c188c1a1e1c11b8efcc335fc5a232b637fd9c |
| SHA512 | f75d754368f4b45a95d829eb3bae081a6a2f06a45077a2dffefd7c667d8075b69b8f5c96600c44455e0f25760423e79db6ae37837caa7cfd5345082463a47855 |
memory/2768-12-0x0000000074FC0000-0x000000007556B000-memory.dmp
memory/2916-11-0x0000000074FC0000-0x000000007556B000-memory.dmp
memory/2768-10-0x0000000074FC0000-0x000000007556B000-memory.dmp
memory/2768-13-0x0000000074FC0000-0x000000007556B000-memory.dmp