Analysis Overview
SHA256
3180329acbe4bef309498a65b0db0df853102257fdc3c71838c969289121f425
Threat Level: Known bad
The file 0x0036000000015d42-15.dat was found to be: Known bad.
Malicious Activity Summary
njRAT/Bladabindi
Njrat family
Modifies Windows Firewall
Checks computer location settings
Executes dropped EXE
Drops startup file
Adds Run key to start application
Drops file in Windows directory
Event Triggered Execution: Netsh Helper DLL
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-27 18:03
Signatures
Njrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-27 18:03
Reported
2024-08-27 18:06
Platform
win7-20240704-en
Max time kernel
150s
Max time network
146s
Command Line
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c6aa749155b3480287d64e2d4a50cdbf.exe | C:\Windows\svhost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c6aa749155b3480287d64e2d4a50cdbf.exe | C:\Windows\svhost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\svhost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\c6aa749155b3480287d64e2d4a50cdbf = "\"C:\\Windows\\svhost.exe\" .." | C:\Windows\svhost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\c6aa749155b3480287d64e2d4a50cdbf = "\"C:\\Windows\\svhost.exe\" .." | C:\Windows\svhost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\svhost.exe | C:\Users\Admin\AppData\Local\Temp\0x0036000000015d42-15.exe | N/A |
| File opened for modification | C:\Windows\svhost.exe | C:\Windows\svhost.exe | N/A |
| File created | C:\Windows\svhost.exe | C:\Users\Admin\AppData\Local\Temp\0x0036000000015d42-15.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0x0036000000015d42-15.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\svhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\svhost.exe | N/A |
| Token: 33 | N/A | C:\Windows\svhost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\svhost.exe | N/A |
| Token: 33 | N/A | C:\Windows\svhost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\svhost.exe | N/A |
| Token: 33 | N/A | C:\Windows\svhost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\svhost.exe | N/A |
| Token: 33 | N/A | C:\Windows\svhost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\svhost.exe | N/A |
| Token: 33 | N/A | C:\Windows\svhost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\svhost.exe | N/A |
| Token: 33 | N/A | C:\Windows\svhost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\svhost.exe | N/A |
| Token: 33 | N/A | C:\Windows\svhost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\svhost.exe | N/A |
| Token: 33 | N/A | C:\Windows\svhost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\svhost.exe | N/A |
| Token: 33 | N/A | C:\Windows\svhost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\svhost.exe | N/A |
| Token: 33 | N/A | C:\Windows\svhost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\svhost.exe | N/A |
| Token: 33 | N/A | C:\Windows\svhost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\svhost.exe | N/A |
| Token: 33 | N/A | C:\Windows\svhost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\svhost.exe | N/A |
| Token: 33 | N/A | C:\Windows\svhost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\svhost.exe | N/A |
| Token: 33 | N/A | C:\Windows\svhost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\svhost.exe | N/A |
| Token: 33 | N/A | C:\Windows\svhost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\svhost.exe | N/A |
| Token: 33 | N/A | C:\Windows\svhost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\svhost.exe | N/A |
| Token: 33 | N/A | C:\Windows\svhost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\svhost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2256 wrote to memory of 2368 | N/A | C:\Users\Admin\AppData\Local\Temp\0x0036000000015d42-15.exe | C:\Windows\svhost.exe |
| PID 2256 wrote to memory of 2368 | N/A | C:\Users\Admin\AppData\Local\Temp\0x0036000000015d42-15.exe | C:\Windows\svhost.exe |
| PID 2256 wrote to memory of 2368 | N/A | C:\Users\Admin\AppData\Local\Temp\0x0036000000015d42-15.exe | C:\Windows\svhost.exe |
| PID 2256 wrote to memory of 2368 | N/A | C:\Users\Admin\AppData\Local\Temp\0x0036000000015d42-15.exe | C:\Windows\svhost.exe |
| PID 2368 wrote to memory of 2868 | N/A | C:\Windows\svhost.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 2368 wrote to memory of 2868 | N/A | C:\Windows\svhost.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 2368 wrote to memory of 2868 | N/A | C:\Windows\svhost.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 2368 wrote to memory of 2868 | N/A | C:\Windows\svhost.exe | C:\Windows\SysWOW64\netsh.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\0x0036000000015d42-15.exe
"C:\Users\Admin\AppData\Local\Temp\0x0036000000015d42-15.exe"
C:\Windows\svhost.exe
"C:\Windows\svhost.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\svhost.exe" "svhost.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | born-administrative.gl.at.ply.gg | udp |
| US | 147.185.221.20:10324 | born-administrative.gl.at.ply.gg | tcp |
| US | 147.185.221.20:10324 | born-administrative.gl.at.ply.gg | tcp |
| US | 147.185.221.20:10324 | born-administrative.gl.at.ply.gg | tcp |
| US | 147.185.221.20:10324 | born-administrative.gl.at.ply.gg | tcp |
| US | 147.185.221.20:10324 | born-administrative.gl.at.ply.gg | tcp |
| US | 147.185.221.20:10324 | born-administrative.gl.at.ply.gg | tcp |
Files
memory/2256-0-0x0000000073CA1000-0x0000000073CA2000-memory.dmp
memory/2256-1-0x0000000073CA0000-0x000000007424B000-memory.dmp
memory/2256-2-0x0000000073CA0000-0x000000007424B000-memory.dmp
C:\Windows\svhost.exe
| MD5 | 93bf6f4e5c7a5cfa70924d084796388d |
| SHA1 | 92c32c2ae89aefceb51468eca032adce232e0bbb |
| SHA256 | 3180329acbe4bef309498a65b0db0df853102257fdc3c71838c969289121f425 |
| SHA512 | eb13a2d5590aa20e426a8d93b27d57f467be9efe496a180d2c6c921597b6ed2b232a0e0c43dd451b377b356c2ffa22083062c67172b9f109d3efa87e31e6de42 |
memory/2256-9-0x0000000073CA0000-0x000000007424B000-memory.dmp
memory/2368-10-0x0000000073CA0000-0x000000007424B000-memory.dmp
memory/2368-11-0x0000000073CA0000-0x000000007424B000-memory.dmp
memory/2368-13-0x0000000073CA0000-0x000000007424B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-27 18:03
Reported
2024-08-27 18:06
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
146s
Command Line
Signatures
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0x0036000000015d42-15.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c6aa749155b3480287d64e2d4a50cdbf.exe | C:\Windows\svhost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c6aa749155b3480287d64e2d4a50cdbf.exe | C:\Windows\svhost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\svhost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c6aa749155b3480287d64e2d4a50cdbf = "\"C:\\Windows\\svhost.exe\" .." | C:\Windows\svhost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\c6aa749155b3480287d64e2d4a50cdbf = "\"C:\\Windows\\svhost.exe\" .." | C:\Windows\svhost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\svhost.exe | C:\Users\Admin\AppData\Local\Temp\0x0036000000015d42-15.exe | N/A |
| File opened for modification | C:\Windows\svhost.exe | C:\Users\Admin\AppData\Local\Temp\0x0036000000015d42-15.exe | N/A |
| File opened for modification | C:\Windows\svhost.exe | C:\Windows\svhost.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0x0036000000015d42-15.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\svhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\svhost.exe | N/A |
| Token: 33 | N/A | C:\Windows\svhost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\svhost.exe | N/A |
| Token: 33 | N/A | C:\Windows\svhost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\svhost.exe | N/A |
| Token: 33 | N/A | C:\Windows\svhost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\svhost.exe | N/A |
| Token: 33 | N/A | C:\Windows\svhost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\svhost.exe | N/A |
| Token: 33 | N/A | C:\Windows\svhost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\svhost.exe | N/A |
| Token: 33 | N/A | C:\Windows\svhost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\svhost.exe | N/A |
| Token: 33 | N/A | C:\Windows\svhost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\svhost.exe | N/A |
| Token: 33 | N/A | C:\Windows\svhost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\svhost.exe | N/A |
| Token: 33 | N/A | C:\Windows\svhost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\svhost.exe | N/A |
| Token: 33 | N/A | C:\Windows\svhost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\svhost.exe | N/A |
| Token: 33 | N/A | C:\Windows\svhost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\svhost.exe | N/A |
| Token: 33 | N/A | C:\Windows\svhost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\svhost.exe | N/A |
| Token: 33 | N/A | C:\Windows\svhost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\svhost.exe | N/A |
| Token: 33 | N/A | C:\Windows\svhost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\svhost.exe | N/A |
| Token: 33 | N/A | C:\Windows\svhost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\svhost.exe | N/A |
| Token: 33 | N/A | C:\Windows\svhost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\svhost.exe | N/A |
| Token: 33 | N/A | C:\Windows\svhost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\svhost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2212 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\0x0036000000015d42-15.exe | C:\Windows\svhost.exe |
| PID 2212 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\0x0036000000015d42-15.exe | C:\Windows\svhost.exe |
| PID 2212 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\0x0036000000015d42-15.exe | C:\Windows\svhost.exe |
| PID 3476 wrote to memory of 660 | N/A | C:\Windows\svhost.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 3476 wrote to memory of 660 | N/A | C:\Windows\svhost.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 3476 wrote to memory of 660 | N/A | C:\Windows\svhost.exe | C:\Windows\SysWOW64\netsh.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\0x0036000000015d42-15.exe
"C:\Users\Admin\AppData\Local\Temp\0x0036000000015d42-15.exe"
C:\Windows\svhost.exe
"C:\Windows\svhost.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\svhost.exe" "svhost.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 18.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | born-administrative.gl.at.ply.gg | udp |
| US | 147.185.221.20:10324 | born-administrative.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 147.185.221.20:10324 | born-administrative.gl.at.ply.gg | tcp |
| US | 147.185.221.20:10324 | born-administrative.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 52.111.227.13:443 | tcp | |
| US | 147.185.221.20:10324 | born-administrative.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 147.185.221.20:10324 | born-administrative.gl.at.ply.gg | tcp |
| US | 147.185.221.20:10324 | born-administrative.gl.at.ply.gg | tcp |
Files
memory/2212-0-0x00000000748C2000-0x00000000748C3000-memory.dmp
memory/2212-1-0x00000000748C0000-0x0000000074E71000-memory.dmp
memory/2212-2-0x00000000748C0000-0x0000000074E71000-memory.dmp
C:\Windows\svhost.exe
| MD5 | 93bf6f4e5c7a5cfa70924d084796388d |
| SHA1 | 92c32c2ae89aefceb51468eca032adce232e0bbb |
| SHA256 | 3180329acbe4bef309498a65b0db0df853102257fdc3c71838c969289121f425 |
| SHA512 | eb13a2d5590aa20e426a8d93b27d57f467be9efe496a180d2c6c921597b6ed2b232a0e0c43dd451b377b356c2ffa22083062c67172b9f109d3efa87e31e6de42 |
memory/3476-12-0x00000000748C0000-0x0000000074E71000-memory.dmp
memory/3476-14-0x00000000748C0000-0x0000000074E71000-memory.dmp
memory/2212-13-0x00000000748C0000-0x0000000074E71000-memory.dmp
memory/3476-15-0x00000000748C0000-0x0000000074E71000-memory.dmp
memory/3476-17-0x00000000748C0000-0x0000000074E71000-memory.dmp
memory/3476-18-0x00000000748C0000-0x0000000074E71000-memory.dmp