Malware Analysis Report

2025-01-22 13:46

Sample ID 240827-wncs8avgmq
Target 0x0036000000015d42-15.dat
SHA256 3180329acbe4bef309498a65b0db0df853102257fdc3c71838c969289121f425
Tags
hacked njrat discovery evasion persistence privilege_escalation trojan
score
10/10


Analysis Overview

score
10/10

SHA256

3180329acbe4bef309498a65b0db0df853102257fdc3c71838c969289121f425

Threat Level: Known bad

The file 0x0036000000015d42-15.dat was found to be: Known bad.

Malicious Activity Summary

hacked njrat discovery evasion persistence privilege_escalation trojan

njRAT/Bladabindi

Njrat family

Modifies Windows Firewall

Checks computer location settings

Executes dropped EXE

Drops startup file

Adds Run key to start application

Drops file in Windows directory

Event Triggered Execution: Netsh Helper DLL

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-27 18:03

Signatures

Njrat family

njrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-27 18:03

Reported

2024-08-27 18:06

Platform

win7-20240704-en

Max time kernel

150s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0x0036000000015d42-15.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c6aa749155b3480287d64e2d4a50cdbf.exe C:\Windows\svhost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c6aa749155b3480287d64e2d4a50cdbf.exe C:\Windows\svhost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\svhost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\c6aa749155b3480287d64e2d4a50cdbf = "\"C:\\Windows\\svhost.exe\" .." C:\Windows\svhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\c6aa749155b3480287d64e2d4a50cdbf = "\"C:\\Windows\\svhost.exe\" .." C:\Windows\svhost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svhost.exe C:\Users\Admin\AppData\Local\Temp\0x0036000000015d42-15.exe N/A
File opened for modification C:\Windows\svhost.exe C:\Windows\svhost.exe N/A
File created C:\Windows\svhost.exe C:\Users\Admin\AppData\Local\Temp\0x0036000000015d42-15.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0x0036000000015d42-15.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\svhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\svhost.exe N/A
Token: 33 N/A C:\Windows\svhost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svhost.exe N/A
(the last two rows appear 17 times each in the original report, as alternating identical entries)

Processes

C:\Users\Admin\AppData\Local\Temp\0x0036000000015d42-15.exe

"C:\Users\Admin\AppData\Local\Temp\0x0036000000015d42-15.exe"

C:\Windows\svhost.exe

"C:\Windows\svhost.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\svhost.exe" "svhost.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 born-administrative.gl.at.ply.gg udp
US 147.185.221.20:10324 born-administrative.gl.at.ply.gg tcp (6 identical entries)

Files

memory/2256-0-0x0000000073CA1000-0x0000000073CA2000-memory.dmp

memory/2256-1-0x0000000073CA0000-0x000000007424B000-memory.dmp

memory/2256-2-0x0000000073CA0000-0x000000007424B000-memory.dmp

C:\Windows\svhost.exe

MD5 93bf6f4e5c7a5cfa70924d084796388d
SHA1 92c32c2ae89aefceb51468eca032adce232e0bbb
SHA256 3180329acbe4bef309498a65b0db0df853102257fdc3c71838c969289121f425
SHA512 eb13a2d5590aa20e426a8d93b27d57f467be9efe496a180d2c6c921597b6ed2b232a0e0c43dd451b377b356c2ffa22083062c67172b9f109d3efa87e31e6de42

memory/2256-9-0x0000000073CA0000-0x000000007424B000-memory.dmp

memory/2368-10-0x0000000073CA0000-0x000000007424B000-memory.dmp

memory/2368-11-0x0000000073CA0000-0x000000007424B000-memory.dmp

memory/2368-13-0x0000000073CA0000-0x000000007424B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-27 18:03

Reported

2024-08-27 18:06

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0x0036000000015d42-15.exe"

Signatures

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0x0036000000015d42-15.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c6aa749155b3480287d64e2d4a50cdbf.exe C:\Windows\svhost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c6aa749155b3480287d64e2d4a50cdbf.exe C:\Windows\svhost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\svhost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c6aa749155b3480287d64e2d4a50cdbf = "\"C:\\Windows\\svhost.exe\" .." C:\Windows\svhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\c6aa749155b3480287d64e2d4a50cdbf = "\"C:\\Windows\\svhost.exe\" .." C:\Windows\svhost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\svhost.exe C:\Users\Admin\AppData\Local\Temp\0x0036000000015d42-15.exe N/A
File opened for modification C:\Windows\svhost.exe C:\Users\Admin\AppData\Local\Temp\0x0036000000015d42-15.exe N/A
File opened for modification C:\Windows\svhost.exe C:\Windows\svhost.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0x0036000000015d42-15.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\svhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\svhost.exe N/A
Token: 33 N/A C:\Windows\svhost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svhost.exe N/A
(the last two rows appear 17 times each in the original report, as alternating identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2212 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\0x0036000000015d42-15.exe C:\Windows\svhost.exe (3 identical entries)
PID 3476 wrote to memory of 660 N/A C:\Windows\svhost.exe C:\Windows\SysWOW64\netsh.exe (3 identical entries)

Processes

C:\Users\Admin\AppData\Local\Temp\0x0036000000015d42-15.exe

"C:\Users\Admin\AppData\Local\Temp\0x0036000000015d42-15.exe"

C:\Windows\svhost.exe

"C:\Windows\svhost.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\svhost.exe" "svhost.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 18.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 born-administrative.gl.at.ply.gg udp
US 147.185.221.20:10324 born-administrative.gl.at.ply.gg tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 147.185.221.20:10324 born-administrative.gl.at.ply.gg tcp
US 147.185.221.20:10324 born-administrative.gl.at.ply.gg tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 52.111.227.13:443 tcp
US 147.185.221.20:10324 born-administrative.gl.at.ply.gg tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 147.185.221.20:10324 born-administrative.gl.at.ply.gg tcp
US 147.185.221.20:10324 born-administrative.gl.at.ply.gg tcp

Files

memory/2212-0-0x00000000748C2000-0x00000000748C3000-memory.dmp

memory/2212-1-0x00000000748C0000-0x0000000074E71000-memory.dmp

memory/2212-2-0x00000000748C0000-0x0000000074E71000-memory.dmp

C:\Windows\svhost.exe

MD5 93bf6f4e5c7a5cfa70924d084796388d
SHA1 92c32c2ae89aefceb51468eca032adce232e0bbb
SHA256 3180329acbe4bef309498a65b0db0df853102257fdc3c71838c969289121f425
SHA512 eb13a2d5590aa20e426a8d93b27d57f467be9efe496a180d2c6c921597b6ed2b232a0e0c43dd451b377b356c2ffa22083062c67172b9f109d3efa87e31e6de42

memory/3476-12-0x00000000748C0000-0x0000000074E71000-memory.dmp

memory/3476-14-0x00000000748C0000-0x0000000074E71000-memory.dmp

memory/2212-13-0x00000000748C0000-0x0000000074E71000-memory.dmp

memory/3476-15-0x00000000748C0000-0x0000000074E71000-memory.dmp

memory/3476-17-0x00000000748C0000-0x0000000074E71000-memory.dmp

memory/3476-18-0x00000000748C0000-0x0000000074E71000-memory.dmp