Analysis Overview
SHA256
e4a773a3fd811af52ce9a7ad8fd62b6ad4d982feca495c3f36628eaa5d1dc855
Threat Level: Known bad
The file e4a773a3fd811af52ce9a7ad8fd62b6ad4d982feca495c3f36628eaa5d1dc855N was found to be: Known bad.
Malicious Activity Summary
njRAT/Bladabindi
Modifies Windows Firewall
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Event Triggered Execution: Netsh Helper DLL
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-27 11:55
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-27 11:55
Reported
2024-09-27 11:57
Platform
win7-20240729-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\279f6960ed84a752570aca7fb2dc1552 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\279f6960ed84a752570aca7fb2dc1552 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2652 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\e4a773a3fd811af52ce9a7ad8fd62b6ad4d982feca495c3f36628eaa5d1dc855N.exe | C:\Users\Admin\AppData\Local\Temp\server.exe |
| PID 2652 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\e4a773a3fd811af52ce9a7ad8fd62b6ad4d982feca495c3f36628eaa5d1dc855N.exe | C:\Users\Admin\AppData\Local\Temp\server.exe |
| PID 2652 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\e4a773a3fd811af52ce9a7ad8fd62b6ad4d982feca495c3f36628eaa5d1dc855N.exe | C:\Users\Admin\AppData\Local\Temp\server.exe |
| PID 2192 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Windows\system32\netsh.exe |
| PID 2192 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Windows\system32\netsh.exe |
| PID 2192 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Windows\system32\netsh.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e4a773a3fd811af52ce9a7ad8fd62b6ad4d982feca495c3f36628eaa5d1dc855N.exe
"C:\Users\Admin\AppData\Local\Temp\e4a773a3fd811af52ce9a7ad8fd62b6ad4d982feca495c3f36628eaa5d1dc855N.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Windows\system32\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
Files
memory/2652-0-0x000007FEF5BCE000-0x000007FEF5BCF000-memory.dmp
memory/2652-1-0x000007FEF5910000-0x000007FEF62AD000-memory.dmp
memory/2652-2-0x0000000000420000-0x000000000042C000-memory.dmp
memory/2652-3-0x000007FEF5910000-0x000007FEF62AD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\server.exe
| MD5 | c74de5c9d74cc46305a5b548b70e94d0 |
| SHA1 | ffe5388c48ec856a62c9269e7bb51cfd5c352317 |
| SHA256 | e4a773a3fd811af52ce9a7ad8fd62b6ad4d982feca495c3f36628eaa5d1dc855 |
| SHA512 | 94ca7cee4ebbf3a4334925c775f843c38ec4f3d5eb1c1d5d75aa941639d93c5851ac080edd5227650824d82c98cb8a054efc09f135d4b3b1b0fc98765c00cba0 |
memory/2192-10-0x000007FEF5910000-0x000007FEF62AD000-memory.dmp
memory/2652-9-0x000007FEF5910000-0x000007FEF62AD000-memory.dmp
memory/2192-11-0x000007FEF5910000-0x000007FEF62AD000-memory.dmp
memory/2192-12-0x000007FEF5910000-0x000007FEF62AD000-memory.dmp
memory/2192-13-0x000007FEF5910000-0x000007FEF62AD000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-27 11:55
Reported
2024-09-27 11:57
Platform
win10v2004-20240802-en
Max time kernel
119s
Max time network
108s
Command Line
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e4a773a3fd811af52ce9a7ad8fd62b6ad4d982feca495c3f36628eaa5d1dc855N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\279f6960ed84a752570aca7fb2dc1552 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\279f6960ed84a752570aca7fb2dc1552 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 812 wrote to memory of 4484 | N/A | C:\Users\Admin\AppData\Local\Temp\e4a773a3fd811af52ce9a7ad8fd62b6ad4d982feca495c3f36628eaa5d1dc855N.exe | C:\Users\Admin\AppData\Local\Temp\server.exe |
| PID 812 wrote to memory of 4484 | N/A | C:\Users\Admin\AppData\Local\Temp\e4a773a3fd811af52ce9a7ad8fd62b6ad4d982feca495c3f36628eaa5d1dc855N.exe | C:\Users\Admin\AppData\Local\Temp\server.exe |
| PID 4484 wrote to memory of 3484 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Windows\SYSTEM32\netsh.exe |
| PID 4484 wrote to memory of 3484 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Windows\SYSTEM32\netsh.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e4a773a3fd811af52ce9a7ad8fd62b6ad4d982feca495c3f36628eaa5d1dc855N.exe
"C:\Users\Admin\AppData\Local\Temp\e4a773a3fd811af52ce9a7ad8fd62b6ad4d982feca495c3f36628eaa5d1dc855N.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Windows\SYSTEM32\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:5552 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
Files
memory/812-0-0x00007FFE70CD5000-0x00007FFE70CD6000-memory.dmp
memory/812-1-0x000000001B740000-0x000000001B7E6000-memory.dmp
memory/812-2-0x00007FFE70A20000-0x00007FFE713C1000-memory.dmp
memory/812-3-0x00007FFE70A20000-0x00007FFE713C1000-memory.dmp
memory/812-4-0x000000001B6B0000-0x000000001B6BC000-memory.dmp
memory/812-5-0x000000001BCC0000-0x000000001C18E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\server.exe
| MD5 | c74de5c9d74cc46305a5b548b70e94d0 |
| SHA1 | ffe5388c48ec856a62c9269e7bb51cfd5c352317 |
| SHA256 | e4a773a3fd811af52ce9a7ad8fd62b6ad4d982feca495c3f36628eaa5d1dc855 |
| SHA512 | 94ca7cee4ebbf3a4334925c775f843c38ec4f3d5eb1c1d5d75aa941639d93c5851ac080edd5227650824d82c98cb8a054efc09f135d4b3b1b0fc98765c00cba0 |
memory/4484-18-0x00007FFE70A20000-0x00007FFE713C1000-memory.dmp
memory/812-19-0x00007FFE70A20000-0x00007FFE713C1000-memory.dmp
memory/4484-20-0x00007FFE70A20000-0x00007FFE713C1000-memory.dmp
memory/4484-21-0x00007FFE70A20000-0x00007FFE713C1000-memory.dmp
memory/4484-22-0x000000001C8F0000-0x000000001C98C000-memory.dmp
memory/4484-23-0x00000000017F0000-0x00000000017F8000-memory.dmp
memory/4484-24-0x00007FFE70A20000-0x00007FFE713C1000-memory.dmp