Analysis Overview
SHA256
20cef431aae4d318b4ceff66ffc674c078c2dc63e5788b15c26d5ce4be388dc8
Threat Level: Known bad
The file 20cef431aae4d318b4ceff66ffc674c078c2dc63e5788b15c26d5ce4be388dc8N was found to be: Known bad.
Malicious Activity Summary
njRAT/Bladabindi
Modifies Windows Firewall
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-27 19:45
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-27 19:45
Reported
2024-09-27 19:47
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gggdggg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gggdggg.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\279f6960ed84a752570aca7fb2dc1552 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\279f6960ed84a752570aca7fb2dc1552 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\gggdggg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\20cef431aae4d318b4ceff66ffc674c078c2dc63e5788b15c26d5ce4be388dc8N.exe
"C:\Users\Admin\AppData\Local\Temp\20cef431aae4d318b4ceff66ffc674c078c2dc63e5788b15c26d5ce4be388dc8N.exe"
C:\Users\Admin\AppData\Local\Temp\gggdggg.exe
"C:\Users\Admin\AppData\Local\Temp\gggdggg.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 127.0.0.1:5552 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\gggdggg.exe
| MD5 | b0b85bfca63883d245c4834357cec7ae |
| SHA1 | 6bf82cd93a32ca03eafeef76b735bae1ea3d05f2 |
| SHA256 | 792b0dd50370efbdaadc2e1b9c71ed81c4219982357cbfa559a4494797b7585c |
| SHA512 | 7b44fce09e9325c34ab3c3d122fdc82a10a5931df3305e1e44bb005da738aa872f88f16d7df340cb777efc24bf265f0c6e1a4a72a8ee729b9f2bf6792e9bd75c |
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-27 19:45
Reported
2024-09-27 19:47
Platform
win10v2004-20240802-en
Max time kernel
119s
Max time network
100s
Command Line
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\20cef431aae4d318b4ceff66ffc674c078c2dc63e5788b15c26d5ce4be388dc8N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\gggdggg.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gggdggg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\279f6960ed84a752570aca7fb2dc1552 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\279f6960ed84a752570aca7fb2dc1552 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\gggdggg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\20cef431aae4d318b4ceff66ffc674c078c2dc63e5788b15c26d5ce4be388dc8N.exe
"C:\Users\Admin\AppData\Local\Temp\20cef431aae4d318b4ceff66ffc674c078c2dc63e5788b15c26d5ce4be388dc8N.exe"
C:\Users\Admin\AppData\Local\Temp\gggdggg.exe
"C:\Users\Admin\AppData\Local\Temp\gggdggg.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| N/A | 127.0.0.1:5552 | | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\gggdggg.exe
| MD5 | b0b85bfca63883d245c4834357cec7ae |
| SHA1 | 6bf82cd93a32ca03eafeef76b735bae1ea3d05f2 |
| SHA256 | 792b0dd50370efbdaadc2e1b9c71ed81c4219982357cbfa559a4494797b7585c |
| SHA512 | 7b44fce09e9325c34ab3c3d122fdc82a10a5931df3305e1e44bb005da738aa872f88f16d7df340cb777efc24bf265f0c6e1a4a72a8ee729b9f2bf6792e9bd75c |