Analysis Overview
SHA256
3b9380136a78bbcaddb4b35df124ff4bc6843448b663435e74208f2f8e443649
Threat Level: Known bad
The file 3b9380136a78bbcaddb4b35df124ff4bc6843448b663435e74208f2f8e443649N was found to be: Known bad.
Malicious Activity Summary
njRAT/Bladabindi
Modifies Windows Firewall
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-04 07:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-04 07:19
Reported
2024-10-04 07:21
Platform
win7-20240903-en
Max time kernel
119s
Max time network
116s
Command Line
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\634.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\634.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\42b6019350ac5d33a1fa8d0a74849f88 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\42b6019350ac5d33a1fa8d0a74849f88 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\634.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3b9380136a78bbcaddb4b35df124ff4bc6843448b663435e74208f2f8e443649N.exe
"C:\Users\Admin\AppData\Local\Temp\3b9380136a78bbcaddb4b35df124ff4bc6843448b663435e74208f2f8e443649N.exe"
C:\Users\Admin\AppData\Local\Temp\634.exe
C:\Users\Admin\AppData\Local\Temp\634.exe
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ngm.ddns.net | udp |
| EG | 197.56.124.218:6060 | ngm.ddns.net | tcp |
Files
memory/548-0-0x000007FEF602E000-0x000007FEF602F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\634.exe
| MD5 | 0d8a343211304f814f65335471e575ee |
| SHA1 | d1ab93fd810e66c3d907c90e9453b32a643745ce |
| SHA256 | a21da1a7600570c13dd498a96168563683f1606ee0ea79e934aafff7d78f4fad |
| SHA512 | 0d0a86604b41a06f090d9e2c51a3c27e4ed33b82379861b612a89f00cda5f135854ce0be62ac029cd44ea2b7bc3f3e4ff18a1cdce65fe97f0da9e0afe61ea7db |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-04 07:19
Reported
2024-10-04 07:21
Platform
win10v2004-20240802-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\856.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\856.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\42b6019350ac5d33a1fa8d0a74849f88 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\42b6019350ac5d33a1fa8d0a74849f88 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\856.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3b9380136a78bbcaddb4b35df124ff4bc6843448b663435e74208f2f8e443649N.exe
"C:\Users\Admin\AppData\Local\Temp\3b9380136a78bbcaddb4b35df124ff4bc6843448b663435e74208f2f8e443649N.exe"
C:\Users\Admin\AppData\Local\Temp\856.exe
C:\Users\Admin\AppData\Local\Temp\856.exe
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ngm.ddns.net | udp |
| EG | 197.56.124.218:6060 | ngm.ddns.net | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 52.111.227.11:443 | N/A | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\856.exe
| MD5 | 0d8a343211304f814f65335471e575ee |
| SHA1 | d1ab93fd810e66c3d907c90e9453b32a643745ce |
| SHA256 | a21da1a7600570c13dd498a96168563683f1606ee0ea79e934aafff7d78f4fad |
| SHA512 | 0d0a86604b41a06f090d9e2c51a3c27e4ed33b82379861b612a89f00cda5f135854ce0be62ac029cd44ea2b7bc3f3e4ff18a1cdce65fe97f0da9e0afe61ea7db |