Analysis Overview
SHA256
590383f4bc81eb472544475d3f93b43967d12d499a1bc46e031d7cd5001d348c
Threat Level: Known bad
The file 2792-29-0x00000000002A0000-0x0000000000B6A000-memory.dmp was found to be: Known bad.
Malicious Activity Summary
Njrat family
njRAT/Bladabindi
Executes dropped EXE
Checks computer location settings
Drops startup file
Themida packer
Adds Run key to start application
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Views/modifies file attributes
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-07 09:18
Signatures
Njrat family
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-07 09:18
Reported
2024-10-07 09:21
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
njRAT/Bladabindi
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2792-29-0x00000000002A0000-0x0000000000B6A000-memory.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | C:\Users\Admin\AppData\Local\Temp\2792-29-0x00000000002A0000-0x0000000000B6A000-memory.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | C:\ProgramData\Payload.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | C:\ProgramData\Payload.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | C:\ProgramData\Payload.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Payload.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\ProgramData\\Payload.exe" | C:\Users\Admin\AppData\Local\Temp\2792-29-0x00000000002A0000-0x0000000000B6A000-memory.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | C:\ProgramData\Payload.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | C:\ProgramData\Payload.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | C:\ProgramData\Payload.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | C:\ProgramData\Payload.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2792-29-0x00000000002A0000-0x0000000000B6A000-memory.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Payload.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Payload.exe | N/A |
| Token: 33 | N/A | C:\ProgramData\Payload.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\Payload.exe | N/A |
| Token: 33 | N/A | C:\ProgramData\Payload.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\Payload.exe | N/A |
| Token: 33 | N/A | C:\ProgramData\Payload.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\Payload.exe | N/A |
| Token: 33 | N/A | C:\ProgramData\Payload.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\Payload.exe | N/A |
| Token: 33 | N/A | C:\ProgramData\Payload.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\Payload.exe | N/A |
| Token: 33 | N/A | C:\ProgramData\Payload.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\Payload.exe | N/A |
| Token: 33 | N/A | C:\ProgramData\Payload.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\Payload.exe | N/A |
| Token: 33 | N/A | C:\ProgramData\Payload.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\Payload.exe | N/A |
| Token: 33 | N/A | C:\ProgramData\Payload.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\Payload.exe | N/A |
| Token: 33 | N/A | C:\ProgramData\Payload.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\Payload.exe | N/A |
| Token: 33 | N/A | C:\ProgramData\Payload.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\Payload.exe | N/A |
| Token: 33 | N/A | C:\ProgramData\Payload.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\Payload.exe | N/A |
| Token: 33 | N/A | C:\ProgramData\Payload.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\Payload.exe | N/A |
| Token: 33 | N/A | C:\ProgramData\Payload.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\Payload.exe | N/A |
| Token: 33 | N/A | C:\ProgramData\Payload.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\Payload.exe | N/A |
| Token: 33 | N/A | C:\ProgramData\Payload.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\Payload.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2792-29-0x00000000002A0000-0x0000000000B6A000-memory.exe
"C:\Users\Admin\AppData\Local\Temp\2792-29-0x00000000002A0000-0x0000000000B6A000-memory.exe"
C:\ProgramData\Payload.exe
"C:\ProgramData\Payload.exe"
C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\ProgramData\Payload.exe"
C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | still-obviously.gl.at.ply.gg | udp |
| US | 147.185.221.22:46857 | still-obviously.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 147.185.221.22:46857 | still-obviously.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 147.185.221.22:46857 | still-obviously.gl.at.ply.gg | tcp |
| US | 147.185.221.22:46857 | still-obviously.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 147.185.221.22:46857 | still-obviously.gl.at.ply.gg | tcp |
| US | 147.185.221.22:46857 | still-obviously.gl.at.ply.gg | tcp |
Files
memory/8-0-0x000000007443E000-0x000000007443F000-memory.dmp
memory/8-1-0x0000000000660000-0x0000000000F2A000-memory.dmp
memory/8-2-0x0000000005950000-0x00000000059EC000-memory.dmp
memory/8-5-0x00000000067B0000-0x0000000006D54000-memory.dmp
C:\ProgramData\Payload.exe
| MD5 | dc12c3ed6545883e412fd53aee9f9bc8 |
| SHA1 | 745727e55ea35ef91fdae244f1d09f146309090c |
| SHA256 | 590383f4bc81eb472544475d3f93b43967d12d499a1bc46e031d7cd5001d348c |
| SHA512 | eef34bca2e27e0e1ea61c12d82a85407a852b7ef236c4d6a91ec2e85a9be4a85219363759dbb2db23744c7772b9ccd0209977621a681f1345fa5754bfe30be4c |
memory/8-11-0x000000007443E000-0x000000007443F000-memory.dmp
memory/2064-16-0x0000000074430000-0x0000000074BE0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
| MD5 | 9f8aa8d72184c88280eba793825f8467 |
| SHA1 | bd4c4fd7959b7d69b847d2757ce349f6b0b79c6b |
| SHA256 | c07f1fb16ddeb36694a50e400e6a8d30480fb93755cc9befc6d465fd2e961590 |
| SHA512 | acabb4a6667dea6b76a2c5556a31c844b8781f4cf51cb0a6cc46325912c0ec9cbb7b5be25724147156c093c17fb9124bdb92b9e1ec5865a749a529b3f3ac35c3 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
| MD5 | ede91f3d33a9a017174c0031e96007f0 |
| SHA1 | c52360c9fff6e5465022b934c3a74b3b211a0be6 |
| SHA256 | 334ed85785265b6fbefd757b7db0b3751db8867bd37e9f16bf538e69ed6d685a |
| SHA512 | 2c52dd4127207527611419baadeea7ce290243575121c60c9670ee77c72a93dc1e0aa8c487c3bb2ee2ab1230f96821ecff799543849646ad3eded94afd632627 |
memory/2064-22-0x0000000074430000-0x0000000074BE0000-memory.dmp
memory/2064-23-0x0000000074430000-0x0000000074BE0000-memory.dmp
memory/2064-25-0x0000000006400000-0x0000000006492000-memory.dmp
memory/2064-26-0x00000000063F0000-0x00000000063FA000-memory.dmp
memory/2064-27-0x0000000074430000-0x0000000074BE0000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-07 09:18
Reported
2024-10-07 09:18
Platform
win7-20240903-en
Max time kernel
0s