Malware Analysis Report

2025-03-15 06:22

Sample ID 241007-k91xdsxerk
Target 2792-29-0x00000000002A0000-0x0000000000B6A000-memory.dmp
SHA256 590383f4bc81eb472544475d3f93b43967d12d499a1bc46e031d7cd5001d348c
Tags: njrat hacked discovery persistence themida trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

590383f4bc81eb472544475d3f93b43967d12d499a1bc46e031d7cd5001d348c

Threat Level: Known bad

The file 2792-29-0x00000000002A0000-0x0000000000B6A000-memory.dmp was found to be: Known bad.

Malicious Activity Summary

njrat hacked discovery persistence themida trojan

Njrat family

njRAT/Bladabindi

Executes dropped EXE

Checks computer location settings

Drops startup file

Themida packer

Adds Run key to start application

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Views/modifies file attributes

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-07 09:18

Signatures

Njrat family

njrat

Themida packer

themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-07 09:18

Reported

2024-10-07 09:21

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2792-29-0x00000000002A0000-0x0000000000B6A000-memory.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2792-29-0x00000000002A0000-0x0000000000B6A000-memory.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | C:\Windows\SysWOW64\attrib.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | C:\Users\Admin\AppData\Local\Temp\2792-29-0x00000000002A0000-0x0000000000B6A000-memory.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | C:\ProgramData\Payload.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | C:\ProgramData\Payload.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | C:\ProgramData\Payload.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\Payload.exe | N/A

Themida packer

themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\ProgramData\\Payload.exe" | C:\Users\Admin\AppData\Local\Temp\2792-29-0x00000000002A0000-0x0000000000B6A000-memory.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | C:\ProgramData\Payload.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | C:\ProgramData\Payload.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | C:\ProgramData\Payload.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | C:\ProgramData\Payload.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2792-29-0x00000000002A0000-0x0000000000B6A000-memory.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Payload.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\ProgramData\Payload.exe | N/A
Token: 33 | N/A | C:\ProgramData\Payload.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\Payload.exe | N/A
Token: 33 | N/A | C:\ProgramData\Payload.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\Payload.exe | N/A
Token: 33 | N/A | C:\ProgramData\Payload.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\Payload.exe | N/A
Token: 33 | N/A | C:\ProgramData\Payload.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\Payload.exe | N/A
Token: 33 | N/A | C:\ProgramData\Payload.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\Payload.exe | N/A
Token: 33 | N/A | C:\ProgramData\Payload.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\Payload.exe | N/A
Token: 33 | N/A | C:\ProgramData\Payload.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\Payload.exe | N/A
Token: 33 | N/A | C:\ProgramData\Payload.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\Payload.exe | N/A
Token: 33 | N/A | C:\ProgramData\Payload.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\Payload.exe | N/A
Token: 33 | N/A | C:\ProgramData\Payload.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\Payload.exe | N/A
Token: 33 | N/A | C:\ProgramData\Payload.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\Payload.exe | N/A
Token: 33 | N/A | C:\ProgramData\Payload.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\Payload.exe | N/A
Token: 33 | N/A | C:\ProgramData\Payload.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\Payload.exe | N/A
Token: 33 | N/A | C:\ProgramData\Payload.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\Payload.exe | N/A
Token: 33 | N/A | C:\ProgramData\Payload.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\Payload.exe | N/A
Token: 33 | N/A | C:\ProgramData\Payload.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\Payload.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 8 wrote to memory of 2064 | N/A | C:\Users\Admin\AppData\Local\Temp\2792-29-0x00000000002A0000-0x0000000000B6A000-memory.exe | C:\ProgramData\Payload.exe
PID 8 wrote to memory of 2064 | N/A | C:\Users\Admin\AppData\Local\Temp\2792-29-0x00000000002A0000-0x0000000000B6A000-memory.exe | C:\ProgramData\Payload.exe
PID 8 wrote to memory of 2064 | N/A | C:\Users\Admin\AppData\Local\Temp\2792-29-0x00000000002A0000-0x0000000000B6A000-memory.exe | C:\ProgramData\Payload.exe
PID 8 wrote to memory of 2092 | N/A | C:\Users\Admin\AppData\Local\Temp\2792-29-0x00000000002A0000-0x0000000000B6A000-memory.exe | C:\Windows\SysWOW64\attrib.exe
PID 8 wrote to memory of 2092 | N/A | C:\Users\Admin\AppData\Local\Temp\2792-29-0x00000000002A0000-0x0000000000B6A000-memory.exe | C:\Windows\SysWOW64\attrib.exe
PID 8 wrote to memory of 2092 | N/A | C:\Users\Admin\AppData\Local\Temp\2792-29-0x00000000002A0000-0x0000000000B6A000-memory.exe | C:\Windows\SysWOW64\attrib.exe
PID 2064 wrote to memory of 4608 | N/A | C:\ProgramData\Payload.exe | C:\Windows\SysWOW64\attrib.exe
PID 2064 wrote to memory of 4608 | N/A | C:\ProgramData\Payload.exe | C:\Windows\SysWOW64\attrib.exe
PID 2064 wrote to memory of 4608 | N/A | C:\ProgramData\Payload.exe | C:\Windows\SysWOW64\attrib.exe
PID 2064 wrote to memory of 5032 | N/A | C:\ProgramData\Payload.exe | C:\Windows\SysWOW64\attrib.exe
PID 2064 wrote to memory of 5032 | N/A | C:\ProgramData\Payload.exe | C:\Windows\SysWOW64\attrib.exe
PID 2064 wrote to memory of 5032 | N/A | C:\ProgramData\Payload.exe | C:\Windows\SysWOW64\attrib.exe

Views/modifies file attributes

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2792-29-0x00000000002A0000-0x0000000000B6A000-memory.exe

"C:\Users\Admin\AppData\Local\Temp\2792-29-0x00000000002A0000-0x0000000000B6A000-memory.exe"

C:\ProgramData\Payload.exe

"C:\ProgramData\Payload.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +r +s "C:\ProgramData\Payload.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | still-obviously.gl.at.ply.gg | udp
US | 147.185.221.22:46857 | still-obviously.gl.at.ply.gg | tcp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 147.185.221.22:46857 | still-obviously.gl.at.ply.gg | tcp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 147.185.221.22:46857 | still-obviously.gl.at.ply.gg | tcp
US | 147.185.221.22:46857 | still-obviously.gl.at.ply.gg | tcp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 147.185.221.22:46857 | still-obviously.gl.at.ply.gg | tcp
US | 147.185.221.22:46857 | still-obviously.gl.at.ply.gg | tcp

Files

memory/8-0-0x000000007443E000-0x000000007443F000-memory.dmp

memory/8-1-0x0000000000660000-0x0000000000F2A000-memory.dmp

memory/8-2-0x0000000005950000-0x00000000059EC000-memory.dmp

memory/8-5-0x00000000067B0000-0x0000000006D54000-memory.dmp

C:\ProgramData\Payload.exe

MD5 dc12c3ed6545883e412fd53aee9f9bc8
SHA1 745727e55ea35ef91fdae244f1d09f146309090c
SHA256 590383f4bc81eb472544475d3f93b43967d12d499a1bc46e031d7cd5001d348c
SHA512 eef34bca2e27e0e1ea61c12d82a85407a852b7ef236c4d6a91ec2e85a9be4a85219363759dbb2db23744c7772b9ccd0209977621a681f1345fa5754bfe30be4c

memory/8-11-0x000000007443E000-0x000000007443F000-memory.dmp

memory/2064-16-0x0000000074430000-0x0000000074BE0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

MD5 9f8aa8d72184c88280eba793825f8467
SHA1 bd4c4fd7959b7d69b847d2757ce349f6b0b79c6b
SHA256 c07f1fb16ddeb36694a50e400e6a8d30480fb93755cc9befc6d465fd2e961590
SHA512 acabb4a6667dea6b76a2c5556a31c844b8781f4cf51cb0a6cc46325912c0ec9cbb7b5be25724147156c093c17fb9124bdb92b9e1ec5865a749a529b3f3ac35c3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk

MD5 ede91f3d33a9a017174c0031e96007f0
SHA1 c52360c9fff6e5465022b934c3a74b3b211a0be6
SHA256 334ed85785265b6fbefd757b7db0b3751db8867bd37e9f16bf538e69ed6d685a
SHA512 2c52dd4127207527611419baadeea7ce290243575121c60c9670ee77c72a93dc1e0aa8c487c3bb2ee2ab1230f96821ecff799543849646ad3eded94afd632627

memory/2064-22-0x0000000074430000-0x0000000074BE0000-memory.dmp

memory/2064-23-0x0000000074430000-0x0000000074BE0000-memory.dmp

memory/2064-25-0x0000000006400000-0x0000000006492000-memory.dmp

memory/2064-26-0x00000000063F0000-0x00000000063FA000-memory.dmp

memory/2064-27-0x0000000074430000-0x0000000074BE0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-07 09:18

Reported

2024-10-07 09:18

Platform

win7-20240903-en

Max time kernel

0s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A