Overview

overview

10

Static

static

10

pisun.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    900s
  • max time network
    449s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250313-en
  • resource tags

    arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    22/03/2025, 09:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    pisun.exe

  • Size

    54KB

  • MD5

    45140e967970cd63521eaa76dc4db7d7

  • SHA1

    aae8aa4c5fb8e1d5a830f1f095d7550a89b7634a

  • SHA256

    3990ab6d73f0a92606cb4c86d39e077f014da65413a264be94d03ca8478e64b8

  • SHA512

    d8c5274fc1c66700c3fb63527973cb20106070698eebdf90e6b3f9ace371e34a653e382f949683d9aab0cb33fdd00ab2b943e499a4d2d6f42a24822fa2142129

  • SSDEEP

    768:U8I0g652Esltuq55JR2ET3NwJSNbxWQG35bmaePD5PvXOC2XXJdxIEpmvg:U8ZVGtZ5DTCGlWQcGD0LX3xIEpmvg

Score
10/10
njratdiscoverytrojan

Malware Config

Signatures

  • Njrat family
    njrat
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 16 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 54 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: LoadsDriver 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 63 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\pisun.exe
    "C:\Users\Admin\AppData\Local\Temp\pisun.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5784
    • C:\Users\Admin\AppData\Local\Temp\44b2446bd37b4ed1805ec2355c21e33c.exe
      "C:\Users\Admin\AppData\Local\Temp\44b2446bd37b4ed1805ec2355c21e33c.exe"
      2⤵
      • Executes dropped EXE
      PID:5176
    • C:\Users\Admin\AppData\Local\Temp\74aec53a5c1e412eb2c8c608bb032647.exe
      "C:\Users\Admin\AppData\Local\Temp\74aec53a5c1e412eb2c8c608bb032647.exe"
      2⤵
      • Executes dropped EXE
      PID:1960
    • C:\Users\Admin\AppData\Local\Temp\c7cc6928c2c74fb7a7f51cc1d316ca3c.exe
      "C:\Users\Admin\AppData\Local\Temp\c7cc6928c2c74fb7a7f51cc1d316ca3c.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1892
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2316
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x00000000000004C0 0x00000000000004DC
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2680
  • C:\Windows\system32\dwm.exe
    "dwm.exe"
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:4672
  • C:\Windows\system32\dwm.exe
    "dwm.exe"
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:5492
  • C:\Windows\system32\dwm.exe
    "dwm.exe"
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:1244
  • C:\Windows\system32\dwm.exe
    "dwm.exe"
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:6124
  • C:\Windows\system32\dwm.exe
    "dwm.exe"
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:5500
  • C:\Windows\system32\dwm.exe
    "dwm.exe"
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:5924
  • C:\Windows\system32\dwm.exe
    "dwm.exe"
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:5396
  • C:\Windows\system32\dwm.exe
    "dwm.exe"
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2588
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0 /state0:0xa39cd055 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:3596
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
    1⤵
      PID:3568
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
        PID:3592
      • C:\Windows\system32\wbem\WMIADAP.EXE
        wmiadap.exe /R /T
        1⤵
        • Drops file in System32 directory
        • Drops file in Windows directory
        PID:672

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
        Filesize

        24KB

        MD5

        c361c7b4f6c23454a1518c2aa44b93d4

        SHA1

        4e55fcc4b04bb46de1490c7e2785765af1383597

        SHA256

        417b9f63f610a21b930a8eb21c072d1f9829b4ef24073ecbfe429d5b51392967

        SHA512

        0e5d5336219cfd868527951558e3b4ab3cc33fe2fea6cb64bafa7170423739a3524d74edfed4c3895a1886403dbcdb4388b052db91637548680215bd8b54e787

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\44b2446bd37b4ed1805ec2355c21e33c.exe
        Filesize

        3.2MB

        MD5

        e1304c8c7de82cec303f2e79f17c7785

        SHA1

        b4564a214dfe02a46db65db6612d7c3bd0973177

        SHA256

        9ca2cc9b71cfa8106d87d8f37b8c87a9da9df9f729b85ebe6307cd54f05a29cf

        SHA512

        6f5bc47f2bfdbcf64b06c033c37eda816b5b940ed1e7e409108c18b47b5a532bdc3d2787dee77fee2a2631ba1a74b5e64c6e7ab5d5451227eb33976f3187cc94

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\74aec53a5c1e412eb2c8c608bb032647.exe
        Filesize

        10.0MB

        MD5

        be9b8e7c29977c01f3122f1e5082f45d

        SHA1

        c53a253ac33ab33e94f3ad5e5200645b6391b779

        SHA256

        cb6384b855d46fe5678bb3d5d1fc77c800884f8345cb490e1aa71646e872d3ae

        SHA512

        91514128a7a488581372881a556b081ad920086fd43da84188033f0bd48f294199192b753ec691c2cb79072420b346f767d9cfb4ef2d119ca1e345d65df8dc34

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\c7cc6928c2c74fb7a7f51cc1d316ca3c.exe
        Filesize

        135KB

        MD5

        c971c68b4e58ccc82802b21ae8488bc7

        SHA1

        7305f3a0a0a0d489e0bcf664353289f61556de77

        SHA256

        cede0b15d88c20bc750b516858f8bf31ee472f6cbd01640840890736c4333cce

        SHA512

        ff199691c35f2748772410bf454e8b76dd67d892dd76fc87d20b3bbe6c145c6af1685344de636326692df792f55d0fba9a0025a7cf491d0b4e73ff45c3b039d7

        Download Submit

      • C:\Windows\System32\perfc007.dat
        Filesize

        148KB

        MD5

        3ae39e66b4a41bbdaf59d62d3f592f76

        SHA1

        47993134492bf151f1dfe36795689b7c30814ec6

        SHA256

        c13d3b95d1df175b9877f69e6f1f4378b83fae88fb2dd71e7dc28767079c21f2

        SHA512

        471c3518d238116908c73f7fc1b02e3b8799282d3cea5e805f47d9f5c19b193d21a14a49a6c989ef68c13c0afc30aed2cb39ccb29ab4a35c1d6e37f3993181a0

        Download Submit

      • C:\Windows\System32\perfc00A.dat
        Filesize

        157KB

        MD5

        d15708b68af7948dac89d1035d92d9e9

        SHA1

        f95e11008025f701318a6d66654ad829b7f620ac

        SHA256

        f6fdd2ff858f79e3576a0727dff4399308f3dcbf67ef322550283bf54a7a9aac

        SHA512

        e80e7730e29c0307c0159eb741ccaee60d6e5b89827bf760fd019a8d3ef598440ac8b4aa2a4900828301367316d99335e0a03b32f8189dccbab0f04d00512ade

        Download Submit

      • C:\Windows\System32\perfc00C.dat
        Filesize

        152KB

        MD5

        ca43387f26eb3f9cbc5b4c971aa22010

        SHA1

        f7a8584617921236023203b5ab2c48ab691a42cc

        SHA256

        331d5d7e11783203130f3d8ecb4c0af222780d7ab595e30969df4f1dcfaf4e9f

        SHA512

        abfa2d0113553e7b4b03c7059876c2c13757c3a325514ccf4f3ed5aa17f0e865bca26650e9db1b652f496a98e5c03c93b653a703ee90e9f3c0fb19e26fb1f4a4

        Download Submit

      • C:\Windows\System32\perfc010.dat
        Filesize

        146KB

        MD5

        fecf3e898a12c71c13563d3897fba5ca

        SHA1

        fbeda8d2218ea56ec3543f0fba55b30841ec4876

        SHA256

        eb709a38f1848f7b21f9a31cfd11d13122c96dbb8eeb67f2d01936946b93523b

        SHA512

        d41baa848b19409f50931a2f1df49f1e301a3f91d48617d458253b416404636b4fe5fc6e58bd79c39ec68a5c9b5d91c50f4b092c9011b4279b07caa40c1fef36

        Download Submit

      • C:\Windows\System32\perfc011.dat
        Filesize

        126KB

        MD5

        7aefcd51c55f1dd97bafb0a62ab667d3

        SHA1

        abdcf3281ccebc4427121dbfc539e626af258865

        SHA256

        93efbfa90ddb00294a5a2199f4a7647e70231275194aa9e233f3bf6c717988d9

        SHA512

        c14d20af10b137d3eb76b147b1ab2dfdbe8a2a0232ed8e73b0d3574af21c1c9ffb385c4dc7c5ce5de7c5e11176944495cdd76146bec8691ba2ae0170f3ffe7b4

        Download Submit

      • C:\Windows\System32\perfh007.dat
        Filesize

        724KB

        MD5

        d191eb918bfe8eecc3c3860101777950

        SHA1

        d7d671f69199618be49e1ec25450d1b84e23e9bc

        SHA256

        340e05360e06227a9acf6a2a70eb1879b4a165f3ed996063b8b3b7deea36956b

        SHA512

        c118565377c97490541f6df4772d5d0b9512956019bf3dc9d4d13b1f9a4d29055c5da6c85d73db900825945326ba7f016a7ff611d48bf5f6f1e3822c3b3fab80

        Download Submit

      • C:\Windows\System32\perfh009.dat
        Filesize

        699KB

        MD5

        47d6084d814dd0528f2d0ce0b0d6cf36

        SHA1

        f31ceb806b1ac1b6dbf7130a315491b3e9755bd5

        SHA256

        2e4b510ab605c8487fd2ee9e0cafa76f77f4ab99d34f3bfc43a180aafce9cc4e

        SHA512

        be7ce364dbbc859517bf255b08370ce574e505fbd3f9e9c4787d2e14d807e993da8b01ba48040e6c9c65bfba6567f9692153ab197e1593201eda04dbc3d26dc6

        Download Submit

      • C:\Windows\System32\perfh00A.dat
        Filesize

        783KB

        MD5

        a108af4023f71c61a65231e050739e84

        SHA1

        2af6091236d6f6b85e9fd6fcd88538e3dda94fe1

        SHA256

        6e22e3b24881e6eaec400b68e5e34a73854c6c8fdc2d7f9727728f3c8731de80

        SHA512

        c9567806c54298e709a99f6f8f95513bd5f68763e857e6abf961f51afd17d674cc68d02fbd5100fdc210cb4eba14eb67d35e0046175b6f45b9327b394607c4e6

        Download Submit

      • C:\Windows\System32\perfh00C.dat
        Filesize

        785KB

        MD5

        0848e4d645dbe3ee6f2ebdfc321b360f

        SHA1

        612a3d37faa10ff9b855516e5429d329b46bda94

        SHA256

        f152419cf44256809c3a226091ee4fd455d35b13700b5ccad32ed168e3f46d45

        SHA512

        dec39e5a3f734f9982fba7e357489b2ae6ed7cd7c4d37cff9bb02c5f598543efe482babdc61a284e1602d2698f28204c41c7fd85b429e2aca11b69b55c22b0c2

        Download Submit

      • C:\Windows\System32\perfh010.dat
        Filesize

        772KB

        MD5

        8501d993ee2bb21c86e8b36a574372e8

        SHA1

        4b910ce23d2524a0ab6fede464f46e541081df09

        SHA256

        40fcdeba24baf7358aaa286075b795176388ae6904d94c399c0e842c1c70d802

        SHA512

        fe8e29a9404710c7530b43c395bd67d19f03ba250c001327413b09b471f00294120c61093778e5aa1ee2650db9a2e4fa46ec9e511cb7b3b24e1d89e248d509b0

        Download Submit

      • C:\Windows\System32\perfh011.dat
        Filesize

        468KB

        MD5

        219b318d583d581f2ddc8724fd5f0b42

        SHA1

        0545f0bc4cb44fa931eff75a1d4c0b483747fc45

        SHA256

        83782682de6056af7f47dea667e18ba11f7663a3acf16fce395d27836f2db6e0

        SHA512

        d472834cf57eee873b39556c4220527b6fe402202d88c8b8c01a87b2928c1079ae6964393c63f102365ff2cdebfc6b1b80ba3ed769b45decd7952916682f44e5

        Download Submit

      • C:\Windows\System32\wbem\Performance\WmiApRpl.h
        Filesize

        3KB

        MD5

        b133a676d139032a27de3d9619e70091

        SHA1

        1248aa89938a13640252a79113930ede2f26f1fa

        SHA256

        ae2b6236d3eeb4822835714ae9444e5dcd21bc60f7a909f2962c43bc743c7b15

        SHA512

        c6b99e13d854ce7a6874497473614ee4bd81c490802783db1349ab851cd80d1dc06df8c1f6e434aba873a5bbf6125cc64104709064e19a9dc1c66dcde3f898f5

        Download Submit

      • C:\Windows\System32\wbem\Performance\WmiApRpl.ini
        Filesize

        29KB

        MD5

        ffdeea82ba4a5a65585103dd2a922dfe

        SHA1

        094c3794503245cc7dfa9e222d3504f449a5400b

        SHA256

        c20b11dff802aa472265f4e9f330244ec4aca81b0009f6efcb2cf8a36086f390

        SHA512

        7570527fdae4818f0fc780f9f141ab6a2d313cc6b3fdb1f7d7ff05d994ad77d3f8d168b1d77c2555d25dc487d24c18f2cc0eab505d1dd758d709f2576aac1a8a

        Download Submit

      • memory/1960-47-0x0000024660E00000-0x00000246617FC000-memory.dmp

        Filesize

        10.0MB

        Download

      • memory/5176-57-0x00007FFA70880000-0x00007FFA71221000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/5176-25-0x00007FFA70B35000-0x00007FFA70B36000-memory.dmp

        Filesize

        4KB

        Download

      • memory/5176-19-0x00007FFA70880000-0x00007FFA71221000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/5176-21-0x00007FFA70880000-0x00007FFA71221000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/5176-20-0x000000001C740000-0x000000001CC0E000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/5176-18-0x00007FFA70B35000-0x00007FFA70B36000-memory.dmp

        Filesize

        4KB

        Download

      • memory/5176-22-0x000000001C120000-0x000000001C1BC000-memory.dmp

        Filesize

        624KB

        Download

      • memory/5176-27-0x00007FFA70880000-0x00007FFA71221000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/5176-26-0x00007FFA70880000-0x00007FFA71221000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/5176-23-0x0000000001B60000-0x0000000001B68000-memory.dmp

        Filesize

        32KB

        Download

      • memory/5176-24-0x00007FFA70880000-0x00007FFA71221000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/5784-56-0x0000000074630000-0x0000000074BE1000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/5784-4-0x0000000074630000-0x0000000074BE1000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/5784-0-0x0000000074631000-0x0000000074632000-memory.dmp

        Filesize

        4KB

        Download

      • memory/5784-3-0x0000000074630000-0x0000000074BE1000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/5784-5-0x0000000074630000-0x0000000074BE1000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/5784-2-0x0000000074630000-0x0000000074BE1000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/5784-6-0x0000000074630000-0x0000000074BE1000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/5784-1-0x0000000074630000-0x0000000074BE1000-memory.dmp

        Filesize

        5.7MB

        Download