njrat | 72810f2bd35fd54d8fca2fba3b626dd86983d805df4e9e737b8b76cfc8e8c613

General

Target

af44aa313103ca0f0b8fc6062c761ec7.exe
Size

233KB
MD5

af44aa313103ca0f0b8fc6062c761ec7
SHA1

bb8932b35fa03906660ea71675e7db445f1256c0
SHA256

72810f2bd35fd54d8fca2fba3b626dd86983d805df4e9e737b8b76cfc8e8c613
SHA512

da2d2f1e389c948980c5bfb34ba4cc2a840ad189d1f283c7de2a18bf3e8438430e20a38c9ae69e333e4fb48d72c74814fc92470bf8b2575bfa90e54b69746829

Score

10^/10

njrat evasion persistence trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

System32.exe

pid process

984 System32.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
984	System32.exe

Drops startup file 2 IoCs

Processes:

System32.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bcf0ad6aa5c5016fd4654ce9b75cef8b.exe	System32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bcf0ad6aa5c5016fd4654ce9b75cef8b.exe	System32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

System32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\bcf0ad6aa5c5016fd4654ce9b75cef8b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System32.exe\" .."	System32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bcf0ad6aa5c5016fd4654ce9b75cef8b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System32.exe\" .."	System32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

System32.exe

description	pid	process
Token: SeDebugPrivilege	984	System32.exe
Token: 33	984	System32.exe
Token: SeIncBasePriorityPrivilege	984	System32.exe
Token: 33	984	System32.exe
Token: SeIncBasePriorityPrivilege	984	System32.exe
Token: 33	984	System32.exe
Token: SeIncBasePriorityPrivilege	984	System32.exe
Token: 33	984	System32.exe
Token: SeIncBasePriorityPrivilege	984	System32.exe
Token: 33	984	System32.exe
Token: SeIncBasePriorityPrivilege	984	System32.exe
Token: 33	984	System32.exe
Token: SeIncBasePriorityPrivilege	984	System32.exe
Token: 33	984	System32.exe
Token: SeIncBasePriorityPrivilege	984	System32.exe
Token: 33	984	System32.exe
Token: SeIncBasePriorityPrivilege	984	System32.exe
Token: 33	984	System32.exe
Token: SeIncBasePriorityPrivilege	984	System32.exe
Token: 33	984	System32.exe
Token: SeIncBasePriorityPrivilege	984	System32.exe
Token: 33	984	System32.exe
Token: SeIncBasePriorityPrivilege	984	System32.exe
Token: 33	984	System32.exe
Token: SeIncBasePriorityPrivilege	984	System32.exe
Token: 33	984	System32.exe
Token: SeIncBasePriorityPrivilege	984	System32.exe
Token: 33	984	System32.exe
Token: SeIncBasePriorityPrivilege	984	System32.exe
Token: 33	984	System32.exe
Token: SeIncBasePriorityPrivilege	984	System32.exe
Token: 33	984	System32.exe
Token: SeIncBasePriorityPrivilege	984	System32.exe
Token: 33	984	System32.exe
Token: SeIncBasePriorityPrivilege	984	System32.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

af44aa313103ca0f0b8fc6062c761ec7.exeSystem32.exe

description	pid	process	target process
PID 1316 wrote to memory of 984	1316	af44aa313103ca0f0b8fc6062c761ec7.exe	System32.exe
PID 1316 wrote to memory of 984	1316	af44aa313103ca0f0b8fc6062c761ec7.exe	System32.exe
PID 984 wrote to memory of 1044	984	System32.exe	netsh.exe
PID 984 wrote to memory of 1044	984	System32.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\af44aa313103ca0f0b8fc6062c761ec7.exe
"C:\Users\Admin\AppData\Local\Temp\af44aa313103ca0f0b8fc6062c761ec7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1316

C:\Users\Admin\AppData\Local\Temp\System32.exe
"C:\Users\Admin\AppData\Local\Temp\System32.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:984

C:\Windows\SYSTEM32\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\System32.exe" "System32.exe" ENABLE
3⤵
PID:1044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\System32.exe
MD5
af44aa313103ca0f0b8fc6062c761ec7

SHA1
bb8932b35fa03906660ea71675e7db445f1256c0

SHA256
72810f2bd35fd54d8fca2fba3b626dd86983d805df4e9e737b8b76cfc8e8c613

SHA512
da2d2f1e389c948980c5bfb34ba4cc2a840ad189d1f283c7de2a18bf3e8438430e20a38c9ae69e333e4fb48d72c74814fc92470bf8b2575bfa90e54b69746829

Download Submit
C:\Users\Admin\AppData\Local\Temp\System32.exe
MD5
af44aa313103ca0f0b8fc6062c761ec7

SHA1
bb8932b35fa03906660ea71675e7db445f1256c0

SHA256
72810f2bd35fd54d8fca2fba3b626dd86983d805df4e9e737b8b76cfc8e8c613

SHA512
da2d2f1e389c948980c5bfb34ba4cc2a840ad189d1f283c7de2a18bf3e8438430e20a38c9ae69e333e4fb48d72c74814fc92470bf8b2575bfa90e54b69746829

Download Submit
memory/984-6-0x0000000000000000-mapping.dmp

Download
memory/984-9-0x00007FF8DA440000-0x00007FF8DAE2C000-memory.dmp

Filesize
9.9MB

Download
memory/1044-13-0x0000000000000000-mapping.dmp

Download
memory/1316-2-0x00007FF8DA440000-0x00007FF8DAE2C000-memory.dmp

Filesize
9.9MB

Download
memory/1316-3-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/1316-5-0x00000000014D0000-0x00000000014D8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads