njrat | 32eb5402577cc2cf237816b597a6c466e63e373791561cd74040e6569694ef91

General

Target

32EB5402577CC2CF237816B597A6C466E63E373791561.exe
Size

369KB
MD5

66bf6c9129b65e59e7f84d5f5e9f58c7
SHA1

ada2de51f38ef11260874ee9ba1a5154ed8d2975
SHA256

32eb5402577cc2cf237816b597a6c466e63e373791561cd74040e6569694ef91
SHA512

f25c90c253ba7c7b3bec89d5231c27a1c70d6ed8abc87681df4cccf633bc7c9a2af8c2d8103a05be920cc02d3a28c58ea3933e29d4780824cbc6568b381b7d3b

Score

10^/10

njrat suricata trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
Executes dropped EXE 2 IoCs

Processes:

taskmngr.exetaskmngr.exe

pid process

1592 taskmngr.exe
2716 taskmngr.exe

pid	process
1592	taskmngr.exe
2716	taskmngr.exe

Drops startup file 2 IoCs

Processes:

taskmngr.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\56afb7245a64d18d5f362ec6edce9740.exe	taskmngr.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\56afb7245a64d18d5f362ec6edce9740.exe	taskmngr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3120 3968 WerFault.exe 32EB5402577CC2CF237816B597A6C466E63E373791561.exe

pid	pid_target	process	target process
3120	3968	WerFault.exe	32EB5402577CC2CF237816B597A6C466E63E373791561.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

WerFault.exe

pid	process
3120	WerFault.exe
3120	WerFault.exe
3120	WerFault.exe
3120	WerFault.exe
3120	WerFault.exe
3120	WerFault.exe
3120	WerFault.exe
3120	WerFault.exe
3120	WerFault.exe
3120	WerFault.exe
3120	WerFault.exe
3120	WerFault.exe
3120	WerFault.exe
3120	WerFault.exe
3120	WerFault.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

Processes:

WerFault.exetaskmngr.exe

description	pid	process
Token: SeDebugPrivilege	3120	WerFault.exe
Token: SeDebugPrivilege	2716	taskmngr.exe
Token: 33	2716	taskmngr.exe
Token: SeIncBasePriorityPrivilege	2716	taskmngr.exe
Token: 33	2716	taskmngr.exe
Token: SeIncBasePriorityPrivilege	2716	taskmngr.exe
Token: 33	2716	taskmngr.exe
Token: SeIncBasePriorityPrivilege	2716	taskmngr.exe
Token: 33	2716	taskmngr.exe
Token: SeIncBasePriorityPrivilege	2716	taskmngr.exe
Token: 33	2716	taskmngr.exe
Token: SeIncBasePriorityPrivilege	2716	taskmngr.exe
Token: 33	2716	taskmngr.exe
Token: SeIncBasePriorityPrivilege	2716	taskmngr.exe
Token: 33	2716	taskmngr.exe
Token: SeIncBasePriorityPrivilege	2716	taskmngr.exe
Token: 33	2716	taskmngr.exe
Token: SeIncBasePriorityPrivilege	2716	taskmngr.exe
Token: 33	2716	taskmngr.exe
Token: SeIncBasePriorityPrivilege	2716	taskmngr.exe
Token: 33	2716	taskmngr.exe
Token: SeIncBasePriorityPrivilege	2716	taskmngr.exe
Token: 33	2716	taskmngr.exe
Token: SeIncBasePriorityPrivilege	2716	taskmngr.exe
Token: 33	2716	taskmngr.exe
Token: SeIncBasePriorityPrivilege	2716	taskmngr.exe
Token: 33	2716	taskmngr.exe
Token: SeIncBasePriorityPrivilege	2716	taskmngr.exe
Token: 33	2716	taskmngr.exe
Token: SeIncBasePriorityPrivilege	2716	taskmngr.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

32EB5402577CC2CF237816B597A6C466E63E373791561.exetaskmngr.exe

description	pid	process	target process
PID 3968 wrote to memory of 1592	3968	32EB5402577CC2CF237816B597A6C466E63E373791561.exe	taskmngr.exe
PID 3968 wrote to memory of 1592	3968	32EB5402577CC2CF237816B597A6C466E63E373791561.exe	taskmngr.exe
PID 1592 wrote to memory of 2716	1592	taskmngr.exe	taskmngr.exe
PID 1592 wrote to memory of 2716	1592	taskmngr.exe	taskmngr.exe

C:\Users\Admin\AppData\Local\Temp\32EB5402577CC2CF237816B597A6C466E63E373791561.exe
"C:\Users\Admin\AppData\Local\Temp\32EB5402577CC2CF237816B597A6C466E63E373791561.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3968

C:\Users\Admin\AppData\Local\Temp\taskmngr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmngr.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1592

C:\Users\Admin\AppData\Roaming\taskmngr.exe
"C:\Users\Admin\AppData\Roaming\taskmngr.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:2716

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3968 -s 1044
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3120

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\taskmngr.exe
MD5
efd9ba2dcf07cb74c861946ea1e0d941

SHA1
0b19adddd86438fa0bfae27363462eb7aaa061bc

SHA256
4a18f29fdce4f3815b160e0dbcbb169d22c681a65341694497f8a121a6723e07

SHA512
af3c3b499329ff3fb3486618e9babff143a43f052eaabac3adc5c0cb796a288b559627f714663b5e6545f7e022bc7cf126b198f18ed9506ac13eb86adc4d5ffd

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskmngr.exe
MD5
efd9ba2dcf07cb74c861946ea1e0d941

SHA1
0b19adddd86438fa0bfae27363462eb7aaa061bc

SHA256
4a18f29fdce4f3815b160e0dbcbb169d22c681a65341694497f8a121a6723e07

SHA512
af3c3b499329ff3fb3486618e9babff143a43f052eaabac3adc5c0cb796a288b559627f714663b5e6545f7e022bc7cf126b198f18ed9506ac13eb86adc4d5ffd

Download Submit
C:\Users\Admin\AppData\Roaming\taskmngr.exe
MD5
efd9ba2dcf07cb74c861946ea1e0d941

SHA1
0b19adddd86438fa0bfae27363462eb7aaa061bc

SHA256
4a18f29fdce4f3815b160e0dbcbb169d22c681a65341694497f8a121a6723e07

SHA512
af3c3b499329ff3fb3486618e9babff143a43f052eaabac3adc5c0cb796a288b559627f714663b5e6545f7e022bc7cf126b198f18ed9506ac13eb86adc4d5ffd

Download Submit
C:\Users\Admin\AppData\Roaming\taskmngr.exe
MD5
efd9ba2dcf07cb74c861946ea1e0d941

SHA1
0b19adddd86438fa0bfae27363462eb7aaa061bc

SHA256
4a18f29fdce4f3815b160e0dbcbb169d22c681a65341694497f8a121a6723e07

SHA512
af3c3b499329ff3fb3486618e9babff143a43f052eaabac3adc5c0cb796a288b559627f714663b5e6545f7e022bc7cf126b198f18ed9506ac13eb86adc4d5ffd

Download Submit
memory/1592-117-0x0000000000000000-mapping.dmp

Download
memory/1592-121-0x00000000012A0000-0x00000000012A2000-memory.dmp

Filesize
8KB

Download
memory/2716-122-0x0000000000000000-mapping.dmp

Download
memory/2716-125-0x0000000002D90000-0x0000000002D92000-memory.dmp

Filesize
8KB

Download
memory/3968-115-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/3968-120-0x000000001B330000-0x000000001B332000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads