njrat | a80c84111f8051d4ab044b3e184f233dc141c5f73be9a3046104d4bf10e53848

General

Target

0F20E76E084D946DA9580D6BCB9E8F36.exe
Size

2.3MB
MD5

0f20e76e084d946da9580d6bcb9e8f36
SHA1

dbbf7c746f73d5cce936ffc4fa1dbedaeb7e883d
SHA256

a80c84111f8051d4ab044b3e184f233dc141c5f73be9a3046104d4bf10e53848
SHA512

d57e988e36845c24a4b0583e7c7dec3f3429bf545eee8b6406750a7b581f409806ecb0e074699e66dbdc0f5ad8be1a7c48b057f4f9f3b2d573774ff206f2d73b

Score

10^/10

njrat trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

dwim.exedwim.exe

pid process

2088 dwim.exe
3344 dwim.exe

pid	process
2088	dwim.exe
3344	dwim.exe

Drops startup file 2 IoCs

Processes:

dwim.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\31da7ad4532d49133bf7c3d0d35a58b5.exe	dwim.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\31da7ad4532d49133bf7c3d0d35a58b5.exe	dwim.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

200 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

dw20.exe

pid process

4052 dw20.exe
4052 dw20.exe

pid	process
200	PING.EXE

pid	process
4052	dw20.exe
4052	dw20.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

dwim.exe

description	pid	process
Token: SeDebugPrivilege	3344	dwim.exe
Token: 33	3344	dwim.exe
Token: SeIncBasePriorityPrivilege	3344	dwim.exe
Token: 33	3344	dwim.exe
Token: SeIncBasePriorityPrivilege	3344	dwim.exe
Token: 33	3344	dwim.exe
Token: SeIncBasePriorityPrivilege	3344	dwim.exe
Token: 33	3344	dwim.exe
Token: SeIncBasePriorityPrivilege	3344	dwim.exe
Token: 33	3344	dwim.exe
Token: SeIncBasePriorityPrivilege	3344	dwim.exe
Token: 33	3344	dwim.exe
Token: SeIncBasePriorityPrivilege	3344	dwim.exe
Token: 33	3344	dwim.exe
Token: SeIncBasePriorityPrivilege	3344	dwim.exe
Token: 33	3344	dwim.exe
Token: SeIncBasePriorityPrivilege	3344	dwim.exe
Token: 33	3344	dwim.exe
Token: SeIncBasePriorityPrivilege	3344	dwim.exe
Token: 33	3344	dwim.exe
Token: SeIncBasePriorityPrivilege	3344	dwim.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

0F20E76E084D946DA9580D6BCB9E8F36.exedwim.exedwim.execmd.exe

description	pid	process	target process
PID 4472 wrote to memory of 2088	4472	0F20E76E084D946DA9580D6BCB9E8F36.exe	dwim.exe
PID 4472 wrote to memory of 2088	4472	0F20E76E084D946DA9580D6BCB9E8F36.exe	dwim.exe
PID 4472 wrote to memory of 4052	4472	0F20E76E084D946DA9580D6BCB9E8F36.exe	dw20.exe
PID 4472 wrote to memory of 4052	4472	0F20E76E084D946DA9580D6BCB9E8F36.exe	dw20.exe
PID 2088 wrote to memory of 3344	2088	dwim.exe	dwim.exe
PID 2088 wrote to memory of 3344	2088	dwim.exe	dwim.exe
PID 3344 wrote to memory of 868	3344	dwim.exe	cmd.exe
PID 3344 wrote to memory of 868	3344	dwim.exe	cmd.exe
PID 868 wrote to memory of 200	868	cmd.exe	PING.EXE
PID 868 wrote to memory of 200	868	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\0F20E76E084D946DA9580D6BCB9E8F36.exe
"C:\Users\Admin\AppData\Local\Temp\0F20E76E084D946DA9580D6BCB9E8F36.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4472

C:\Users\Admin\AppData\Local\Temp\dwim.exe
"C:\Users\Admin\AppData\Local\Temp\dwim.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2088

C:\Users\Admin\AppData\Roaming\dwim.exe
"C:\Users\Admin\AppData\Roaming\dwim.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3344

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c ping 0 -n 2 & del "C:\Users\Admin\AppData\Roaming\dwim.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:868

C:\Windows\system32\PING.EXE
ping 0 -n 2
5⤵
- Runs ping.exe
PID:200

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 1400
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4052

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\dwim.exe.log
MD5
b6c5b5908942da31c2f73a44b3149012

SHA1
f17110e4d40e8e83ae1e147bc1e91f675d2e2f21

SHA256
e4d10c05c02616ff2aaf6375815128c600bce491bdc13c6468024ee04846d049

SHA512
9a630767909c367ccf4cbc2f8481121a90334b692c47639d9d00d704b61cb4139d1989f386cc49ea4155507a334c31d2ed1bea6ac4db56d90c0319c24f5769fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwim.exe
MD5
c21eae02bd20abc7a67d1fe7e227df3a

SHA1
83982cf73326d597a9d813fb15b4e85ac8f40c8c

SHA256
6a027f2fff471682d087a19d6ff38d0234c58688f28c9b9db5d8ef118c93ef67

SHA512
fed8dc8f46f9f687a328baa86bd1dc58a2fa9f0b92675d55dd2101252b7e7b77847cfc0d0ab921f5c095b110e1bb81e9365eaedfd4a78dfa4fb16ad99406c2cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwim.exe
MD5
c21eae02bd20abc7a67d1fe7e227df3a

SHA1
83982cf73326d597a9d813fb15b4e85ac8f40c8c

SHA256
6a027f2fff471682d087a19d6ff38d0234c58688f28c9b9db5d8ef118c93ef67

SHA512
fed8dc8f46f9f687a328baa86bd1dc58a2fa9f0b92675d55dd2101252b7e7b77847cfc0d0ab921f5c095b110e1bb81e9365eaedfd4a78dfa4fb16ad99406c2cd

Download Submit
C:\Users\Admin\AppData\Roaming\dwim.exe
MD5
c21eae02bd20abc7a67d1fe7e227df3a

SHA1
83982cf73326d597a9d813fb15b4e85ac8f40c8c

SHA256
6a027f2fff471682d087a19d6ff38d0234c58688f28c9b9db5d8ef118c93ef67

SHA512
fed8dc8f46f9f687a328baa86bd1dc58a2fa9f0b92675d55dd2101252b7e7b77847cfc0d0ab921f5c095b110e1bb81e9365eaedfd4a78dfa4fb16ad99406c2cd

Download Submit
C:\Users\Admin\AppData\Roaming\dwim.exe
MD5
c21eae02bd20abc7a67d1fe7e227df3a

SHA1
83982cf73326d597a9d813fb15b4e85ac8f40c8c

SHA256
6a027f2fff471682d087a19d6ff38d0234c58688f28c9b9db5d8ef118c93ef67

SHA512
fed8dc8f46f9f687a328baa86bd1dc58a2fa9f0b92675d55dd2101252b7e7b77847cfc0d0ab921f5c095b110e1bb81e9365eaedfd4a78dfa4fb16ad99406c2cd

Download Submit
memory/200-135-0x0000000000000000-mapping.dmp

Download
memory/868-133-0x0000000000000000-mapping.dmp

Download
memory/2088-121-0x0000000002682000-0x0000000002684000-memory.dmp

Filesize
8KB

Download
memory/2088-123-0x0000000002685000-0x0000000002686000-memory.dmp

Filesize
4KB

Download
memory/2088-124-0x0000000002686000-0x0000000002688000-memory.dmp

Filesize
8KB

Download
memory/2088-122-0x0000000002684000-0x0000000002685000-memory.dmp

Filesize
4KB

Download
memory/2088-120-0x0000000002680000-0x0000000002682000-memory.dmp

Filesize
8KB

Download
memory/2088-116-0x0000000000000000-mapping.dmp

Download
memory/3344-125-0x0000000000000000-mapping.dmp

Download
memory/3344-130-0x0000000001274000-0x0000000001275000-memory.dmp

Filesize
4KB

Download
memory/3344-129-0x0000000001272000-0x0000000001274000-memory.dmp

Filesize
8KB

Download
memory/3344-131-0x0000000001275000-0x0000000001276000-memory.dmp

Filesize
4KB

Download
memory/3344-132-0x0000000001276000-0x0000000001278000-memory.dmp

Filesize
8KB

Download
memory/3344-128-0x0000000001270000-0x0000000001272000-memory.dmp

Filesize
8KB

Download
memory/4052-119-0x0000000000000000-mapping.dmp

Download
memory/4472-115-0x0000000003340000-0x0000000003342000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads