njrat | c81fc1a7d158166451f398de956d84adbfdabb433717a3f31461d711ff313553

General

Target

c81fc1a7d158166451f398de956d84adbfdabb433717a3f31461d711ff313553.exe
Size

1.5MB
MD5

05def69117bc5228432feac2bed343d2
SHA1

7dadf53ee11702034176939a5d73891bf3cf5f61
SHA256

c81fc1a7d158166451f398de956d84adbfdabb433717a3f31461d711ff313553
SHA512

1d253ae2efb360ea4120f18ff2ac20ea175cb3650a9257122b847d0b1b6b366b74e91835368004aa5c8f63136da01fad44ef017b27a5f25197e312d7c60a5e45

Score

10^/10

njrat evasion persistence trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

explorer.exe

pid process

3652 explorer.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 2 IoCs

Processes:

explorer.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93f19dda2412c86ad7520ba4198f39a0.exe	explorer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93f19dda2412c86ad7520ba4198f39a0.exe	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\93f19dda2412c86ad7520ba4198f39a0 = "\"C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe\" .."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\93f19dda2412c86ad7520ba4198f39a0 = "\"C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe\" .."	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

explorer.exe

pid	process
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

explorer.exe

description pid process

Token: SeDebugPrivilege 3652 explorer.exe

description	pid	process
Token: SeDebugPrivilege	3652	explorer.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

c81fc1a7d158166451f398de956d84adbfdabb433717a3f31461d711ff313553.exeexplorer.exe

description	pid	process	target process
PID 1824 wrote to memory of 3652	1824	c81fc1a7d158166451f398de956d84adbfdabb433717a3f31461d711ff313553.exe	explorer.exe
PID 1824 wrote to memory of 3652	1824	c81fc1a7d158166451f398de956d84adbfdabb433717a3f31461d711ff313553.exe	explorer.exe
PID 1824 wrote to memory of 3652	1824	c81fc1a7d158166451f398de956d84adbfdabb433717a3f31461d711ff313553.exe	explorer.exe
PID 3652 wrote to memory of 2832	3652	explorer.exe	netsh.exe
PID 3652 wrote to memory of 2832	3652	explorer.exe	netsh.exe
PID 3652 wrote to memory of 2832	3652	explorer.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\c81fc1a7d158166451f398de956d84adbfdabb433717a3f31461d711ff313553.exe
"C:\Users\Admin\AppData\Local\Temp\c81fc1a7d158166451f398de956d84adbfdabb433717a3f31461d711ff313553.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1824

C:\Users\Admin\AppData\Roaming\explorer.exe
"C:\Users\Admin\AppData\Roaming\explorer.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3652

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\explorer.exe" "explorer.exe" ENABLE
3⤵
PID:2832

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\explorer.exe
MD5
05def69117bc5228432feac2bed343d2

SHA1
7dadf53ee11702034176939a5d73891bf3cf5f61

SHA256
c81fc1a7d158166451f398de956d84adbfdabb433717a3f31461d711ff313553

SHA512
1d253ae2efb360ea4120f18ff2ac20ea175cb3650a9257122b847d0b1b6b366b74e91835368004aa5c8f63136da01fad44ef017b27a5f25197e312d7c60a5e45

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe
MD5
05def69117bc5228432feac2bed343d2

SHA1
7dadf53ee11702034176939a5d73891bf3cf5f61

SHA256
c81fc1a7d158166451f398de956d84adbfdabb433717a3f31461d711ff313553

SHA512
1d253ae2efb360ea4120f18ff2ac20ea175cb3650a9257122b847d0b1b6b366b74e91835368004aa5c8f63136da01fad44ef017b27a5f25197e312d7c60a5e45

Download Submit
memory/1824-117-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/1824-118-0x00000000086F0000-0x00000000086F1000-memory.dmp

Filesize
4KB

Download
memory/1824-119-0x0000000002A70000-0x0000000002AA6000-memory.dmp

Filesize
216KB

Download
memory/1824-120-0x0000000000FC0000-0x0000000000FC8000-memory.dmp

Filesize
32KB

Download
memory/1824-121-0x0000000008C00000-0x0000000008C01000-memory.dmp

Filesize
4KB

Download
memory/1824-115-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/2832-131-0x0000000000000000-mapping.dmp

Download
memory/3652-122-0x0000000000000000-mapping.dmp

Download
memory/3652-132-0x0000000002D10000-0x0000000002D11000-memory.dmp

Filesize
4KB

Download
memory/3652-133-0x0000000005700000-0x0000000005701000-memory.dmp

Filesize
4KB

Download
memory/3652-134-0x00000000056A0000-0x00000000056A1000-memory.dmp

Filesize
4KB

Download
memory/3652-135-0x0000000002D13000-0x0000000002D15000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads