njrat | ab5bfb7c642e59a9c8a6f372ee4847bf5cbc9222ba8a4459997e7cd64cb97145

General

Target

ab5bfb7c642e59a9c8a6f372ee4847bf5cbc9222ba8a4459997e7cd64cb97145.exe
Size

310KB
MD5

7d800ad9f415b03e6bb9a029fa57a3ec
SHA1

73d737b77a8fea41dad18dc6cdde0892b0dc9796
SHA256

ab5bfb7c642e59a9c8a6f372ee4847bf5cbc9222ba8a4459997e7cd64cb97145
SHA512

5549ec9bdf48419ad8edaceb1120ad4c8ccc0ead7057a7349ca40ccd997c70244eb1c102a4f63e03acd76947a76a0456dc00473458c18509b803451779c5bf0a

Score

10^/10

njrat evasion trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

System.exe

pid process

304 System.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
304	System.exe

Drops startup file 2 IoCs

Processes:

System.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f65c7a4a4880bc336b681db036e15111.exe	System.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f65c7a4a4880bc336b681db036e15111.exe	System.exe

Loads dropped DLL 1 IoCs

Processes:

ab5bfb7c642e59a9c8a6f372ee4847bf5cbc9222ba8a4459997e7cd64cb97145.exe

pid process

1540 ab5bfb7c642e59a9c8a6f372ee4847bf5cbc9222ba8a4459997e7cd64cb97145.exe

pid	process
1540	ab5bfb7c642e59a9c8a6f372ee4847bf5cbc9222ba8a4459997e7cd64cb97145.exe

Drops file in Windows directory 2 IoCs

Processes:

ab5bfb7c642e59a9c8a6f372ee4847bf5cbc9222ba8a4459997e7cd64cb97145.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	ab5bfb7c642e59a9c8a6f372ee4847bf5cbc9222ba8a4459997e7cd64cb97145.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	ab5bfb7c642e59a9c8a6f372ee4847bf5cbc9222ba8a4459997e7cd64cb97145.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

System.exe

description	pid	process
Token: SeDebugPrivilege	304	System.exe
Token: 33	304	System.exe
Token: SeIncBasePriorityPrivilege	304	System.exe
Token: 33	304	System.exe
Token: SeIncBasePriorityPrivilege	304	System.exe
Token: 33	304	System.exe
Token: SeIncBasePriorityPrivilege	304	System.exe
Token: 33	304	System.exe
Token: SeIncBasePriorityPrivilege	304	System.exe
Token: 33	304	System.exe
Token: SeIncBasePriorityPrivilege	304	System.exe
Token: 33	304	System.exe
Token: SeIncBasePriorityPrivilege	304	System.exe
Token: 33	304	System.exe
Token: SeIncBasePriorityPrivilege	304	System.exe
Token: 33	304	System.exe
Token: SeIncBasePriorityPrivilege	304	System.exe
Token: 33	304	System.exe
Token: SeIncBasePriorityPrivilege	304	System.exe
Token: 33	304	System.exe
Token: SeIncBasePriorityPrivilege	304	System.exe
Token: 33	304	System.exe
Token: SeIncBasePriorityPrivilege	304	System.exe
Token: 33	304	System.exe
Token: SeIncBasePriorityPrivilege	304	System.exe
Token: 33	304	System.exe
Token: SeIncBasePriorityPrivilege	304	System.exe
Token: 33	304	System.exe
Token: SeIncBasePriorityPrivilege	304	System.exe
Token: 33	304	System.exe
Token: SeIncBasePriorityPrivilege	304	System.exe
Token: 33	304	System.exe
Token: SeIncBasePriorityPrivilege	304	System.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

ab5bfb7c642e59a9c8a6f372ee4847bf5cbc9222ba8a4459997e7cd64cb97145.exeSystem.exe

description	pid	process	target process
PID 1540 wrote to memory of 304	1540	ab5bfb7c642e59a9c8a6f372ee4847bf5cbc9222ba8a4459997e7cd64cb97145.exe	System.exe
PID 1540 wrote to memory of 304	1540	ab5bfb7c642e59a9c8a6f372ee4847bf5cbc9222ba8a4459997e7cd64cb97145.exe	System.exe
PID 1540 wrote to memory of 304	1540	ab5bfb7c642e59a9c8a6f372ee4847bf5cbc9222ba8a4459997e7cd64cb97145.exe	System.exe
PID 1540 wrote to memory of 304	1540	ab5bfb7c642e59a9c8a6f372ee4847bf5cbc9222ba8a4459997e7cd64cb97145.exe	System.exe
PID 304 wrote to memory of 1136	304	System.exe	netsh.exe
PID 304 wrote to memory of 1136	304	System.exe	netsh.exe
PID 304 wrote to memory of 1136	304	System.exe	netsh.exe
PID 304 wrote to memory of 1136	304	System.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\ab5bfb7c642e59a9c8a6f372ee4847bf5cbc9222ba8a4459997e7cd64cb97145.exe
"C:\Users\Admin\AppData\Local\Temp\ab5bfb7c642e59a9c8a6f372ee4847bf5cbc9222ba8a4459997e7cd64cb97145.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1540

C:\Users\Admin\AppData\Roaming\System.exe
"C:\Users\Admin\AppData\Roaming\System.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:304

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\System.exe" "System.exe" ENABLE
3⤵
PID:1136

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\System.exe
MD5
7d800ad9f415b03e6bb9a029fa57a3ec

SHA1
73d737b77a8fea41dad18dc6cdde0892b0dc9796

SHA256
ab5bfb7c642e59a9c8a6f372ee4847bf5cbc9222ba8a4459997e7cd64cb97145

SHA512
5549ec9bdf48419ad8edaceb1120ad4c8ccc0ead7057a7349ca40ccd997c70244eb1c102a4f63e03acd76947a76a0456dc00473458c18509b803451779c5bf0a

Download Submit
C:\Users\Admin\AppData\Roaming\System.exe
MD5
7d800ad9f415b03e6bb9a029fa57a3ec

SHA1
73d737b77a8fea41dad18dc6cdde0892b0dc9796

SHA256
ab5bfb7c642e59a9c8a6f372ee4847bf5cbc9222ba8a4459997e7cd64cb97145

SHA512
5549ec9bdf48419ad8edaceb1120ad4c8ccc0ead7057a7349ca40ccd997c70244eb1c102a4f63e03acd76947a76a0456dc00473458c18509b803451779c5bf0a

Download Submit
\Users\Admin\AppData\Roaming\System.exe
MD5
7d800ad9f415b03e6bb9a029fa57a3ec

SHA1
73d737b77a8fea41dad18dc6cdde0892b0dc9796

SHA256
ab5bfb7c642e59a9c8a6f372ee4847bf5cbc9222ba8a4459997e7cd64cb97145

SHA512
5549ec9bdf48419ad8edaceb1120ad4c8ccc0ead7057a7349ca40ccd997c70244eb1c102a4f63e03acd76947a76a0456dc00473458c18509b803451779c5bf0a

Download Submit
memory/304-56-0x0000000000000000-mapping.dmp

Download
memory/304-60-0x0000000002020000-0x0000000002021000-memory.dmp

Filesize
4KB

Download
memory/1136-61-0x0000000000000000-mapping.dmp

Download
memory/1540-53-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download
memory/1540-54-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads