njrat | abb615328da70ea77a29f1cfbd562d3d4eb346bad12efd6431ba4dc45e4d07df

General

Target

abb615328da70ea77a29f1cfbd562d3d4eb346bad12efd6431ba4dc45e4d07df.exe
Size

768KB
MD5

9d547d2e07746d84f0c9ce72502a9749
SHA1

03419c2d9dcdda38826203dad7a9ef3b5eff6280
SHA256

abb615328da70ea77a29f1cfbd562d3d4eb346bad12efd6431ba4dc45e4d07df
SHA512

862c8b3205539c66a60deba6384a409f52b247c625c55a96c454bf69bf38a3690043eb0f88b4666dda5764742215c42fde5f343c9d3fea5e122e4677b7c4ed44

Score

10^/10

njrat evasion persistence trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

test.exesvchost.exe

pid process

1780 test.exe
1992 svchost.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b82593d475a899b9a3354da582932eb7.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b82593d475a899b9a3354da582932eb7.exe	svchost.exe

Loads dropped DLL 2 IoCs

Processes:

cmd.exetest.exe

pid process

972 cmd.exe
1780 test.exe

pid	process
972	cmd.exe
1780	test.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\b82593d475a899b9a3354da582932eb7 = "\"C:\\Users\\Admin\\svchost.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\b82593d475a899b9a3354da582932eb7 = "\"C:\\Users\\Admin\\svchost.exe\" .."	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

test.exe

pid	process
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe
1780	test.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

Processes:

test.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1780	test.exe
Token: SeDebugPrivilege	1992	svchost.exe
Token: 33	1992	svchost.exe
Token: SeIncBasePriorityPrivilege	1992	svchost.exe
Token: 33	1992	svchost.exe
Token: SeIncBasePriorityPrivilege	1992	svchost.exe
Token: 33	1992	svchost.exe
Token: SeIncBasePriorityPrivilege	1992	svchost.exe
Token: 33	1992	svchost.exe
Token: SeIncBasePriorityPrivilege	1992	svchost.exe
Token: 33	1992	svchost.exe
Token: SeIncBasePriorityPrivilege	1992	svchost.exe
Token: 33	1992	svchost.exe
Token: SeIncBasePriorityPrivilege	1992	svchost.exe
Token: 33	1992	svchost.exe
Token: SeIncBasePriorityPrivilege	1992	svchost.exe
Token: 33	1992	svchost.exe
Token: SeIncBasePriorityPrivilege	1992	svchost.exe
Token: 33	1992	svchost.exe
Token: SeIncBasePriorityPrivilege	1992	svchost.exe
Token: 33	1992	svchost.exe
Token: SeIncBasePriorityPrivilege	1992	svchost.exe
Token: 33	1992	svchost.exe
Token: SeIncBasePriorityPrivilege	1992	svchost.exe
Token: 33	1992	svchost.exe
Token: SeIncBasePriorityPrivilege	1992	svchost.exe
Token: 33	1992	svchost.exe
Token: SeIncBasePriorityPrivilege	1992	svchost.exe
Token: 33	1992	svchost.exe
Token: SeIncBasePriorityPrivilege	1992	svchost.exe
Token: 33	1992	svchost.exe
Token: SeIncBasePriorityPrivilege	1992	svchost.exe
Token: 33	1992	svchost.exe
Token: SeIncBasePriorityPrivilege	1992	svchost.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

abb615328da70ea77a29f1cfbd562d3d4eb346bad12efd6431ba4dc45e4d07df.execmd.exetest.exesvchost.exe

description	pid	process	target process
PID 1532 wrote to memory of 972	1532	abb615328da70ea77a29f1cfbd562d3d4eb346bad12efd6431ba4dc45e4d07df.exe	cmd.exe
PID 1532 wrote to memory of 972	1532	abb615328da70ea77a29f1cfbd562d3d4eb346bad12efd6431ba4dc45e4d07df.exe	cmd.exe
PID 1532 wrote to memory of 972	1532	abb615328da70ea77a29f1cfbd562d3d4eb346bad12efd6431ba4dc45e4d07df.exe	cmd.exe
PID 1532 wrote to memory of 972	1532	abb615328da70ea77a29f1cfbd562d3d4eb346bad12efd6431ba4dc45e4d07df.exe	cmd.exe
PID 972 wrote to memory of 1780	972	cmd.exe	test.exe
PID 972 wrote to memory of 1780	972	cmd.exe	test.exe
PID 972 wrote to memory of 1780	972	cmd.exe	test.exe
PID 972 wrote to memory of 1780	972	cmd.exe	test.exe
PID 1780 wrote to memory of 1992	1780	test.exe	svchost.exe
PID 1780 wrote to memory of 1992	1780	test.exe	svchost.exe
PID 1780 wrote to memory of 1992	1780	test.exe	svchost.exe
PID 1780 wrote to memory of 1992	1780	test.exe	svchost.exe
PID 1992 wrote to memory of 700	1992	svchost.exe	netsh.exe
PID 1992 wrote to memory of 700	1992	svchost.exe	netsh.exe
PID 1992 wrote to memory of 700	1992	svchost.exe	netsh.exe
PID 1992 wrote to memory of 700	1992	svchost.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\abb615328da70ea77a29f1cfbd562d3d4eb346bad12efd6431ba4dc45e4d07df.exe
"C:\Users\Admin\AppData\Local\Temp\abb615328da70ea77a29f1cfbd562d3d4eb346bad12efd6431ba4dc45e4d07df.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c test.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:972

C:\Users\Admin\AppData\Local\Temp\test.exe
test.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1780

C:\Users\Admin\svchost.exe
"C:\Users\Admin\svchost.exe"
4⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\svchost.exe" "svchost.exe" ENABLE
5⤵
PID:700

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\test.exe
MD5
fad21654523f2840f6d7d749bc1399bd

SHA1
762c60db8a4e7ddb2b5d56d65aa91f1e118b74b6

SHA256
336ab64b766c2f89731f9f9efa9174ec93bfcac753b16d40d58dbf4ea02fc314

SHA512
393d85d9cef85ce4c6743010c61b6e99e65e8130906803b200ded8f3dea4c495b4395aa6f953b296ee93d26229c3ad4559a4af640e9fb78f53318067c7a22cd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe
MD5
fad21654523f2840f6d7d749bc1399bd

SHA1
762c60db8a4e7ddb2b5d56d65aa91f1e118b74b6

SHA256
336ab64b766c2f89731f9f9efa9174ec93bfcac753b16d40d58dbf4ea02fc314

SHA512
393d85d9cef85ce4c6743010c61b6e99e65e8130906803b200ded8f3dea4c495b4395aa6f953b296ee93d26229c3ad4559a4af640e9fb78f53318067c7a22cd5

Download Submit
C:\Users\Admin\svchost.exe
MD5
fad21654523f2840f6d7d749bc1399bd

SHA1
762c60db8a4e7ddb2b5d56d65aa91f1e118b74b6

SHA256
336ab64b766c2f89731f9f9efa9174ec93bfcac753b16d40d58dbf4ea02fc314

SHA512
393d85d9cef85ce4c6743010c61b6e99e65e8130906803b200ded8f3dea4c495b4395aa6f953b296ee93d26229c3ad4559a4af640e9fb78f53318067c7a22cd5

Download Submit
C:\Users\Admin\svchost.exe
MD5
fad21654523f2840f6d7d749bc1399bd

SHA1
762c60db8a4e7ddb2b5d56d65aa91f1e118b74b6

SHA256
336ab64b766c2f89731f9f9efa9174ec93bfcac753b16d40d58dbf4ea02fc314

SHA512
393d85d9cef85ce4c6743010c61b6e99e65e8130906803b200ded8f3dea4c495b4395aa6f953b296ee93d26229c3ad4559a4af640e9fb78f53318067c7a22cd5

Download Submit
\Users\Admin\AppData\Local\Temp\test.exe
MD5
fad21654523f2840f6d7d749bc1399bd

SHA1
762c60db8a4e7ddb2b5d56d65aa91f1e118b74b6

SHA256
336ab64b766c2f89731f9f9efa9174ec93bfcac753b16d40d58dbf4ea02fc314

SHA512
393d85d9cef85ce4c6743010c61b6e99e65e8130906803b200ded8f3dea4c495b4395aa6f953b296ee93d26229c3ad4559a4af640e9fb78f53318067c7a22cd5

Download Submit
\Users\Admin\svchost.exe
MD5
fad21654523f2840f6d7d749bc1399bd

SHA1
762c60db8a4e7ddb2b5d56d65aa91f1e118b74b6

SHA256
336ab64b766c2f89731f9f9efa9174ec93bfcac753b16d40d58dbf4ea02fc314

SHA512
393d85d9cef85ce4c6743010c61b6e99e65e8130906803b200ded8f3dea4c495b4395aa6f953b296ee93d26229c3ad4559a4af640e9fb78f53318067c7a22cd5

Download Submit
memory/700-67-0x0000000000000000-mapping.dmp

Download
memory/972-54-0x0000000000000000-mapping.dmp

Download
memory/1780-57-0x0000000000000000-mapping.dmp

Download
memory/1780-59-0x00000000751D1000-0x00000000751D3000-memory.dmp

Filesize
8KB

Download
memory/1780-60-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1992-62-0x0000000000000000-mapping.dmp

Download
memory/1992-66-0x0000000001F40000-0x0000000001F41000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads