njrat | d55978d37f1031b8b0e9811b9375b423d1cda7edfdef2e325f2861e829e5c8cc

General

Target

95605c11d4b59cb6b8a4661d91dd19de.exe
Size

164KB
MD5

95605c11d4b59cb6b8a4661d91dd19de
SHA1

238ed88b706987043038b7c965395b69bc290219
SHA256

d55978d37f1031b8b0e9811b9375b423d1cda7edfdef2e325f2861e829e5c8cc
SHA512

d542f49787cfc52cd40b43b50e4ff967b240503788a6454c3a94d59f904f78a53dde9c497704904f7cba8361ba8cc740ce35b5a45172955c583650cfb8bab5bc

Score

10^/10

njrat persistence trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 4 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exe

pid process

1204 Client.exe
824 Client.exe
1592 Client.exe
1752 Client.exe

pid	process
1204	Client.exe
824	Client.exe
1592	Client.exe
1752	Client.exe

Drops startup file 2 IoCs

Processes:

Client.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	Client.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	Client.exe

Loads dropped DLL 1 IoCs

Processes:

95605c11d4b59cb6b8a4661d91dd19de.exe

pid process

568 95605c11d4b59cb6b8a4661d91dd19de.exe

pid	process
568	95605c11d4b59cb6b8a4661d91dd19de.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Client.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Client.exe\" .."	Client.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Client.exe\" .."	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

620 schtasks.exe
1988 schtasks.exe
1940 schtasks.exe
748 schtasks.exe
560 schtasks.exe

pid	process
620	schtasks.exe
1988	schtasks.exe
1940	schtasks.exe
748	schtasks.exe
560	schtasks.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

Client.exe

description	pid	process
Token: SeDebugPrivilege	1204	Client.exe
Token: 33	1204	Client.exe
Token: SeIncBasePriorityPrivilege	1204	Client.exe
Token: 33	1204	Client.exe
Token: SeIncBasePriorityPrivilege	1204	Client.exe
Token: 33	1204	Client.exe
Token: SeIncBasePriorityPrivilege	1204	Client.exe
Token: 33	1204	Client.exe
Token: SeIncBasePriorityPrivilege	1204	Client.exe
Token: 33	1204	Client.exe
Token: SeIncBasePriorityPrivilege	1204	Client.exe
Token: 33	1204	Client.exe
Token: SeIncBasePriorityPrivilege	1204	Client.exe
Token: 33	1204	Client.exe
Token: SeIncBasePriorityPrivilege	1204	Client.exe
Token: 33	1204	Client.exe
Token: SeIncBasePriorityPrivilege	1204	Client.exe
Token: 33	1204	Client.exe
Token: SeIncBasePriorityPrivilege	1204	Client.exe
Token: 33	1204	Client.exe
Token: SeIncBasePriorityPrivilege	1204	Client.exe
Token: 33	1204	Client.exe
Token: SeIncBasePriorityPrivilege	1204	Client.exe
Token: 33	1204	Client.exe
Token: SeIncBasePriorityPrivilege	1204	Client.exe
Token: 33	1204	Client.exe
Token: SeIncBasePriorityPrivilege	1204	Client.exe
Token: 33	1204	Client.exe
Token: SeIncBasePriorityPrivilege	1204	Client.exe
Token: 33	1204	Client.exe
Token: SeIncBasePriorityPrivilege	1204	Client.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

95605c11d4b59cb6b8a4661d91dd19de.exeClient.exetaskeng.exeClient.exeClient.exeClient.exe

description	pid	process	target process
PID 568 wrote to memory of 1384	568	95605c11d4b59cb6b8a4661d91dd19de.exe	schtasks.exe
PID 568 wrote to memory of 1384	568	95605c11d4b59cb6b8a4661d91dd19de.exe	schtasks.exe
PID 568 wrote to memory of 1384	568	95605c11d4b59cb6b8a4661d91dd19de.exe	schtasks.exe
PID 568 wrote to memory of 1384	568	95605c11d4b59cb6b8a4661d91dd19de.exe	schtasks.exe
PID 568 wrote to memory of 620	568	95605c11d4b59cb6b8a4661d91dd19de.exe	schtasks.exe
PID 568 wrote to memory of 620	568	95605c11d4b59cb6b8a4661d91dd19de.exe	schtasks.exe
PID 568 wrote to memory of 620	568	95605c11d4b59cb6b8a4661d91dd19de.exe	schtasks.exe
PID 568 wrote to memory of 620	568	95605c11d4b59cb6b8a4661d91dd19de.exe	schtasks.exe
PID 568 wrote to memory of 1204	568	95605c11d4b59cb6b8a4661d91dd19de.exe	Client.exe
PID 568 wrote to memory of 1204	568	95605c11d4b59cb6b8a4661d91dd19de.exe	Client.exe
PID 568 wrote to memory of 1204	568	95605c11d4b59cb6b8a4661d91dd19de.exe	Client.exe
PID 568 wrote to memory of 1204	568	95605c11d4b59cb6b8a4661d91dd19de.exe	Client.exe
PID 1204 wrote to memory of 644	1204	Client.exe	schtasks.exe
PID 1204 wrote to memory of 644	1204	Client.exe	schtasks.exe
PID 1204 wrote to memory of 644	1204	Client.exe	schtasks.exe
PID 1204 wrote to memory of 644	1204	Client.exe	schtasks.exe
PID 1204 wrote to memory of 1988	1204	Client.exe	schtasks.exe
PID 1204 wrote to memory of 1988	1204	Client.exe	schtasks.exe
PID 1204 wrote to memory of 1988	1204	Client.exe	schtasks.exe
PID 1204 wrote to memory of 1988	1204	Client.exe	schtasks.exe
PID 1080 wrote to memory of 824	1080	taskeng.exe	Client.exe
PID 1080 wrote to memory of 824	1080	taskeng.exe	Client.exe
PID 1080 wrote to memory of 824	1080	taskeng.exe	Client.exe
PID 1080 wrote to memory of 824	1080	taskeng.exe	Client.exe
PID 824 wrote to memory of 1628	824	Client.exe	schtasks.exe
PID 824 wrote to memory of 1628	824	Client.exe	schtasks.exe
PID 824 wrote to memory of 1628	824	Client.exe	schtasks.exe
PID 824 wrote to memory of 1628	824	Client.exe	schtasks.exe
PID 824 wrote to memory of 1940	824	Client.exe	schtasks.exe
PID 824 wrote to memory of 1940	824	Client.exe	schtasks.exe
PID 824 wrote to memory of 1940	824	Client.exe	schtasks.exe
PID 824 wrote to memory of 1940	824	Client.exe	schtasks.exe
PID 1080 wrote to memory of 1592	1080	taskeng.exe	Client.exe
PID 1080 wrote to memory of 1592	1080	taskeng.exe	Client.exe
PID 1080 wrote to memory of 1592	1080	taskeng.exe	Client.exe
PID 1080 wrote to memory of 1592	1080	taskeng.exe	Client.exe
PID 1592 wrote to memory of 1972	1592	Client.exe	schtasks.exe
PID 1592 wrote to memory of 1972	1592	Client.exe	schtasks.exe
PID 1592 wrote to memory of 1972	1592	Client.exe	schtasks.exe
PID 1592 wrote to memory of 1972	1592	Client.exe	schtasks.exe
PID 1592 wrote to memory of 748	1592	Client.exe	schtasks.exe
PID 1592 wrote to memory of 748	1592	Client.exe	schtasks.exe
PID 1592 wrote to memory of 748	1592	Client.exe	schtasks.exe
PID 1592 wrote to memory of 748	1592	Client.exe	schtasks.exe
PID 1080 wrote to memory of 1752	1080	taskeng.exe	Client.exe
PID 1080 wrote to memory of 1752	1080	taskeng.exe	Client.exe
PID 1080 wrote to memory of 1752	1080	taskeng.exe	Client.exe
PID 1080 wrote to memory of 1752	1080	taskeng.exe	Client.exe
PID 1752 wrote to memory of 1564	1752	Client.exe	schtasks.exe
PID 1752 wrote to memory of 1564	1752	Client.exe	schtasks.exe
PID 1752 wrote to memory of 1564	1752	Client.exe	schtasks.exe
PID 1752 wrote to memory of 1564	1752	Client.exe	schtasks.exe
PID 1752 wrote to memory of 560	1752	Client.exe	schtasks.exe
PID 1752 wrote to memory of 560	1752	Client.exe	schtasks.exe
PID 1752 wrote to memory of 560	1752	Client.exe	schtasks.exe
PID 1752 wrote to memory of 560	1752	Client.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\95605c11d4b59cb6b8a4661d91dd19de.exe
"C:\Users\Admin\AppData\Local\Temp\95605c11d4b59cb6b8a4661d91dd19de.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:568

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
2⤵
PID:1384

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\95605c11d4b59cb6b8a4661d91dd19de.exe" /sc minute /mo 1
2⤵
- Creates scheduled task(s)
PID:620

C:\Users\Admin\AppData\Roaming\Client.exe
"C:\Users\Admin\AppData\Roaming\Client.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
3⤵
PID:644

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Roaming\Client.exe" /sc minute /mo 1
3⤵
- Creates scheduled task(s)
PID:1988

C:\Windows\system32\taskeng.exe
taskeng.exe {B91C45E4-2DC8-421E-BF53-9079DC96DCF0} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1080

C:\Users\Admin\AppData\Roaming\Client.exe
C:\Users\Admin\AppData\Roaming\Client.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:824

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
3⤵
PID:1628

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Roaming\Client.exe" /sc minute /mo 1
3⤵
- Creates scheduled task(s)
PID:1940

C:\Users\Admin\AppData\Roaming\Client.exe
C:\Users\Admin\AppData\Roaming\Client.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
3⤵
PID:1972

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Roaming\Client.exe" /sc minute /mo 1
3⤵
- Creates scheduled task(s)
PID:748

C:\Users\Admin\AppData\Roaming\Client.exe
C:\Users\Admin\AppData\Roaming\Client.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
3⤵
PID:1564

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Roaming\Client.exe" /sc minute /mo 1
3⤵
- Creates scheduled task(s)
PID:560

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Client.exe
MD5
95605c11d4b59cb6b8a4661d91dd19de

SHA1
238ed88b706987043038b7c965395b69bc290219

SHA256
d55978d37f1031b8b0e9811b9375b423d1cda7edfdef2e325f2861e829e5c8cc

SHA512
d542f49787cfc52cd40b43b50e4ff967b240503788a6454c3a94d59f904f78a53dde9c497704904f7cba8361ba8cc740ce35b5a45172955c583650cfb8bab5bc

Download Submit
C:\Users\Admin\AppData\Roaming\Client.exe
MD5
95605c11d4b59cb6b8a4661d91dd19de

SHA1
238ed88b706987043038b7c965395b69bc290219

SHA256
d55978d37f1031b8b0e9811b9375b423d1cda7edfdef2e325f2861e829e5c8cc

SHA512
d542f49787cfc52cd40b43b50e4ff967b240503788a6454c3a94d59f904f78a53dde9c497704904f7cba8361ba8cc740ce35b5a45172955c583650cfb8bab5bc

Download Submit
C:\Users\Admin\AppData\Roaming\Client.exe
MD5
95605c11d4b59cb6b8a4661d91dd19de

SHA1
238ed88b706987043038b7c965395b69bc290219

SHA256
d55978d37f1031b8b0e9811b9375b423d1cda7edfdef2e325f2861e829e5c8cc

SHA512
d542f49787cfc52cd40b43b50e4ff967b240503788a6454c3a94d59f904f78a53dde9c497704904f7cba8361ba8cc740ce35b5a45172955c583650cfb8bab5bc

Download Submit
C:\Users\Admin\AppData\Roaming\Client.exe
MD5
95605c11d4b59cb6b8a4661d91dd19de

SHA1
238ed88b706987043038b7c965395b69bc290219

SHA256
d55978d37f1031b8b0e9811b9375b423d1cda7edfdef2e325f2861e829e5c8cc

SHA512
d542f49787cfc52cd40b43b50e4ff967b240503788a6454c3a94d59f904f78a53dde9c497704904f7cba8361ba8cc740ce35b5a45172955c583650cfb8bab5bc

Download Submit
C:\Users\Admin\AppData\Roaming\Client.exe
MD5
95605c11d4b59cb6b8a4661d91dd19de

SHA1
238ed88b706987043038b7c965395b69bc290219

SHA256
d55978d37f1031b8b0e9811b9375b423d1cda7edfdef2e325f2861e829e5c8cc

SHA512
d542f49787cfc52cd40b43b50e4ff967b240503788a6454c3a94d59f904f78a53dde9c497704904f7cba8361ba8cc740ce35b5a45172955c583650cfb8bab5bc

Download Submit
\Users\Admin\AppData\Roaming\Client.exe
MD5
95605c11d4b59cb6b8a4661d91dd19de

SHA1
238ed88b706987043038b7c965395b69bc290219

SHA256
d55978d37f1031b8b0e9811b9375b423d1cda7edfdef2e325f2861e829e5c8cc

SHA512
d542f49787cfc52cd40b43b50e4ff967b240503788a6454c3a94d59f904f78a53dde9c497704904f7cba8361ba8cc740ce35b5a45172955c583650cfb8bab5bc

Download Submit
memory/560-83-0x0000000000000000-mapping.dmp

Download
memory/568-56-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/568-54-0x0000000075821000-0x0000000075823000-memory.dmp

Filesize
8KB

Download
memory/620-57-0x0000000000000000-mapping.dmp

Download
memory/644-63-0x0000000000000000-mapping.dmp

Download
memory/748-77-0x0000000000000000-mapping.dmp

Download
memory/824-66-0x0000000000000000-mapping.dmp

Download
memory/824-71-0x0000000001FE0000-0x0000000001FE1000-memory.dmp

Filesize
4KB

Download
memory/1204-64-0x0000000002080000-0x0000000002081000-memory.dmp

Filesize
4KB

Download
memory/1204-59-0x0000000000000000-mapping.dmp

Download
memory/1384-55-0x0000000000000000-mapping.dmp

Download
memory/1564-82-0x0000000000000000-mapping.dmp

Download
memory/1592-75-0x0000000002040000-0x0000000002041000-memory.dmp

Filesize
4KB

Download
memory/1592-72-0x0000000000000000-mapping.dmp

Download
memory/1628-69-0x0000000000000000-mapping.dmp

Download
memory/1752-78-0x0000000000000000-mapping.dmp

Download
memory/1752-81-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/1940-70-0x0000000000000000-mapping.dmp

Download
memory/1972-76-0x0000000000000000-mapping.dmp

Download
memory/1988-65-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads