njrat | 1a8cd081624acf2e77c9851f2e223e6542971749abecc20029d290ffd40fccde

General

Target

1A8CD081624ACF2E77C9851F2E223E6542971749ABECC.exe
Size

162KB
MD5

46aafec84dd26ba8e4676b91e7a33b1c
SHA1

7b0041322232fb0776c7fec31914049e0f980427
SHA256

1a8cd081624acf2e77c9851f2e223e6542971749abecc20029d290ffd40fccde
SHA512

c136b4745ce1febc97d691a4b0261412cda6a64e0110989bb37938af77cbdd84eb92ac239af29e11172566c6b759cc35bde43845b5f52209f73baeda14a754c6

Score

10^/10

njrat evasion persistence trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

Y9cA8bTK55jM6Vs2u1ah.exeinternet.exe

pid process

1948 Y9cA8bTK55jM6Vs2u1ah.exe
808 internet.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
1948	Y9cA8bTK55jM6Vs2u1ah.exe
808	internet.exe

Drops startup file 2 IoCs

Processes:

internet.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1b5816ba242f2863f6da2fff3128272c.exe	internet.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1b5816ba242f2863f6da2fff3128272c.exe	internet.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

internet.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\1b5816ba242f2863f6da2fff3128272c = "\"C:\\Users\\Admin\\AppData\\Roaming\\internet.exe\" .."	internet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1b5816ba242f2863f6da2fff3128272c = "\"C:\\Users\\Admin\\AppData\\Roaming\\internet.exe\" .."	internet.exe

Drops file in Windows directory 2 IoCs

Processes:

1A8CD081624ACF2E77C9851F2E223E6542971749ABECC.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	1A8CD081624ACF2E77C9851F2E223E6542971749ABECC.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	1A8CD081624ACF2E77C9851F2E223E6542971749ABECC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

1A8CD081624ACF2E77C9851F2E223E6542971749ABECC.exeinternet.exe

description	pid	process
Token: SeDebugPrivilege	2708	1A8CD081624ACF2E77C9851F2E223E6542971749ABECC.exe
Token: 33	2708	1A8CD081624ACF2E77C9851F2E223E6542971749ABECC.exe
Token: SeIncBasePriorityPrivilege	2708	1A8CD081624ACF2E77C9851F2E223E6542971749ABECC.exe
Token: SeDebugPrivilege	808	internet.exe
Token: 33	808	internet.exe
Token: SeIncBasePriorityPrivilege	808	internet.exe
Token: 33	808	internet.exe
Token: SeIncBasePriorityPrivilege	808	internet.exe
Token: 33	808	internet.exe
Token: SeIncBasePriorityPrivilege	808	internet.exe
Token: 33	808	internet.exe
Token: SeIncBasePriorityPrivilege	808	internet.exe
Token: 33	808	internet.exe
Token: SeIncBasePriorityPrivilege	808	internet.exe
Token: 33	808	internet.exe
Token: SeIncBasePriorityPrivilege	808	internet.exe
Token: 33	808	internet.exe
Token: SeIncBasePriorityPrivilege	808	internet.exe
Token: 33	808	internet.exe
Token: SeIncBasePriorityPrivilege	808	internet.exe
Token: 33	808	internet.exe
Token: SeIncBasePriorityPrivilege	808	internet.exe
Token: 33	808	internet.exe
Token: SeIncBasePriorityPrivilege	808	internet.exe
Token: 33	808	internet.exe
Token: SeIncBasePriorityPrivilege	808	internet.exe
Token: 33	808	internet.exe
Token: SeIncBasePriorityPrivilege	808	internet.exe
Token: 33	808	internet.exe
Token: SeIncBasePriorityPrivilege	808	internet.exe
Token: 33	808	internet.exe
Token: SeIncBasePriorityPrivilege	808	internet.exe
Token: 33	808	internet.exe
Token: SeIncBasePriorityPrivilege	808	internet.exe
Token: 33	808	internet.exe
Token: SeIncBasePriorityPrivilege	808	internet.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

1A8CD081624ACF2E77C9851F2E223E6542971749ABECC.exeY9cA8bTK55jM6Vs2u1ah.exeinternet.exe

description	pid	process	target process
PID 2708 wrote to memory of 1948	2708	1A8CD081624ACF2E77C9851F2E223E6542971749ABECC.exe	Y9cA8bTK55jM6Vs2u1ah.exe
PID 2708 wrote to memory of 1948	2708	1A8CD081624ACF2E77C9851F2E223E6542971749ABECC.exe	Y9cA8bTK55jM6Vs2u1ah.exe
PID 2708 wrote to memory of 1948	2708	1A8CD081624ACF2E77C9851F2E223E6542971749ABECC.exe	Y9cA8bTK55jM6Vs2u1ah.exe
PID 1948 wrote to memory of 808	1948	Y9cA8bTK55jM6Vs2u1ah.exe	internet.exe
PID 1948 wrote to memory of 808	1948	Y9cA8bTK55jM6Vs2u1ah.exe	internet.exe
PID 1948 wrote to memory of 808	1948	Y9cA8bTK55jM6Vs2u1ah.exe	internet.exe
PID 808 wrote to memory of 3948	808	internet.exe	netsh.exe
PID 808 wrote to memory of 3948	808	internet.exe	netsh.exe
PID 808 wrote to memory of 3948	808	internet.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\1A8CD081624ACF2E77C9851F2E223E6542971749ABECC.exe
"C:\Users\Admin\AppData\Local\Temp\1A8CD081624ACF2E77C9851F2E223E6542971749ABECC.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2708

C:\Users\Admin\AppData\Roaming\Y9cA8bTK55jM6Vs2u1ah.exe
"C:\Users\Admin\AppData\Roaming\Y9cA8bTK55jM6Vs2u1ah.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1948

C:\Users\Admin\AppData\Roaming\internet.exe
"C:\Users\Admin\AppData\Roaming\internet.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:808

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\internet.exe" "internet.exe" ENABLE
4⤵
PID:3948

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Y9cA8bTK55jM6Vs2u1ah.exe
MD5
43095f8e16dcbb0edc3135fb938e7f97

SHA1
dfbe3d053c76582e4f8bc4376da2fe366f0eea04

SHA256
414959b916a5536e997ccc5c762fd7fadaad4a3447ce56a0e1ed26fa797e7169

SHA512
1f74296ce3da87ab08f1581e698f39c772e1da5d89def5f5b429e4d8cdce03b8fb3354c7f79870bb728e6bfe23cce34a7f11c3b7401bf46f376914d6ccf9e515

Download Submit
C:\Users\Admin\AppData\Roaming\Y9cA8bTK55jM6Vs2u1ah.exe
MD5
43095f8e16dcbb0edc3135fb938e7f97

SHA1
dfbe3d053c76582e4f8bc4376da2fe366f0eea04

SHA256
414959b916a5536e997ccc5c762fd7fadaad4a3447ce56a0e1ed26fa797e7169

SHA512
1f74296ce3da87ab08f1581e698f39c772e1da5d89def5f5b429e4d8cdce03b8fb3354c7f79870bb728e6bfe23cce34a7f11c3b7401bf46f376914d6ccf9e515

Download Submit
C:\Users\Admin\AppData\Roaming\internet.exe
MD5
43095f8e16dcbb0edc3135fb938e7f97

SHA1
dfbe3d053c76582e4f8bc4376da2fe366f0eea04

SHA256
414959b916a5536e997ccc5c762fd7fadaad4a3447ce56a0e1ed26fa797e7169

SHA512
1f74296ce3da87ab08f1581e698f39c772e1da5d89def5f5b429e4d8cdce03b8fb3354c7f79870bb728e6bfe23cce34a7f11c3b7401bf46f376914d6ccf9e515

Download Submit
C:\Users\Admin\AppData\Roaming\internet.exe
MD5
43095f8e16dcbb0edc3135fb938e7f97

SHA1
dfbe3d053c76582e4f8bc4376da2fe366f0eea04

SHA256
414959b916a5536e997ccc5c762fd7fadaad4a3447ce56a0e1ed26fa797e7169

SHA512
1f74296ce3da87ab08f1581e698f39c772e1da5d89def5f5b429e4d8cdce03b8fb3354c7f79870bb728e6bfe23cce34a7f11c3b7401bf46f376914d6ccf9e515

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch
MD5
ee0f046b0a649937bb0251e8d866a7b2

SHA1
d1f424c5bcfb8dd7b51682a3ff8be5410ecd28a0

SHA256
065eea2b0ad58cf09548ae49cbf9ab5b2a0bb6d3f95d6c2def3201e1290b0915

SHA512
c7481b507ffd2be109cb608173fbbc911da72d2bbbbf1f5aaca5bda6d15e9fff6b9164738882c03a77c30f99768f0ebf1aa5507d16a957103f5606c234d293df

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch
MD5
ee0f046b0a649937bb0251e8d866a7b2

SHA1
d1f424c5bcfb8dd7b51682a3ff8be5410ecd28a0

SHA256
065eea2b0ad58cf09548ae49cbf9ab5b2a0bb6d3f95d6c2def3201e1290b0915

SHA512
c7481b507ffd2be109cb608173fbbc911da72d2bbbbf1f5aaca5bda6d15e9fff6b9164738882c03a77c30f99768f0ebf1aa5507d16a957103f5606c234d293df

Download Submit
memory/808-121-0x0000000000000000-mapping.dmp

Download
memory/808-125-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/1948-116-0x0000000000000000-mapping.dmp

Download
memory/1948-120-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/2708-115-0x0000000000700000-0x000000000084A000-memory.dmp

Filesize
1.3MB

Download
memory/3948-126-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads