njrat | b1a1e14bc010b33f4aaf307745f56ebb6fc7aa2f156c1c38c645432ed7bca50e

General

Target

B1A1E14BC010B33F4AAF307745F56EBB6FC7AA2F156C1.exe
Size

93KB
MD5

a32cfcc44e02557cdaa58e5d0d0bfecf
SHA1

e528b1545dad304a0e11c5b3d85a54bcb6d08124
SHA256

b1a1e14bc010b33f4aaf307745f56ebb6fc7aa2f156c1c38c645432ed7bca50e
SHA512

7a357c990e953e781cd84e2991d76705312ba9e439d478d2480d9984dad3cca256de294b80dc0c391b89678cf15e080167696a5af0f79b0827fed7eafdf32d60

Score

10^/10

njrat otcuser evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

otcuser

C2

FRANSESCOC50Y3Aubmdyb2suaW8Strik:MTAzNzI=

Mutex

26996ddd51e9bdc1472eeb1acc1c554a

Attributes

reg_key
26996ddd51e9bdc1472eeb1acc1c554a
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Disables Task Manager via registry modification
evasion
Executes dropped EXE 1 IoCs

Processes:

server.exe

pid process

1348 server.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 4 IoCs

Processes:

server.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\26996ddd51e9bdc1472eeb1acc1c554aWindows Update.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\26996ddd51e9bdc1472eeb1acc1c554aWindows Update.exe	server.exe

Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Drops file in Windows directory 2 IoCs

Processes:

B1A1E14BC010B33F4AAF307745F56EBB6FC7AA2F156C1.exeserver.exe

description	ioc	process
File created	C:\Windows\server.exe	B1A1E14BC010B33F4AAF307745F56EBB6FC7AA2F156C1.exe
File opened for modification	C:\Windows\server.exe	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

server.exe

pid	process
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe
1348	server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

server.exe

pid process

1348 server.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

Processes:

server.exe

description	pid	process
Token: SeDebugPrivilege	1348	server.exe
Token: 33	1348	server.exe
Token: SeIncBasePriorityPrivilege	1348	server.exe
Token: 33	1348	server.exe
Token: SeIncBasePriorityPrivilege	1348	server.exe
Token: 33	1348	server.exe
Token: SeIncBasePriorityPrivilege	1348	server.exe
Token: 33	1348	server.exe
Token: SeIncBasePriorityPrivilege	1348	server.exe
Token: 33	1348	server.exe
Token: SeIncBasePriorityPrivilege	1348	server.exe
Token: 33	1348	server.exe
Token: SeIncBasePriorityPrivilege	1348	server.exe
Token: 33	1348	server.exe
Token: SeIncBasePriorityPrivilege	1348	server.exe
Token: 33	1348	server.exe
Token: SeIncBasePriorityPrivilege	1348	server.exe
Token: 33	1348	server.exe
Token: SeIncBasePriorityPrivilege	1348	server.exe
Token: 33	1348	server.exe
Token: SeIncBasePriorityPrivilege	1348	server.exe
Token: 33	1348	server.exe
Token: SeIncBasePriorityPrivilege	1348	server.exe
Token: 33	1348	server.exe
Token: SeIncBasePriorityPrivilege	1348	server.exe
Token: 33	1348	server.exe
Token: SeIncBasePriorityPrivilege	1348	server.exe
Token: 33	1348	server.exe
Token: SeIncBasePriorityPrivilege	1348	server.exe
Token: 33	1348	server.exe
Token: SeIncBasePriorityPrivilege	1348	server.exe
Token: 33	1348	server.exe
Token: SeIncBasePriorityPrivilege	1348	server.exe
Token: 33	1348	server.exe
Token: SeIncBasePriorityPrivilege	1348	server.exe
Token: 33	1348	server.exe
Token: SeIncBasePriorityPrivilege	1348	server.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

B1A1E14BC010B33F4AAF307745F56EBB6FC7AA2F156C1.exeserver.exe

description	pid	process	target process
PID 796 wrote to memory of 1348	796	B1A1E14BC010B33F4AAF307745F56EBB6FC7AA2F156C1.exe	server.exe
PID 796 wrote to memory of 1348	796	B1A1E14BC010B33F4AAF307745F56EBB6FC7AA2F156C1.exe	server.exe
PID 796 wrote to memory of 1348	796	B1A1E14BC010B33F4AAF307745F56EBB6FC7AA2F156C1.exe	server.exe
PID 796 wrote to memory of 1348	796	B1A1E14BC010B33F4AAF307745F56EBB6FC7AA2F156C1.exe	server.exe
PID 1348 wrote to memory of 1572	1348	server.exe	netsh.exe
PID 1348 wrote to memory of 1572	1348	server.exe	netsh.exe
PID 1348 wrote to memory of 1572	1348	server.exe	netsh.exe
PID 1348 wrote to memory of 1572	1348	server.exe	netsh.exe
PID 1348 wrote to memory of 300	1348	server.exe	netsh.exe
PID 1348 wrote to memory of 300	1348	server.exe	netsh.exe
PID 1348 wrote to memory of 300	1348	server.exe	netsh.exe
PID 1348 wrote to memory of 300	1348	server.exe	netsh.exe
PID 1348 wrote to memory of 880	1348	server.exe	netsh.exe
PID 1348 wrote to memory of 880	1348	server.exe	netsh.exe
PID 1348 wrote to memory of 880	1348	server.exe	netsh.exe
PID 1348 wrote to memory of 880	1348	server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\B1A1E14BC010B33F4AAF307745F56EBB6FC7AA2F156C1.exe
"C:\Users\Admin\AppData\Local\Temp\B1A1E14BC010B33F4AAF307745F56EBB6FC7AA2F156C1.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:796

C:\Windows\server.exe
"C:\Windows\server.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
3⤵
PID:1572

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
3⤵
PID:880

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Windows\server.exe"
3⤵
PID:300

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\app
MD5
a65a8cc18c0fdcac3b78ed8f032e2f98

SHA1
9087f7aaf4edf3b132348b1e5dfa7a678d57d40e

SHA256
ca1c5c735384c64968c987e3e608cb48a3cbd73e870f1bc6d60f2b24f9445e3a

SHA512
8e56c9aa0c90fb30b488fa72a0b9d40e69c357e32d8e6f9d5a299dfbf9df8c896c28684d7163972019ab53dfcfe35dc75e9b305e07c81b9984a410e04b96186d

Download Submit
C:\Windows\server.exe
MD5
a32cfcc44e02557cdaa58e5d0d0bfecf

SHA1
e528b1545dad304a0e11c5b3d85a54bcb6d08124

SHA256
b1a1e14bc010b33f4aaf307745f56ebb6fc7aa2f156c1c38c645432ed7bca50e

SHA512
7a357c990e953e781cd84e2991d76705312ba9e439d478d2480d9984dad3cca256de294b80dc0c391b89678cf15e080167696a5af0f79b0827fed7eafdf32d60

Download Submit
C:\Windows\server.exe
MD5
a32cfcc44e02557cdaa58e5d0d0bfecf

SHA1
e528b1545dad304a0e11c5b3d85a54bcb6d08124

SHA256
b1a1e14bc010b33f4aaf307745f56ebb6fc7aa2f156c1c38c645432ed7bca50e

SHA512
7a357c990e953e781cd84e2991d76705312ba9e439d478d2480d9984dad3cca256de294b80dc0c391b89678cf15e080167696a5af0f79b0827fed7eafdf32d60

Download Submit
memory/300-63-0x0000000000000000-mapping.dmp

Download
memory/796-53-0x0000000075761000-0x0000000075763000-memory.dmp

Filesize
8KB

Download
memory/796-54-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/880-64-0x0000000000000000-mapping.dmp

Download
memory/1348-55-0x0000000000000000-mapping.dmp

Download
memory/1348-60-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1572-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads