njrat | b1a1e14bc010b33f4aaf307745f56ebb6fc7aa2f156c1c38c645432ed7bca50e

General

Target

B1A1E14BC010B33F4AAF307745F56EBB6FC7AA2F156C1.exe
Size

93KB
MD5

a32cfcc44e02557cdaa58e5d0d0bfecf
SHA1

e528b1545dad304a0e11c5b3d85a54bcb6d08124
SHA256

b1a1e14bc010b33f4aaf307745f56ebb6fc7aa2f156c1c38c645432ed7bca50e
SHA512

7a357c990e953e781cd84e2991d76705312ba9e439d478d2480d9984dad3cca256de294b80dc0c391b89678cf15e080167696a5af0f79b0827fed7eafdf32d60

Score

10^/10

njrat otcuser evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

otcuser

C2

FRANSESCOC50Y3Aubmdyb2suaW8Strik:MTAzNzI=

Mutex

26996ddd51e9bdc1472eeb1acc1c554a

Attributes

reg_key
26996ddd51e9bdc1472eeb1acc1c554a
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Disables Task Manager via registry modification
evasion
Executes dropped EXE 1 IoCs

Processes:

server.exe

pid process

1912 server.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 4 IoCs

Processes:

server.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\26996ddd51e9bdc1472eeb1acc1c554aWindows Update.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\26996ddd51e9bdc1472eeb1acc1c554aWindows Update.exe	server.exe

Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Drops file in Windows directory 2 IoCs

Processes:

B1A1E14BC010B33F4AAF307745F56EBB6FC7AA2F156C1.exeserver.exe

description	ioc	process
File created	C:\Windows\server.exe	B1A1E14BC010B33F4AAF307745F56EBB6FC7AA2F156C1.exe
File opened for modification	C:\Windows\server.exe	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

server.exe

pid	process
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe
1912	server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

server.exe

pid process

1912 server.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

server.exe

description	pid	process
Token: SeDebugPrivilege	1912	server.exe
Token: 33	1912	server.exe
Token: SeIncBasePriorityPrivilege	1912	server.exe
Token: 33	1912	server.exe
Token: SeIncBasePriorityPrivilege	1912	server.exe
Token: 33	1912	server.exe
Token: SeIncBasePriorityPrivilege	1912	server.exe
Token: 33	1912	server.exe
Token: SeIncBasePriorityPrivilege	1912	server.exe
Token: 33	1912	server.exe
Token: SeIncBasePriorityPrivilege	1912	server.exe
Token: 33	1912	server.exe
Token: SeIncBasePriorityPrivilege	1912	server.exe
Token: 33	1912	server.exe
Token: SeIncBasePriorityPrivilege	1912	server.exe
Token: 33	1912	server.exe
Token: SeIncBasePriorityPrivilege	1912	server.exe
Token: 33	1912	server.exe
Token: SeIncBasePriorityPrivilege	1912	server.exe
Token: 33	1912	server.exe
Token: SeIncBasePriorityPrivilege	1912	server.exe
Token: 33	1912	server.exe
Token: SeIncBasePriorityPrivilege	1912	server.exe
Token: 33	1912	server.exe
Token: SeIncBasePriorityPrivilege	1912	server.exe
Token: 33	1912	server.exe
Token: SeIncBasePriorityPrivilege	1912	server.exe
Token: 33	1912	server.exe
Token: SeIncBasePriorityPrivilege	1912	server.exe
Token: 33	1912	server.exe
Token: SeIncBasePriorityPrivilege	1912	server.exe
Token: 33	1912	server.exe
Token: SeIncBasePriorityPrivilege	1912	server.exe
Token: 33	1912	server.exe
Token: SeIncBasePriorityPrivilege	1912	server.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

B1A1E14BC010B33F4AAF307745F56EBB6FC7AA2F156C1.exeserver.exe

description	pid	process	target process
PID 2760 wrote to memory of 1912	2760	B1A1E14BC010B33F4AAF307745F56EBB6FC7AA2F156C1.exe	server.exe
PID 2760 wrote to memory of 1912	2760	B1A1E14BC010B33F4AAF307745F56EBB6FC7AA2F156C1.exe	server.exe
PID 2760 wrote to memory of 1912	2760	B1A1E14BC010B33F4AAF307745F56EBB6FC7AA2F156C1.exe	server.exe
PID 1912 wrote to memory of 504	1912	server.exe	netsh.exe
PID 1912 wrote to memory of 504	1912	server.exe	netsh.exe
PID 1912 wrote to memory of 504	1912	server.exe	netsh.exe
PID 1912 wrote to memory of 1932	1912	server.exe	netsh.exe
PID 1912 wrote to memory of 1932	1912	server.exe	netsh.exe
PID 1912 wrote to memory of 1932	1912	server.exe	netsh.exe
PID 1912 wrote to memory of 2304	1912	server.exe	netsh.exe
PID 1912 wrote to memory of 2304	1912	server.exe	netsh.exe
PID 1912 wrote to memory of 2304	1912	server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\B1A1E14BC010B33F4AAF307745F56EBB6FC7AA2F156C1.exe
"C:\Users\Admin\AppData\Local\Temp\B1A1E14BC010B33F4AAF307745F56EBB6FC7AA2F156C1.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2760

C:\Windows\server.exe
"C:\Windows\server.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
3⤵
PID:504

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Windows\server.exe"
3⤵
PID:1932

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
3⤵
PID:2304

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\app
MD5
bbcd2be775370c1e106e66d077a93f3b

SHA1
a44b6a98f30e3275fc304bc3b29e0eab8ae47f20

SHA256
a7aa76f137ba550c381cfb8e5195a01963ae49db167e1cd1e0a8b902ed81eda1

SHA512
bb6e0d1f24253a9525fd538debf8ca68eb7078cb8539140c184331a854ecdea192fbcc314c4154a0a474c9aec41a79efeb8150922454c3c9e71eeb5297ae2f72

Download Submit
C:\Windows\server.exe
MD5
a32cfcc44e02557cdaa58e5d0d0bfecf

SHA1
e528b1545dad304a0e11c5b3d85a54bcb6d08124

SHA256
b1a1e14bc010b33f4aaf307745f56ebb6fc7aa2f156c1c38c645432ed7bca50e

SHA512
7a357c990e953e781cd84e2991d76705312ba9e439d478d2480d9984dad3cca256de294b80dc0c391b89678cf15e080167696a5af0f79b0827fed7eafdf32d60

Download Submit
C:\Windows\server.exe
MD5
a32cfcc44e02557cdaa58e5d0d0bfecf

SHA1
e528b1545dad304a0e11c5b3d85a54bcb6d08124

SHA256
b1a1e14bc010b33f4aaf307745f56ebb6fc7aa2f156c1c38c645432ed7bca50e

SHA512
7a357c990e953e781cd84e2991d76705312ba9e439d478d2480d9984dad3cca256de294b80dc0c391b89678cf15e080167696a5af0f79b0827fed7eafdf32d60

Download Submit
memory/504-121-0x0000000000000000-mapping.dmp

Download
memory/1912-116-0x0000000000000000-mapping.dmp

Download
memory/1912-120-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download
memory/1932-122-0x0000000000000000-mapping.dmp

Download
memory/2304-123-0x0000000000000000-mapping.dmp

Download
memory/2760-115-0x0000000002D80000-0x0000000002D81000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads