njrat | 72611a2a7db8978d61f2d8659cd56c0595d96ac7fbb03adcc6000e40760062e7

General

Target

72611A2A7DB8978D61F2D8659CD56C0595D96AC7FBB03.exe
Size

158KB
MD5

d682f703d4b78ad2c57d3fc91e40df9b
SHA1

49dfe802bf98c59eff10dbe8ec360ed53114bb6a
SHA256

72611a2a7db8978d61f2d8659cd56c0595d96ac7fbb03adcc6000e40760062e7
SHA512

384e5269ba21c749c9d320688d866e2047891744d4059767fb7e9230908016b9fc12fda4df20647555f6e68fafc5ffe2cbe0b780049de8c76c275c7cdb83a5c1

Score

10^/10

njrat evasion persistence trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

Microsoft OneDrive.exe

pid process

268 Microsoft OneDrive.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
268	Microsoft OneDrive.exe

Drops startup file 2 IoCs

Processes:

Microsoft OneDrive.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e670d2a55524d983fee0be3df7ccf301.exe	Microsoft OneDrive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e670d2a55524d983fee0be3df7ccf301.exe	Microsoft OneDrive.exe

Loads dropped DLL 1 IoCs

Processes:

72611A2A7DB8978D61F2D8659CD56C0595D96AC7FBB03.exe

pid process

844 72611A2A7DB8978D61F2D8659CD56C0595D96AC7FBB03.exe

pid	process
844	72611A2A7DB8978D61F2D8659CD56C0595D96AC7FBB03.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Microsoft OneDrive.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\e670d2a55524d983fee0be3df7ccf301 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft OneDrive.exe\" .."	Microsoft OneDrive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\e670d2a55524d983fee0be3df7ccf301 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft OneDrive.exe\" .."	Microsoft OneDrive.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

Microsoft OneDrive.exe

description	pid	process
Token: SeDebugPrivilege	268	Microsoft OneDrive.exe
Token: 33	268	Microsoft OneDrive.exe
Token: SeIncBasePriorityPrivilege	268	Microsoft OneDrive.exe
Token: 33	268	Microsoft OneDrive.exe
Token: SeIncBasePriorityPrivilege	268	Microsoft OneDrive.exe
Token: 33	268	Microsoft OneDrive.exe
Token: SeIncBasePriorityPrivilege	268	Microsoft OneDrive.exe
Token: 33	268	Microsoft OneDrive.exe
Token: SeIncBasePriorityPrivilege	268	Microsoft OneDrive.exe
Token: 33	268	Microsoft OneDrive.exe
Token: SeIncBasePriorityPrivilege	268	Microsoft OneDrive.exe
Token: 33	268	Microsoft OneDrive.exe
Token: SeIncBasePriorityPrivilege	268	Microsoft OneDrive.exe
Token: 33	268	Microsoft OneDrive.exe
Token: SeIncBasePriorityPrivilege	268	Microsoft OneDrive.exe
Token: 33	268	Microsoft OneDrive.exe
Token: SeIncBasePriorityPrivilege	268	Microsoft OneDrive.exe
Token: 33	268	Microsoft OneDrive.exe
Token: SeIncBasePriorityPrivilege	268	Microsoft OneDrive.exe
Token: 33	268	Microsoft OneDrive.exe
Token: SeIncBasePriorityPrivilege	268	Microsoft OneDrive.exe
Token: 33	268	Microsoft OneDrive.exe
Token: SeIncBasePriorityPrivilege	268	Microsoft OneDrive.exe
Token: 33	268	Microsoft OneDrive.exe
Token: SeIncBasePriorityPrivilege	268	Microsoft OneDrive.exe
Token: 33	268	Microsoft OneDrive.exe
Token: SeIncBasePriorityPrivilege	268	Microsoft OneDrive.exe
Token: 33	268	Microsoft OneDrive.exe
Token: SeIncBasePriorityPrivilege	268	Microsoft OneDrive.exe
Token: 33	268	Microsoft OneDrive.exe
Token: SeIncBasePriorityPrivilege	268	Microsoft OneDrive.exe
Token: 33	268	Microsoft OneDrive.exe
Token: SeIncBasePriorityPrivilege	268	Microsoft OneDrive.exe
Token: 33	268	Microsoft OneDrive.exe
Token: SeIncBasePriorityPrivilege	268	Microsoft OneDrive.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

72611A2A7DB8978D61F2D8659CD56C0595D96AC7FBB03.exeMicrosoft OneDrive.exe

description	pid	process	target process
PID 844 wrote to memory of 268	844	72611A2A7DB8978D61F2D8659CD56C0595D96AC7FBB03.exe	Microsoft OneDrive.exe
PID 844 wrote to memory of 268	844	72611A2A7DB8978D61F2D8659CD56C0595D96AC7FBB03.exe	Microsoft OneDrive.exe
PID 844 wrote to memory of 268	844	72611A2A7DB8978D61F2D8659CD56C0595D96AC7FBB03.exe	Microsoft OneDrive.exe
PID 844 wrote to memory of 268	844	72611A2A7DB8978D61F2D8659CD56C0595D96AC7FBB03.exe	Microsoft OneDrive.exe
PID 268 wrote to memory of 1136	268	Microsoft OneDrive.exe	netsh.exe
PID 268 wrote to memory of 1136	268	Microsoft OneDrive.exe	netsh.exe
PID 268 wrote to memory of 1136	268	Microsoft OneDrive.exe	netsh.exe
PID 268 wrote to memory of 1136	268	Microsoft OneDrive.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\72611A2A7DB8978D61F2D8659CD56C0595D96AC7FBB03.exe
"C:\Users\Admin\AppData\Local\Temp\72611A2A7DB8978D61F2D8659CD56C0595D96AC7FBB03.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:844

C:\Users\Admin\AppData\Local\Temp\Microsoft OneDrive.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft OneDrive.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Microsoft OneDrive.exe" "Microsoft OneDrive.exe" ENABLE
3⤵
PID:1136

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Microsoft OneDrive.exe

MD5
d682f703d4b78ad2c57d3fc91e40df9b

SHA1
49dfe802bf98c59eff10dbe8ec360ed53114bb6a

SHA256
72611a2a7db8978d61f2d8659cd56c0595d96ac7fbb03adcc6000e40760062e7

SHA512
384e5269ba21c749c9d320688d866e2047891744d4059767fb7e9230908016b9fc12fda4df20647555f6e68fafc5ffe2cbe0b780049de8c76c275c7cdb83a5c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft OneDrive.exe

MD5
d682f703d4b78ad2c57d3fc91e40df9b

SHA1
49dfe802bf98c59eff10dbe8ec360ed53114bb6a

SHA256
72611a2a7db8978d61f2d8659cd56c0595d96ac7fbb03adcc6000e40760062e7

SHA512
384e5269ba21c749c9d320688d866e2047891744d4059767fb7e9230908016b9fc12fda4df20647555f6e68fafc5ffe2cbe0b780049de8c76c275c7cdb83a5c1

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft OneDrive.exe

MD5
d682f703d4b78ad2c57d3fc91e40df9b

SHA1
49dfe802bf98c59eff10dbe8ec360ed53114bb6a

SHA256
72611a2a7db8978d61f2d8659cd56c0595d96ac7fbb03adcc6000e40760062e7

SHA512
384e5269ba21c749c9d320688d866e2047891744d4059767fb7e9230908016b9fc12fda4df20647555f6e68fafc5ffe2cbe0b780049de8c76c275c7cdb83a5c1

Download Submit
memory/268-57-0x0000000000000000-mapping.dmp

Download
memory/268-61-0x0000000001EA0000-0x0000000001EA1000-memory.dmp

Filesize
4KB

Download
memory/844-54-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download
memory/844-55-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1136-62-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads