njrat | f666cdfc7184c0b4df9dfb2c5786817d06da8031c215fd6c0ab809e80def8293

General

Target

f666cdfc7184c0b4df9dfb2c5786817d06da8031c215fd6c0ab809e80def8293.exe
Size

141KB
MD5

d8ef1f38ed340d0cd25c8eef8c4751ce
SHA1

a54e7a4c15bb072191adff6676368f75dc3e16fa
SHA256

f666cdfc7184c0b4df9dfb2c5786817d06da8031c215fd6c0ab809e80def8293
SHA512

8ca363dca8be5942dbe4a45422834267dd088a6b660a2319e1b53712f077a37f0948ab03665965a99b3b105b41870765ce1fec07690b2a83f98c7cfd8fb5535b

Score

10^/10

njrat evasion persistence trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

server.exe

pid process

660 server.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
660	server.exe

Drops startup file 2 IoCs

Processes:

server.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\83a85b3692d1381f2323a4ea4cfeb413.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\83a85b3692d1381f2323a4ea4cfeb413.exe	server.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

server.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\83a85b3692d1381f2323a4ea4cfeb413 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\83a85b3692d1381f2323a4ea4cfeb413 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

server.exe

description	pid	process
Token: SeDebugPrivilege	660	server.exe
Token: 33	660	server.exe
Token: SeIncBasePriorityPrivilege	660	server.exe
Token: 33	660	server.exe
Token: SeIncBasePriorityPrivilege	660	server.exe
Token: 33	660	server.exe
Token: SeIncBasePriorityPrivilege	660	server.exe
Token: 33	660	server.exe
Token: SeIncBasePriorityPrivilege	660	server.exe
Token: 33	660	server.exe
Token: SeIncBasePriorityPrivilege	660	server.exe
Token: 33	660	server.exe
Token: SeIncBasePriorityPrivilege	660	server.exe
Token: 33	660	server.exe
Token: SeIncBasePriorityPrivilege	660	server.exe
Token: 33	660	server.exe
Token: SeIncBasePriorityPrivilege	660	server.exe
Token: 33	660	server.exe
Token: SeIncBasePriorityPrivilege	660	server.exe
Token: 33	660	server.exe
Token: SeIncBasePriorityPrivilege	660	server.exe
Token: 33	660	server.exe
Token: SeIncBasePriorityPrivilege	660	server.exe
Token: 33	660	server.exe
Token: SeIncBasePriorityPrivilege	660	server.exe
Token: 33	660	server.exe
Token: SeIncBasePriorityPrivilege	660	server.exe
Token: 33	660	server.exe
Token: SeIncBasePriorityPrivilege	660	server.exe
Token: 33	660	server.exe
Token: SeIncBasePriorityPrivilege	660	server.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

f666cdfc7184c0b4df9dfb2c5786817d06da8031c215fd6c0ab809e80def8293.exeserver.exe

description	pid	process	target process
PID 1724 wrote to memory of 660	1724	f666cdfc7184c0b4df9dfb2c5786817d06da8031c215fd6c0ab809e80def8293.exe	server.exe
PID 1724 wrote to memory of 660	1724	f666cdfc7184c0b4df9dfb2c5786817d06da8031c215fd6c0ab809e80def8293.exe	server.exe
PID 1724 wrote to memory of 660	1724	f666cdfc7184c0b4df9dfb2c5786817d06da8031c215fd6c0ab809e80def8293.exe	server.exe
PID 660 wrote to memory of 988	660	server.exe	netsh.exe
PID 660 wrote to memory of 988	660	server.exe	netsh.exe
PID 660 wrote to memory of 988	660	server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\f666cdfc7184c0b4df9dfb2c5786817d06da8031c215fd6c0ab809e80def8293.exe
"C:\Users\Admin\AppData\Local\Temp\f666cdfc7184c0b4df9dfb2c5786817d06da8031c215fd6c0ab809e80def8293.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1724

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:660

C:\Windows\system32\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
3⤵
PID:988

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe
MD5
d8ef1f38ed340d0cd25c8eef8c4751ce

SHA1
a54e7a4c15bb072191adff6676368f75dc3e16fa

SHA256
f666cdfc7184c0b4df9dfb2c5786817d06da8031c215fd6c0ab809e80def8293

SHA512
8ca363dca8be5942dbe4a45422834267dd088a6b660a2319e1b53712f077a37f0948ab03665965a99b3b105b41870765ce1fec07690b2a83f98c7cfd8fb5535b

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe
MD5
d8ef1f38ed340d0cd25c8eef8c4751ce

SHA1
a54e7a4c15bb072191adff6676368f75dc3e16fa

SHA256
f666cdfc7184c0b4df9dfb2c5786817d06da8031c215fd6c0ab809e80def8293

SHA512
8ca363dca8be5942dbe4a45422834267dd088a6b660a2319e1b53712f077a37f0948ab03665965a99b3b105b41870765ce1fec07690b2a83f98c7cfd8fb5535b

Download Submit
memory/660-59-0x000007FEF28B0000-0x000007FEF3946000-memory.dmp

Filesize
16.6MB

Download
memory/660-60-0x0000000000480000-0x0000000000482000-memory.dmp

Filesize
8KB

Download
memory/1724-54-0x0000000002170000-0x0000000002172000-memory.dmp

Filesize
8KB

Download
memory/1724-55-0x000007FEF2AC0000-0x000007FEF3B56000-memory.dmp

Filesize
16.6MB

Download
memory/1724-56-0x000007FEFC521000-0x000007FEFC523000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads