njrat | 81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9

General

Target

81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe
Size

272KB
MD5

ec9ccaf9a8e0421748c3460f76289a48
SHA1

23aee36ceec415d2ebc48c8cc7ac1c12927bc1f5
SHA256

81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9
SHA512

bdcdd39418b965d9918a63825daa15fd64e47316b515c472e03f9071beaa40ada6ae003c6448b9349f4298a7e987ed48edea23863b0d7b811cadebb83a5d0568

Score

10^/10

njrat trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

system.exe

pid process

760 system.exe

pid	process
760	system.exe

Drops startup file 1 IoCs

Processes:

81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mysystem.lnk	81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exesystem.exe

description	pid	process
Token: SeDebugPrivilege	956	81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe
Token: 33	956	81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe
Token: SeIncBasePriorityPrivilege	956	81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe
Token: 33	956	81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe
Token: SeIncBasePriorityPrivilege	956	81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe
Token: 33	956	81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe
Token: SeIncBasePriorityPrivilege	956	81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe
Token: SeDebugPrivilege	760	system.exe
Token: 33	760	system.exe
Token: SeIncBasePriorityPrivilege	760	system.exe
Token: 33	760	system.exe
Token: SeIncBasePriorityPrivilege	760	system.exe
Token: 33	760	system.exe
Token: SeIncBasePriorityPrivilege	760	system.exe
Token: 33	760	system.exe
Token: SeIncBasePriorityPrivilege	760	system.exe
Token: 33	760	system.exe
Token: SeIncBasePriorityPrivilege	760	system.exe
Token: 33	760	system.exe
Token: SeIncBasePriorityPrivilege	760	system.exe
Token: 33	760	system.exe
Token: SeIncBasePriorityPrivilege	760	system.exe
Token: 33	760	system.exe
Token: SeIncBasePriorityPrivilege	760	system.exe
Token: 33	760	system.exe
Token: SeIncBasePriorityPrivilege	760	system.exe
Token: 33	760	system.exe
Token: SeIncBasePriorityPrivilege	760	system.exe
Token: 33	760	system.exe
Token: SeIncBasePriorityPrivilege	760	system.exe
Token: 33	760	system.exe
Token: SeIncBasePriorityPrivilege	760	system.exe
Token: 33	760	system.exe
Token: SeIncBasePriorityPrivilege	760	system.exe
Token: 33	760	system.exe
Token: SeIncBasePriorityPrivilege	760	system.exe
Token: 33	956	81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe
Token: SeIncBasePriorityPrivilege	956	81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe
Token: 33	760	system.exe
Token: SeIncBasePriorityPrivilege	760	system.exe
Token: 33	760	system.exe
Token: SeIncBasePriorityPrivilege	760	system.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe

pid	process
956	81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe
956	81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe

description	pid	process	target process
PID 956 wrote to memory of 760	956	81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe	system.exe
PID 956 wrote to memory of 760	956	81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe	system.exe
PID 956 wrote to memory of 760	956	81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe	system.exe

C:\Users\Admin\AppData\Local\Temp\81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe
"C:\Users\Admin\AppData\Local\Temp\81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:956
- C:\Users\Admin\AppData\Local\Temp\system.exe
  "C:\Users\Admin\AppData\Local\Temp\system.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\system.exe

MD5
574a3592c32eb216dd587f9251eea990

SHA1
17438599a6b3d38589344cfd43ea56c69e04401d

SHA256
c5c1e31e4f6ac4fc431cf20fe01460ec008329d0b7e757497852cc787556ba99

SHA512
a930786f05b663f1fba81bc4b50bbf3046b6c5c555e557b86af283d346c24c9a6f6518c422f94104d6e75e2bb15c68b148e5c7f0e657045c7e2b3c28edffd5bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\system.exe

MD5
574a3592c32eb216dd587f9251eea990

SHA1
17438599a6b3d38589344cfd43ea56c69e04401d

SHA256
c5c1e31e4f6ac4fc431cf20fe01460ec008329d0b7e757497852cc787556ba99

SHA512
a930786f05b663f1fba81bc4b50bbf3046b6c5c555e557b86af283d346c24c9a6f6518c422f94104d6e75e2bb15c68b148e5c7f0e657045c7e2b3c28edffd5bc

Download Submit
memory/760-64-0x0000000002040000-0x0000000002042000-memory.dmp

Filesize
8KB

Download
memory/760-63-0x000007FEF2F50000-0x000007FEF3FE6000-memory.dmp

Filesize
16.6MB

Download
memory/956-58-0x00000000003C0000-0x0000000000720000-memory.dmp

Filesize
3.4MB

Download
memory/956-59-0x00000000003C0000-0x0000000000720000-memory.dmp

Filesize
3.4MB

Download
memory/956-60-0x00000000003C0000-0x0000000000720000-memory.dmp

Filesize
3.4MB

Download
memory/956-54-0x00000000003C0000-0x0000000000720000-memory.dmp

Filesize
3.4MB

Download
memory/956-57-0x00000000003C0000-0x0000000000720000-memory.dmp

Filesize
3.4MB

Download
memory/956-56-0x00000000003C0000-0x0000000000720000-memory.dmp

Filesize
3.4MB

Download
memory/956-55-0x000007FEF2F50000-0x000007FEF3FE6000-memory.dmp

Filesize
16.6MB

Download
memory/956-65-0x00000000003C0000-0x0000000000720000-memory.dmp

Filesize
3.4MB

Download
memory/956-66-0x00000000003C0000-0x0000000000720000-memory.dmp

Filesize
3.4MB

Download
memory/956-67-0x00000000003C0000-0x0000000000720000-memory.dmp

Filesize
3.4MB

Download
memory/956-68-0x00000000003C0000-0x0000000000720000-memory.dmp

Filesize
3.4MB

Download
memory/956-69-0x00000000003C0000-0x0000000000720000-memory.dmp

Filesize
3.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads