njrat | 81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9

General

Target

81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe
Size

272KB
MD5

ec9ccaf9a8e0421748c3460f76289a48
SHA1

23aee36ceec415d2ebc48c8cc7ac1c12927bc1f5
SHA256

81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9
SHA512

bdcdd39418b965d9918a63825daa15fd64e47316b515c472e03f9071beaa40ada6ae003c6448b9349f4298a7e987ed48edea23863b0d7b811cadebb83a5d0568

Score

10^/10

njrat trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

system.exe

pid process

2144 system.exe

pid	process
2144	system.exe

Drops startup file 1 IoCs

Processes:

81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mysystem.lnk	81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe

Drops file in Windows directory 3 IoCs

Processes:

81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe
File created	C:\Windows\assembly\Desktop.ini	81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exesystem.exe

description	pid	process
Token: SeDebugPrivilege	2680	81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe
Token: 33	2680	81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe
Token: SeIncBasePriorityPrivilege	2680	81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe
Token: 33	2680	81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe
Token: SeIncBasePriorityPrivilege	2680	81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe
Token: 33	2680	81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe
Token: SeIncBasePriorityPrivilege	2680	81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe
Token: SeDebugPrivilege	2144	system.exe
Token: 33	2144	system.exe
Token: SeIncBasePriorityPrivilege	2144	system.exe
Token: 33	2144	system.exe
Token: SeIncBasePriorityPrivilege	2144	system.exe
Token: 33	2144	system.exe
Token: SeIncBasePriorityPrivilege	2144	system.exe
Token: 33	2144	system.exe
Token: SeIncBasePriorityPrivilege	2144	system.exe
Token: 33	2144	system.exe
Token: SeIncBasePriorityPrivilege	2144	system.exe
Token: 33	2144	system.exe
Token: SeIncBasePriorityPrivilege	2144	system.exe
Token: 33	2144	system.exe
Token: SeIncBasePriorityPrivilege	2144	system.exe
Token: 33	2144	system.exe
Token: SeIncBasePriorityPrivilege	2144	system.exe
Token: 33	2144	system.exe
Token: SeIncBasePriorityPrivilege	2144	system.exe
Token: 33	2144	system.exe
Token: SeIncBasePriorityPrivilege	2144	system.exe
Token: 33	2144	system.exe
Token: SeIncBasePriorityPrivilege	2144	system.exe
Token: 33	2144	system.exe
Token: SeIncBasePriorityPrivilege	2144	system.exe
Token: 33	2144	system.exe
Token: SeIncBasePriorityPrivilege	2144	system.exe
Token: 33	2144	system.exe
Token: SeIncBasePriorityPrivilege	2144	system.exe
Token: 33	2680	81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe
Token: SeIncBasePriorityPrivilege	2680	81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe
Token: 33	2144	system.exe
Token: SeIncBasePriorityPrivilege	2144	system.exe
Token: 33	2144	system.exe
Token: SeIncBasePriorityPrivilege	2144	system.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe

pid	process
2680	81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe
2680	81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe

description	pid	process	target process
PID 2680 wrote to memory of 2144	2680	81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe	system.exe
PID 2680 wrote to memory of 2144	2680	81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe	system.exe

C:\Users\Admin\AppData\Local\Temp\81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe
"C:\Users\Admin\AppData\Local\Temp\81b2dd1209938c7abbd7108bc064addd8ac5e5725743403215d76f0ed0cac0e9.exe"
1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2680

C:\Users\Admin\AppData\Local\Temp\system.exe
"C:\Users\Admin\AppData\Local\Temp\system.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2144

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\system.exe
MD5
574a3592c32eb216dd587f9251eea990

SHA1
17438599a6b3d38589344cfd43ea56c69e04401d

SHA256
c5c1e31e4f6ac4fc431cf20fe01460ec008329d0b7e757497852cc787556ba99

SHA512
a930786f05b663f1fba81bc4b50bbf3046b6c5c555e557b86af283d346c24c9a6f6518c422f94104d6e75e2bb15c68b148e5c7f0e657045c7e2b3c28edffd5bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\system.exe
MD5
574a3592c32eb216dd587f9251eea990

SHA1
17438599a6b3d38589344cfd43ea56c69e04401d

SHA256
c5c1e31e4f6ac4fc431cf20fe01460ec008329d0b7e757497852cc787556ba99

SHA512
a930786f05b663f1fba81bc4b50bbf3046b6c5c555e557b86af283d346c24c9a6f6518c422f94104d6e75e2bb15c68b148e5c7f0e657045c7e2b3c28edffd5bc

Download Submit
memory/2144-123-0x00000000022C0000-0x00000000022C2000-memory.dmp

Filesize
8KB

Download
memory/2680-116-0x0000000002C12000-0x0000000002C14000-memory.dmp

Filesize
8KB

Download
memory/2680-119-0x0000000002C16000-0x0000000002C18000-memory.dmp

Filesize
8KB

Download
memory/2680-120-0x0000000002C18000-0x0000000002C1A000-memory.dmp

Filesize
8KB

Download
memory/2680-115-0x0000000002C10000-0x0000000002C12000-memory.dmp

Filesize
8KB

Download
memory/2680-118-0x0000000002C15000-0x0000000002C16000-memory.dmp

Filesize
4KB

Download
memory/2680-117-0x0000000002C14000-0x0000000002C15000-memory.dmp

Filesize
4KB

Download
memory/2680-125-0x000000001D7A4000-0x000000001D7A5000-memory.dmp

Filesize
4KB

Download
memory/2680-124-0x000000001D7A2000-0x000000001D7A4000-memory.dmp

Filesize
8KB

Download
memory/2680-127-0x000000001D7A7000-0x000000001D7A8000-memory.dmp

Filesize
4KB

Download
memory/2680-126-0x000000001D7A5000-0x000000001D7A6000-memory.dmp

Filesize
4KB

Download
memory/2680-128-0x000000001D7A8000-0x000000001D7A9000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads