njrat | 7265329c7d297c83cd51f0aeef53fc6936edfad2fdf18389d2f52b23ea2bac74

General

Target

7265329c7d297c83cd51f0aeef53fc6936edfad2fdf18389d2f52b23ea2bac74.exe
Size

1.8MB
MD5

ce0f944b84b823e1267175d6b4f5cdbd
SHA1

d20e4bd150dd042620c288f856ac26743239e3fd
SHA256

7265329c7d297c83cd51f0aeef53fc6936edfad2fdf18389d2f52b23ea2bac74
SHA512

9320426b1f43b46675bc4255bc8615aca4f11a5d159991734b37ddecc2f0e8c79fe9f4a958961f4d1dea09177cb8886b3cbf9fd82a637b4467959727a4d306ae

Score

10^/10

njrat trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 3 IoCs

Processes:

TempEgchatinstaller.exeTempEgchat.exesystem.exe

pid process

580 TempEgchatinstaller.exe
784 TempEgchat.exe
2008 system.exe
Drops startup file 1 IoCs

Processes:

TempEgchat.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mysystem.lnk TempEgchat.exe

pid	process
580	TempEgchatinstaller.exe
784	TempEgchat.exe
2008	system.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mysystem.lnk	TempEgchat.exe

Loads dropped DLL 2 IoCs

Processes:

7265329c7d297c83cd51f0aeef53fc6936edfad2fdf18389d2f52b23ea2bac74.exe

pid	process
1592	7265329c7d297c83cd51f0aeef53fc6936edfad2fdf18389d2f52b23ea2bac74.exe
1592	7265329c7d297c83cd51f0aeef53fc6936edfad2fdf18389d2f52b23ea2bac74.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

7265329c7d297c83cd51f0aeef53fc6936edfad2fdf18389d2f52b23ea2bac74.exeTempEgchat.exesystem.exe

description	pid	process
Token: SeDebugPrivilege	1592	7265329c7d297c83cd51f0aeef53fc6936edfad2fdf18389d2f52b23ea2bac74.exe
Token: 33	1592	7265329c7d297c83cd51f0aeef53fc6936edfad2fdf18389d2f52b23ea2bac74.exe
Token: SeIncBasePriorityPrivilege	1592	7265329c7d297c83cd51f0aeef53fc6936edfad2fdf18389d2f52b23ea2bac74.exe
Token: SeDebugPrivilege	784	TempEgchat.exe
Token: 33	784	TempEgchat.exe
Token: SeIncBasePriorityPrivilege	784	TempEgchat.exe
Token: 33	784	TempEgchat.exe
Token: SeIncBasePriorityPrivilege	784	TempEgchat.exe
Token: 33	784	TempEgchat.exe
Token: SeIncBasePriorityPrivilege	784	TempEgchat.exe
Token: SeDebugPrivilege	2008	system.exe
Token: 33	2008	system.exe
Token: SeIncBasePriorityPrivilege	2008	system.exe
Token: 33	2008	system.exe
Token: SeIncBasePriorityPrivilege	2008	system.exe
Token: 33	2008	system.exe
Token: SeIncBasePriorityPrivilege	2008	system.exe
Token: 33	2008	system.exe
Token: SeIncBasePriorityPrivilege	2008	system.exe
Token: 33	2008	system.exe
Token: SeIncBasePriorityPrivilege	2008	system.exe
Token: 33	2008	system.exe
Token: SeIncBasePriorityPrivilege	2008	system.exe
Token: 33	2008	system.exe
Token: SeIncBasePriorityPrivilege	2008	system.exe
Token: 33	2008	system.exe
Token: SeIncBasePriorityPrivilege	2008	system.exe
Token: 33	2008	system.exe
Token: SeIncBasePriorityPrivilege	2008	system.exe
Token: 33	2008	system.exe
Token: SeIncBasePriorityPrivilege	2008	system.exe
Token: 33	2008	system.exe
Token: SeIncBasePriorityPrivilege	2008	system.exe
Token: 33	2008	system.exe
Token: SeIncBasePriorityPrivilege	2008	system.exe
Token: 33	2008	system.exe
Token: SeIncBasePriorityPrivilege	2008	system.exe
Token: 33	2008	system.exe
Token: SeIncBasePriorityPrivilege	2008	system.exe
Token: 33	784	TempEgchat.exe
Token: SeIncBasePriorityPrivilege	784	TempEgchat.exe
Token: 33	2008	system.exe
Token: SeIncBasePriorityPrivilege	2008	system.exe
Token: 33	2008	system.exe
Token: SeIncBasePriorityPrivilege	2008	system.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

TempEgchat.exe

pid process

784 TempEgchat.exe
784 TempEgchat.exe

pid	process
784	TempEgchat.exe
784	TempEgchat.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

7265329c7d297c83cd51f0aeef53fc6936edfad2fdf18389d2f52b23ea2bac74.exeTempEgchat.exe

description	pid	process	target process
PID 1592 wrote to memory of 580	1592	7265329c7d297c83cd51f0aeef53fc6936edfad2fdf18389d2f52b23ea2bac74.exe	TempEgchatinstaller.exe
PID 1592 wrote to memory of 580	1592	7265329c7d297c83cd51f0aeef53fc6936edfad2fdf18389d2f52b23ea2bac74.exe	TempEgchatinstaller.exe
PID 1592 wrote to memory of 580	1592	7265329c7d297c83cd51f0aeef53fc6936edfad2fdf18389d2f52b23ea2bac74.exe	TempEgchatinstaller.exe
PID 1592 wrote to memory of 580	1592	7265329c7d297c83cd51f0aeef53fc6936edfad2fdf18389d2f52b23ea2bac74.exe	TempEgchatinstaller.exe
PID 1592 wrote to memory of 580	1592	7265329c7d297c83cd51f0aeef53fc6936edfad2fdf18389d2f52b23ea2bac74.exe	TempEgchatinstaller.exe
PID 1592 wrote to memory of 580	1592	7265329c7d297c83cd51f0aeef53fc6936edfad2fdf18389d2f52b23ea2bac74.exe	TempEgchatinstaller.exe
PID 1592 wrote to memory of 580	1592	7265329c7d297c83cd51f0aeef53fc6936edfad2fdf18389d2f52b23ea2bac74.exe	TempEgchatinstaller.exe
PID 1592 wrote to memory of 784	1592	7265329c7d297c83cd51f0aeef53fc6936edfad2fdf18389d2f52b23ea2bac74.exe	TempEgchat.exe
PID 1592 wrote to memory of 784	1592	7265329c7d297c83cd51f0aeef53fc6936edfad2fdf18389d2f52b23ea2bac74.exe	TempEgchat.exe
PID 1592 wrote to memory of 784	1592	7265329c7d297c83cd51f0aeef53fc6936edfad2fdf18389d2f52b23ea2bac74.exe	TempEgchat.exe
PID 1592 wrote to memory of 784	1592	7265329c7d297c83cd51f0aeef53fc6936edfad2fdf18389d2f52b23ea2bac74.exe	TempEgchat.exe
PID 784 wrote to memory of 2008	784	TempEgchat.exe	system.exe
PID 784 wrote to memory of 2008	784	TempEgchat.exe	system.exe
PID 784 wrote to memory of 2008	784	TempEgchat.exe	system.exe

C:\Users\Admin\AppData\Local\Temp\7265329c7d297c83cd51f0aeef53fc6936edfad2fdf18389d2f52b23ea2bac74.exe
"C:\Users\Admin\AppData\Local\Temp\7265329c7d297c83cd51f0aeef53fc6936edfad2fdf18389d2f52b23ea2bac74.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1592

C:\Users\Admin\AppData\Local\TempEgchatinstaller.exe
"C:\Users\Admin\AppData\Local\TempEgchatinstaller.exe"
2⤵
- Executes dropped EXE
PID:580

C:\Users\Admin\AppData\Local\TempEgchat.exe
"C:\Users\Admin\AppData\Local\TempEgchat.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:784

C:\Users\Admin\AppData\Local\Temp\system.exe
"C:\Users\Admin\AppData\Local\Temp\system.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempEgchat.exe
MD5
acf5abe9f9a399a73736f0cbf2e19f4e

SHA1
3f165e2b44ceaad50da8745374c57b500525b2de

SHA256
130a75085b8e38c0b0e3e95b74d08daca3e939506093f497206a8c250c0576fc

SHA512
9154073672b45db52a856eda3d9f43c9591f3d00633fc27ef526249d2679f2cc9c38a1d5b95ac8b375ff7ca7ac531281b084a31405a77d09047302337df4aadd

Download Submit
C:\Users\Admin\AppData\Local\TempEgchat.exe
MD5
acf5abe9f9a399a73736f0cbf2e19f4e

SHA1
3f165e2b44ceaad50da8745374c57b500525b2de

SHA256
130a75085b8e38c0b0e3e95b74d08daca3e939506093f497206a8c250c0576fc

SHA512
9154073672b45db52a856eda3d9f43c9591f3d00633fc27ef526249d2679f2cc9c38a1d5b95ac8b375ff7ca7ac531281b084a31405a77d09047302337df4aadd

Download Submit
C:\Users\Admin\AppData\Local\TempEgchatinstaller.exe
MD5
49e3abb74f368861ee8932a9defb3c2f

SHA1
8d27296bd6ca161b5720c21dccd4704f07acdce2

SHA256
07d69dba565a84ea99a9c2616831f855fe253a4016d1bd55661d952e4a380b7b

SHA512
d2b571f1c67fd9875e5f45faf8846b15bab8bb1481070d617b9305011379cd5a51ca012efa093bf84ace84678297487d8d1a46bbf94117c5a7ce06afc3ec75d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\system.exe
MD5
233c3f4734867b89f5de8679d1217c40

SHA1
f1c98bfe9537b32c9d4ca1ebfc304cb9e2aab3a2

SHA256
7af598d30c386d9cd170463b6340142809feb3d3109943f0fb7b60a0651ee282

SHA512
d267c022c73e7e8ec5ae0dee0837a7fceb2ddfe1d895563a2c6a6d22bc62a87e4cc7e1ec648b4689fe842679213f0f82328b3a623a6e79aef9832dbfb1cc0379

Download Submit
C:\Users\Admin\AppData\Local\Temp\system.exe
MD5
233c3f4734867b89f5de8679d1217c40

SHA1
f1c98bfe9537b32c9d4ca1ebfc304cb9e2aab3a2

SHA256
7af598d30c386d9cd170463b6340142809feb3d3109943f0fb7b60a0651ee282

SHA512
d267c022c73e7e8ec5ae0dee0837a7fceb2ddfe1d895563a2c6a6d22bc62a87e4cc7e1ec648b4689fe842679213f0f82328b3a623a6e79aef9832dbfb1cc0379

Download Submit
\Users\Admin\AppData\Local\TempEgchat.exe
MD5
acf5abe9f9a399a73736f0cbf2e19f4e

SHA1
3f165e2b44ceaad50da8745374c57b500525b2de

SHA256
130a75085b8e38c0b0e3e95b74d08daca3e939506093f497206a8c250c0576fc

SHA512
9154073672b45db52a856eda3d9f43c9591f3d00633fc27ef526249d2679f2cc9c38a1d5b95ac8b375ff7ca7ac531281b084a31405a77d09047302337df4aadd

Download Submit
\Users\Admin\AppData\Local\TempEgchatinstaller.exe
MD5
49e3abb74f368861ee8932a9defb3c2f

SHA1
8d27296bd6ca161b5720c21dccd4704f07acdce2

SHA256
07d69dba565a84ea99a9c2616831f855fe253a4016d1bd55661d952e4a380b7b

SHA512
d2b571f1c67fd9875e5f45faf8846b15bab8bb1481070d617b9305011379cd5a51ca012efa093bf84ace84678297487d8d1a46bbf94117c5a7ce06afc3ec75d2

Download Submit
memory/580-63-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/784-65-0x00000000002B0000-0x0000000000480000-memory.dmp

Filesize
1.8MB

Download
memory/784-62-0x00000000002B0000-0x0000000000480000-memory.dmp

Filesize
1.8MB

Download
memory/784-77-0x00000000002B0000-0x0000000000480000-memory.dmp

Filesize
1.8MB

Download
memory/784-66-0x00000000002B0000-0x0000000000480000-memory.dmp

Filesize
1.8MB

Download
memory/784-67-0x00000000002B0000-0x0000000000480000-memory.dmp

Filesize
1.8MB

Download
memory/784-68-0x00000000002B0000-0x0000000000480000-memory.dmp

Filesize
1.8MB

Download
memory/784-69-0x00000000002B0000-0x0000000000480000-memory.dmp

Filesize
1.8MB

Download
memory/784-64-0x000007FEF2E00000-0x000007FEF3E96000-memory.dmp

Filesize
16.6MB

Download
memory/784-76-0x00000000002B0000-0x0000000000480000-memory.dmp

Filesize
1.8MB

Download
memory/784-75-0x00000000002B0000-0x0000000000480000-memory.dmp

Filesize
1.8MB

Download
memory/784-73-0x00000000002B0000-0x0000000000480000-memory.dmp

Filesize
1.8MB

Download
memory/1592-60-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1592-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/2008-72-0x0000000002010000-0x0000000002012000-memory.dmp

Filesize
8KB

Download
memory/2008-74-0x000007FEF2E00000-0x000007FEF3E96000-memory.dmp

Filesize
16.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads