njrat | 7265329c7d297c83cd51f0aeef53fc6936edfad2fdf18389d2f52b23ea2bac74

General

Target

7265329c7d297c83cd51f0aeef53fc6936edfad2fdf18389d2f52b23ea2bac74.exe
Size

1.8MB
MD5

ce0f944b84b823e1267175d6b4f5cdbd
SHA1

d20e4bd150dd042620c288f856ac26743239e3fd
SHA256

7265329c7d297c83cd51f0aeef53fc6936edfad2fdf18389d2f52b23ea2bac74
SHA512

9320426b1f43b46675bc4255bc8615aca4f11a5d159991734b37ddecc2f0e8c79fe9f4a958961f4d1dea09177cb8886b3cbf9fd82a637b4467959727a4d306ae

Score

10^/10

njrat trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 3 IoCs

Processes:

TempEgchatinstaller.exeTempEgchat.exesystem.exe

pid process

3884 TempEgchatinstaller.exe
3712 TempEgchat.exe
1576 system.exe
Drops startup file 1 IoCs

Processes:

TempEgchat.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mysystem.lnk TempEgchat.exe

pid	process
3884	TempEgchatinstaller.exe
3712	TempEgchat.exe
1576	system.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mysystem.lnk	TempEgchat.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

7265329c7d297c83cd51f0aeef53fc6936edfad2fdf18389d2f52b23ea2bac74.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	7265329c7d297c83cd51f0aeef53fc6936edfad2fdf18389d2f52b23ea2bac74.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	7265329c7d297c83cd51f0aeef53fc6936edfad2fdf18389d2f52b23ea2bac74.exe

Drops file in Windows directory 3 IoCs

Processes:

7265329c7d297c83cd51f0aeef53fc6936edfad2fdf18389d2f52b23ea2bac74.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	7265329c7d297c83cd51f0aeef53fc6936edfad2fdf18389d2f52b23ea2bac74.exe
File created	C:\Windows\assembly\Desktop.ini	7265329c7d297c83cd51f0aeef53fc6936edfad2fdf18389d2f52b23ea2bac74.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	7265329c7d297c83cd51f0aeef53fc6936edfad2fdf18389d2f52b23ea2bac74.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

7265329c7d297c83cd51f0aeef53fc6936edfad2fdf18389d2f52b23ea2bac74.exeTempEgchat.exesystem.exe

description	pid	process
Token: SeDebugPrivilege	2632	7265329c7d297c83cd51f0aeef53fc6936edfad2fdf18389d2f52b23ea2bac74.exe
Token: 33	2632	7265329c7d297c83cd51f0aeef53fc6936edfad2fdf18389d2f52b23ea2bac74.exe
Token: SeIncBasePriorityPrivilege	2632	7265329c7d297c83cd51f0aeef53fc6936edfad2fdf18389d2f52b23ea2bac74.exe
Token: SeDebugPrivilege	3712	TempEgchat.exe
Token: 33	3712	TempEgchat.exe
Token: SeIncBasePriorityPrivilege	3712	TempEgchat.exe
Token: 33	3712	TempEgchat.exe
Token: SeIncBasePriorityPrivilege	3712	TempEgchat.exe
Token: 33	3712	TempEgchat.exe
Token: SeIncBasePriorityPrivilege	3712	TempEgchat.exe
Token: 33	3712	TempEgchat.exe
Token: SeIncBasePriorityPrivilege	3712	TempEgchat.exe
Token: SeDebugPrivilege	1576	system.exe
Token: 33	1576	system.exe
Token: SeIncBasePriorityPrivilege	1576	system.exe
Token: 33	1576	system.exe
Token: SeIncBasePriorityPrivilege	1576	system.exe
Token: 33	1576	system.exe
Token: SeIncBasePriorityPrivilege	1576	system.exe
Token: 33	1576	system.exe
Token: SeIncBasePriorityPrivilege	1576	system.exe
Token: 33	1576	system.exe
Token: SeIncBasePriorityPrivilege	1576	system.exe
Token: 33	1576	system.exe
Token: SeIncBasePriorityPrivilege	1576	system.exe
Token: 33	1576	system.exe
Token: SeIncBasePriorityPrivilege	1576	system.exe
Token: 33	1576	system.exe
Token: SeIncBasePriorityPrivilege	1576	system.exe
Token: 33	1576	system.exe
Token: SeIncBasePriorityPrivilege	1576	system.exe
Token: 33	1576	system.exe
Token: SeIncBasePriorityPrivilege	1576	system.exe
Token: 33	1576	system.exe
Token: SeIncBasePriorityPrivilege	1576	system.exe
Token: 33	1576	system.exe
Token: SeIncBasePriorityPrivilege	1576	system.exe
Token: 33	1576	system.exe
Token: SeIncBasePriorityPrivilege	1576	system.exe
Token: 33	1576	system.exe
Token: SeIncBasePriorityPrivilege	1576	system.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

TempEgchat.exe

pid process

3712 TempEgchat.exe
3712 TempEgchat.exe

pid	process
3712	TempEgchat.exe
3712	TempEgchat.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

7265329c7d297c83cd51f0aeef53fc6936edfad2fdf18389d2f52b23ea2bac74.exeTempEgchat.exe

description	pid	process	target process
PID 2632 wrote to memory of 3884	2632	7265329c7d297c83cd51f0aeef53fc6936edfad2fdf18389d2f52b23ea2bac74.exe	TempEgchatinstaller.exe
PID 2632 wrote to memory of 3884	2632	7265329c7d297c83cd51f0aeef53fc6936edfad2fdf18389d2f52b23ea2bac74.exe	TempEgchatinstaller.exe
PID 2632 wrote to memory of 3884	2632	7265329c7d297c83cd51f0aeef53fc6936edfad2fdf18389d2f52b23ea2bac74.exe	TempEgchatinstaller.exe
PID 2632 wrote to memory of 3712	2632	7265329c7d297c83cd51f0aeef53fc6936edfad2fdf18389d2f52b23ea2bac74.exe	TempEgchat.exe
PID 2632 wrote to memory of 3712	2632	7265329c7d297c83cd51f0aeef53fc6936edfad2fdf18389d2f52b23ea2bac74.exe	TempEgchat.exe
PID 3712 wrote to memory of 1576	3712	TempEgchat.exe	system.exe
PID 3712 wrote to memory of 1576	3712	TempEgchat.exe	system.exe

C:\Users\Admin\AppData\Local\Temp\7265329c7d297c83cd51f0aeef53fc6936edfad2fdf18389d2f52b23ea2bac74.exe
"C:\Users\Admin\AppData\Local\Temp\7265329c7d297c83cd51f0aeef53fc6936edfad2fdf18389d2f52b23ea2bac74.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2632

C:\Users\Admin\AppData\Local\TempEgchatinstaller.exe
"C:\Users\Admin\AppData\Local\TempEgchatinstaller.exe"
2⤵
- Executes dropped EXE
PID:3884

C:\Users\Admin\AppData\Local\TempEgchat.exe
"C:\Users\Admin\AppData\Local\TempEgchat.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3712

C:\Users\Admin\AppData\Local\Temp\system.exe
"C:\Users\Admin\AppData\Local\Temp\system.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1576

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempEgchat.exe
MD5
acf5abe9f9a399a73736f0cbf2e19f4e

SHA1
3f165e2b44ceaad50da8745374c57b500525b2de

SHA256
130a75085b8e38c0b0e3e95b74d08daca3e939506093f497206a8c250c0576fc

SHA512
9154073672b45db52a856eda3d9f43c9591f3d00633fc27ef526249d2679f2cc9c38a1d5b95ac8b375ff7ca7ac531281b084a31405a77d09047302337df4aadd

Download Submit
C:\Users\Admin\AppData\Local\TempEgchat.exe
MD5
acf5abe9f9a399a73736f0cbf2e19f4e

SHA1
3f165e2b44ceaad50da8745374c57b500525b2de

SHA256
130a75085b8e38c0b0e3e95b74d08daca3e939506093f497206a8c250c0576fc

SHA512
9154073672b45db52a856eda3d9f43c9591f3d00633fc27ef526249d2679f2cc9c38a1d5b95ac8b375ff7ca7ac531281b084a31405a77d09047302337df4aadd

Download Submit
C:\Users\Admin\AppData\Local\TempEgchatinstaller.exe
MD5
49e3abb74f368861ee8932a9defb3c2f

SHA1
8d27296bd6ca161b5720c21dccd4704f07acdce2

SHA256
07d69dba565a84ea99a9c2616831f855fe253a4016d1bd55661d952e4a380b7b

SHA512
d2b571f1c67fd9875e5f45faf8846b15bab8bb1481070d617b9305011379cd5a51ca012efa093bf84ace84678297487d8d1a46bbf94117c5a7ce06afc3ec75d2

Download Submit
C:\Users\Admin\AppData\Local\TempEgchatinstaller.exe
MD5
49e3abb74f368861ee8932a9defb3c2f

SHA1
8d27296bd6ca161b5720c21dccd4704f07acdce2

SHA256
07d69dba565a84ea99a9c2616831f855fe253a4016d1bd55661d952e4a380b7b

SHA512
d2b571f1c67fd9875e5f45faf8846b15bab8bb1481070d617b9305011379cd5a51ca012efa093bf84ace84678297487d8d1a46bbf94117c5a7ce06afc3ec75d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\system.exe
MD5
233c3f4734867b89f5de8679d1217c40

SHA1
f1c98bfe9537b32c9d4ca1ebfc304cb9e2aab3a2

SHA256
7af598d30c386d9cd170463b6340142809feb3d3109943f0fb7b60a0651ee282

SHA512
d267c022c73e7e8ec5ae0dee0837a7fceb2ddfe1d895563a2c6a6d22bc62a87e4cc7e1ec648b4689fe842679213f0f82328b3a623a6e79aef9832dbfb1cc0379

Download Submit
C:\Users\Admin\AppData\Local\Temp\system.exe
MD5
233c3f4734867b89f5de8679d1217c40

SHA1
f1c98bfe9537b32c9d4ca1ebfc304cb9e2aab3a2

SHA256
7af598d30c386d9cd170463b6340142809feb3d3109943f0fb7b60a0651ee282

SHA512
d267c022c73e7e8ec5ae0dee0837a7fceb2ddfe1d895563a2c6a6d22bc62a87e4cc7e1ec648b4689fe842679213f0f82328b3a623a6e79aef9832dbfb1cc0379

Download Submit
memory/1576-130-0x00000000024B0000-0x00000000024B2000-memory.dmp

Filesize
8KB

Download
memory/2632-119-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3712-131-0x000000001FE52000-0x000000001FE54000-memory.dmp

Filesize
8KB

Download
memory/3712-123-0x0000000002692000-0x0000000002694000-memory.dmp

Filesize
8KB

Download
memory/3712-126-0x0000000002696000-0x0000000002698000-memory.dmp

Filesize
8KB

Download
memory/3712-127-0x0000000002698000-0x000000000269A000-memory.dmp

Filesize
8KB

Download
memory/3712-125-0x0000000002695000-0x0000000002696000-memory.dmp

Filesize
4KB

Download
memory/3712-124-0x0000000002694000-0x0000000002695000-memory.dmp

Filesize
4KB

Download
memory/3712-121-0x0000000002690000-0x0000000002692000-memory.dmp

Filesize
8KB

Download
memory/3712-132-0x000000000269A000-0x000000000269F000-memory.dmp

Filesize
20KB

Download
memory/3712-133-0x000000001FE56000-0x000000001FE57000-memory.dmp

Filesize
4KB

Download
memory/3712-134-0x000000001FE57000-0x000000001FE58000-memory.dmp

Filesize
4KB

Download
memory/3712-136-0x000000001FE58000-0x000000001FE59000-memory.dmp

Filesize
4KB

Download
memory/3712-135-0x000000001FE50000-0x000000001FE52000-memory.dmp

Filesize
8KB

Download
memory/3884-120-0x0000000000830000-0x000000000097A000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads