njrat | 442c39a249ad383a205d0f9d8c556f6fe5f7bb1413e5c3f5617a1596b1510dcb

General

Target

442c39a249ad383a205d0f9d8c556f6fe5f7bb1413e5c3f5617a1596b1510dcb.exe
Size

163KB
MD5

1bb3a15bc1792ea6c8af97d449ed0c79
SHA1

d60dbc9a663b0c8ce2baa8f7e65bdcf94e09718e
SHA256

442c39a249ad383a205d0f9d8c556f6fe5f7bb1413e5c3f5617a1596b1510dcb
SHA512

41791476348a5c8095e293d86ef174126101d2ad8fc0c7f80ed8d67eb4997a30fbc54327224f1572ebcd39bd1ef8c739b5c0ae35a9fed72f2254d6f25ce9d315

Score

10^/10

njrat evasion persistence trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

svshost.exe

pid process

3296 svshost.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
3296	svshost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svshost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\31e55e6e61dc932a780ed54414817c19 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svshost.exe\" .."	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\31e55e6e61dc932a780ed54414817c19 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svshost.exe\" .."	svshost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

svshost.exe

description	pid	process
Token: SeDebugPrivilege	3296	svshost.exe
Token: 33	3296	svshost.exe
Token: SeIncBasePriorityPrivilege	3296	svshost.exe
Token: 33	3296	svshost.exe
Token: SeIncBasePriorityPrivilege	3296	svshost.exe
Token: 33	3296	svshost.exe
Token: SeIncBasePriorityPrivilege	3296	svshost.exe
Token: 33	3296	svshost.exe
Token: SeIncBasePriorityPrivilege	3296	svshost.exe
Token: 33	3296	svshost.exe
Token: SeIncBasePriorityPrivilege	3296	svshost.exe
Token: 33	3296	svshost.exe
Token: SeIncBasePriorityPrivilege	3296	svshost.exe
Token: 33	3296	svshost.exe
Token: SeIncBasePriorityPrivilege	3296	svshost.exe
Token: 33	3296	svshost.exe
Token: SeIncBasePriorityPrivilege	3296	svshost.exe
Token: 33	3296	svshost.exe
Token: SeIncBasePriorityPrivilege	3296	svshost.exe
Token: 33	3296	svshost.exe
Token: SeIncBasePriorityPrivilege	3296	svshost.exe
Token: 33	3296	svshost.exe
Token: SeIncBasePriorityPrivilege	3296	svshost.exe
Token: 33	3296	svshost.exe
Token: SeIncBasePriorityPrivilege	3296	svshost.exe
Token: 33	3296	svshost.exe
Token: SeIncBasePriorityPrivilege	3296	svshost.exe
Token: 33	3296	svshost.exe
Token: SeIncBasePriorityPrivilege	3296	svshost.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

442c39a249ad383a205d0f9d8c556f6fe5f7bb1413e5c3f5617a1596b1510dcb.exesvshost.exe

description	pid	process	target process
PID 2828 wrote to memory of 3296	2828	442c39a249ad383a205d0f9d8c556f6fe5f7bb1413e5c3f5617a1596b1510dcb.exe	svshost.exe
PID 2828 wrote to memory of 3296	2828	442c39a249ad383a205d0f9d8c556f6fe5f7bb1413e5c3f5617a1596b1510dcb.exe	svshost.exe
PID 3296 wrote to memory of 1872	3296	svshost.exe	netsh.exe
PID 3296 wrote to memory of 1872	3296	svshost.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\442c39a249ad383a205d0f9d8c556f6fe5f7bb1413e5c3f5617a1596b1510dcb.exe
"C:\Users\Admin\AppData\Local\Temp\442c39a249ad383a205d0f9d8c556f6fe5f7bb1413e5c3f5617a1596b1510dcb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Users\Admin\AppData\Roaming\svshost.exe
  "C:\Users\Admin\AppData\Roaming\svshost.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3296
- - C:\Windows\SYSTEM32\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svshost.exe" "svshost.exe" ENABLE
    3⤵
    PID:1872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\svshost.exe

MD5
1bb3a15bc1792ea6c8af97d449ed0c79

SHA1
d60dbc9a663b0c8ce2baa8f7e65bdcf94e09718e

SHA256
442c39a249ad383a205d0f9d8c556f6fe5f7bb1413e5c3f5617a1596b1510dcb

SHA512
41791476348a5c8095e293d86ef174126101d2ad8fc0c7f80ed8d67eb4997a30fbc54327224f1572ebcd39bd1ef8c739b5c0ae35a9fed72f2254d6f25ce9d315

Download Submit
C:\Users\Admin\AppData\Roaming\svshost.exe

MD5
1bb3a15bc1792ea6c8af97d449ed0c79

SHA1
d60dbc9a663b0c8ce2baa8f7e65bdcf94e09718e

SHA256
442c39a249ad383a205d0f9d8c556f6fe5f7bb1413e5c3f5617a1596b1510dcb

SHA512
41791476348a5c8095e293d86ef174126101d2ad8fc0c7f80ed8d67eb4997a30fbc54327224f1572ebcd39bd1ef8c739b5c0ae35a9fed72f2254d6f25ce9d315

Download Submit
memory/2828-119-0x0000000001090000-0x0000000001092000-memory.dmp

Filesize
8KB

Download
memory/2828-121-0x0000000001092000-0x0000000001094000-memory.dmp

Filesize
8KB

Download
memory/2828-122-0x0000000001094000-0x0000000001095000-memory.dmp

Filesize
4KB

Download
memory/3296-125-0x0000000000FF0000-0x0000000000FF2000-memory.dmp

Filesize
8KB

Download
memory/3296-127-0x0000000000FF2000-0x0000000000FF4000-memory.dmp

Filesize
8KB

Download
memory/3296-128-0x0000000000FF4000-0x0000000000FF5000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads