njrat | b1124ee47ce6a5bb4750b45d1d93f0c740ebda59fca7f1ee5b3d17ea2613d786

General

Target

b1124ee47ce6a5bb4750b45d1d93f0c740ebda59fca7f1ee5b3d17ea2613d786.exe
Size

29KB
MD5

a99137353ba10ea6308a00dbf9010dd1
SHA1

7ed1334e8c33518e941ae230e0ed2cb1c94b4b53
SHA256

b1124ee47ce6a5bb4750b45d1d93f0c740ebda59fca7f1ee5b3d17ea2613d786
SHA512

563b320037609b4629bf5e584860e0a1f44c78c4696cd5befd2ba3985a672f6fa140302457c77c360439052f254000e7baabd0c7079204806fba0ebe067d7855

Score

10^/10

njrat person evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

Person

C2

127.0.0.1:456

Mutex

dae31c02cb06222e776b9ccb9207edb1

Attributes

reg_key
dae31c02cb06222e776b9ccb9207edb1
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

system.exe

pid process

520 system.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Loads dropped DLL 1 IoCs

Processes:

b1124ee47ce6a5bb4750b45d1d93f0c740ebda59fca7f1ee5b3d17ea2613d786.exe

pid process

1540 b1124ee47ce6a5bb4750b45d1d93f0c740ebda59fca7f1ee5b3d17ea2613d786.exe

pid	process
1540	b1124ee47ce6a5bb4750b45d1d93f0c740ebda59fca7f1ee5b3d17ea2613d786.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

system.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\dae31c02cb06222e776b9ccb9207edb1 = "\"C:\\Users\\Admin\\AppData\\Roaming\\system.exe\" .."	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dae31c02cb06222e776b9ccb9207edb1 = "\"C:\\Users\\Admin\\AppData\\Roaming\\system.exe\" .."	system.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

system.exe

pid	process
520	system.exe
520	system.exe
520	system.exe
520	system.exe
520	system.exe
520	system.exe
520	system.exe
520	system.exe
520	system.exe
520	system.exe
520	system.exe
520	system.exe
520	system.exe
520	system.exe
520	system.exe
520	system.exe
520	system.exe
520	system.exe
520	system.exe
520	system.exe
520	system.exe
520	system.exe
520	system.exe
520	system.exe
520	system.exe
520	system.exe
520	system.exe
520	system.exe
520	system.exe
520	system.exe
520	system.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

system.exe

description pid process

Token: SeDebugPrivilege 520 system.exe

description	pid	process
Token: SeDebugPrivilege	520	system.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

b1124ee47ce6a5bb4750b45d1d93f0c740ebda59fca7f1ee5b3d17ea2613d786.exesystem.exe

description	pid	process	target process
PID 1540 wrote to memory of 520	1540	b1124ee47ce6a5bb4750b45d1d93f0c740ebda59fca7f1ee5b3d17ea2613d786.exe	system.exe
PID 1540 wrote to memory of 520	1540	b1124ee47ce6a5bb4750b45d1d93f0c740ebda59fca7f1ee5b3d17ea2613d786.exe	system.exe
PID 1540 wrote to memory of 520	1540	b1124ee47ce6a5bb4750b45d1d93f0c740ebda59fca7f1ee5b3d17ea2613d786.exe	system.exe
PID 1540 wrote to memory of 520	1540	b1124ee47ce6a5bb4750b45d1d93f0c740ebda59fca7f1ee5b3d17ea2613d786.exe	system.exe
PID 520 wrote to memory of 872	520	system.exe	netsh.exe
PID 520 wrote to memory of 872	520	system.exe	netsh.exe
PID 520 wrote to memory of 872	520	system.exe	netsh.exe
PID 520 wrote to memory of 872	520	system.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\b1124ee47ce6a5bb4750b45d1d93f0c740ebda59fca7f1ee5b3d17ea2613d786.exe
"C:\Users\Admin\AppData\Local\Temp\b1124ee47ce6a5bb4750b45d1d93f0c740ebda59fca7f1ee5b3d17ea2613d786.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1540

C:\Users\Admin\AppData\Roaming\system.exe
"C:\Users\Admin\AppData\Roaming\system.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\system.exe" "system.exe" ENABLE
3⤵
PID:872

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\system.exe
MD5
a99137353ba10ea6308a00dbf9010dd1

SHA1
7ed1334e8c33518e941ae230e0ed2cb1c94b4b53

SHA256
b1124ee47ce6a5bb4750b45d1d93f0c740ebda59fca7f1ee5b3d17ea2613d786

SHA512
563b320037609b4629bf5e584860e0a1f44c78c4696cd5befd2ba3985a672f6fa140302457c77c360439052f254000e7baabd0c7079204806fba0ebe067d7855

Download Submit
C:\Users\Admin\AppData\Roaming\system.exe
MD5
a99137353ba10ea6308a00dbf9010dd1

SHA1
7ed1334e8c33518e941ae230e0ed2cb1c94b4b53

SHA256
b1124ee47ce6a5bb4750b45d1d93f0c740ebda59fca7f1ee5b3d17ea2613d786

SHA512
563b320037609b4629bf5e584860e0a1f44c78c4696cd5befd2ba3985a672f6fa140302457c77c360439052f254000e7baabd0c7079204806fba0ebe067d7855

Download Submit
\Users\Admin\AppData\Roaming\system.exe
MD5
a99137353ba10ea6308a00dbf9010dd1

SHA1
7ed1334e8c33518e941ae230e0ed2cb1c94b4b53

SHA256
b1124ee47ce6a5bb4750b45d1d93f0c740ebda59fca7f1ee5b3d17ea2613d786

SHA512
563b320037609b4629bf5e584860e0a1f44c78c4696cd5befd2ba3985a672f6fa140302457c77c360439052f254000e7baabd0c7079204806fba0ebe067d7855

Download Submit
memory/520-60-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/520-62-0x00000000002A5000-0x00000000002B6000-memory.dmp

Filesize
68KB

Download
memory/1540-54-0x0000000075761000-0x0000000075763000-memory.dmp

Filesize
8KB

Download
memory/1540-55-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads