njrat | b9b5b3a7b54a8371ea07caf36d9ee8ee2f550b93f7824ab81e3561dbb3b2a480

General

Target

b9b5b3a7b54a8371ea07caf36d9ee8ee2f550b93f7824ab81e3561dbb3b2a480.exe
Size

31KB
MD5

1d4541fe04c3095df787b2814468077a
SHA1

885dc8dca0b1ceccb249a4980843a4b1875d1911
SHA256

b9b5b3a7b54a8371ea07caf36d9ee8ee2f550b93f7824ab81e3561dbb3b2a480
SHA512

af0f8b2ebd66c9aef7856180d39afab8a70167e3859fcc401156964da72c0940440cbc6aa9677b3163a094a384ff0654e3244d859758564476eedae14c447e73

Score

10^/10

njrat evasion persistence trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 2 IoCs

Processes:

b9b5b3a7b54a8371ea07caf36d9ee8ee2f550b93f7824ab81e3561dbb3b2a480.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\507778397b58d5082d538f5147cf0e72.exe	b9b5b3a7b54a8371ea07caf36d9ee8ee2f550b93f7824ab81e3561dbb3b2a480.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\507778397b58d5082d538f5147cf0e72.exe	b9b5b3a7b54a8371ea07caf36d9ee8ee2f550b93f7824ab81e3561dbb3b2a480.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b9b5b3a7b54a8371ea07caf36d9ee8ee2f550b93f7824ab81e3561dbb3b2a480.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\507778397b58d5082d538f5147cf0e72 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\b9b5b3a7b54a8371ea07caf36d9ee8ee2f550b93f7824ab81e3561dbb3b2a480.exe\" .."	b9b5b3a7b54a8371ea07caf36d9ee8ee2f550b93f7824ab81e3561dbb3b2a480.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\507778397b58d5082d538f5147cf0e72 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\b9b5b3a7b54a8371ea07caf36d9ee8ee2f550b93f7824ab81e3561dbb3b2a480.exe\" .."	b9b5b3a7b54a8371ea07caf36d9ee8ee2f550b93f7824ab81e3561dbb3b2a480.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

b9b5b3a7b54a8371ea07caf36d9ee8ee2f550b93f7824ab81e3561dbb3b2a480.exe

description	pid	process
Token: SeDebugPrivilege	4132	b9b5b3a7b54a8371ea07caf36d9ee8ee2f550b93f7824ab81e3561dbb3b2a480.exe
Token: 33	4132	b9b5b3a7b54a8371ea07caf36d9ee8ee2f550b93f7824ab81e3561dbb3b2a480.exe
Token: SeIncBasePriorityPrivilege	4132	b9b5b3a7b54a8371ea07caf36d9ee8ee2f550b93f7824ab81e3561dbb3b2a480.exe
Token: 33	4132	b9b5b3a7b54a8371ea07caf36d9ee8ee2f550b93f7824ab81e3561dbb3b2a480.exe
Token: SeIncBasePriorityPrivilege	4132	b9b5b3a7b54a8371ea07caf36d9ee8ee2f550b93f7824ab81e3561dbb3b2a480.exe
Token: 33	4132	b9b5b3a7b54a8371ea07caf36d9ee8ee2f550b93f7824ab81e3561dbb3b2a480.exe
Token: SeIncBasePriorityPrivilege	4132	b9b5b3a7b54a8371ea07caf36d9ee8ee2f550b93f7824ab81e3561dbb3b2a480.exe
Token: 33	4132	b9b5b3a7b54a8371ea07caf36d9ee8ee2f550b93f7824ab81e3561dbb3b2a480.exe
Token: SeIncBasePriorityPrivilege	4132	b9b5b3a7b54a8371ea07caf36d9ee8ee2f550b93f7824ab81e3561dbb3b2a480.exe
Token: 33	4132	b9b5b3a7b54a8371ea07caf36d9ee8ee2f550b93f7824ab81e3561dbb3b2a480.exe
Token: SeIncBasePriorityPrivilege	4132	b9b5b3a7b54a8371ea07caf36d9ee8ee2f550b93f7824ab81e3561dbb3b2a480.exe
Token: 33	4132	b9b5b3a7b54a8371ea07caf36d9ee8ee2f550b93f7824ab81e3561dbb3b2a480.exe
Token: SeIncBasePriorityPrivilege	4132	b9b5b3a7b54a8371ea07caf36d9ee8ee2f550b93f7824ab81e3561dbb3b2a480.exe
Token: 33	4132	b9b5b3a7b54a8371ea07caf36d9ee8ee2f550b93f7824ab81e3561dbb3b2a480.exe
Token: SeIncBasePriorityPrivilege	4132	b9b5b3a7b54a8371ea07caf36d9ee8ee2f550b93f7824ab81e3561dbb3b2a480.exe
Token: 33	4132	b9b5b3a7b54a8371ea07caf36d9ee8ee2f550b93f7824ab81e3561dbb3b2a480.exe
Token: SeIncBasePriorityPrivilege	4132	b9b5b3a7b54a8371ea07caf36d9ee8ee2f550b93f7824ab81e3561dbb3b2a480.exe
Token: 33	4132	b9b5b3a7b54a8371ea07caf36d9ee8ee2f550b93f7824ab81e3561dbb3b2a480.exe
Token: SeIncBasePriorityPrivilege	4132	b9b5b3a7b54a8371ea07caf36d9ee8ee2f550b93f7824ab81e3561dbb3b2a480.exe
Token: 33	4132	b9b5b3a7b54a8371ea07caf36d9ee8ee2f550b93f7824ab81e3561dbb3b2a480.exe
Token: SeIncBasePriorityPrivilege	4132	b9b5b3a7b54a8371ea07caf36d9ee8ee2f550b93f7824ab81e3561dbb3b2a480.exe
Token: 33	4132	b9b5b3a7b54a8371ea07caf36d9ee8ee2f550b93f7824ab81e3561dbb3b2a480.exe
Token: SeIncBasePriorityPrivilege	4132	b9b5b3a7b54a8371ea07caf36d9ee8ee2f550b93f7824ab81e3561dbb3b2a480.exe
Token: 33	4132	b9b5b3a7b54a8371ea07caf36d9ee8ee2f550b93f7824ab81e3561dbb3b2a480.exe
Token: SeIncBasePriorityPrivilege	4132	b9b5b3a7b54a8371ea07caf36d9ee8ee2f550b93f7824ab81e3561dbb3b2a480.exe
Token: 33	4132	b9b5b3a7b54a8371ea07caf36d9ee8ee2f550b93f7824ab81e3561dbb3b2a480.exe
Token: SeIncBasePriorityPrivilege	4132	b9b5b3a7b54a8371ea07caf36d9ee8ee2f550b93f7824ab81e3561dbb3b2a480.exe
Token: 33	4132	b9b5b3a7b54a8371ea07caf36d9ee8ee2f550b93f7824ab81e3561dbb3b2a480.exe
Token: SeIncBasePriorityPrivilege	4132	b9b5b3a7b54a8371ea07caf36d9ee8ee2f550b93f7824ab81e3561dbb3b2a480.exe
Token: 33	4132	b9b5b3a7b54a8371ea07caf36d9ee8ee2f550b93f7824ab81e3561dbb3b2a480.exe
Token: SeIncBasePriorityPrivilege	4132	b9b5b3a7b54a8371ea07caf36d9ee8ee2f550b93f7824ab81e3561dbb3b2a480.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

b9b5b3a7b54a8371ea07caf36d9ee8ee2f550b93f7824ab81e3561dbb3b2a480.exe

description	pid	process	target process
PID 4132 wrote to memory of 1988	4132	b9b5b3a7b54a8371ea07caf36d9ee8ee2f550b93f7824ab81e3561dbb3b2a480.exe	netsh.exe
PID 4132 wrote to memory of 1988	4132	b9b5b3a7b54a8371ea07caf36d9ee8ee2f550b93f7824ab81e3561dbb3b2a480.exe	netsh.exe
PID 4132 wrote to memory of 1988	4132	b9b5b3a7b54a8371ea07caf36d9ee8ee2f550b93f7824ab81e3561dbb3b2a480.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\b9b5b3a7b54a8371ea07caf36d9ee8ee2f550b93f7824ab81e3561dbb3b2a480.exe
"C:\Users\Admin\AppData\Local\Temp\b9b5b3a7b54a8371ea07caf36d9ee8ee2f550b93f7824ab81e3561dbb3b2a480.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4132
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\b9b5b3a7b54a8371ea07caf36d9ee8ee2f550b93f7824ab81e3561dbb3b2a480.exe" "b9b5b3a7b54a8371ea07caf36d9ee8ee2f550b93f7824ab81e3561dbb3b2a480.exe" ENABLE
  2⤵
  PID:1988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1988-131-0x0000000000000000-mapping.dmp

Download
memory/4132-130-0x0000000074D70000-0x0000000075321000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads