njrat | 962581f03da790ea95f491ef6e35ee153e9dd6d0eb747ea4c87751055bfa2d7e

General

Target

962581f03da790ea95f491ef6e35ee153e9dd6d0eb747ea4c87751055bfa2d7e.exe
Size

389KB
MD5

d273c19060deb3a5ae75a440955a8522
SHA1

605d95c1eaa7e2e439c154075f96cc4d34d0d082
SHA256

962581f03da790ea95f491ef6e35ee153e9dd6d0eb747ea4c87751055bfa2d7e
SHA512

3371db70647a629ee8f8bf5eb466bcf6f1a8d3fe21e567c614b8b96029b9d1766ca0790d9dfc3e85cf2b81ad2c089f7c0516913183edc7a9f8c0a1b32edf9a24

Score

10^/10

njrat agilenet persistence trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

DefenderUpdateAnalyse.exeDefenderUpdateAnalyse.exe

pid process

544 DefenderUpdateAnalyse.exe
1348 DefenderUpdateAnalyse.exe

pid	process
544	DefenderUpdateAnalyse.exe
1348	DefenderUpdateAnalyse.exe

Drops startup file 2 IoCs

Processes:

DefenderUpdateAnalyse.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DefenderUpdateAnalyse.exe	DefenderUpdateAnalyse.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DefenderUpdateAnalyse.exe	DefenderUpdateAnalyse.exe

Loads dropped DLL 2 IoCs

Processes:

962581f03da790ea95f491ef6e35ee153e9dd6d0eb747ea4c87751055bfa2d7e.exeDefenderUpdateAnalyse.exe

pid process

1820 962581f03da790ea95f491ef6e35ee153e9dd6d0eb747ea4c87751055bfa2d7e.exe
544 DefenderUpdateAnalyse.exe

pid	process
1820	962581f03da790ea95f491ef6e35ee153e9dd6d0eb747ea4c87751055bfa2d7e.exe
544	DefenderUpdateAnalyse.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/2044-59-0x0000000000230000-0x000000000023A000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

DefenderUpdateAnalyse.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\DefenderUpdateAnalyse.exe = "\"C:\\ProgramData\\DefenderUpdateAnalyse.exe\" .."	DefenderUpdateAnalyse.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DefenderUpdateAnalyse.exe = "\"C:\\ProgramData\\DefenderUpdateAnalyse.exe\" .."	DefenderUpdateAnalyse.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

962581f03da790ea95f491ef6e35ee153e9dd6d0eb747ea4c87751055bfa2d7e.exeDefenderUpdateAnalyse.exe

description	pid	process	target process
PID 2044 set thread context of 1820	2044	962581f03da790ea95f491ef6e35ee153e9dd6d0eb747ea4c87751055bfa2d7e.exe	962581f03da790ea95f491ef6e35ee153e9dd6d0eb747ea4c87751055bfa2d7e.exe
PID 544 set thread context of 1348	544	DefenderUpdateAnalyse.exe	DefenderUpdateAnalyse.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

962581f03da790ea95f491ef6e35ee153e9dd6d0eb747ea4c87751055bfa2d7e.exeDefenderUpdateAnalyse.exeDefenderUpdateAnalyse.exe

description	pid	process
Token: SeDebugPrivilege	2044	962581f03da790ea95f491ef6e35ee153e9dd6d0eb747ea4c87751055bfa2d7e.exe
Token: 33	2044	962581f03da790ea95f491ef6e35ee153e9dd6d0eb747ea4c87751055bfa2d7e.exe
Token: SeIncBasePriorityPrivilege	2044	962581f03da790ea95f491ef6e35ee153e9dd6d0eb747ea4c87751055bfa2d7e.exe
Token: SeDebugPrivilege	544	DefenderUpdateAnalyse.exe
Token: 33	544	DefenderUpdateAnalyse.exe
Token: SeIncBasePriorityPrivilege	544	DefenderUpdateAnalyse.exe
Token: SeDebugPrivilege	1348	DefenderUpdateAnalyse.exe
Token: 33	1348	DefenderUpdateAnalyse.exe
Token: SeIncBasePriorityPrivilege	1348	DefenderUpdateAnalyse.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

962581f03da790ea95f491ef6e35ee153e9dd6d0eb747ea4c87751055bfa2d7e.exe962581f03da790ea95f491ef6e35ee153e9dd6d0eb747ea4c87751055bfa2d7e.exeDefenderUpdateAnalyse.exe

description	pid	process	target process
PID 2044 wrote to memory of 1820	2044	962581f03da790ea95f491ef6e35ee153e9dd6d0eb747ea4c87751055bfa2d7e.exe	962581f03da790ea95f491ef6e35ee153e9dd6d0eb747ea4c87751055bfa2d7e.exe
PID 2044 wrote to memory of 1820	2044	962581f03da790ea95f491ef6e35ee153e9dd6d0eb747ea4c87751055bfa2d7e.exe	962581f03da790ea95f491ef6e35ee153e9dd6d0eb747ea4c87751055bfa2d7e.exe
PID 2044 wrote to memory of 1820	2044	962581f03da790ea95f491ef6e35ee153e9dd6d0eb747ea4c87751055bfa2d7e.exe	962581f03da790ea95f491ef6e35ee153e9dd6d0eb747ea4c87751055bfa2d7e.exe
PID 2044 wrote to memory of 1820	2044	962581f03da790ea95f491ef6e35ee153e9dd6d0eb747ea4c87751055bfa2d7e.exe	962581f03da790ea95f491ef6e35ee153e9dd6d0eb747ea4c87751055bfa2d7e.exe
PID 2044 wrote to memory of 1820	2044	962581f03da790ea95f491ef6e35ee153e9dd6d0eb747ea4c87751055bfa2d7e.exe	962581f03da790ea95f491ef6e35ee153e9dd6d0eb747ea4c87751055bfa2d7e.exe
PID 2044 wrote to memory of 1820	2044	962581f03da790ea95f491ef6e35ee153e9dd6d0eb747ea4c87751055bfa2d7e.exe	962581f03da790ea95f491ef6e35ee153e9dd6d0eb747ea4c87751055bfa2d7e.exe
PID 2044 wrote to memory of 1820	2044	962581f03da790ea95f491ef6e35ee153e9dd6d0eb747ea4c87751055bfa2d7e.exe	962581f03da790ea95f491ef6e35ee153e9dd6d0eb747ea4c87751055bfa2d7e.exe
PID 2044 wrote to memory of 1820	2044	962581f03da790ea95f491ef6e35ee153e9dd6d0eb747ea4c87751055bfa2d7e.exe	962581f03da790ea95f491ef6e35ee153e9dd6d0eb747ea4c87751055bfa2d7e.exe
PID 2044 wrote to memory of 1820	2044	962581f03da790ea95f491ef6e35ee153e9dd6d0eb747ea4c87751055bfa2d7e.exe	962581f03da790ea95f491ef6e35ee153e9dd6d0eb747ea4c87751055bfa2d7e.exe
PID 2044 wrote to memory of 1820	2044	962581f03da790ea95f491ef6e35ee153e9dd6d0eb747ea4c87751055bfa2d7e.exe	962581f03da790ea95f491ef6e35ee153e9dd6d0eb747ea4c87751055bfa2d7e.exe
PID 1820 wrote to memory of 544	1820	962581f03da790ea95f491ef6e35ee153e9dd6d0eb747ea4c87751055bfa2d7e.exe	DefenderUpdateAnalyse.exe
PID 1820 wrote to memory of 544	1820	962581f03da790ea95f491ef6e35ee153e9dd6d0eb747ea4c87751055bfa2d7e.exe	DefenderUpdateAnalyse.exe
PID 1820 wrote to memory of 544	1820	962581f03da790ea95f491ef6e35ee153e9dd6d0eb747ea4c87751055bfa2d7e.exe	DefenderUpdateAnalyse.exe
PID 1820 wrote to memory of 544	1820	962581f03da790ea95f491ef6e35ee153e9dd6d0eb747ea4c87751055bfa2d7e.exe	DefenderUpdateAnalyse.exe
PID 1820 wrote to memory of 544	1820	962581f03da790ea95f491ef6e35ee153e9dd6d0eb747ea4c87751055bfa2d7e.exe	DefenderUpdateAnalyse.exe
PID 1820 wrote to memory of 544	1820	962581f03da790ea95f491ef6e35ee153e9dd6d0eb747ea4c87751055bfa2d7e.exe	DefenderUpdateAnalyse.exe
PID 1820 wrote to memory of 544	1820	962581f03da790ea95f491ef6e35ee153e9dd6d0eb747ea4c87751055bfa2d7e.exe	DefenderUpdateAnalyse.exe
PID 544 wrote to memory of 1348	544	DefenderUpdateAnalyse.exe	DefenderUpdateAnalyse.exe
PID 544 wrote to memory of 1348	544	DefenderUpdateAnalyse.exe	DefenderUpdateAnalyse.exe
PID 544 wrote to memory of 1348	544	DefenderUpdateAnalyse.exe	DefenderUpdateAnalyse.exe
PID 544 wrote to memory of 1348	544	DefenderUpdateAnalyse.exe	DefenderUpdateAnalyse.exe
PID 544 wrote to memory of 1348	544	DefenderUpdateAnalyse.exe	DefenderUpdateAnalyse.exe
PID 544 wrote to memory of 1348	544	DefenderUpdateAnalyse.exe	DefenderUpdateAnalyse.exe
PID 544 wrote to memory of 1348	544	DefenderUpdateAnalyse.exe	DefenderUpdateAnalyse.exe
PID 544 wrote to memory of 1348	544	DefenderUpdateAnalyse.exe	DefenderUpdateAnalyse.exe
PID 544 wrote to memory of 1348	544	DefenderUpdateAnalyse.exe	DefenderUpdateAnalyse.exe
PID 544 wrote to memory of 1348	544	DefenderUpdateAnalyse.exe	DefenderUpdateAnalyse.exe
PID 544 wrote to memory of 1348	544	DefenderUpdateAnalyse.exe	DefenderUpdateAnalyse.exe
PID 544 wrote to memory of 1348	544	DefenderUpdateAnalyse.exe	DefenderUpdateAnalyse.exe
PID 544 wrote to memory of 1348	544	DefenderUpdateAnalyse.exe	DefenderUpdateAnalyse.exe

C:\Users\Admin\AppData\Local\Temp\962581f03da790ea95f491ef6e35ee153e9dd6d0eb747ea4c87751055bfa2d7e.exe
"C:\Users\Admin\AppData\Local\Temp\962581f03da790ea95f491ef6e35ee153e9dd6d0eb747ea4c87751055bfa2d7e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044

C:\Users\Admin\AppData\Local\Temp\962581f03da790ea95f491ef6e35ee153e9dd6d0eb747ea4c87751055bfa2d7e.exe
"C:\Users\Admin\AppData\Local\Temp\962581f03da790ea95f491ef6e35ee153e9dd6d0eb747ea4c87751055bfa2d7e.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1820

C:\ProgramData\DefenderUpdateAnalyse.exe
"C:\ProgramData\DefenderUpdateAnalyse.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:544

C:\ProgramData\DefenderUpdateAnalyse.exe
"C:\ProgramData\DefenderUpdateAnalyse.exe"
4⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1348

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DefenderUpdateAnalyse.exe
Filesize
389KB

MD5
d273c19060deb3a5ae75a440955a8522

SHA1
605d95c1eaa7e2e439c154075f96cc4d34d0d082

SHA256
962581f03da790ea95f491ef6e35ee153e9dd6d0eb747ea4c87751055bfa2d7e

SHA512
3371db70647a629ee8f8bf5eb466bcf6f1a8d3fe21e567c614b8b96029b9d1766ca0790d9dfc3e85cf2b81ad2c089f7c0516913183edc7a9f8c0a1b32edf9a24

Download Submit
C:\ProgramData\DefenderUpdateAnalyse.exe
Filesize
389KB

MD5
d273c19060deb3a5ae75a440955a8522

SHA1
605d95c1eaa7e2e439c154075f96cc4d34d0d082

SHA256
962581f03da790ea95f491ef6e35ee153e9dd6d0eb747ea4c87751055bfa2d7e

SHA512
3371db70647a629ee8f8bf5eb466bcf6f1a8d3fe21e567c614b8b96029b9d1766ca0790d9dfc3e85cf2b81ad2c089f7c0516913183edc7a9f8c0a1b32edf9a24

Download Submit
C:\ProgramData\DefenderUpdateAnalyse.exe
Filesize
389KB

MD5
d273c19060deb3a5ae75a440955a8522

SHA1
605d95c1eaa7e2e439c154075f96cc4d34d0d082

SHA256
962581f03da790ea95f491ef6e35ee153e9dd6d0eb747ea4c87751055bfa2d7e

SHA512
3371db70647a629ee8f8bf5eb466bcf6f1a8d3fe21e567c614b8b96029b9d1766ca0790d9dfc3e85cf2b81ad2c089f7c0516913183edc7a9f8c0a1b32edf9a24

Download Submit
\ProgramData\DefenderUpdateAnalyse.exe
Filesize
389KB

MD5
d273c19060deb3a5ae75a440955a8522

SHA1
605d95c1eaa7e2e439c154075f96cc4d34d0d082

SHA256
962581f03da790ea95f491ef6e35ee153e9dd6d0eb747ea4c87751055bfa2d7e

SHA512
3371db70647a629ee8f8bf5eb466bcf6f1a8d3fe21e567c614b8b96029b9d1766ca0790d9dfc3e85cf2b81ad2c089f7c0516913183edc7a9f8c0a1b32edf9a24

Download Submit
\ProgramData\DefenderUpdateAnalyse.exe
Filesize
389KB

MD5
d273c19060deb3a5ae75a440955a8522

SHA1
605d95c1eaa7e2e439c154075f96cc4d34d0d082

SHA256
962581f03da790ea95f491ef6e35ee153e9dd6d0eb747ea4c87751055bfa2d7e

SHA512
3371db70647a629ee8f8bf5eb466bcf6f1a8d3fe21e567c614b8b96029b9d1766ca0790d9dfc3e85cf2b81ad2c089f7c0516913183edc7a9f8c0a1b32edf9a24

Download Submit
memory/544-355-0x0000000000320000-0x000000000038C000-memory.dmp

Filesize
432KB

Download
memory/544-352-0x0000000000000000-mapping.dmp

Download
memory/1348-364-0x000000000042A5DE-mapping.dmp

Download
memory/1820-83-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1820-99-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1820-65-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1820-66-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1820-67-0x000000000042A5DE-mapping.dmp

Download
memory/1820-69-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1820-71-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1820-73-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1820-75-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1820-77-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1820-79-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1820-81-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1820-87-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1820-85-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1820-89-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1820-91-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1820-60-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1820-95-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1820-97-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1820-93-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1820-101-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1820-64-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1820-105-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1820-103-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1820-109-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1820-107-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1820-111-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1820-113-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1820-117-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1820-119-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1820-115-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1820-121-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1820-123-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1820-63-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1820-61-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2044-54-0x0000000000F90000-0x0000000000FFC000-memory.dmp

Filesize
432KB

Download
memory/2044-59-0x0000000000230000-0x000000000023A000-memory.dmp

Filesize
40KB

Download
memory/2044-58-0x0000000000280000-0x0000000000288000-memory.dmp

Filesize
32KB

Download
memory/2044-57-0x0000000000200000-0x000000000020E000-memory.dmp

Filesize
56KB

Download
memory/2044-56-0x0000000000B00000-0x0000000000B30000-memory.dmp

Filesize
192KB

Download
memory/2044-55-0x0000000000690000-0x00000000006C6000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads