njrat | b73fb41a78d5f93cc9baca9da7528f7e31772810832a1e062ac65da09ca44474

General

Target

b73fb41a78d5f93cc9baca9da7528f7e31772810832a1e062ac65da09ca44474.exe
Size

159KB
MD5

e2a7be7788bbe77180c5ca2a6c308530
SHA1

f682ac9bbb49e8e5e3b50bcdda276f7d219f3126
SHA256

b73fb41a78d5f93cc9baca9da7528f7e31772810832a1e062ac65da09ca44474
SHA512

f43325201ffced9e18132b92df6a22b70516355aa49c6e7ee4b1826ed17dc4e0bd47d5b49b253fed7bdd71a90ea1b8744ffc2dd5e7f455ac2a45e93e28d60308

Score

10^/10

njrat trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 3 IoCs

Processes:

svchostlime.exesvchostlime.exesvchostlime.exe

pid process

920 svchostlime.exe
1956 svchostlime.exe
648 svchostlime.exe
Loads dropped DLL 1 IoCs

Processes:

b73fb41a78d5f93cc9baca9da7528f7e31772810832a1e062ac65da09ca44474.exe

pid process

2024 b73fb41a78d5f93cc9baca9da7528f7e31772810832a1e062ac65da09ca44474.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1336 schtasks.exe
1660 schtasks.exe
1416 schtasks.exe
848 schtasks.exe

pid	process
920	svchostlime.exe
1956	svchostlime.exe
648	svchostlime.exe

pid	process
2024	b73fb41a78d5f93cc9baca9da7528f7e31772810832a1e062ac65da09ca44474.exe

pid	process
1336	schtasks.exe
1660	schtasks.exe
1416	schtasks.exe
848	schtasks.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

svchostlime.exe

description	pid	process
Token: SeDebugPrivilege	920	svchostlime.exe
Token: 33	920	svchostlime.exe
Token: SeIncBasePriorityPrivilege	920	svchostlime.exe
Token: 33	920	svchostlime.exe
Token: SeIncBasePriorityPrivilege	920	svchostlime.exe
Token: 33	920	svchostlime.exe
Token: SeIncBasePriorityPrivilege	920	svchostlime.exe
Token: 33	920	svchostlime.exe
Token: SeIncBasePriorityPrivilege	920	svchostlime.exe
Token: 33	920	svchostlime.exe
Token: SeIncBasePriorityPrivilege	920	svchostlime.exe
Token: 33	920	svchostlime.exe
Token: SeIncBasePriorityPrivilege	920	svchostlime.exe
Token: 33	920	svchostlime.exe
Token: SeIncBasePriorityPrivilege	920	svchostlime.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

b73fb41a78d5f93cc9baca9da7528f7e31772810832a1e062ac65da09ca44474.exesvchostlime.exetaskeng.exesvchostlime.exesvchostlime.exe

description	pid	process	target process
PID 2024 wrote to memory of 1404	2024	b73fb41a78d5f93cc9baca9da7528f7e31772810832a1e062ac65da09ca44474.exe	schtasks.exe
PID 2024 wrote to memory of 1404	2024	b73fb41a78d5f93cc9baca9da7528f7e31772810832a1e062ac65da09ca44474.exe	schtasks.exe
PID 2024 wrote to memory of 1404	2024	b73fb41a78d5f93cc9baca9da7528f7e31772810832a1e062ac65da09ca44474.exe	schtasks.exe
PID 2024 wrote to memory of 1404	2024	b73fb41a78d5f93cc9baca9da7528f7e31772810832a1e062ac65da09ca44474.exe	schtasks.exe
PID 2024 wrote to memory of 1416	2024	b73fb41a78d5f93cc9baca9da7528f7e31772810832a1e062ac65da09ca44474.exe	schtasks.exe
PID 2024 wrote to memory of 1416	2024	b73fb41a78d5f93cc9baca9da7528f7e31772810832a1e062ac65da09ca44474.exe	schtasks.exe
PID 2024 wrote to memory of 1416	2024	b73fb41a78d5f93cc9baca9da7528f7e31772810832a1e062ac65da09ca44474.exe	schtasks.exe
PID 2024 wrote to memory of 1416	2024	b73fb41a78d5f93cc9baca9da7528f7e31772810832a1e062ac65da09ca44474.exe	schtasks.exe
PID 2024 wrote to memory of 920	2024	b73fb41a78d5f93cc9baca9da7528f7e31772810832a1e062ac65da09ca44474.exe	svchostlime.exe
PID 2024 wrote to memory of 920	2024	b73fb41a78d5f93cc9baca9da7528f7e31772810832a1e062ac65da09ca44474.exe	svchostlime.exe
PID 2024 wrote to memory of 920	2024	b73fb41a78d5f93cc9baca9da7528f7e31772810832a1e062ac65da09ca44474.exe	svchostlime.exe
PID 2024 wrote to memory of 920	2024	b73fb41a78d5f93cc9baca9da7528f7e31772810832a1e062ac65da09ca44474.exe	svchostlime.exe
PID 920 wrote to memory of 1120	920	svchostlime.exe	schtasks.exe
PID 920 wrote to memory of 1120	920	svchostlime.exe	schtasks.exe
PID 920 wrote to memory of 1120	920	svchostlime.exe	schtasks.exe
PID 920 wrote to memory of 1120	920	svchostlime.exe	schtasks.exe
PID 920 wrote to memory of 848	920	svchostlime.exe	schtasks.exe
PID 920 wrote to memory of 848	920	svchostlime.exe	schtasks.exe
PID 920 wrote to memory of 848	920	svchostlime.exe	schtasks.exe
PID 920 wrote to memory of 848	920	svchostlime.exe	schtasks.exe
PID 1548 wrote to memory of 1956	1548	taskeng.exe	svchostlime.exe
PID 1548 wrote to memory of 1956	1548	taskeng.exe	svchostlime.exe
PID 1548 wrote to memory of 1956	1548	taskeng.exe	svchostlime.exe
PID 1548 wrote to memory of 1956	1548	taskeng.exe	svchostlime.exe
PID 1956 wrote to memory of 1332	1956	svchostlime.exe	schtasks.exe
PID 1956 wrote to memory of 1332	1956	svchostlime.exe	schtasks.exe
PID 1956 wrote to memory of 1332	1956	svchostlime.exe	schtasks.exe
PID 1956 wrote to memory of 1332	1956	svchostlime.exe	schtasks.exe
PID 1956 wrote to memory of 1336	1956	svchostlime.exe	schtasks.exe
PID 1956 wrote to memory of 1336	1956	svchostlime.exe	schtasks.exe
PID 1956 wrote to memory of 1336	1956	svchostlime.exe	schtasks.exe
PID 1956 wrote to memory of 1336	1956	svchostlime.exe	schtasks.exe
PID 1548 wrote to memory of 648	1548	taskeng.exe	svchostlime.exe
PID 1548 wrote to memory of 648	1548	taskeng.exe	svchostlime.exe
PID 1548 wrote to memory of 648	1548	taskeng.exe	svchostlime.exe
PID 1548 wrote to memory of 648	1548	taskeng.exe	svchostlime.exe
PID 648 wrote to memory of 1384	648	svchostlime.exe	schtasks.exe
PID 648 wrote to memory of 1384	648	svchostlime.exe	schtasks.exe
PID 648 wrote to memory of 1384	648	svchostlime.exe	schtasks.exe
PID 648 wrote to memory of 1384	648	svchostlime.exe	schtasks.exe
PID 648 wrote to memory of 1660	648	svchostlime.exe	schtasks.exe
PID 648 wrote to memory of 1660	648	svchostlime.exe	schtasks.exe
PID 648 wrote to memory of 1660	648	svchostlime.exe	schtasks.exe
PID 648 wrote to memory of 1660	648	svchostlime.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\b73fb41a78d5f93cc9baca9da7528f7e31772810832a1e062ac65da09ca44474.exe
"C:\Users\Admin\AppData\Local\Temp\b73fb41a78d5f93cc9baca9da7528f7e31772810832a1e062ac65da09ca44474.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
2⤵
PID:1404

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\b73fb41a78d5f93cc9baca9da7528f7e31772810832a1e062ac65da09ca44474.exe" /sc minute /mo 1
2⤵
- Creates scheduled task(s)
PID:1416

C:\Users\Admin\AppData\Roaming\svchostlime.exe
"C:\Users\Admin\AppData\Roaming\svchostlime.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:920

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
3⤵
PID:1120

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Roaming\svchostlime.exe" /sc minute /mo 1
3⤵
- Creates scheduled task(s)
PID:848

C:\Windows\system32\taskeng.exe
taskeng.exe {67FA9781-D9CE-4AC6-BC58-01C08488DE16} S-1-5-21-790309383-526510583-3802439154-1000:TVHJCWMH\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1548

C:\Users\Admin\AppData\Roaming\svchostlime.exe
C:\Users\Admin\AppData\Roaming\svchostlime.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
3⤵
PID:1332

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Roaming\svchostlime.exe" /sc minute /mo 1
3⤵
- Creates scheduled task(s)
PID:1336

C:\Users\Admin\AppData\Roaming\svchostlime.exe
C:\Users\Admin\AppData\Roaming\svchostlime.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:648

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
3⤵
PID:1384

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Roaming\svchostlime.exe" /sc minute /mo 1
3⤵
- Creates scheduled task(s)
PID:1660

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\svchostlime.exe
Filesize
159KB

MD5
e2a7be7788bbe77180c5ca2a6c308530

SHA1
f682ac9bbb49e8e5e3b50bcdda276f7d219f3126

SHA256
b73fb41a78d5f93cc9baca9da7528f7e31772810832a1e062ac65da09ca44474

SHA512
f43325201ffced9e18132b92df6a22b70516355aa49c6e7ee4b1826ed17dc4e0bd47d5b49b253fed7bdd71a90ea1b8744ffc2dd5e7f455ac2a45e93e28d60308

Download Submit
C:\Users\Admin\AppData\Roaming\svchostlime.exe
Filesize
159KB

MD5
e2a7be7788bbe77180c5ca2a6c308530

SHA1
f682ac9bbb49e8e5e3b50bcdda276f7d219f3126

SHA256
b73fb41a78d5f93cc9baca9da7528f7e31772810832a1e062ac65da09ca44474

SHA512
f43325201ffced9e18132b92df6a22b70516355aa49c6e7ee4b1826ed17dc4e0bd47d5b49b253fed7bdd71a90ea1b8744ffc2dd5e7f455ac2a45e93e28d60308

Download Submit
C:\Users\Admin\AppData\Roaming\svchostlime.exe
Filesize
159KB

MD5
e2a7be7788bbe77180c5ca2a6c308530

SHA1
f682ac9bbb49e8e5e3b50bcdda276f7d219f3126

SHA256
b73fb41a78d5f93cc9baca9da7528f7e31772810832a1e062ac65da09ca44474

SHA512
f43325201ffced9e18132b92df6a22b70516355aa49c6e7ee4b1826ed17dc4e0bd47d5b49b253fed7bdd71a90ea1b8744ffc2dd5e7f455ac2a45e93e28d60308

Download Submit
C:\Users\Admin\AppData\Roaming\svchostlime.exe
Filesize
159KB

MD5
e2a7be7788bbe77180c5ca2a6c308530

SHA1
f682ac9bbb49e8e5e3b50bcdda276f7d219f3126

SHA256
b73fb41a78d5f93cc9baca9da7528f7e31772810832a1e062ac65da09ca44474

SHA512
f43325201ffced9e18132b92df6a22b70516355aa49c6e7ee4b1826ed17dc4e0bd47d5b49b253fed7bdd71a90ea1b8744ffc2dd5e7f455ac2a45e93e28d60308

Download Submit
\Users\Admin\AppData\Roaming\svchostlime.exe
Filesize
159KB

MD5
e2a7be7788bbe77180c5ca2a6c308530

SHA1
f682ac9bbb49e8e5e3b50bcdda276f7d219f3126

SHA256
b73fb41a78d5f93cc9baca9da7528f7e31772810832a1e062ac65da09ca44474

SHA512
f43325201ffced9e18132b92df6a22b70516355aa49c6e7ee4b1826ed17dc4e0bd47d5b49b253fed7bdd71a90ea1b8744ffc2dd5e7f455ac2a45e93e28d60308

Download Submit
memory/648-82-0x00000000744E0000-0x0000000074A8B000-memory.dmp

Filesize
5.7MB

Download
memory/648-79-0x00000000744E0000-0x0000000074A8B000-memory.dmp

Filesize
5.7MB

Download
memory/648-76-0x0000000000000000-mapping.dmp

Download
memory/848-67-0x0000000000000000-mapping.dmp

Download
memory/920-60-0x0000000000000000-mapping.dmp

Download
memory/920-68-0x00000000744E0000-0x0000000074A8B000-memory.dmp

Filesize
5.7MB

Download
memory/920-65-0x00000000744E0000-0x0000000074A8B000-memory.dmp

Filesize
5.7MB

Download
memory/1120-66-0x0000000000000000-mapping.dmp

Download
memory/1332-73-0x0000000000000000-mapping.dmp

Download
memory/1336-74-0x0000000000000000-mapping.dmp

Download
memory/1384-80-0x0000000000000000-mapping.dmp

Download
memory/1404-57-0x0000000000000000-mapping.dmp

Download
memory/1416-58-0x0000000000000000-mapping.dmp

Download
memory/1660-81-0x0000000000000000-mapping.dmp

Download
memory/1956-69-0x0000000000000000-mapping.dmp

Download
memory/1956-75-0x00000000744E0000-0x0000000074A8B000-memory.dmp

Filesize
5.7MB

Download
memory/1956-72-0x00000000744E0000-0x0000000074A8B000-memory.dmp

Filesize
5.7MB

Download
memory/2024-56-0x00000000744E0000-0x0000000074A8B000-memory.dmp

Filesize
5.7MB

Download
memory/2024-54-0x0000000074DD1000-0x0000000074DD3000-memory.dmp

Filesize
8KB

Download
memory/2024-64-0x00000000744E0000-0x0000000074A8B000-memory.dmp

Filesize
5.7MB

Download
memory/2024-55-0x00000000744E0000-0x0000000074A8B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads