njrat | b73fb41a78d5f93cc9baca9da7528f7e31772810832a1e062ac65da09ca44474

General

Target

b73fb41a78d5f93cc9baca9da7528f7e31772810832a1e062ac65da09ca44474.exe
Size

159KB
MD5

e2a7be7788bbe77180c5ca2a6c308530
SHA1

f682ac9bbb49e8e5e3b50bcdda276f7d219f3126
SHA256

b73fb41a78d5f93cc9baca9da7528f7e31772810832a1e062ac65da09ca44474
SHA512

f43325201ffced9e18132b92df6a22b70516355aa49c6e7ee4b1826ed17dc4e0bd47d5b49b253fed7bdd71a90ea1b8744ffc2dd5e7f455ac2a45e93e28d60308

Score

10^/10

njrat trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

svchostlime.exesvchostlime.exe

pid process

4528 svchostlime.exe
1252 svchostlime.exe

pid	process
4528	svchostlime.exe
1252	svchostlime.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b73fb41a78d5f93cc9baca9da7528f7e31772810832a1e062ac65da09ca44474.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	b73fb41a78d5f93cc9baca9da7528f7e31772810832a1e062ac65da09ca44474.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1728 schtasks.exe
1220 schtasks.exe
1460 schtasks.exe

pid	process
1728	schtasks.exe
1220	schtasks.exe
1460	schtasks.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

svchostlime.exe

description	pid	process
Token: SeDebugPrivilege	4528	svchostlime.exe
Token: 33	4528	svchostlime.exe
Token: SeIncBasePriorityPrivilege	4528	svchostlime.exe
Token: 33	4528	svchostlime.exe
Token: SeIncBasePriorityPrivilege	4528	svchostlime.exe
Token: 33	4528	svchostlime.exe
Token: SeIncBasePriorityPrivilege	4528	svchostlime.exe
Token: 33	4528	svchostlime.exe
Token: SeIncBasePriorityPrivilege	4528	svchostlime.exe
Token: 33	4528	svchostlime.exe
Token: SeIncBasePriorityPrivilege	4528	svchostlime.exe
Token: 33	4528	svchostlime.exe
Token: SeIncBasePriorityPrivilege	4528	svchostlime.exe
Token: 33	4528	svchostlime.exe
Token: SeIncBasePriorityPrivilege	4528	svchostlime.exe
Token: 33	4528	svchostlime.exe
Token: SeIncBasePriorityPrivilege	4528	svchostlime.exe
Token: 33	4528	svchostlime.exe
Token: SeIncBasePriorityPrivilege	4528	svchostlime.exe
Token: 33	4528	svchostlime.exe
Token: SeIncBasePriorityPrivilege	4528	svchostlime.exe
Token: 33	4528	svchostlime.exe
Token: SeIncBasePriorityPrivilege	4528	svchostlime.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

b73fb41a78d5f93cc9baca9da7528f7e31772810832a1e062ac65da09ca44474.exesvchostlime.exesvchostlime.exe

description	pid	process	target process
PID 3492 wrote to memory of 2020	3492	b73fb41a78d5f93cc9baca9da7528f7e31772810832a1e062ac65da09ca44474.exe	schtasks.exe
PID 3492 wrote to memory of 2020	3492	b73fb41a78d5f93cc9baca9da7528f7e31772810832a1e062ac65da09ca44474.exe	schtasks.exe
PID 3492 wrote to memory of 2020	3492	b73fb41a78d5f93cc9baca9da7528f7e31772810832a1e062ac65da09ca44474.exe	schtasks.exe
PID 3492 wrote to memory of 1728	3492	b73fb41a78d5f93cc9baca9da7528f7e31772810832a1e062ac65da09ca44474.exe	schtasks.exe
PID 3492 wrote to memory of 1728	3492	b73fb41a78d5f93cc9baca9da7528f7e31772810832a1e062ac65da09ca44474.exe	schtasks.exe
PID 3492 wrote to memory of 1728	3492	b73fb41a78d5f93cc9baca9da7528f7e31772810832a1e062ac65da09ca44474.exe	schtasks.exe
PID 3492 wrote to memory of 4528	3492	b73fb41a78d5f93cc9baca9da7528f7e31772810832a1e062ac65da09ca44474.exe	svchostlime.exe
PID 3492 wrote to memory of 4528	3492	b73fb41a78d5f93cc9baca9da7528f7e31772810832a1e062ac65da09ca44474.exe	svchostlime.exe
PID 3492 wrote to memory of 4528	3492	b73fb41a78d5f93cc9baca9da7528f7e31772810832a1e062ac65da09ca44474.exe	svchostlime.exe
PID 4528 wrote to memory of 1060	4528	svchostlime.exe	schtasks.exe
PID 4528 wrote to memory of 1060	4528	svchostlime.exe	schtasks.exe
PID 4528 wrote to memory of 1060	4528	svchostlime.exe	schtasks.exe
PID 4528 wrote to memory of 1220	4528	svchostlime.exe	schtasks.exe
PID 4528 wrote to memory of 1220	4528	svchostlime.exe	schtasks.exe
PID 4528 wrote to memory of 1220	4528	svchostlime.exe	schtasks.exe
PID 1252 wrote to memory of 1164	1252	svchostlime.exe	schtasks.exe
PID 1252 wrote to memory of 1164	1252	svchostlime.exe	schtasks.exe
PID 1252 wrote to memory of 1164	1252	svchostlime.exe	schtasks.exe
PID 1252 wrote to memory of 1460	1252	svchostlime.exe	schtasks.exe
PID 1252 wrote to memory of 1460	1252	svchostlime.exe	schtasks.exe
PID 1252 wrote to memory of 1460	1252	svchostlime.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\b73fb41a78d5f93cc9baca9da7528f7e31772810832a1e062ac65da09ca44474.exe
"C:\Users\Admin\AppData\Local\Temp\b73fb41a78d5f93cc9baca9da7528f7e31772810832a1e062ac65da09ca44474.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3492

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
2⤵
PID:2020

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\b73fb41a78d5f93cc9baca9da7528f7e31772810832a1e062ac65da09ca44474.exe" /sc minute /mo 1
2⤵
- Creates scheduled task(s)
PID:1728

C:\Users\Admin\AppData\Roaming\svchostlime.exe
"C:\Users\Admin\AppData\Roaming\svchostlime.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4528

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
3⤵
PID:1060

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Roaming\svchostlime.exe" /sc minute /mo 1
3⤵
- Creates scheduled task(s)
PID:1220

C:\Users\Admin\AppData\Roaming\svchostlime.exe
C:\Users\Admin\AppData\Roaming\svchostlime.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1252

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
2⤵
PID:1164

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Roaming\svchostlime.exe" /sc minute /mo 1
2⤵
- Creates scheduled task(s)
PID:1460

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\svchostlime.exe
Filesize
159KB

MD5
e2a7be7788bbe77180c5ca2a6c308530

SHA1
f682ac9bbb49e8e5e3b50bcdda276f7d219f3126

SHA256
b73fb41a78d5f93cc9baca9da7528f7e31772810832a1e062ac65da09ca44474

SHA512
f43325201ffced9e18132b92df6a22b70516355aa49c6e7ee4b1826ed17dc4e0bd47d5b49b253fed7bdd71a90ea1b8744ffc2dd5e7f455ac2a45e93e28d60308

Download Submit
C:\Users\Admin\AppData\Roaming\svchostlime.exe
Filesize
159KB

MD5
e2a7be7788bbe77180c5ca2a6c308530

SHA1
f682ac9bbb49e8e5e3b50bcdda276f7d219f3126

SHA256
b73fb41a78d5f93cc9baca9da7528f7e31772810832a1e062ac65da09ca44474

SHA512
f43325201ffced9e18132b92df6a22b70516355aa49c6e7ee4b1826ed17dc4e0bd47d5b49b253fed7bdd71a90ea1b8744ffc2dd5e7f455ac2a45e93e28d60308

Download Submit
C:\Users\Admin\AppData\Roaming\svchostlime.exe
Filesize
159KB

MD5
e2a7be7788bbe77180c5ca2a6c308530

SHA1
f682ac9bbb49e8e5e3b50bcdda276f7d219f3126

SHA256
b73fb41a78d5f93cc9baca9da7528f7e31772810832a1e062ac65da09ca44474

SHA512
f43325201ffced9e18132b92df6a22b70516355aa49c6e7ee4b1826ed17dc4e0bd47d5b49b253fed7bdd71a90ea1b8744ffc2dd5e7f455ac2a45e93e28d60308

Download Submit
memory/1060-139-0x0000000000000000-mapping.dmp

Download
memory/1164-144-0x0000000000000000-mapping.dmp

Download
memory/1220-140-0x0000000000000000-mapping.dmp

Download
memory/1252-143-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/1252-146-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/1460-145-0x0000000000000000-mapping.dmp

Download
memory/1728-133-0x0000000000000000-mapping.dmp

Download
memory/2020-132-0x0000000000000000-mapping.dmp

Download
memory/3492-131-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/3492-130-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/3492-137-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/4528-141-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/4528-138-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/4528-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads