njrat | 4c9b1b4db3fd9b0cd9b7163cdbee3c321cd2046516f65443345d34eeaba05b05

General

Target

HEUR-Trojan.MSIL.Gorgon.gen-4c9b1b4db3fd9b0cd.exe
Size

275KB
MD5

23fa40a66b8c641f8324c2b659c341be
SHA1

8eeea57eb2af7bb571f023b29d59202e97eaab59
SHA256

4c9b1b4db3fd9b0cd9b7163cdbee3c321cd2046516f65443345d34eeaba05b05
SHA512

ad47eb6357936125ebb8d10a1dea5c42357178fc0e7243adf50a4a9677fb78ca49912fae43d0a0f86cdc0c1215a43dd60f194f7ebcd5cea9ad438d8f5f8eea58
SSDEEP

3072:UYH88y9uczJx44Dolo4fFSpTjP17qWyW3zbx2vyE7S1M2Q:Ply9uczJxRDolZgV1dnbkORQ

Score

10^/10

njrat evasion persistence trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

server.exe

pid process

3768 server.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1932 netsh.exe

pid	process
3768	server.exe

pid	process
1932	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

HEUR-Trojan.MSIL.Gorgon.gen-4c9b1b4db3fd9b0cd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	HEUR-Trojan.MSIL.Gorgon.gen-4c9b1b4db3fd9b0cd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

server.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2806cdb1ef67986308064d5873a67ad7 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2806cdb1ef67986308064d5873a67ad7 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

server.exe

description	pid	process
Token: SeDebugPrivilege	3768	server.exe
Token: 33	3768	server.exe
Token: SeIncBasePriorityPrivilege	3768	server.exe
Token: 33	3768	server.exe
Token: SeIncBasePriorityPrivilege	3768	server.exe
Token: 33	3768	server.exe
Token: SeIncBasePriorityPrivilege	3768	server.exe
Token: 33	3768	server.exe
Token: SeIncBasePriorityPrivilege	3768	server.exe
Token: 33	3768	server.exe
Token: SeIncBasePriorityPrivilege	3768	server.exe
Token: 33	3768	server.exe
Token: SeIncBasePriorityPrivilege	3768	server.exe
Token: 33	3768	server.exe
Token: SeIncBasePriorityPrivilege	3768	server.exe
Token: 33	3768	server.exe
Token: SeIncBasePriorityPrivilege	3768	server.exe
Token: 33	3768	server.exe
Token: SeIncBasePriorityPrivilege	3768	server.exe
Token: 33	3768	server.exe
Token: SeIncBasePriorityPrivilege	3768	server.exe
Token: 33	3768	server.exe
Token: SeIncBasePriorityPrivilege	3768	server.exe
Token: 33	3768	server.exe
Token: SeIncBasePriorityPrivilege	3768	server.exe
Token: 33	3768	server.exe
Token: SeIncBasePriorityPrivilege	3768	server.exe
Token: 33	3768	server.exe
Token: SeIncBasePriorityPrivilege	3768	server.exe
Token: 33	3768	server.exe
Token: SeIncBasePriorityPrivilege	3768	server.exe
Token: 33	3768	server.exe
Token: SeIncBasePriorityPrivilege	3768	server.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

HEUR-Trojan.MSIL.Gorgon.gen-4c9b1b4db3fd9b0cd.exeserver.exe

description	pid	process	target process
PID 4340 wrote to memory of 3768	4340	HEUR-Trojan.MSIL.Gorgon.gen-4c9b1b4db3fd9b0cd.exe	server.exe
PID 4340 wrote to memory of 3768	4340	HEUR-Trojan.MSIL.Gorgon.gen-4c9b1b4db3fd9b0cd.exe	server.exe
PID 3768 wrote to memory of 1932	3768	server.exe	netsh.exe
PID 3768 wrote to memory of 1932	3768	server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Gorgon.gen-4c9b1b4db3fd9b0cd.exe
"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Gorgon.gen-4c9b1b4db3fd9b0cd.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4340

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3768

C:\Windows\SYSTEM32\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:1932

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
275KB

MD5
23fa40a66b8c641f8324c2b659c341be

SHA1
8eeea57eb2af7bb571f023b29d59202e97eaab59

SHA256
4c9b1b4db3fd9b0cd9b7163cdbee3c321cd2046516f65443345d34eeaba05b05

SHA512
ad47eb6357936125ebb8d10a1dea5c42357178fc0e7243adf50a4a9677fb78ca49912fae43d0a0f86cdc0c1215a43dd60f194f7ebcd5cea9ad438d8f5f8eea58

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
275KB

MD5
23fa40a66b8c641f8324c2b659c341be

SHA1
8eeea57eb2af7bb571f023b29d59202e97eaab59

SHA256
4c9b1b4db3fd9b0cd9b7163cdbee3c321cd2046516f65443345d34eeaba05b05

SHA512
ad47eb6357936125ebb8d10a1dea5c42357178fc0e7243adf50a4a9677fb78ca49912fae43d0a0f86cdc0c1215a43dd60f194f7ebcd5cea9ad438d8f5f8eea58

Download Submit
memory/1932-139-0x0000000000000000-mapping.dmp

Download
memory/3768-134-0x0000000000000000-mapping.dmp

Download
memory/3768-138-0x00007FF948800000-0x00007FF9492C1000-memory.dmp

Filesize
10.8MB

Download
memory/3768-140-0x00007FF948800000-0x00007FF9492C1000-memory.dmp

Filesize
10.8MB

Download
memory/4340-132-0x0000000000B10000-0x0000000000B52000-memory.dmp

Filesize
264KB

Download
memory/4340-133-0x00007FF948800000-0x00007FF9492C1000-memory.dmp

Filesize
10.8MB

Download
memory/4340-137-0x00007FF948800000-0x00007FF9492C1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads