njrat | 2ceffe5d0a3e81b724c80484791364a1bd676a72ae1bbc4edebaed04dccdbb60

General

Target

2ceffe5d0a3e81b724c80484791364a1bd676a72ae1bbc4edebaed04dccdbb60.exe
Size

41KB
MD5

6174b0640d9954f49f4e1752575073d0
SHA1

9d906ca323f0ceed91c348ee1e815faaa15f3d81
SHA256

2ceffe5d0a3e81b724c80484791364a1bd676a72ae1bbc4edebaed04dccdbb60
SHA512

8d6821e6453ea2c9fc028b637782e385b78c0b3af99c37aa2f13c6eb6a1bffc160d75ff5b3f6dd7a4a308f045af46e07ce749301dc6efcf9ddb7df01f99158b7
SSDEEP

768:jXxdX64kYewwUtH1IVOYgLdBLXTijktmbGBHEqNCzhoLN8ax:/4YCeIVOYg7Kg0iBHEq4iyU

Score

10^/10

njrat evasion persistence trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

server.exe

pid process

4548 server.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

5068 netsh.exe

pid	process
4548	server.exe

pid	process
5068	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2ceffe5d0a3e81b724c80484791364a1bd676a72ae1bbc4edebaed04dccdbb60.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	2ceffe5d0a3e81b724c80484791364a1bd676a72ae1bbc4edebaed04dccdbb60.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

server.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\279f6960ed84a752570aca7fb2dc1552 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\279f6960ed84a752570aca7fb2dc1552 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

server.exe

description	pid	process
Token: SeDebugPrivilege	4548	server.exe
Token: 33	4548	server.exe
Token: SeIncBasePriorityPrivilege	4548	server.exe
Token: 33	4548	server.exe
Token: SeIncBasePriorityPrivilege	4548	server.exe
Token: 33	4548	server.exe
Token: SeIncBasePriorityPrivilege	4548	server.exe
Token: 33	4548	server.exe
Token: SeIncBasePriorityPrivilege	4548	server.exe
Token: 33	4548	server.exe
Token: SeIncBasePriorityPrivilege	4548	server.exe
Token: 33	4548	server.exe
Token: SeIncBasePriorityPrivilege	4548	server.exe
Token: 33	4548	server.exe
Token: SeIncBasePriorityPrivilege	4548	server.exe
Token: 33	4548	server.exe
Token: SeIncBasePriorityPrivilege	4548	server.exe
Token: 33	4548	server.exe
Token: SeIncBasePriorityPrivilege	4548	server.exe
Token: 33	4548	server.exe
Token: SeIncBasePriorityPrivilege	4548	server.exe
Token: 33	4548	server.exe
Token: SeIncBasePriorityPrivilege	4548	server.exe
Token: 33	4548	server.exe
Token: SeIncBasePriorityPrivilege	4548	server.exe
Token: 33	4548	server.exe
Token: SeIncBasePriorityPrivilege	4548	server.exe
Token: 33	4548	server.exe
Token: SeIncBasePriorityPrivilege	4548	server.exe
Token: 33	4548	server.exe
Token: SeIncBasePriorityPrivilege	4548	server.exe
Token: 33	4548	server.exe
Token: SeIncBasePriorityPrivilege	4548	server.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

2ceffe5d0a3e81b724c80484791364a1bd676a72ae1bbc4edebaed04dccdbb60.exeserver.exe

description	pid	process	target process
PID 4924 wrote to memory of 4548	4924	2ceffe5d0a3e81b724c80484791364a1bd676a72ae1bbc4edebaed04dccdbb60.exe	server.exe
PID 4924 wrote to memory of 4548	4924	2ceffe5d0a3e81b724c80484791364a1bd676a72ae1bbc4edebaed04dccdbb60.exe	server.exe
PID 4548 wrote to memory of 5068	4548	server.exe	netsh.exe
PID 4548 wrote to memory of 5068	4548	server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\2ceffe5d0a3e81b724c80484791364a1bd676a72ae1bbc4edebaed04dccdbb60.exe
"C:\Users\Admin\AppData\Local\Temp\2ceffe5d0a3e81b724c80484791364a1bd676a72ae1bbc4edebaed04dccdbb60.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4924

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4548

C:\Windows\SYSTEM32\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:5068

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
41KB

MD5
6174b0640d9954f49f4e1752575073d0

SHA1
9d906ca323f0ceed91c348ee1e815faaa15f3d81

SHA256
2ceffe5d0a3e81b724c80484791364a1bd676a72ae1bbc4edebaed04dccdbb60

SHA512
8d6821e6453ea2c9fc028b637782e385b78c0b3af99c37aa2f13c6eb6a1bffc160d75ff5b3f6dd7a4a308f045af46e07ce749301dc6efcf9ddb7df01f99158b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
41KB

MD5
6174b0640d9954f49f4e1752575073d0

SHA1
9d906ca323f0ceed91c348ee1e815faaa15f3d81

SHA256
2ceffe5d0a3e81b724c80484791364a1bd676a72ae1bbc4edebaed04dccdbb60

SHA512
8d6821e6453ea2c9fc028b637782e385b78c0b3af99c37aa2f13c6eb6a1bffc160d75ff5b3f6dd7a4a308f045af46e07ce749301dc6efcf9ddb7df01f99158b7

Download Submit
memory/4548-134-0x0000000000000000-mapping.dmp

Download
memory/4548-138-0x00007FF8EC800000-0x00007FF8ED2C1000-memory.dmp

Filesize
10.8MB

Download
memory/4548-140-0x00007FF8EC800000-0x00007FF8ED2C1000-memory.dmp

Filesize
10.8MB

Download
memory/4924-132-0x0000000000A10000-0x0000000000A20000-memory.dmp

Filesize
64KB

Download
memory/4924-133-0x00007FF8EC800000-0x00007FF8ED2C1000-memory.dmp

Filesize
10.8MB

Download
memory/4924-137-0x00007FF8EC800000-0x00007FF8ED2C1000-memory.dmp

Filesize
10.8MB

Download
memory/5068-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads