njrat | a249adf01392e2d1fca0f26fa516eae841ffd456ef7da7a4ef144ab2635413b2

General

Target

a249adf01392e2d1fca0f26fa516eae841ffd456ef7da7a4ef144ab2635413b2.exe
Size

73KB
MD5

937d6b61bfe4f09948d8ce1d0961b370
SHA1

07982df512eb4d9f3bf6271937ccdf4e38191504
SHA256

a249adf01392e2d1fca0f26fa516eae841ffd456ef7da7a4ef144ab2635413b2
SHA512

d1b0c147125eb67bd655d33f4bae2374508931ca5c5285ff24213161cea9e78cee954119d4c48cfad0d2b1d8196d561dd6aa517fb7623e90cf383ee724a9cb99
SSDEEP

1536:ic/PVhN96lPoNfXTuCWOyll1mwkeiN0xyUGTX:Z9hNsPoNfbWOJwk30EF

Score

10^/10

njrat evasion persistence trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 1 IoCs

pid	Process
1676	google.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1708	netsh.exe

Loads dropped DLL 1 IoCs

pid	Process
1972	a249adf01392e2d1fca0f26fa516eae841ffd456ef7da7a4ef144ab2635413b2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\e308948484eef5c3e20e6dc71c84a131 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\google.exe\" .."	google.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\e308948484eef5c3e20e6dc71c84a131 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\google.exe\" .."	google.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	1676	google.exe
Token: 33	1676	google.exe
Token: SeIncBasePriorityPrivilege	1676	google.exe
Token: 33	1676	google.exe
Token: SeIncBasePriorityPrivilege	1676	google.exe
Token: 33	1676	google.exe
Token: SeIncBasePriorityPrivilege	1676	google.exe
Token: 33	1676	google.exe
Token: SeIncBasePriorityPrivilege	1676	google.exe
Token: 33	1676	google.exe
Token: SeIncBasePriorityPrivilege	1676	google.exe
Token: 33	1676	google.exe
Token: SeIncBasePriorityPrivilege	1676	google.exe
Token: 33	1676	google.exe
Token: SeIncBasePriorityPrivilege	1676	google.exe
Token: 33	1676	google.exe
Token: SeIncBasePriorityPrivilege	1676	google.exe
Token: 33	1676	google.exe
Token: SeIncBasePriorityPrivilege	1676	google.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 1676	1972	a249adf01392e2d1fca0f26fa516eae841ffd456ef7da7a4ef144ab2635413b2.exe	27
PID 1972 wrote to memory of 1676	1972	a249adf01392e2d1fca0f26fa516eae841ffd456ef7da7a4ef144ab2635413b2.exe	27
PID 1972 wrote to memory of 1676	1972	a249adf01392e2d1fca0f26fa516eae841ffd456ef7da7a4ef144ab2635413b2.exe	27
PID 1972 wrote to memory of 1676	1972	a249adf01392e2d1fca0f26fa516eae841ffd456ef7da7a4ef144ab2635413b2.exe	27
PID 1676 wrote to memory of 1708	1676	google.exe	28
PID 1676 wrote to memory of 1708	1676	google.exe	28
PID 1676 wrote to memory of 1708	1676	google.exe	28
PID 1676 wrote to memory of 1708	1676	google.exe	28

C:\Users\Admin\AppData\Local\Temp\a249adf01392e2d1fca0f26fa516eae841ffd456ef7da7a4ef144ab2635413b2.exe
"C:\Users\Admin\AppData\Local\Temp\a249adf01392e2d1fca0f26fa516eae841ffd456ef7da7a4ef144ab2635413b2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Local\Temp\google.exe
  "C:\Users\Admin\AppData\Local\Temp\google.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\google.exe" "google.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:1708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\google.exe

Filesize
73KB

MD5
937d6b61bfe4f09948d8ce1d0961b370

SHA1
07982df512eb4d9f3bf6271937ccdf4e38191504

SHA256
a249adf01392e2d1fca0f26fa516eae841ffd456ef7da7a4ef144ab2635413b2

SHA512
d1b0c147125eb67bd655d33f4bae2374508931ca5c5285ff24213161cea9e78cee954119d4c48cfad0d2b1d8196d561dd6aa517fb7623e90cf383ee724a9cb99

Download Submit
C:\Users\Admin\AppData\Local\Temp\google.exe

Filesize
73KB

MD5
937d6b61bfe4f09948d8ce1d0961b370

SHA1
07982df512eb4d9f3bf6271937ccdf4e38191504

SHA256
a249adf01392e2d1fca0f26fa516eae841ffd456ef7da7a4ef144ab2635413b2

SHA512
d1b0c147125eb67bd655d33f4bae2374508931ca5c5285ff24213161cea9e78cee954119d4c48cfad0d2b1d8196d561dd6aa517fb7623e90cf383ee724a9cb99

Download Submit
\Users\Admin\AppData\Local\Temp\google.exe

Filesize
73KB

MD5
937d6b61bfe4f09948d8ce1d0961b370

SHA1
07982df512eb4d9f3bf6271937ccdf4e38191504

SHA256
a249adf01392e2d1fca0f26fa516eae841ffd456ef7da7a4ef144ab2635413b2

SHA512
d1b0c147125eb67bd655d33f4bae2374508931ca5c5285ff24213161cea9e78cee954119d4c48cfad0d2b1d8196d561dd6aa517fb7623e90cf383ee724a9cb99

Download Submit
memory/1676-62-0x0000000075040000-0x00000000755EB000-memory.dmp

Filesize
5.7MB

Download
memory/1676-65-0x0000000075040000-0x00000000755EB000-memory.dmp

Filesize
5.7MB

Download
memory/1972-54-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

Filesize
8KB

Download
memory/1972-55-0x0000000075040000-0x00000000755EB000-memory.dmp

Filesize
5.7MB

Download
memory/1972-61-0x0000000075040000-0x00000000755EB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing