njrat | 7d4f89ad362779ceab3e79784c90b22346b1f053451aa65e53bcf754b1395b62

General

Target

7d4f89ad362779ceab3e79784c90b22346b1f053451aa65e53bcf754b1395b62.exe
Size

286KB
MD5

f72d15d6b4acf8078292d53c1dd3755a
SHA1

3fd52da27e28b5e3d09743c09a72b58689508288
SHA256

7d4f89ad362779ceab3e79784c90b22346b1f053451aa65e53bcf754b1395b62
SHA512

9ab7f0a1db7ab35d8d936a5ab1c8398c9350a2f9eadc76c7e88834b0e9488ebff9da3fb008a0c591eaa23faed6c04e9ad325c795164f35b4abb4f20219686a6a
SSDEEP

6144:B0Ejt/wbJlcp8J0Ya1AUM1VrtNjVsF9cMSVv5gRd6:BLtWeg051BM1NtrswMSB5y

Score

10^/10

njrat evasion persistence trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

server.exe

pid process

3416 server.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

224 netsh.exe

pid	process
3416	server.exe

pid	process
224	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7d4f89ad362779ceab3e79784c90b22346b1f053451aa65e53bcf754b1395b62.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	7d4f89ad362779ceab3e79784c90b22346b1f053451aa65e53bcf754b1395b62.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

server.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\212683d986fb740ad6a40184df48e604 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\212683d986fb740ad6a40184df48e604 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

7d4f89ad362779ceab3e79784c90b22346b1f053451aa65e53bcf754b1395b62.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	7d4f89ad362779ceab3e79784c90b22346b1f053451aa65e53bcf754b1395b62.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	7d4f89ad362779ceab3e79784c90b22346b1f053451aa65e53bcf754b1395b62.exe

Drops file in Windows directory 3 IoCs

Processes:

7d4f89ad362779ceab3e79784c90b22346b1f053451aa65e53bcf754b1395b62.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	7d4f89ad362779ceab3e79784c90b22346b1f053451aa65e53bcf754b1395b62.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	7d4f89ad362779ceab3e79784c90b22346b1f053451aa65e53bcf754b1395b62.exe
File opened for modification	C:\Windows\assembly	7d4f89ad362779ceab3e79784c90b22346b1f053451aa65e53bcf754b1395b62.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

7d4f89ad362779ceab3e79784c90b22346b1f053451aa65e53bcf754b1395b62.exeserver.exe

description	pid	process
Token: SeDebugPrivilege	5036	7d4f89ad362779ceab3e79784c90b22346b1f053451aa65e53bcf754b1395b62.exe
Token: 33	5036	7d4f89ad362779ceab3e79784c90b22346b1f053451aa65e53bcf754b1395b62.exe
Token: SeIncBasePriorityPrivilege	5036	7d4f89ad362779ceab3e79784c90b22346b1f053451aa65e53bcf754b1395b62.exe
Token: SeDebugPrivilege	3416	server.exe
Token: 33	3416	server.exe
Token: SeIncBasePriorityPrivilege	3416	server.exe
Token: 33	3416	server.exe
Token: SeIncBasePriorityPrivilege	3416	server.exe
Token: 33	3416	server.exe
Token: SeIncBasePriorityPrivilege	3416	server.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

7d4f89ad362779ceab3e79784c90b22346b1f053451aa65e53bcf754b1395b62.exeserver.exe

description	pid	process	target process
PID 5036 wrote to memory of 3416	5036	7d4f89ad362779ceab3e79784c90b22346b1f053451aa65e53bcf754b1395b62.exe	server.exe
PID 5036 wrote to memory of 3416	5036	7d4f89ad362779ceab3e79784c90b22346b1f053451aa65e53bcf754b1395b62.exe	server.exe
PID 3416 wrote to memory of 224	3416	server.exe	netsh.exe
PID 3416 wrote to memory of 224	3416	server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\7d4f89ad362779ceab3e79784c90b22346b1f053451aa65e53bcf754b1395b62.exe
"C:\Users\Admin\AppData\Local\Temp\7d4f89ad362779ceab3e79784c90b22346b1f053451aa65e53bcf754b1395b62.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5036

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3416

C:\Windows\SYSTEM32\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:224

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
286KB

MD5
f72d15d6b4acf8078292d53c1dd3755a

SHA1
3fd52da27e28b5e3d09743c09a72b58689508288

SHA256
7d4f89ad362779ceab3e79784c90b22346b1f053451aa65e53bcf754b1395b62

SHA512
9ab7f0a1db7ab35d8d936a5ab1c8398c9350a2f9eadc76c7e88834b0e9488ebff9da3fb008a0c591eaa23faed6c04e9ad325c795164f35b4abb4f20219686a6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
286KB

MD5
f72d15d6b4acf8078292d53c1dd3755a

SHA1
3fd52da27e28b5e3d09743c09a72b58689508288

SHA256
7d4f89ad362779ceab3e79784c90b22346b1f053451aa65e53bcf754b1395b62

SHA512
9ab7f0a1db7ab35d8d936a5ab1c8398c9350a2f9eadc76c7e88834b0e9488ebff9da3fb008a0c591eaa23faed6c04e9ad325c795164f35b4abb4f20219686a6a

Download Submit
memory/224-141-0x0000000000000000-mapping.dmp

Download
memory/3416-135-0x0000000000000000-mapping.dmp

Download
memory/3416-138-0x00007FFF79F80000-0x00007FFF7A9B6000-memory.dmp

Filesize
10.2MB

Download
memory/3416-140-0x0000000000AC7000-0x0000000000ACC000-memory.dmp

Filesize
20KB

Download
memory/3416-142-0x000000001BEA0000-0x000000001BFA0000-memory.dmp

Filesize
1024KB

Download
memory/3416-143-0x000000001BEA0000-0x000000001BFA0000-memory.dmp

Filesize
1024KB

Download
memory/5036-132-0x00007FFF79F80000-0x00007FFF7A9B6000-memory.dmp

Filesize
10.2MB

Download
memory/5036-133-0x0000000001457000-0x000000000145C000-memory.dmp

Filesize
20KB

Download
memory/5036-134-0x0000000001457000-0x000000000145C000-memory.dmp

Filesize
20KB

Download
memory/5036-139-0x0000000001457000-0x000000000145C000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads