njrat | 90879c6b4db8254f1e2ec94ec3ea453977a251c1789e91879a863504c2aaa563

General

Target

90879c6b4db8254f1e2ec94ec3ea453977a251c1789e91879a863504c2aaa563.exe
Size

875KB
MD5

0a73ff03793f0b5beb7d2537933033ab
SHA1

9631cedd0844c8c7fb16373c27e0c9ffb7261f9a
SHA256

90879c6b4db8254f1e2ec94ec3ea453977a251c1789e91879a863504c2aaa563
SHA512

4131c9e9bbdd3618cdda5cf00b98f2d2254e63ce6a6d5bafda9bd6430e3c555e6361227bfe89072e83f46e0dd4c8d306b9337570800760bb612917c17517d703
SSDEEP

24576:h4lavt0LkLL9IMixoEgea+8zrcq9MmCS:wkwkn9IMHea+GQaPCS

Score

10^/10

njrat evasion trojan

Malware Config

Signatures

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

90879c6b4db8254f1e2ec94ec3ea453977a251c1789e91879a863504c2aaa563.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	90879c6b4db8254f1e2ec94ec3ea453977a251c1789e91879a863504c2aaa563.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	90879c6b4db8254f1e2ec94ec3ea453977a251c1789e91879a863504c2aaa563.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

7163.exetext.exe

pid process

3628 7163.exe
2032 text.exe

pid	process
3628	7163.exe
2032	text.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

90879c6b4db8254f1e2ec94ec3ea453977a251c1789e91879a863504c2aaa563.exe7163.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	90879c6b4db8254f1e2ec94ec3ea453977a251c1789e91879a863504c2aaa563.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	7163.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

90879c6b4db8254f1e2ec94ec3ea453977a251c1789e91879a863504c2aaa563.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	90879c6b4db8254f1e2ec94ec3ea453977a251c1789e91879a863504c2aaa563.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

90879c6b4db8254f1e2ec94ec3ea453977a251c1789e91879a863504c2aaa563.exe7163.exe

description	pid	process	target process
PID 1852 wrote to memory of 3628	1852	90879c6b4db8254f1e2ec94ec3ea453977a251c1789e91879a863504c2aaa563.exe	7163.exe
PID 1852 wrote to memory of 3628	1852	90879c6b4db8254f1e2ec94ec3ea453977a251c1789e91879a863504c2aaa563.exe	7163.exe
PID 1852 wrote to memory of 3628	1852	90879c6b4db8254f1e2ec94ec3ea453977a251c1789e91879a863504c2aaa563.exe	7163.exe
PID 3628 wrote to memory of 2032	3628	7163.exe	text.exe
PID 3628 wrote to memory of 2032	3628	7163.exe	text.exe
PID 3628 wrote to memory of 2032	3628	7163.exe	text.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

90879c6b4db8254f1e2ec94ec3ea453977a251c1789e91879a863504c2aaa563.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	90879c6b4db8254f1e2ec94ec3ea453977a251c1789e91879a863504c2aaa563.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	90879c6b4db8254f1e2ec94ec3ea453977a251c1789e91879a863504c2aaa563.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	90879c6b4db8254f1e2ec94ec3ea453977a251c1789e91879a863504c2aaa563.exe

C:\Users\Admin\AppData\Local\Temp\90879c6b4db8254f1e2ec94ec3ea453977a251c1789e91879a863504c2aaa563.exe
"C:\Users\Admin\AppData\Local\Temp\90879c6b4db8254f1e2ec94ec3ea453977a251c1789e91879a863504c2aaa563.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1852

C:\Users\Admin\AppData\Local\Temp\7163\7163.exe
"C:\Users\Admin\AppData\Local\Temp\7163\7163.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3628

C:\Users\Admin\AppData\Roaming\text.exe
"C:\Users\Admin\AppData\Roaming\text.exe"
3⤵
- Executes dropped EXE
PID:2032

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7163\7163.exe
Filesize
28KB

MD5
f2cb40517f296c958053e0d6752d6e66

SHA1
d90652c7f3501b898a902be6abec0b52e2abbeee

SHA256
2187b8f08b50c9e5d525007f42f8c960ecf6257d0e57d5435b2b61c02c6d9267

SHA512
7de89af47e8a4f5d60f88d156767546360715fbe268a12be57ec9227ba24cbcd64dc5a0c85526a743728de4b7f5b91b8736fc49c11a90b8520ecbf51ca8a6d59

Download Submit
C:\Users\Admin\AppData\Local\Temp\7163\7163.exe
Filesize
28KB

MD5
f2cb40517f296c958053e0d6752d6e66

SHA1
d90652c7f3501b898a902be6abec0b52e2abbeee

SHA256
2187b8f08b50c9e5d525007f42f8c960ecf6257d0e57d5435b2b61c02c6d9267

SHA512
7de89af47e8a4f5d60f88d156767546360715fbe268a12be57ec9227ba24cbcd64dc5a0c85526a743728de4b7f5b91b8736fc49c11a90b8520ecbf51ca8a6d59

Download Submit
C:\Users\Admin\AppData\Roaming\text.exe
Filesize
28KB

MD5
f2cb40517f296c958053e0d6752d6e66

SHA1
d90652c7f3501b898a902be6abec0b52e2abbeee

SHA256
2187b8f08b50c9e5d525007f42f8c960ecf6257d0e57d5435b2b61c02c6d9267

SHA512
7de89af47e8a4f5d60f88d156767546360715fbe268a12be57ec9227ba24cbcd64dc5a0c85526a743728de4b7f5b91b8736fc49c11a90b8520ecbf51ca8a6d59

Download Submit
C:\Users\Admin\AppData\Roaming\text.exe
Filesize
28KB

MD5
f2cb40517f296c958053e0d6752d6e66

SHA1
d90652c7f3501b898a902be6abec0b52e2abbeee

SHA256
2187b8f08b50c9e5d525007f42f8c960ecf6257d0e57d5435b2b61c02c6d9267

SHA512
7de89af47e8a4f5d60f88d156767546360715fbe268a12be57ec9227ba24cbcd64dc5a0c85526a743728de4b7f5b91b8736fc49c11a90b8520ecbf51ca8a6d59

Download Submit
memory/2032-135-0x0000000000000000-mapping.dmp

Download
memory/2032-139-0x00000000734D0000-0x0000000073A81000-memory.dmp

Filesize
5.7MB

Download
memory/3628-132-0x0000000000000000-mapping.dmp

Download
memory/3628-138-0x00000000734D0000-0x0000000073A81000-memory.dmp

Filesize
5.7MB

Download
memory/3628-140-0x00000000734D0000-0x0000000073A81000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads