njrat | 87d5c774d22c8dfadb5268e50c2ece41216513685b0561422cade08acb7cd8f7

General

Target

87d5c774d22c8dfadb5268e50c2ece41216513685b0561422cade08acb7cd8f7.exe
Size

329KB
MD5

288a4b7588e9a76eb5c5ebfeda862246
SHA1

978f19856a3498c4bf47a39698d90c3e4d2baa4c
SHA256

87d5c774d22c8dfadb5268e50c2ece41216513685b0561422cade08acb7cd8f7
SHA512

86b626f2f1d7f0b68d25d1a91f6f1569630f0c7d354b5fef32640224bdc6a50ee0049c2c1fad7aed9a5d1638d346bc9e5853b22c8d6fc78cc40afe9b9588fe94
SSDEEP

6144:3xTM7GKkAvRgt5fD2ywM9r6o/AT59zMXd:NBYyfD2A9mS859YXd

Score

10^/10

njrat evasion persistence trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

server.exe

pid process

2500 server.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

2788 netsh.exe

pid	process
2500	server.exe

pid	process
2788	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

87d5c774d22c8dfadb5268e50c2ece41216513685b0561422cade08acb7cd8f7.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	87d5c774d22c8dfadb5268e50c2ece41216513685b0561422cade08acb7cd8f7.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

server.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\87173d0078b7305a3dec8884347c9601 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\87173d0078b7305a3dec8884347c9601 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

87d5c774d22c8dfadb5268e50c2ece41216513685b0561422cade08acb7cd8f7.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	87d5c774d22c8dfadb5268e50c2ece41216513685b0561422cade08acb7cd8f7.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	87d5c774d22c8dfadb5268e50c2ece41216513685b0561422cade08acb7cd8f7.exe

Drops file in Windows directory 3 IoCs

Processes:

87d5c774d22c8dfadb5268e50c2ece41216513685b0561422cade08acb7cd8f7.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	87d5c774d22c8dfadb5268e50c2ece41216513685b0561422cade08acb7cd8f7.exe
File created	C:\Windows\assembly\Desktop.ini	87d5c774d22c8dfadb5268e50c2ece41216513685b0561422cade08acb7cd8f7.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	87d5c774d22c8dfadb5268e50c2ece41216513685b0561422cade08acb7cd8f7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

87d5c774d22c8dfadb5268e50c2ece41216513685b0561422cade08acb7cd8f7.exeserver.exe

description	pid	process
Token: SeDebugPrivilege	1828	87d5c774d22c8dfadb5268e50c2ece41216513685b0561422cade08acb7cd8f7.exe
Token: 33	1828	87d5c774d22c8dfadb5268e50c2ece41216513685b0561422cade08acb7cd8f7.exe
Token: SeIncBasePriorityPrivilege	1828	87d5c774d22c8dfadb5268e50c2ece41216513685b0561422cade08acb7cd8f7.exe
Token: SeDebugPrivilege	2500	server.exe
Token: 33	2500	server.exe
Token: SeIncBasePriorityPrivilege	2500	server.exe
Token: 33	2500	server.exe
Token: SeIncBasePriorityPrivilege	2500	server.exe
Token: 33	2500	server.exe
Token: SeIncBasePriorityPrivilege	2500	server.exe
Token: 33	2500	server.exe
Token: SeIncBasePriorityPrivilege	2500	server.exe
Token: 33	2500	server.exe
Token: SeIncBasePriorityPrivilege	2500	server.exe
Token: 33	2500	server.exe
Token: SeIncBasePriorityPrivilege	2500	server.exe
Token: 33	2500	server.exe
Token: SeIncBasePriorityPrivilege	2500	server.exe
Token: 33	2500	server.exe
Token: SeIncBasePriorityPrivilege	2500	server.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

87d5c774d22c8dfadb5268e50c2ece41216513685b0561422cade08acb7cd8f7.exeserver.exe

description	pid	process	target process
PID 1828 wrote to memory of 2500	1828	87d5c774d22c8dfadb5268e50c2ece41216513685b0561422cade08acb7cd8f7.exe	server.exe
PID 1828 wrote to memory of 2500	1828	87d5c774d22c8dfadb5268e50c2ece41216513685b0561422cade08acb7cd8f7.exe	server.exe
PID 2500 wrote to memory of 2788	2500	server.exe	netsh.exe
PID 2500 wrote to memory of 2788	2500	server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\87d5c774d22c8dfadb5268e50c2ece41216513685b0561422cade08acb7cd8f7.exe
"C:\Users\Admin\AppData\Local\Temp\87d5c774d22c8dfadb5268e50c2ece41216513685b0561422cade08acb7cd8f7.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1828

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2500

C:\Windows\SYSTEM32\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:2788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
329KB

MD5
288a4b7588e9a76eb5c5ebfeda862246

SHA1
978f19856a3498c4bf47a39698d90c3e4d2baa4c

SHA256
87d5c774d22c8dfadb5268e50c2ece41216513685b0561422cade08acb7cd8f7

SHA512
86b626f2f1d7f0b68d25d1a91f6f1569630f0c7d354b5fef32640224bdc6a50ee0049c2c1fad7aed9a5d1638d346bc9e5853b22c8d6fc78cc40afe9b9588fe94

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
329KB

MD5
288a4b7588e9a76eb5c5ebfeda862246

SHA1
978f19856a3498c4bf47a39698d90c3e4d2baa4c

SHA256
87d5c774d22c8dfadb5268e50c2ece41216513685b0561422cade08acb7cd8f7

SHA512
86b626f2f1d7f0b68d25d1a91f6f1569630f0c7d354b5fef32640224bdc6a50ee0049c2c1fad7aed9a5d1638d346bc9e5853b22c8d6fc78cc40afe9b9588fe94

Download Submit
memory/1828-132-0x000000001B4C0000-0x000000001BEF6000-memory.dmp

Filesize
10.2MB

Download
memory/2500-133-0x0000000000000000-mapping.dmp

Download
memory/2500-136-0x000000001B4A0000-0x000000001BED6000-memory.dmp

Filesize
10.2MB

Download
memory/2788-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads