njrat | 3fceca06b23324873f12b745a349bdff3567850f40687786c4e4f0aa789efe03

General

Target

3fceca06b23324873f12b745a349bdff3567850f40687786c4e4f0aa789efe03.exe
Size

131KB
MD5

7172970c5f7feaeefea7dce05c77ec99
SHA1

d54ab0a54b0eea89ab205f4eefa3455129a3fcd9
SHA256

3fceca06b23324873f12b745a349bdff3567850f40687786c4e4f0aa789efe03
SHA512

2140f2fe551c1ec6409d6ccf292e9db02f89ac927d3f706925ed7143df73fe04c3e4ab0759125fd22702e62b1b46b0827168ed4716371b873a9ed2176898ff34
SSDEEP

1536:0ypZ/A6HjKnbI66LazSel7tRW03TU4+DW8U2qdbsAqO+064RPT515KE6:bqjnbI7OBYwT+DWZsD0bTT

Score

10^/10

njrat evasion persistence trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

Download Counter Strike 1.6.0.exe

pid process

1868 Download Counter Strike 1.6.0.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1640 netsh.exe

pid	process
1640	netsh.exe

Drops startup file 2 IoCs

Processes:

Download Counter Strike 1.6.0.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\952ab70ddf0342a102f09a13e6367596.exe	Download Counter Strike 1.6.0.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\952ab70ddf0342a102f09a13e6367596.exe	Download Counter Strike 1.6.0.exe

Loads dropped DLL 1 IoCs

Processes:

3fceca06b23324873f12b745a349bdff3567850f40687786c4e4f0aa789efe03.exe

pid process

1720 3fceca06b23324873f12b745a349bdff3567850f40687786c4e4f0aa789efe03.exe

pid	process
1720	3fceca06b23324873f12b745a349bdff3567850f40687786c4e4f0aa789efe03.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Download Counter Strike 1.6.0.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\952ab70ddf0342a102f09a13e6367596 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Download Counter Strike 1.6.0.exe\" .."	Download Counter Strike 1.6.0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\952ab70ddf0342a102f09a13e6367596 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Download Counter Strike 1.6.0.exe\" .."	Download Counter Strike 1.6.0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

Download Counter Strike 1.6.0.exe

pid	process
1868	Download Counter Strike 1.6.0.exe
1868	Download Counter Strike 1.6.0.exe
1868	Download Counter Strike 1.6.0.exe
1868	Download Counter Strike 1.6.0.exe
1868	Download Counter Strike 1.6.0.exe
1868	Download Counter Strike 1.6.0.exe
1868	Download Counter Strike 1.6.0.exe
1868	Download Counter Strike 1.6.0.exe
1868	Download Counter Strike 1.6.0.exe
1868	Download Counter Strike 1.6.0.exe
1868	Download Counter Strike 1.6.0.exe
1868	Download Counter Strike 1.6.0.exe
1868	Download Counter Strike 1.6.0.exe
1868	Download Counter Strike 1.6.0.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Download Counter Strike 1.6.0.exe

description pid process

Token: SeDebugPrivilege 1868 Download Counter Strike 1.6.0.exe

description	pid	process
Token: SeDebugPrivilege	1868	Download Counter Strike 1.6.0.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

3fceca06b23324873f12b745a349bdff3567850f40687786c4e4f0aa789efe03.exeDownload Counter Strike 1.6.0.exe

description	pid	process	target process
PID 1720 wrote to memory of 1868	1720	3fceca06b23324873f12b745a349bdff3567850f40687786c4e4f0aa789efe03.exe	Download Counter Strike 1.6.0.exe
PID 1720 wrote to memory of 1868	1720	3fceca06b23324873f12b745a349bdff3567850f40687786c4e4f0aa789efe03.exe	Download Counter Strike 1.6.0.exe
PID 1720 wrote to memory of 1868	1720	3fceca06b23324873f12b745a349bdff3567850f40687786c4e4f0aa789efe03.exe	Download Counter Strike 1.6.0.exe
PID 1720 wrote to memory of 1868	1720	3fceca06b23324873f12b745a349bdff3567850f40687786c4e4f0aa789efe03.exe	Download Counter Strike 1.6.0.exe
PID 1868 wrote to memory of 1640	1868	Download Counter Strike 1.6.0.exe	netsh.exe
PID 1868 wrote to memory of 1640	1868	Download Counter Strike 1.6.0.exe	netsh.exe
PID 1868 wrote to memory of 1640	1868	Download Counter Strike 1.6.0.exe	netsh.exe
PID 1868 wrote to memory of 1640	1868	Download Counter Strike 1.6.0.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\3fceca06b23324873f12b745a349bdff3567850f40687786c4e4f0aa789efe03.exe
"C:\Users\Admin\AppData\Local\Temp\3fceca06b23324873f12b745a349bdff3567850f40687786c4e4f0aa789efe03.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1720

C:\Users\Admin\AppData\Local\Temp\Download Counter Strike 1.6.0.exe
"C:\Users\Admin\AppData\Local\Temp\Download Counter Strike 1.6.0.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Download Counter Strike 1.6.0.exe" "Download Counter Strike 1.6.0.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:1640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Download Counter Strike 1.6.0.exe
Filesize
131KB

MD5
7172970c5f7feaeefea7dce05c77ec99

SHA1
d54ab0a54b0eea89ab205f4eefa3455129a3fcd9

SHA256
3fceca06b23324873f12b745a349bdff3567850f40687786c4e4f0aa789efe03

SHA512
2140f2fe551c1ec6409d6ccf292e9db02f89ac927d3f706925ed7143df73fe04c3e4ab0759125fd22702e62b1b46b0827168ed4716371b873a9ed2176898ff34

Download Submit
C:\Users\Admin\AppData\Local\Temp\Download Counter Strike 1.6.0.exe
Filesize
131KB

MD5
7172970c5f7feaeefea7dce05c77ec99

SHA1
d54ab0a54b0eea89ab205f4eefa3455129a3fcd9

SHA256
3fceca06b23324873f12b745a349bdff3567850f40687786c4e4f0aa789efe03

SHA512
2140f2fe551c1ec6409d6ccf292e9db02f89ac927d3f706925ed7143df73fe04c3e4ab0759125fd22702e62b1b46b0827168ed4716371b873a9ed2176898ff34

Download Submit
\Users\Admin\AppData\Local\Temp\Download Counter Strike 1.6.0.exe
Filesize
131KB

MD5
7172970c5f7feaeefea7dce05c77ec99

SHA1
d54ab0a54b0eea89ab205f4eefa3455129a3fcd9

SHA256
3fceca06b23324873f12b745a349bdff3567850f40687786c4e4f0aa789efe03

SHA512
2140f2fe551c1ec6409d6ccf292e9db02f89ac927d3f706925ed7143df73fe04c3e4ab0759125fd22702e62b1b46b0827168ed4716371b873a9ed2176898ff34

Download Submit
memory/1640-64-0x0000000000000000-mapping.dmp

Download
memory/1720-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download
memory/1720-55-0x00000000744F0000-0x0000000074A9B000-memory.dmp

Filesize
5.7MB

Download
memory/1720-62-0x00000000744F0000-0x0000000074A9B000-memory.dmp

Filesize
5.7MB

Download
memory/1868-57-0x0000000000000000-mapping.dmp

Download
memory/1868-61-0x00000000744F0000-0x0000000074A9B000-memory.dmp

Filesize
5.7MB

Download
memory/1868-63-0x00000000744F0000-0x0000000074A9B000-memory.dmp

Filesize
5.7MB

Download
memory/1868-66-0x00000000744F0000-0x0000000074A9B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads