njrat | 6d5be80d083506c5e745dc043efc9f900c2a6bb22faa3ab64ca66e0f17e04b80

General

Target

6d5be80d083506c5e745dc043efc9f900c2a6bb22faa3ab64ca66e0f17e04b80.exe
Size

566KB
MD5

7cd871c5dae7dfee205ac811f0d461d7
SHA1

9d564accbfefafeda236574750a4dcb481e187fa
SHA256

6d5be80d083506c5e745dc043efc9f900c2a6bb22faa3ab64ca66e0f17e04b80
SHA512

f3834257535c252aac281ff8633c30dd599d1718ff85b1019e4eeabf59634680f75bd077af9f5c4092c1a70e5c5ffc9bc2d9762798212f4ac385bf62327218e4
SSDEEP

6144:12Or9Pk3/JxlpKI0ByUPiV8+AsGHDY+5l+anN40ty2or87P9U3ERvYb:5JEJP0TB76uJDf5lTnqe7q3sY

Score

10^/10

njrat evasion persistence trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

System32.exe

pid process

4544 System32.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

4948 netsh.exe

pid	process
4544	System32.exe

pid	process
4948	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6d5be80d083506c5e745dc043efc9f900c2a6bb22faa3ab64ca66e0f17e04b80.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	6d5be80d083506c5e745dc043efc9f900c2a6bb22faa3ab64ca66e0f17e04b80.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

System32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\71a16e0d6a04e0ba117f99d08d98d3fc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System32.exe\" .."	System32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\71a16e0d6a04e0ba117f99d08d98d3fc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System32.exe\" .."	System32.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

6d5be80d083506c5e745dc043efc9f900c2a6bb22faa3ab64ca66e0f17e04b80.exe

description	ioc	process
File opened for modification	C:\Windows\assembly\Desktop.ini	6d5be80d083506c5e745dc043efc9f900c2a6bb22faa3ab64ca66e0f17e04b80.exe
File created	C:\Windows\assembly\Desktop.ini	6d5be80d083506c5e745dc043efc9f900c2a6bb22faa3ab64ca66e0f17e04b80.exe

Drops file in Windows directory 3 IoCs

Processes:

6d5be80d083506c5e745dc043efc9f900c2a6bb22faa3ab64ca66e0f17e04b80.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	6d5be80d083506c5e745dc043efc9f900c2a6bb22faa3ab64ca66e0f17e04b80.exe
File created	C:\Windows\assembly\Desktop.ini	6d5be80d083506c5e745dc043efc9f900c2a6bb22faa3ab64ca66e0f17e04b80.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	6d5be80d083506c5e745dc043efc9f900c2a6bb22faa3ab64ca66e0f17e04b80.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

6d5be80d083506c5e745dc043efc9f900c2a6bb22faa3ab64ca66e0f17e04b80.exeSystem32.exe

description	pid	process
Token: SeDebugPrivilege	4028	6d5be80d083506c5e745dc043efc9f900c2a6bb22faa3ab64ca66e0f17e04b80.exe
Token: 33	4028	6d5be80d083506c5e745dc043efc9f900c2a6bb22faa3ab64ca66e0f17e04b80.exe
Token: SeIncBasePriorityPrivilege	4028	6d5be80d083506c5e745dc043efc9f900c2a6bb22faa3ab64ca66e0f17e04b80.exe
Token: SeDebugPrivilege	4544	System32.exe
Token: 33	4544	System32.exe
Token: SeIncBasePriorityPrivilege	4544	System32.exe
Token: 33	4544	System32.exe
Token: SeIncBasePriorityPrivilege	4544	System32.exe
Token: 33	4544	System32.exe
Token: SeIncBasePriorityPrivilege	4544	System32.exe
Token: 33	4544	System32.exe
Token: SeIncBasePriorityPrivilege	4544	System32.exe
Token: 33	4544	System32.exe
Token: SeIncBasePriorityPrivilege	4544	System32.exe
Token: 33	4544	System32.exe
Token: SeIncBasePriorityPrivilege	4544	System32.exe
Token: 33	4544	System32.exe
Token: SeIncBasePriorityPrivilege	4544	System32.exe
Token: 33	4544	System32.exe
Token: SeIncBasePriorityPrivilege	4544	System32.exe
Token: 33	4544	System32.exe
Token: SeIncBasePriorityPrivilege	4544	System32.exe
Token: 33	4544	System32.exe
Token: SeIncBasePriorityPrivilege	4544	System32.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

6d5be80d083506c5e745dc043efc9f900c2a6bb22faa3ab64ca66e0f17e04b80.exeSystem32.exe

description	pid	process	target process
PID 4028 wrote to memory of 4544	4028	6d5be80d083506c5e745dc043efc9f900c2a6bb22faa3ab64ca66e0f17e04b80.exe	System32.exe
PID 4028 wrote to memory of 4544	4028	6d5be80d083506c5e745dc043efc9f900c2a6bb22faa3ab64ca66e0f17e04b80.exe	System32.exe
PID 4544 wrote to memory of 4948	4544	System32.exe	netsh.exe
PID 4544 wrote to memory of 4948	4544	System32.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\6d5be80d083506c5e745dc043efc9f900c2a6bb22faa3ab64ca66e0f17e04b80.exe
"C:\Users\Admin\AppData\Local\Temp\6d5be80d083506c5e745dc043efc9f900c2a6bb22faa3ab64ca66e0f17e04b80.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4028

C:\Users\Admin\AppData\Local\Temp\System32.exe
"C:\Users\Admin\AppData\Local\Temp\System32.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4544

C:\Windows\SYSTEM32\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\System32.exe" "System32.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:4948

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\System32.exe
Filesize
566KB

MD5
7cd871c5dae7dfee205ac811f0d461d7

SHA1
9d564accbfefafeda236574750a4dcb481e187fa

SHA256
6d5be80d083506c5e745dc043efc9f900c2a6bb22faa3ab64ca66e0f17e04b80

SHA512
f3834257535c252aac281ff8633c30dd599d1718ff85b1019e4eeabf59634680f75bd077af9f5c4092c1a70e5c5ffc9bc2d9762798212f4ac385bf62327218e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\System32.exe
Filesize
566KB

MD5
7cd871c5dae7dfee205ac811f0d461d7

SHA1
9d564accbfefafeda236574750a4dcb481e187fa

SHA256
6d5be80d083506c5e745dc043efc9f900c2a6bb22faa3ab64ca66e0f17e04b80

SHA512
f3834257535c252aac281ff8633c30dd599d1718ff85b1019e4eeabf59634680f75bd077af9f5c4092c1a70e5c5ffc9bc2d9762798212f4ac385bf62327218e4

Download Submit
memory/4028-132-0x00007FFE7F8A0000-0x00007FFE802D6000-memory.dmp

Filesize
10.2MB

Download
memory/4544-133-0x0000000000000000-mapping.dmp

Download
memory/4544-136-0x00007FFE7F8A0000-0x00007FFE802D6000-memory.dmp

Filesize
10.2MB

Download
memory/4544-138-0x00000000019BA000-0x00000000019BF000-memory.dmp

Filesize
20KB

Download
memory/4544-139-0x00000000019BA000-0x00000000019BF000-memory.dmp

Filesize
20KB

Download
memory/4948-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads