njrat | 3a0fdb8949f5f5783a0ef3009e71039fc74a0da5e691712cee4239ae9ce9f2ff

General

Target

3a0fdb8949f5f5783a0ef3009e71039fc74a0da5e691712cee4239ae9ce9f2ff.exe
Size

181KB
MD5

cee647a4ac53946dedff90ba3c406674
SHA1

53ce72e3726de9c0eb4e6e6f7c569ac210c789e4
SHA256

3a0fdb8949f5f5783a0ef3009e71039fc74a0da5e691712cee4239ae9ce9f2ff
SHA512

9c728f58876ada1ce505f7780f71770d6b467222bf28b3a316c4053e50413f77d2aa78b59b5642a80acf1caeaba98133b30354e07b2ab2262488c1a962b0de73
SSDEEP

3072:y7lUBMjrEoqCZbI3//Be/elqW3jcrrI0m0JGLUPiV8+/PgsGHDY+TM0DSKk:C2Or9Pk3/JxlpKI0ByUPiV8+AsGHDY+L

Score

10^/10

njrat evasion persistence trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

System32.exe

pid process

1136 System32.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

2104 netsh.exe

pid	process
1136	System32.exe

pid	process
2104	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3a0fdb8949f5f5783a0ef3009e71039fc74a0da5e691712cee4239ae9ce9f2ff.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	3a0fdb8949f5f5783a0ef3009e71039fc74a0da5e691712cee4239ae9ce9f2ff.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

System32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\71a16e0d6a04e0ba117f99d08d98d3fc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System32.exe\" .."	System32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\71a16e0d6a04e0ba117f99d08d98d3fc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System32.exe\" .."	System32.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

3a0fdb8949f5f5783a0ef3009e71039fc74a0da5e691712cee4239ae9ce9f2ff.exe

description	ioc	process
File opened for modification	C:\Windows\assembly\Desktop.ini	3a0fdb8949f5f5783a0ef3009e71039fc74a0da5e691712cee4239ae9ce9f2ff.exe
File created	C:\Windows\assembly\Desktop.ini	3a0fdb8949f5f5783a0ef3009e71039fc74a0da5e691712cee4239ae9ce9f2ff.exe

Drops file in Windows directory 3 IoCs

Processes:

3a0fdb8949f5f5783a0ef3009e71039fc74a0da5e691712cee4239ae9ce9f2ff.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	3a0fdb8949f5f5783a0ef3009e71039fc74a0da5e691712cee4239ae9ce9f2ff.exe
File created	C:\Windows\assembly\Desktop.ini	3a0fdb8949f5f5783a0ef3009e71039fc74a0da5e691712cee4239ae9ce9f2ff.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	3a0fdb8949f5f5783a0ef3009e71039fc74a0da5e691712cee4239ae9ce9f2ff.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

3a0fdb8949f5f5783a0ef3009e71039fc74a0da5e691712cee4239ae9ce9f2ff.exeSystem32.exe

description	pid	process
Token: SeDebugPrivilege	4204	3a0fdb8949f5f5783a0ef3009e71039fc74a0da5e691712cee4239ae9ce9f2ff.exe
Token: 33	4204	3a0fdb8949f5f5783a0ef3009e71039fc74a0da5e691712cee4239ae9ce9f2ff.exe
Token: SeIncBasePriorityPrivilege	4204	3a0fdb8949f5f5783a0ef3009e71039fc74a0da5e691712cee4239ae9ce9f2ff.exe
Token: SeDebugPrivilege	1136	System32.exe
Token: 33	1136	System32.exe
Token: SeIncBasePriorityPrivilege	1136	System32.exe
Token: 33	1136	System32.exe
Token: SeIncBasePriorityPrivilege	1136	System32.exe
Token: 33	1136	System32.exe
Token: SeIncBasePriorityPrivilege	1136	System32.exe
Token: 33	1136	System32.exe
Token: SeIncBasePriorityPrivilege	1136	System32.exe
Token: 33	1136	System32.exe
Token: SeIncBasePriorityPrivilege	1136	System32.exe
Token: 33	1136	System32.exe
Token: SeIncBasePriorityPrivilege	1136	System32.exe
Token: 33	1136	System32.exe
Token: SeIncBasePriorityPrivilege	1136	System32.exe
Token: 33	1136	System32.exe
Token: SeIncBasePriorityPrivilege	1136	System32.exe
Token: 33	1136	System32.exe
Token: SeIncBasePriorityPrivilege	1136	System32.exe
Token: 33	1136	System32.exe
Token: SeIncBasePriorityPrivilege	1136	System32.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

3a0fdb8949f5f5783a0ef3009e71039fc74a0da5e691712cee4239ae9ce9f2ff.exeSystem32.exe

description	pid	process	target process
PID 4204 wrote to memory of 1136	4204	3a0fdb8949f5f5783a0ef3009e71039fc74a0da5e691712cee4239ae9ce9f2ff.exe	System32.exe
PID 4204 wrote to memory of 1136	4204	3a0fdb8949f5f5783a0ef3009e71039fc74a0da5e691712cee4239ae9ce9f2ff.exe	System32.exe
PID 1136 wrote to memory of 2104	1136	System32.exe	netsh.exe
PID 1136 wrote to memory of 2104	1136	System32.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\3a0fdb8949f5f5783a0ef3009e71039fc74a0da5e691712cee4239ae9ce9f2ff.exe
"C:\Users\Admin\AppData\Local\Temp\3a0fdb8949f5f5783a0ef3009e71039fc74a0da5e691712cee4239ae9ce9f2ff.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4204

C:\Users\Admin\AppData\Local\Temp\System32.exe
"C:\Users\Admin\AppData\Local\Temp\System32.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1136

C:\Windows\SYSTEM32\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\System32.exe" "System32.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:2104

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\System32.exe
Filesize
181KB

MD5
cee647a4ac53946dedff90ba3c406674

SHA1
53ce72e3726de9c0eb4e6e6f7c569ac210c789e4

SHA256
3a0fdb8949f5f5783a0ef3009e71039fc74a0da5e691712cee4239ae9ce9f2ff

SHA512
9c728f58876ada1ce505f7780f71770d6b467222bf28b3a316c4053e50413f77d2aa78b59b5642a80acf1caeaba98133b30354e07b2ab2262488c1a962b0de73

Download Submit
C:\Users\Admin\AppData\Local\Temp\System32.exe
Filesize
181KB

MD5
cee647a4ac53946dedff90ba3c406674

SHA1
53ce72e3726de9c0eb4e6e6f7c569ac210c789e4

SHA256
3a0fdb8949f5f5783a0ef3009e71039fc74a0da5e691712cee4239ae9ce9f2ff

SHA512
9c728f58876ada1ce505f7780f71770d6b467222bf28b3a316c4053e50413f77d2aa78b59b5642a80acf1caeaba98133b30354e07b2ab2262488c1a962b0de73

Download Submit
memory/1136-133-0x0000000000000000-mapping.dmp

Download
memory/1136-136-0x00007FFBE95F0000-0x00007FFBEA026000-memory.dmp

Filesize
10.2MB

Download
memory/1136-138-0x000000000167A000-0x000000000167F000-memory.dmp

Filesize
20KB

Download
memory/1136-139-0x000000000167A000-0x000000000167F000-memory.dmp

Filesize
20KB

Download
memory/2104-137-0x0000000000000000-mapping.dmp

Download
memory/4204-132-0x00007FFBE95F0000-0x00007FFBEA026000-memory.dmp

Filesize
10.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads