njrat | 1c1e6128738f90d0a77248880efd9bc9b9255d5a5625b05fe609ced943de900a

General

Target

1c1e6128738f90d0a77248880efd9bc9b9255d5a5625b05fe609ced943de900a.exe
Size

641KB
MD5

0f90df5bc5729687c185b625c884173a
SHA1

5c313bd0d43e9fc04de3be43546bf598a741c86b
SHA256

1c1e6128738f90d0a77248880efd9bc9b9255d5a5625b05fe609ced943de900a
SHA512

012a1d3160cac0f076d2ca00ba0a01f6e6d99f42e184cc3dfd5f5366d44642cb1fe0995bf7311f0428cad472df58544fd89265ff0865cbdca2117f0c015eeaa6
SSDEEP

6144:zYQT9dfbLIqMIgGkQ5wwa4RoqQtvlsOk0pM/SbURs4joY5iyk4AAoOQATLo:Ecdfbsq7bip4RdSSEF4Dib4z

Score

10^/10

njrat evasion persistence trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

winlogon.exe

pid process

2216 winlogon.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1292 netsh.exe

pid	process
2216	winlogon.exe

pid	process
1292	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1c1e6128738f90d0a77248880efd9bc9b9255d5a5625b05fe609ced943de900a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	1c1e6128738f90d0a77248880efd9bc9b9255d5a5625b05fe609ced943de900a.exe

Drops startup file 2 IoCs

Processes:

winlogon.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ccaba534c83a00018d8c7c4e6116f22c.exe	winlogon.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ccaba534c83a00018d8c7c4e6116f22c.exe	winlogon.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

winlogon.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ccaba534c83a00018d8c7c4e6116f22c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\winlogon.exe\" .."	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ccaba534c83a00018d8c7c4e6116f22c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\winlogon.exe\" .."	winlogon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

winlogon.exe

description	pid	process
Token: SeDebugPrivilege	2216	winlogon.exe
Token: 33	2216	winlogon.exe
Token: SeIncBasePriorityPrivilege	2216	winlogon.exe
Token: 33	2216	winlogon.exe
Token: SeIncBasePriorityPrivilege	2216	winlogon.exe
Token: 33	2216	winlogon.exe
Token: SeIncBasePriorityPrivilege	2216	winlogon.exe
Token: 33	2216	winlogon.exe
Token: SeIncBasePriorityPrivilege	2216	winlogon.exe
Token: 33	2216	winlogon.exe
Token: SeIncBasePriorityPrivilege	2216	winlogon.exe
Token: 33	2216	winlogon.exe
Token: SeIncBasePriorityPrivilege	2216	winlogon.exe
Token: 33	2216	winlogon.exe
Token: SeIncBasePriorityPrivilege	2216	winlogon.exe
Token: 33	2216	winlogon.exe
Token: SeIncBasePriorityPrivilege	2216	winlogon.exe
Token: 33	2216	winlogon.exe
Token: SeIncBasePriorityPrivilege	2216	winlogon.exe
Token: 33	2216	winlogon.exe
Token: SeIncBasePriorityPrivilege	2216	winlogon.exe
Token: 33	2216	winlogon.exe
Token: SeIncBasePriorityPrivilege	2216	winlogon.exe
Token: 33	2216	winlogon.exe
Token: SeIncBasePriorityPrivilege	2216	winlogon.exe
Token: 33	2216	winlogon.exe
Token: SeIncBasePriorityPrivilege	2216	winlogon.exe
Token: 33	2216	winlogon.exe
Token: SeIncBasePriorityPrivilege	2216	winlogon.exe
Token: 33	2216	winlogon.exe
Token: SeIncBasePriorityPrivilege	2216	winlogon.exe
Token: 33	2216	winlogon.exe
Token: SeIncBasePriorityPrivilege	2216	winlogon.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

1c1e6128738f90d0a77248880efd9bc9b9255d5a5625b05fe609ced943de900a.exewinlogon.exe

description	pid	process	target process
PID 1688 wrote to memory of 2216	1688	1c1e6128738f90d0a77248880efd9bc9b9255d5a5625b05fe609ced943de900a.exe	winlogon.exe
PID 1688 wrote to memory of 2216	1688	1c1e6128738f90d0a77248880efd9bc9b9255d5a5625b05fe609ced943de900a.exe	winlogon.exe
PID 2216 wrote to memory of 1292	2216	winlogon.exe	netsh.exe
PID 2216 wrote to memory of 1292	2216	winlogon.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\1c1e6128738f90d0a77248880efd9bc9b9255d5a5625b05fe609ced943de900a.exe
"C:\Users\Admin\AppData\Local\Temp\1c1e6128738f90d0a77248880efd9bc9b9255d5a5625b05fe609ced943de900a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1688

C:\Users\Admin\AppData\Local\Temp\winlogon.exe
"C:\Users\Admin\AppData\Local\Temp\winlogon.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2216

C:\Windows\SYSTEM32\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\winlogon.exe" "winlogon.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:1292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\winlogon.exe
Filesize
641KB

MD5
0f90df5bc5729687c185b625c884173a

SHA1
5c313bd0d43e9fc04de3be43546bf598a741c86b

SHA256
1c1e6128738f90d0a77248880efd9bc9b9255d5a5625b05fe609ced943de900a

SHA512
012a1d3160cac0f076d2ca00ba0a01f6e6d99f42e184cc3dfd5f5366d44642cb1fe0995bf7311f0428cad472df58544fd89265ff0865cbdca2117f0c015eeaa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\winlogon.exe
Filesize
641KB

MD5
0f90df5bc5729687c185b625c884173a

SHA1
5c313bd0d43e9fc04de3be43546bf598a741c86b

SHA256
1c1e6128738f90d0a77248880efd9bc9b9255d5a5625b05fe609ced943de900a

SHA512
012a1d3160cac0f076d2ca00ba0a01f6e6d99f42e184cc3dfd5f5366d44642cb1fe0995bf7311f0428cad472df58544fd89265ff0865cbdca2117f0c015eeaa6

Download Submit
memory/1292-139-0x0000000000000000-mapping.dmp

Download
memory/1688-132-0x00000000004B0000-0x0000000000556000-memory.dmp

Filesize
664KB

Download
memory/1688-133-0x00007FF82DF10000-0x00007FF82E9D1000-memory.dmp

Filesize
10.8MB

Download
memory/1688-137-0x00007FF82DF10000-0x00007FF82E9D1000-memory.dmp

Filesize
10.8MB

Download
memory/2216-134-0x0000000000000000-mapping.dmp

Download
memory/2216-138-0x00007FF82DF10000-0x00007FF82E9D1000-memory.dmp

Filesize
10.8MB

Download
memory/2216-140-0x00007FF82DF10000-0x00007FF82E9D1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads