njrat | 8473acde4d3267b07e41f8eacdda17761b2a0d828d3a7cbaeab2bcab304d250f

General

Target

8473acde4d3267b07e41f8eacdda17761b2a0d828d3a7cbaeab2bcab304d250f.exe
Size

437KB
MD5

6494493746d95598cb1e64b1ed53669c
SHA1

12ed5c845c0b5818c5e7a6c5ff14d007ab50d546
SHA256

8473acde4d3267b07e41f8eacdda17761b2a0d828d3a7cbaeab2bcab304d250f
SHA512

3999294178e5b66961a372d43e0e3d978c79b0375fefe1eca22cfd92dec6c4f8382ad558472147702b5fd1e28decf8e2f328df6c4b2c7c5196c35922b9aec313
SSDEEP

12288:1u5+hCo1m1HOPDq2Owbfjkx0ZkYLt9VkrefM:1e+11m1HOrZbfjpkYLt9erefM

Score

10^/10

njrat evasion persistence trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 3 IoCs

Processes:

jkl.exeMohamed Imad.exeWindows.exe

pid process

4676 jkl.exe
4836 Mohamed Imad.exe
32 Windows.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

3700 netsh.exe

pid	process
4676	jkl.exe
4836	Mohamed Imad.exe
32	Windows.exe

pid	process
3700	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8473acde4d3267b07e41f8eacdda17761b2a0d828d3a7cbaeab2bcab304d250f.exejkl.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	8473acde4d3267b07e41f8eacdda17761b2a0d828d3a7cbaeab2bcab304d250f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	jkl.exe

Drops startup file 2 IoCs

Processes:

Windows.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0637647888fbb2fb9f487f98c143f3b5.exe	Windows.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0637647888fbb2fb9f487f98c143f3b5.exe	Windows.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

jkl.exeWindows.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\jkl.exe"	jkl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\jkl.exe"	Windows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0637647888fbb2fb9f487f98c143f3b5 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows.exe\" .."	Windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0637647888fbb2fb9f487f98c143f3b5 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows.exe\" .."	Windows.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

Windows.exe

description	pid	process
Token: SeDebugPrivilege	32	Windows.exe
Token: 33	32	Windows.exe
Token: SeIncBasePriorityPrivilege	32	Windows.exe
Token: 33	32	Windows.exe
Token: SeIncBasePriorityPrivilege	32	Windows.exe
Token: 33	32	Windows.exe
Token: SeIncBasePriorityPrivilege	32	Windows.exe
Token: 33	32	Windows.exe
Token: SeIncBasePriorityPrivilege	32	Windows.exe
Token: 33	32	Windows.exe
Token: SeIncBasePriorityPrivilege	32	Windows.exe
Token: 33	32	Windows.exe
Token: SeIncBasePriorityPrivilege	32	Windows.exe
Token: 33	32	Windows.exe
Token: SeIncBasePriorityPrivilege	32	Windows.exe
Token: 33	32	Windows.exe
Token: SeIncBasePriorityPrivilege	32	Windows.exe
Token: 33	32	Windows.exe
Token: SeIncBasePriorityPrivilege	32	Windows.exe
Token: 33	32	Windows.exe
Token: SeIncBasePriorityPrivilege	32	Windows.exe
Token: 33	32	Windows.exe
Token: SeIncBasePriorityPrivilege	32	Windows.exe
Token: 33	32	Windows.exe
Token: SeIncBasePriorityPrivilege	32	Windows.exe
Token: 33	32	Windows.exe
Token: SeIncBasePriorityPrivilege	32	Windows.exe
Token: 33	32	Windows.exe
Token: SeIncBasePriorityPrivilege	32	Windows.exe
Token: 33	32	Windows.exe
Token: SeIncBasePriorityPrivilege	32	Windows.exe
Token: 33	32	Windows.exe
Token: SeIncBasePriorityPrivilege	32	Windows.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

8473acde4d3267b07e41f8eacdda17761b2a0d828d3a7cbaeab2bcab304d250f.exejkl.exeWindows.exe

description	pid	process	target process
PID 860 wrote to memory of 4676	860	8473acde4d3267b07e41f8eacdda17761b2a0d828d3a7cbaeab2bcab304d250f.exe	jkl.exe
PID 860 wrote to memory of 4676	860	8473acde4d3267b07e41f8eacdda17761b2a0d828d3a7cbaeab2bcab304d250f.exe	jkl.exe
PID 860 wrote to memory of 4836	860	8473acde4d3267b07e41f8eacdda17761b2a0d828d3a7cbaeab2bcab304d250f.exe	Mohamed Imad.exe
PID 860 wrote to memory of 4836	860	8473acde4d3267b07e41f8eacdda17761b2a0d828d3a7cbaeab2bcab304d250f.exe	Mohamed Imad.exe
PID 4676 wrote to memory of 32	4676	jkl.exe	Windows.exe
PID 4676 wrote to memory of 32	4676	jkl.exe	Windows.exe
PID 32 wrote to memory of 3700	32	Windows.exe	netsh.exe
PID 32 wrote to memory of 3700	32	Windows.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\8473acde4d3267b07e41f8eacdda17761b2a0d828d3a7cbaeab2bcab304d250f.exe
"C:\Users\Admin\AppData\Local\Temp\8473acde4d3267b07e41f8eacdda17761b2a0d828d3a7cbaeab2bcab304d250f.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:860

C:\Users\Admin\AppData\Local\Temp\jkl.exe
"C:\Users\Admin\AppData\Local\Temp\jkl.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4676

C:\Users\Admin\AppData\Local\Temp\Windows.exe
"C:\Users\Admin\AppData\Local\Temp\Windows.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:32

C:\Windows\SYSTEM32\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Windows.exe" "Windows.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:3700

C:\Users\Admin\AppData\Local\Temp\Mohamed Imad.exe
"C:\Users\Admin\AppData\Local\Temp\Mohamed Imad.exe"
2⤵
- Executes dropped EXE
PID:4836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Mohamed Imad.exe
Filesize
321KB

MD5
eb078d6d5bc16b89e4468019c55543f8

SHA1
0f0ef59a9e026075cc3c0ee2520e2a2ab3fd25a9

SHA256
47a52ad0963db103f1cf2b8967bc13c85646cd199569ecc9019a714e26d90af8

SHA512
56107bd229b585d56fff839598ebc503ed3cef9ca705b6e931a7331b363dd8a66d57f81bf1bb66e5ac496d4213f38ae7d2239ef2686161d07a97a18d7d25fd06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mohamed Imad.exe
Filesize
321KB

MD5
eb078d6d5bc16b89e4468019c55543f8

SHA1
0f0ef59a9e026075cc3c0ee2520e2a2ab3fd25a9

SHA256
47a52ad0963db103f1cf2b8967bc13c85646cd199569ecc9019a714e26d90af8

SHA512
56107bd229b585d56fff839598ebc503ed3cef9ca705b6e931a7331b363dd8a66d57f81bf1bb66e5ac496d4213f38ae7d2239ef2686161d07a97a18d7d25fd06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows.exe
Filesize
72KB

MD5
c7f7f2f2569396ec7573f6c9af116f00

SHA1
4544ce4257f4f2e3d42b54bd2528cd95c1e2a330

SHA256
37836270f4dbe9f2a3788ab5697c9bdfc560495fbec4025666d6004817780f4e

SHA512
481ad1a77c65fd9236339e879fcf79f2ac25cfae80f027880a40edd5dbab4344f7f939f59335118a792b00e14eb2a53888b03cd36d20a4ffb7af39d56631b394

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows.exe
Filesize
72KB

MD5
c7f7f2f2569396ec7573f6c9af116f00

SHA1
4544ce4257f4f2e3d42b54bd2528cd95c1e2a330

SHA256
37836270f4dbe9f2a3788ab5697c9bdfc560495fbec4025666d6004817780f4e

SHA512
481ad1a77c65fd9236339e879fcf79f2ac25cfae80f027880a40edd5dbab4344f7f939f59335118a792b00e14eb2a53888b03cd36d20a4ffb7af39d56631b394

Download Submit
C:\Users\Admin\AppData\Local\Temp\jkl.exe
Filesize
72KB

MD5
c7f7f2f2569396ec7573f6c9af116f00

SHA1
4544ce4257f4f2e3d42b54bd2528cd95c1e2a330

SHA256
37836270f4dbe9f2a3788ab5697c9bdfc560495fbec4025666d6004817780f4e

SHA512
481ad1a77c65fd9236339e879fcf79f2ac25cfae80f027880a40edd5dbab4344f7f939f59335118a792b00e14eb2a53888b03cd36d20a4ffb7af39d56631b394

Download Submit
C:\Users\Admin\AppData\Local\Temp\jkl.exe
Filesize
72KB

MD5
c7f7f2f2569396ec7573f6c9af116f00

SHA1
4544ce4257f4f2e3d42b54bd2528cd95c1e2a330

SHA256
37836270f4dbe9f2a3788ab5697c9bdfc560495fbec4025666d6004817780f4e

SHA512
481ad1a77c65fd9236339e879fcf79f2ac25cfae80f027880a40edd5dbab4344f7f939f59335118a792b00e14eb2a53888b03cd36d20a4ffb7af39d56631b394

Download Submit
memory/32-143-0x00007FF893A10000-0x00007FF894446000-memory.dmp

Filesize
10.2MB

Download
memory/32-140-0x0000000000000000-mapping.dmp

Download
memory/3700-144-0x0000000000000000-mapping.dmp

Download
memory/4676-132-0x0000000000000000-mapping.dmp

Download
memory/4676-139-0x00007FF893A10000-0x00007FF894446000-memory.dmp

Filesize
10.2MB

Download
memory/4836-135-0x0000000000000000-mapping.dmp

Download
memory/4836-138-0x00007FF893A10000-0x00007FF894446000-memory.dmp

Filesize
10.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads