njrat | d9d60842f711185749339f0fab952a56ee4af7c471f5256c1d76f3a6b1de9cdf

General

Target

d9d60842f711185749339f0fab952a56ee4af7c471f5256c1d76f3a6b1de9cdf.exe
Size

28KB
MD5

08277ffd0604662786bcab74fadb9f58
SHA1

65293437403509b08e9f83f1aa40e62540d35948
SHA256

d9d60842f711185749339f0fab952a56ee4af7c471f5256c1d76f3a6b1de9cdf
SHA512

0d4195f31465083ac69e07633eb183d46c4c10625f176e913ef13b315711f116160c5573f7e67da8731f5505cfe7651e026e2a7541be164644443d0b658673b2
SSDEEP

768:OqbOQqUkKytQPMKDzdkL0OzU0LMqCbQ0e:ka9DeLRelbQ0

Score

10^/10

njrat evasion persistence trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 1 IoCs

pid	Process
1388	Windows.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1192	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\55b3825ee39ada2fcddf7c7accbde69e.exe	Windows.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\55b3825ee39ada2fcddf7c7accbde69e.exe	Windows.exe

Loads dropped DLL 1 IoCs

pid	Process
1072	d9d60842f711185749339f0fab952a56ee4af7c471f5256c1d76f3a6b1de9cdf.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\55b3825ee39ada2fcddf7c7accbde69e = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows.exe\" .."	Windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\55b3825ee39ada2fcddf7c7accbde69e = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows.exe\" .."	Windows.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1388	Windows.exe
1388	Windows.exe
1388	Windows.exe
1388	Windows.exe
1388	Windows.exe
1388	Windows.exe
1388	Windows.exe
1388	Windows.exe
1388	Windows.exe
1388	Windows.exe
1388	Windows.exe
1388	Windows.exe
1388	Windows.exe
1388	Windows.exe
1388	Windows.exe
1388	Windows.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1388	Windows.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 1388	1072	d9d60842f711185749339f0fab952a56ee4af7c471f5256c1d76f3a6b1de9cdf.exe	27
PID 1072 wrote to memory of 1388	1072	d9d60842f711185749339f0fab952a56ee4af7c471f5256c1d76f3a6b1de9cdf.exe	27
PID 1072 wrote to memory of 1388	1072	d9d60842f711185749339f0fab952a56ee4af7c471f5256c1d76f3a6b1de9cdf.exe	27
PID 1072 wrote to memory of 1388	1072	d9d60842f711185749339f0fab952a56ee4af7c471f5256c1d76f3a6b1de9cdf.exe	27
PID 1388 wrote to memory of 1192	1388	Windows.exe	28
PID 1388 wrote to memory of 1192	1388	Windows.exe	28
PID 1388 wrote to memory of 1192	1388	Windows.exe	28
PID 1388 wrote to memory of 1192	1388	Windows.exe	28

C:\Users\Admin\AppData\Local\Temp\d9d60842f711185749339f0fab952a56ee4af7c471f5256c1d76f3a6b1de9cdf.exe
"C:\Users\Admin\AppData\Local\Temp\d9d60842f711185749339f0fab952a56ee4af7c471f5256c1d76f3a6b1de9cdf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Users\Admin\AppData\Local\Temp\Windows.exe
  "C:\Users\Admin\AppData\Local\Temp\Windows.exe"
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Windows.exe" "Windows.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:1192

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Windows.exe

Filesize
28KB

MD5
08277ffd0604662786bcab74fadb9f58

SHA1
65293437403509b08e9f83f1aa40e62540d35948

SHA256
d9d60842f711185749339f0fab952a56ee4af7c471f5256c1d76f3a6b1de9cdf

SHA512
0d4195f31465083ac69e07633eb183d46c4c10625f176e913ef13b315711f116160c5573f7e67da8731f5505cfe7651e026e2a7541be164644443d0b658673b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows.exe

Filesize
28KB

MD5
08277ffd0604662786bcab74fadb9f58

SHA1
65293437403509b08e9f83f1aa40e62540d35948

SHA256
d9d60842f711185749339f0fab952a56ee4af7c471f5256c1d76f3a6b1de9cdf

SHA512
0d4195f31465083ac69e07633eb183d46c4c10625f176e913ef13b315711f116160c5573f7e67da8731f5505cfe7651e026e2a7541be164644443d0b658673b2

Download Submit
\Users\Admin\AppData\Local\Temp\Windows.exe

Filesize
28KB

MD5
08277ffd0604662786bcab74fadb9f58

SHA1
65293437403509b08e9f83f1aa40e62540d35948

SHA256
d9d60842f711185749339f0fab952a56ee4af7c471f5256c1d76f3a6b1de9cdf

SHA512
0d4195f31465083ac69e07633eb183d46c4c10625f176e913ef13b315711f116160c5573f7e67da8731f5505cfe7651e026e2a7541be164644443d0b658673b2

Download Submit
memory/1072-54-0x0000000074C91000-0x0000000074C93000-memory.dmp

Filesize
8KB

Download
memory/1072-55-0x00000000740E0000-0x000000007468B000-memory.dmp

Filesize
5.7MB

Download
memory/1072-62-0x00000000740E0000-0x000000007468B000-memory.dmp

Filesize
5.7MB

Download
memory/1388-64-0x00000000740E0000-0x000000007468B000-memory.dmp

Filesize
5.7MB

Download
memory/1388-65-0x00000000740E0000-0x000000007468B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing