njrat | 7c1da15f0ece0569c6e3e519da31a28a263e9165f3cb8b2baa9217f4a2a8b216

General

Target

7c1da15f0ece0569c6e3e519da31a28a263e9165f3cb8b2baa9217f4a2a8b216.exe
Size

1.1MB
MD5

096089cdbbc61542b24ce5d00a1b76a9
SHA1

5d8d67505bff5a07f432ced6e8a35efd3ea63d8f
SHA256

7c1da15f0ece0569c6e3e519da31a28a263e9165f3cb8b2baa9217f4a2a8b216
SHA512

11ff3ed9f0d2c3dddcd4c59aed6b347b9d7a685a2c15bbd7a0168ac6a46386139406f3da13bbf40b3012107e96a5dff34b886e89d474fe9335a223311440b3de
SSDEEP

12288:YvPsAn6QPRifzMFfdlowDvkMes7Wu3UDE4hPJm7sdrbdPjCNUWQRIEpozv9je8wH:GsS/KLs70xtLPC24cbLgcbL

Score

10^/10

njrat evasion persistence trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 2 IoCs

pid	Process
1772	LocalAdnGXIyVlt.exe
1324	explorer.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1732	netsh.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\0300341e4d2c6865c9eb8b03731df96a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\explorer.exe\" .."	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0300341e4d2c6865c9eb8b03731df96a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\explorer.exe\" .."	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	1324	explorer.exe
Token: 33	1324	explorer.exe
Token: SeIncBasePriorityPrivilege	1324	explorer.exe
Token: 33	1324	explorer.exe
Token: SeIncBasePriorityPrivilege	1324	explorer.exe
Token: 33	1324	explorer.exe
Token: SeIncBasePriorityPrivilege	1324	explorer.exe
Token: 33	1324	explorer.exe
Token: SeIncBasePriorityPrivilege	1324	explorer.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1160 wrote to memory of 1772	1160	7c1da15f0ece0569c6e3e519da31a28a263e9165f3cb8b2baa9217f4a2a8b216.exe	26
PID 1160 wrote to memory of 1772	1160	7c1da15f0ece0569c6e3e519da31a28a263e9165f3cb8b2baa9217f4a2a8b216.exe	26
PID 1160 wrote to memory of 1772	1160	7c1da15f0ece0569c6e3e519da31a28a263e9165f3cb8b2baa9217f4a2a8b216.exe	26
PID 1772 wrote to memory of 1324	1772	LocalAdnGXIyVlt.exe	27
PID 1772 wrote to memory of 1324	1772	LocalAdnGXIyVlt.exe	27
PID 1772 wrote to memory of 1324	1772	LocalAdnGXIyVlt.exe	27
PID 1324 wrote to memory of 1732	1324	explorer.exe	28
PID 1324 wrote to memory of 1732	1324	explorer.exe	28
PID 1324 wrote to memory of 1732	1324	explorer.exe	28

C:\Users\Admin\AppData\Local\Temp\7c1da15f0ece0569c6e3e519da31a28a263e9165f3cb8b2baa9217f4a2a8b216.exe
"C:\Users\Admin\AppData\Local\Temp\7c1da15f0ece0569c6e3e519da31a28a263e9165f3cb8b2baa9217f4a2a8b216.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Users\Admin\AppData\LocalAdnGXIyVlt.exe
  "C:\Users\Admin\AppData\LocalAdnGXIyVlt.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1772
- - C:\Users\Admin\AppData\Local\Temp\explorer.exe
    "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1324
  - - C:\Windows\system32\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\explorer.exe" "explorer.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:1732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalAdnGXIyVlt.exe

Filesize
951KB

MD5
e2b4b7c06ce3eca813ffdfdcc25d79f0

SHA1
710b6edc080d575593ebe433f5372c517ef4a738

SHA256
fab1813a03c499a181b1563a077134c159b68ffdf93022b1e904dbac6f571d5b

SHA512
f2fb33e37fd878531686606e5f7b57e333360b5ec8cf1e9b98b5ddb42b594b88cee008dc086f11037c37390125646c55873bc46373d186474a91b8ec472efe87

Download Submit
C:\Users\Admin\AppData\LocalAdnGXIyVlt.exe

Filesize
951KB

MD5
e2b4b7c06ce3eca813ffdfdcc25d79f0

SHA1
710b6edc080d575593ebe433f5372c517ef4a738

SHA256
fab1813a03c499a181b1563a077134c159b68ffdf93022b1e904dbac6f571d5b

SHA512
f2fb33e37fd878531686606e5f7b57e333360b5ec8cf1e9b98b5ddb42b594b88cee008dc086f11037c37390125646c55873bc46373d186474a91b8ec472efe87

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
951KB

MD5
e2b4b7c06ce3eca813ffdfdcc25d79f0

SHA1
710b6edc080d575593ebe433f5372c517ef4a738

SHA256
fab1813a03c499a181b1563a077134c159b68ffdf93022b1e904dbac6f571d5b

SHA512
f2fb33e37fd878531686606e5f7b57e333360b5ec8cf1e9b98b5ddb42b594b88cee008dc086f11037c37390125646c55873bc46373d186474a91b8ec472efe87

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
951KB

MD5
e2b4b7c06ce3eca813ffdfdcc25d79f0

SHA1
710b6edc080d575593ebe433f5372c517ef4a738

SHA256
fab1813a03c499a181b1563a077134c159b68ffdf93022b1e904dbac6f571d5b

SHA512
f2fb33e37fd878531686606e5f7b57e333360b5ec8cf1e9b98b5ddb42b594b88cee008dc086f11037c37390125646c55873bc46373d186474a91b8ec472efe87

Download Submit
memory/1160-54-0x000007FEF37A0000-0x000007FEF41C3000-memory.dmp

Filesize
10.1MB

Download
memory/1160-55-0x000007FEFBB21000-0x000007FEFBB23000-memory.dmp

Filesize
8KB

Download
memory/1324-67-0x0000000000300000-0x00000000003F4000-memory.dmp

Filesize
976KB

Download
memory/1772-61-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/1772-62-0x00000000005A0000-0x00000000005AC000-memory.dmp

Filesize
48KB

Download
memory/1772-60-0x0000000000240000-0x000000000024A000-memory.dmp

Filesize
40KB

Download
memory/1772-59-0x0000000000360000-0x0000000000454000-memory.dmp

Filesize
976KB

Download

Analysis

Sharing