njrat | 7c1da15f0ece0569c6e3e519da31a28a263e9165f3cb8b2baa9217f4a2a8b216

General

Target

7c1da15f0ece0569c6e3e519da31a28a263e9165f3cb8b2baa9217f4a2a8b216.exe
Size

1.1MB
MD5

096089cdbbc61542b24ce5d00a1b76a9
SHA1

5d8d67505bff5a07f432ced6e8a35efd3ea63d8f
SHA256

7c1da15f0ece0569c6e3e519da31a28a263e9165f3cb8b2baa9217f4a2a8b216
SHA512

11ff3ed9f0d2c3dddcd4c59aed6b347b9d7a685a2c15bbd7a0168ac6a46386139406f3da13bbf40b3012107e96a5dff34b886e89d474fe9335a223311440b3de
SSDEEP

12288:YvPsAn6QPRifzMFfdlowDvkMes7Wu3UDE4hPJm7sdrbdPjCNUWQRIEpozv9je8wH:GsS/KLs70xtLPC24cbLgcbL

Score

10^/10

njrat evasion persistence trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 2 IoCs

pid	Process
1492	LocalAdnGXIyVlt.exe
4332	explorer.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1328	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7c1da15f0ece0569c6e3e519da31a28a263e9165f3cb8b2baa9217f4a2a8b216.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	LocalAdnGXIyVlt.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0300341e4d2c6865c9eb8b03731df96a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\explorer.exe\" .."	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0300341e4d2c6865c9eb8b03731df96a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\explorer.exe\" .."	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	4332	explorer.exe
Token: 33	4332	explorer.exe
Token: SeIncBasePriorityPrivilege	4332	explorer.exe
Token: 33	4332	explorer.exe
Token: SeIncBasePriorityPrivilege	4332	explorer.exe
Token: 33	4332	explorer.exe
Token: SeIncBasePriorityPrivilege	4332	explorer.exe
Token: 33	4332	explorer.exe
Token: SeIncBasePriorityPrivilege	4332	explorer.exe
Token: 33	4332	explorer.exe
Token: SeIncBasePriorityPrivilege	4332	explorer.exe
Token: 33	4332	explorer.exe
Token: SeIncBasePriorityPrivilege	4332	explorer.exe
Token: 33	4332	explorer.exe
Token: SeIncBasePriorityPrivilege	4332	explorer.exe
Token: 33	4332	explorer.exe
Token: SeIncBasePriorityPrivilege	4332	explorer.exe
Token: 33	4332	explorer.exe
Token: SeIncBasePriorityPrivilege	4332	explorer.exe
Token: 33	4332	explorer.exe
Token: SeIncBasePriorityPrivilege	4332	explorer.exe
Token: 33	4332	explorer.exe
Token: SeIncBasePriorityPrivilege	4332	explorer.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3788 wrote to memory of 1492	3788	7c1da15f0ece0569c6e3e519da31a28a263e9165f3cb8b2baa9217f4a2a8b216.exe	80
PID 3788 wrote to memory of 1492	3788	7c1da15f0ece0569c6e3e519da31a28a263e9165f3cb8b2baa9217f4a2a8b216.exe	80
PID 1492 wrote to memory of 4332	1492	LocalAdnGXIyVlt.exe	81
PID 1492 wrote to memory of 4332	1492	LocalAdnGXIyVlt.exe	81
PID 4332 wrote to memory of 1328	4332	explorer.exe	82
PID 4332 wrote to memory of 1328	4332	explorer.exe	82

C:\Users\Admin\AppData\Local\Temp\7c1da15f0ece0569c6e3e519da31a28a263e9165f3cb8b2baa9217f4a2a8b216.exe
"C:\Users\Admin\AppData\Local\Temp\7c1da15f0ece0569c6e3e519da31a28a263e9165f3cb8b2baa9217f4a2a8b216.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3788
- C:\Users\Admin\AppData\LocalAdnGXIyVlt.exe
  "C:\Users\Admin\AppData\LocalAdnGXIyVlt.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Users\Admin\AppData\Local\Temp\explorer.exe
    "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4332
  - - C:\Windows\SYSTEM32\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\explorer.exe" "explorer.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:1328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalAdnGXIyVlt.exe

Filesize
951KB

MD5
e2b4b7c06ce3eca813ffdfdcc25d79f0

SHA1
710b6edc080d575593ebe433f5372c517ef4a738

SHA256
fab1813a03c499a181b1563a077134c159b68ffdf93022b1e904dbac6f571d5b

SHA512
f2fb33e37fd878531686606e5f7b57e333360b5ec8cf1e9b98b5ddb42b594b88cee008dc086f11037c37390125646c55873bc46373d186474a91b8ec472efe87

Download Submit
C:\Users\Admin\AppData\LocalAdnGXIyVlt.exe

Filesize
951KB

MD5
e2b4b7c06ce3eca813ffdfdcc25d79f0

SHA1
710b6edc080d575593ebe433f5372c517ef4a738

SHA256
fab1813a03c499a181b1563a077134c159b68ffdf93022b1e904dbac6f571d5b

SHA512
f2fb33e37fd878531686606e5f7b57e333360b5ec8cf1e9b98b5ddb42b594b88cee008dc086f11037c37390125646c55873bc46373d186474a91b8ec472efe87

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
951KB

MD5
e2b4b7c06ce3eca813ffdfdcc25d79f0

SHA1
710b6edc080d575593ebe433f5372c517ef4a738

SHA256
fab1813a03c499a181b1563a077134c159b68ffdf93022b1e904dbac6f571d5b

SHA512
f2fb33e37fd878531686606e5f7b57e333360b5ec8cf1e9b98b5ddb42b594b88cee008dc086f11037c37390125646c55873bc46373d186474a91b8ec472efe87

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
951KB

MD5
e2b4b7c06ce3eca813ffdfdcc25d79f0

SHA1
710b6edc080d575593ebe433f5372c517ef4a738

SHA256
fab1813a03c499a181b1563a077134c159b68ffdf93022b1e904dbac6f571d5b

SHA512
f2fb33e37fd878531686606e5f7b57e333360b5ec8cf1e9b98b5ddb42b594b88cee008dc086f11037c37390125646c55873bc46373d186474a91b8ec472efe87

Download Submit
memory/1492-136-0x0000000000850000-0x0000000000944000-memory.dmp

Filesize
976KB

Download
memory/1492-137-0x00007FF9038D0000-0x00007FF904391000-memory.dmp

Filesize
10.8MB

Download
memory/1492-138-0x00007FF9038D0000-0x00007FF904391000-memory.dmp

Filesize
10.8MB

Download
memory/1492-142-0x00007FF9038D0000-0x00007FF904391000-memory.dmp

Filesize
10.8MB

Download
memory/3788-132-0x00007FF9043A0000-0x00007FF904DD6000-memory.dmp

Filesize
10.2MB

Download
memory/4332-143-0x00007FF9038D0000-0x00007FF904391000-memory.dmp

Filesize
10.8MB

Download
memory/4332-145-0x00007FF9038D0000-0x00007FF904391000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing