njrat | 1a54390bf4f97eabc52bed5f3d698efb57ee285e789284993233c2a5db944d16

General

Target

1a54390bf4f97eabc52bed5f3d698efb57ee285e789284993233c2a5db944d16.exe
Size

1.5MB
MD5

15e5b2411f2f7ab042edd30fa9af6237
SHA1

bb5787e864dc3f0a3048e81f5616cce66b3c4de5
SHA256

1a54390bf4f97eabc52bed5f3d698efb57ee285e789284993233c2a5db944d16
SHA512

9e921e113bdc269633caa8c044960147f94a6507c5e6d910a50d1c01d456aeb5e35cdc86c5aad7b4b247251ab161073e2a997394976168a889fea9f8e245f1f0
SSDEEP

24576:jGmAQCMjaSfT3qg/JdrKuWbOWVkebKcg1JR16SOqu5JogAOUbJN2rElKnKkzOF/Y:jG+CM2SfT3qgBQ241c4tP5JogAOUFN2N

Score

10^/10

njrat evasion persistence trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 4 IoCs

pid	Process
3172	Tempcsrss.exe
1200	TempMicrosoft.exe
4868	System.exe
3084	csrss.exe

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Modify Existing Service

T1031

pid	Process
3040	netsh.exe
4328	netsh.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	1a54390bf4f97eabc52bed5f3d698efb57ee285e789284993233c2a5db944d16.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	TempMicrosoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Tempcsrss.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\97335ed968c8d21501810d2516770677.exe	csrss.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\97335ed968c8d21501810d2516770677.exe	csrss.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\953466711bd850611a452323a9126aec.exe	System.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\953466711bd850611a452323a9126aec.exe	System.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\97335ed968c8d21501810d2516770677 = "\"C:\\Users\\Admin\\AppData\\Roaming\\csrss.exe\" .."	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\97335ed968c8d21501810d2516770677 = "\"C:\\Users\\Admin\\AppData\\Roaming\\csrss.exe\" .."	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\953466711bd850611a452323a9126aec = "\"C:\\Users\\Admin\\AppData\\Roaming\\System.exe\" .."	System.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\953466711bd850611a452323a9126aec = "\"C:\\Users\\Admin\\AppData\\Roaming\\System.exe\" .."	System.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
3084	csrss.exe
3084	csrss.exe
3084	csrss.exe
3084	csrss.exe
3084	csrss.exe
3084	csrss.exe
3084	csrss.exe
3084	csrss.exe
3084	csrss.exe
3084	csrss.exe
3084	csrss.exe
3084	csrss.exe
3084	csrss.exe
3084	csrss.exe
3084	csrss.exe
3084	csrss.exe
3084	csrss.exe
3084	csrss.exe
3084	csrss.exe
3084	csrss.exe
3084	csrss.exe
3084	csrss.exe
3084	csrss.exe
3084	csrss.exe
3084	csrss.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	3172	Tempcsrss.exe
Token: 33	3172	Tempcsrss.exe
Token: SeIncBasePriorityPrivilege	3172	Tempcsrss.exe
Token: SeDebugPrivilege	3084	csrss.exe
Token: 33	3084	csrss.exe
Token: SeIncBasePriorityPrivilege	3084	csrss.exe
Token: SeDebugPrivilege	4868	System.exe
Token: 33	4868	System.exe
Token: SeIncBasePriorityPrivilege	4868	System.exe
Token: 33	4868	System.exe
Token: SeIncBasePriorityPrivilege	4868	System.exe
Token: 33	4868	System.exe
Token: SeIncBasePriorityPrivilege	4868	System.exe
Token: 33	4868	System.exe
Token: SeIncBasePriorityPrivilege	4868	System.exe
Token: 33	4868	System.exe
Token: SeIncBasePriorityPrivilege	4868	System.exe
Token: 33	4868	System.exe
Token: SeIncBasePriorityPrivilege	4868	System.exe
Token: 33	4868	System.exe
Token: SeIncBasePriorityPrivilege	4868	System.exe
Token: 33	4868	System.exe
Token: SeIncBasePriorityPrivilege	4868	System.exe
Token: 33	4868	System.exe
Token: SeIncBasePriorityPrivilege	4868	System.exe
Token: 33	4868	System.exe
Token: SeIncBasePriorityPrivilege	4868	System.exe
Token: 33	4868	System.exe
Token: SeIncBasePriorityPrivilege	4868	System.exe
Token: 33	4868	System.exe
Token: SeIncBasePriorityPrivilege	4868	System.exe
Token: 33	4868	System.exe
Token: SeIncBasePriorityPrivilege	4868	System.exe
Token: 33	4868	System.exe
Token: SeIncBasePriorityPrivilege	4868	System.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4636 wrote to memory of 3172	4636	1a54390bf4f97eabc52bed5f3d698efb57ee285e789284993233c2a5db944d16.exe	84
PID 4636 wrote to memory of 3172	4636	1a54390bf4f97eabc52bed5f3d698efb57ee285e789284993233c2a5db944d16.exe	84
PID 4636 wrote to memory of 3172	4636	1a54390bf4f97eabc52bed5f3d698efb57ee285e789284993233c2a5db944d16.exe	84
PID 4636 wrote to memory of 1200	4636	1a54390bf4f97eabc52bed5f3d698efb57ee285e789284993233c2a5db944d16.exe	85
PID 4636 wrote to memory of 1200	4636	1a54390bf4f97eabc52bed5f3d698efb57ee285e789284993233c2a5db944d16.exe	85
PID 4636 wrote to memory of 1200	4636	1a54390bf4f97eabc52bed5f3d698efb57ee285e789284993233c2a5db944d16.exe	85
PID 1200 wrote to memory of 4868	1200	TempMicrosoft.exe	86
PID 1200 wrote to memory of 4868	1200	TempMicrosoft.exe	86
PID 1200 wrote to memory of 4868	1200	TempMicrosoft.exe	86
PID 3172 wrote to memory of 3084	3172	Tempcsrss.exe	87
PID 3172 wrote to memory of 3084	3172	Tempcsrss.exe	87
PID 3172 wrote to memory of 3084	3172	Tempcsrss.exe	87
PID 4868 wrote to memory of 4328	4868	System.exe	90
PID 4868 wrote to memory of 4328	4868	System.exe	90
PID 4868 wrote to memory of 4328	4868	System.exe	90
PID 3084 wrote to memory of 3040	3084	csrss.exe	89
PID 3084 wrote to memory of 3040	3084	csrss.exe	89
PID 3084 wrote to memory of 3040	3084	csrss.exe	89

C:\Users\Admin\AppData\Local\Temp\1a54390bf4f97eabc52bed5f3d698efb57ee285e789284993233c2a5db944d16.exe
"C:\Users\Admin\AppData\Local\Temp\1a54390bf4f97eabc52bed5f3d698efb57ee285e789284993233c2a5db944d16.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4636
- C:\Users\Admin\AppData\Local\Tempcsrss.exe
  "C:\Users\Admin\AppData\Local\Tempcsrss.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3172
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe"
    3⤵
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3084
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\csrss.exe" "csrss.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:3040
- C:\Users\Admin\AppData\Local\TempMicrosoft.exe
  "C:\Users\Admin\AppData\Local\TempMicrosoft.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1200
- - C:\Users\Admin\AppData\Roaming\System.exe
    "C:\Users\Admin\AppData\Roaming\System.exe"
    3⤵
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4868
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\System.exe" "System.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:4328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempMicrosoft.exe

Filesize
150KB

MD5
5f033a40a7dc81e791fa1c1f6b351b07

SHA1
3ce56b830072807c95db020eb8cf6798c8b7c8ee

SHA256
014fba39ef2c96201dcd6cc30c3c703e69847d0f0bcd37e172943a645a07d67a

SHA512
ab0f5723585b6f4f386cdd92752ee66fb4bf3725ae96d3d8287d344c09958bd46255b277bae9ecce50358dff7e95428f8cafcdd3ce614f86222ef131ed5b9f13

Download Submit
C:\Users\Admin\AppData\Local\TempMicrosoft.exe

Filesize
150KB

MD5
5f033a40a7dc81e791fa1c1f6b351b07

SHA1
3ce56b830072807c95db020eb8cf6798c8b7c8ee

SHA256
014fba39ef2c96201dcd6cc30c3c703e69847d0f0bcd37e172943a645a07d67a

SHA512
ab0f5723585b6f4f386cdd92752ee66fb4bf3725ae96d3d8287d344c09958bd46255b277bae9ecce50358dff7e95428f8cafcdd3ce614f86222ef131ed5b9f13

Download Submit
C:\Users\Admin\AppData\Local\Tempcsrss.exe

Filesize
383KB

MD5
99f3b1120829755dc29ab8b0eaf765d1

SHA1
d42ce27d894e71d6f00e5a6628e71ba80aaf0477

SHA256
52ff931c18fe5a944d757e213708daead76cc212c7b1e748b16d2e1c656cfc4f

SHA512
470d1b8a86d26ddf5814ca1db93c632a77df3ed96f64b1c36f421989630c8f90a4186224220b55bc95015145511191595bab4f0759a02c80fd44e43cb7ef6042

Download Submit
C:\Users\Admin\AppData\Local\Tempcsrss.exe

Filesize
383KB

MD5
99f3b1120829755dc29ab8b0eaf765d1

SHA1
d42ce27d894e71d6f00e5a6628e71ba80aaf0477

SHA256
52ff931c18fe5a944d757e213708daead76cc212c7b1e748b16d2e1c656cfc4f

SHA512
470d1b8a86d26ddf5814ca1db93c632a77df3ed96f64b1c36f421989630c8f90a4186224220b55bc95015145511191595bab4f0759a02c80fd44e43cb7ef6042

Download Submit
C:\Users\Admin\AppData\Roaming\System.exe

Filesize
150KB

MD5
5f033a40a7dc81e791fa1c1f6b351b07

SHA1
3ce56b830072807c95db020eb8cf6798c8b7c8ee

SHA256
014fba39ef2c96201dcd6cc30c3c703e69847d0f0bcd37e172943a645a07d67a

SHA512
ab0f5723585b6f4f386cdd92752ee66fb4bf3725ae96d3d8287d344c09958bd46255b277bae9ecce50358dff7e95428f8cafcdd3ce614f86222ef131ed5b9f13

Download Submit
C:\Users\Admin\AppData\Roaming\System.exe

Filesize
150KB

MD5
5f033a40a7dc81e791fa1c1f6b351b07

SHA1
3ce56b830072807c95db020eb8cf6798c8b7c8ee

SHA256
014fba39ef2c96201dcd6cc30c3c703e69847d0f0bcd37e172943a645a07d67a

SHA512
ab0f5723585b6f4f386cdd92752ee66fb4bf3725ae96d3d8287d344c09958bd46255b277bae9ecce50358dff7e95428f8cafcdd3ce614f86222ef131ed5b9f13

Download Submit
C:\Users\Admin\AppData\Roaming\csrss.exe

Filesize
383KB

MD5
99f3b1120829755dc29ab8b0eaf765d1

SHA1
d42ce27d894e71d6f00e5a6628e71ba80aaf0477

SHA256
52ff931c18fe5a944d757e213708daead76cc212c7b1e748b16d2e1c656cfc4f

SHA512
470d1b8a86d26ddf5814ca1db93c632a77df3ed96f64b1c36f421989630c8f90a4186224220b55bc95015145511191595bab4f0759a02c80fd44e43cb7ef6042

Download Submit
C:\Users\Admin\AppData\Roaming\csrss.exe

Filesize
383KB

MD5
99f3b1120829755dc29ab8b0eaf765d1

SHA1
d42ce27d894e71d6f00e5a6628e71ba80aaf0477

SHA256
52ff931c18fe5a944d757e213708daead76cc212c7b1e748b16d2e1c656cfc4f

SHA512
470d1b8a86d26ddf5814ca1db93c632a77df3ed96f64b1c36f421989630c8f90a4186224220b55bc95015145511191595bab4f0759a02c80fd44e43cb7ef6042

Download Submit
memory/1200-147-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/1200-140-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/1200-152-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/3084-151-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/3084-157-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/3172-146-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/3172-153-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/3172-139-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/4636-132-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/4636-141-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/4868-145-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/4868-154-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing