njrat | 2b90983027aae808fc3e61f08efe65e6cf6fdbc888790abb465313681a44ea1a

General

Target

2b90983027aae808fc3e61f08efe65e6cf6fdbc888790abb465313681a44ea1a.exe
Size

1.3MB
MD5

c9fc1af6daeaf82e2e7d82ed378c0f7e
SHA1

5d21dabd60b9cb843e52b6171ce7445250a56b09
SHA256

2b90983027aae808fc3e61f08efe65e6cf6fdbc888790abb465313681a44ea1a
SHA512

08af74dfeb889a085c990570d83d5f77c1eb1c0472615472d150f9c1011f90800ad18cd857b1179f5a60c2b8b130f89733697513b5acdbac3652ae95115d6d80
SSDEEP

24576:Wc7EY1cwIYveM/dYPvHitizUrtZAcxOfi8Ba71Jd3GvULpO9z07l0t7b68XKj:FBYYvxlJizQZdOfCDd3659g7lYTK

Score

10^/10

njrat evasion persistence trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 1 IoCs

pid	Process
1984	audiodg.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
4936	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	2b90983027aae808fc3e61f08efe65e6cf6fdbc888790abb465313681a44ea1a.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2537383b302cc1c1fc331687198731be.exe	audiodg.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2537383b302cc1c1fc331687198731be.exe	audiodg.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2537383b302cc1c1fc331687198731be = "\"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.exe\" .."	audiodg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\2537383b302cc1c1fc331687198731be = "\"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.exe\" .."	audiodg.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	2b90983027aae808fc3e61f08efe65e6cf6fdbc888790abb465313681a44ea1a.exe
File created	C:\Windows\assembly\Desktop.ini	2b90983027aae808fc3e61f08efe65e6cf6fdbc888790abb465313681a44ea1a.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs

pid	Process
4192	2b90983027aae808fc3e61f08efe65e6cf6fdbc888790abb465313681a44ea1a.exe
4192	2b90983027aae808fc3e61f08efe65e6cf6fdbc888790abb465313681a44ea1a.exe
4192	2b90983027aae808fc3e61f08efe65e6cf6fdbc888790abb465313681a44ea1a.exe
1984	audiodg.exe
1984	audiodg.exe
1984	audiodg.exe
1984	audiodg.exe
1984	audiodg.exe
1984	audiodg.exe
1984	audiodg.exe
1984	audiodg.exe
1984	audiodg.exe
1984	audiodg.exe
1984	audiodg.exe
1984	audiodg.exe
1984	audiodg.exe
1984	audiodg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	2b90983027aae808fc3e61f08efe65e6cf6fdbc888790abb465313681a44ea1a.exe
File created	C:\Windows\assembly\Desktop.ini	2b90983027aae808fc3e61f08efe65e6cf6fdbc888790abb465313681a44ea1a.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	2b90983027aae808fc3e61f08efe65e6cf6fdbc888790abb465313681a44ea1a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4192	2b90983027aae808fc3e61f08efe65e6cf6fdbc888790abb465313681a44ea1a.exe
4192	2b90983027aae808fc3e61f08efe65e6cf6fdbc888790abb465313681a44ea1a.exe
1984	audiodg.exe
1984	audiodg.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	1984	audiodg.exe
Token: 33	1984	audiodg.exe
Token: SeIncBasePriorityPrivilege	1984	audiodg.exe
Token: 33	1984	audiodg.exe
Token: SeIncBasePriorityPrivilege	1984	audiodg.exe
Token: 33	1984	audiodg.exe
Token: SeIncBasePriorityPrivilege	1984	audiodg.exe
Token: 33	1984	audiodg.exe
Token: SeIncBasePriorityPrivilege	1984	audiodg.exe
Token: 33	1984	audiodg.exe
Token: SeIncBasePriorityPrivilege	1984	audiodg.exe
Token: 33	1984	audiodg.exe
Token: SeIncBasePriorityPrivilege	1984	audiodg.exe
Token: 33	1984	audiodg.exe
Token: SeIncBasePriorityPrivilege	1984	audiodg.exe
Token: 33	1984	audiodg.exe
Token: SeIncBasePriorityPrivilege	1984	audiodg.exe
Token: 33	1984	audiodg.exe
Token: SeIncBasePriorityPrivilege	1984	audiodg.exe
Token: 33	1984	audiodg.exe
Token: SeIncBasePriorityPrivilege	1984	audiodg.exe
Token: 33	1984	audiodg.exe
Token: SeIncBasePriorityPrivilege	1984	audiodg.exe
Token: 33	1984	audiodg.exe
Token: SeIncBasePriorityPrivilege	1984	audiodg.exe
Token: 33	1984	audiodg.exe
Token: SeIncBasePriorityPrivilege	1984	audiodg.exe
Token: 33	1984	audiodg.exe
Token: SeIncBasePriorityPrivilege	1984	audiodg.exe
Token: 33	1984	audiodg.exe
Token: SeIncBasePriorityPrivilege	1984	audiodg.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4192	2b90983027aae808fc3e61f08efe65e6cf6fdbc888790abb465313681a44ea1a.exe
1984	audiodg.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4192 wrote to memory of 1984	4192	2b90983027aae808fc3e61f08efe65e6cf6fdbc888790abb465313681a44ea1a.exe	81
PID 4192 wrote to memory of 1984	4192	2b90983027aae808fc3e61f08efe65e6cf6fdbc888790abb465313681a44ea1a.exe	81
PID 4192 wrote to memory of 1984	4192	2b90983027aae808fc3e61f08efe65e6cf6fdbc888790abb465313681a44ea1a.exe	81
PID 1984 wrote to memory of 4936	1984	audiodg.exe	82
PID 1984 wrote to memory of 4936	1984	audiodg.exe	82
PID 1984 wrote to memory of 4936	1984	audiodg.exe	82

C:\Users\Admin\AppData\Local\Temp\2b90983027aae808fc3e61f08efe65e6cf6fdbc888790abb465313681a44ea1a.exe
"C:\Users\Admin\AppData\Local\Temp\2b90983027aae808fc3e61f08efe65e6cf6fdbc888790abb465313681a44ea1a.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Users\Admin\AppData\Roaming\audiodg.exe
  "C:\Users\Admin\AppData\Roaming\audiodg.exe"
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\audiodg.exe" "audiodg.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:4936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\audiodg.exe

Filesize
1.3MB

MD5
c9fc1af6daeaf82e2e7d82ed378c0f7e

SHA1
5d21dabd60b9cb843e52b6171ce7445250a56b09

SHA256
2b90983027aae808fc3e61f08efe65e6cf6fdbc888790abb465313681a44ea1a

SHA512
08af74dfeb889a085c990570d83d5f77c1eb1c0472615472d150f9c1011f90800ad18cd857b1179f5a60c2b8b130f89733697513b5acdbac3652ae95115d6d80

Download Submit
C:\Users\Admin\AppData\Roaming\audiodg.exe

Filesize
1.3MB

MD5
c9fc1af6daeaf82e2e7d82ed378c0f7e

SHA1
5d21dabd60b9cb843e52b6171ce7445250a56b09

SHA256
2b90983027aae808fc3e61f08efe65e6cf6fdbc888790abb465313681a44ea1a

SHA512
08af74dfeb889a085c990570d83d5f77c1eb1c0472615472d150f9c1011f90800ad18cd857b1179f5a60c2b8b130f89733697513b5acdbac3652ae95115d6d80

Download Submit
memory/1984-139-0x00000000000A0000-0x0000000000480000-memory.dmp

Filesize
3.9MB

Download
memory/1984-145-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/1984-144-0x00000000000A0000-0x0000000000480000-memory.dmp

Filesize
3.9MB

Download
memory/1984-142-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/1984-136-0x0000000000000000-mapping.dmp

Download
memory/4192-135-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/4192-140-0x0000000000D00000-0x00000000010E0000-memory.dmp

Filesize
3.9MB

Download
memory/4192-141-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/4192-132-0x0000000000D00000-0x00000000010E0000-memory.dmp

Filesize
3.9MB

Download
memory/4192-134-0x0000000000D00000-0x00000000010E0000-memory.dmp

Filesize
3.9MB

Download
memory/4192-133-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/4936-143-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing