njrat | 2575a98ed4c9ada263bc682e58cd4b21cb5df2e5874afec7c1b19475ec8206f5

Analysis

max time kernel
151s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2022, 14:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2575a98ed4c9ada263bc682e58cd4b21cb5df2e5874afec7c1b19475ec8206f5.exe
Size

335KB
MD5

1a5e1386ecdfd31e8ba2ea85482b7e6d
SHA1

7773ac94af6764e667e280c20530253cf2ef4b68
SHA256

2575a98ed4c9ada263bc682e58cd4b21cb5df2e5874afec7c1b19475ec8206f5
SHA512

0a3649ac16859f062a5e3efb4efbcde3488985537ea5e6a8dd502c4fb7bbf926971e47974c5ac7f702cff542e436cfa7c22f6d13b010b17a807ce097ee008388
SSDEEP

6144:qKwLo7jp0yN90QEs5pOFrgBK/hSeJybztlyAQ3:6Loay90u5pOFrKeEP

Score

10^/10

njrat evasion persistence trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 5 IoCs

pid	Process
3808	snopi.EXE
3684	AIgg.exe
1972	server.exe
1736	snopi.EXE
1184	AIgg.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
3912	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	AIgg.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	2575a98ed4c9ada263bc682e58cd4b21cb5df2e5874afec7c1b19475ec8206f5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2575a98ed4c9ada263bc682e58cd4b21cb5df2e5874afec7c1b19475ec8206f5.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	snopi.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	snopi.EXE
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	snopi.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	snopi.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	3684	AIgg.exe
Token: SeDebugPrivilege	1972	server.exe
Token: SeDebugPrivilege	1184	AIgg.exe
Token: 33	1972	server.exe
Token: SeIncBasePriorityPrivilege	1972	server.exe
Token: 33	1972	server.exe
Token: SeIncBasePriorityPrivilege	1972	server.exe
Token: 33	1972	server.exe
Token: SeIncBasePriorityPrivilege	1972	server.exe
Token: 33	1972	server.exe
Token: SeIncBasePriorityPrivilege	1972	server.exe
Token: 33	1972	server.exe
Token: SeIncBasePriorityPrivilege	1972	server.exe
Token: 33	1972	server.exe
Token: SeIncBasePriorityPrivilege	1972	server.exe
Token: 33	1972	server.exe
Token: SeIncBasePriorityPrivilege	1972	server.exe
Token: 33	1972	server.exe
Token: SeIncBasePriorityPrivilege	1972	server.exe
Token: 33	1972	server.exe
Token: SeIncBasePriorityPrivilege	1972	server.exe
Token: 33	1972	server.exe
Token: SeIncBasePriorityPrivilege	1972	server.exe
Token: 33	1972	server.exe
Token: SeIncBasePriorityPrivilege	1972	server.exe
Token: 33	1972	server.exe
Token: SeIncBasePriorityPrivilege	1972	server.exe
Token: 33	1972	server.exe
Token: SeIncBasePriorityPrivilege	1972	server.exe
Token: 33	1972	server.exe
Token: SeIncBasePriorityPrivilege	1972	server.exe
Token: 33	1972	server.exe
Token: SeIncBasePriorityPrivilege	1972	server.exe
Token: 33	1972	server.exe
Token: SeIncBasePriorityPrivilege	1972	server.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 3808	2356	2575a98ed4c9ada263bc682e58cd4b21cb5df2e5874afec7c1b19475ec8206f5.exe	81
PID 2356 wrote to memory of 3808	2356	2575a98ed4c9ada263bc682e58cd4b21cb5df2e5874afec7c1b19475ec8206f5.exe	81
PID 2356 wrote to memory of 3808	2356	2575a98ed4c9ada263bc682e58cd4b21cb5df2e5874afec7c1b19475ec8206f5.exe	81
PID 3808 wrote to memory of 3684	3808	snopi.EXE	82
PID 3808 wrote to memory of 3684	3808	snopi.EXE	82
PID 3808 wrote to memory of 3684	3808	snopi.EXE	82
PID 3684 wrote to memory of 1972	3684	AIgg.exe	83
PID 3684 wrote to memory of 1972	3684	AIgg.exe	83
PID 3684 wrote to memory of 1972	3684	AIgg.exe	83
PID 2356 wrote to memory of 1736	2356	2575a98ed4c9ada263bc682e58cd4b21cb5df2e5874afec7c1b19475ec8206f5.exe	84
PID 2356 wrote to memory of 1736	2356	2575a98ed4c9ada263bc682e58cd4b21cb5df2e5874afec7c1b19475ec8206f5.exe	84
PID 2356 wrote to memory of 1736	2356	2575a98ed4c9ada263bc682e58cd4b21cb5df2e5874afec7c1b19475ec8206f5.exe	84
PID 1736 wrote to memory of 1184	1736	snopi.EXE	85
PID 1736 wrote to memory of 1184	1736	snopi.EXE	85
PID 1736 wrote to memory of 1184	1736	snopi.EXE	85
PID 1972 wrote to memory of 3912	1972	server.exe	86
PID 1972 wrote to memory of 3912	1972	server.exe	86
PID 1972 wrote to memory of 3912	1972	server.exe	86

C:\Users\Admin\AppData\Local\Temp\2575a98ed4c9ada263bc682e58cd4b21cb5df2e5874afec7c1b19475ec8206f5.exe
"C:\Users\Admin\AppData\Local\Temp\2575a98ed4c9ada263bc682e58cd4b21cb5df2e5874afec7c1b19475ec8206f5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\snopi.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\snopi.EXE
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3808
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\AIgg.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\AIgg.exe
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3684
  - - C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1972
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:3912
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\snopi.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\snopi.EXE
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AIgg.exe
    C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AIgg.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1184

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\AIgg.exe.log

Filesize
585B

MD5
3c43b53aab0e2116a025497e8ec9d21a

SHA1
d8053a4565fd1f85c4f562b5dc4e6067ea38160e

SHA256
e09edc8877c782cc7ae1e6fab1e7a81e3b2244f555b0b5387139dff20d299e84

SHA512
ec5fb5dcf6e1a768d3b9f186606f034c20a2f0979151500fe5c0fd0d645828078cd22860ec5cf4678364e132cd8a1ed903aecc3d788ae5e2905f3bda140ce191

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\snopi.EXE

Filesize
229KB

MD5
69b9fb111ff2fa2ef1e91777bcf5a15c

SHA1
6244569a4867b094cee9bfc872cc6a4f7aed7187

SHA256
9249c12244f540b8342b12a3155c88ee78ce39fba3a8d31e97883843cd2d6c62

SHA512
9185a849c7a763f9fda8ef0ed4f5bfbae8812eac1f2af5d18d6169d4ec3db59659609cb5a629119eb70324e743f625635bea17eed499627c5bb1da82fcc66db4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\snopi.EXE

Filesize
229KB

MD5
69b9fb111ff2fa2ef1e91777bcf5a15c

SHA1
6244569a4867b094cee9bfc872cc6a4f7aed7187

SHA256
9249c12244f540b8342b12a3155c88ee78ce39fba3a8d31e97883843cd2d6c62

SHA512
9185a849c7a763f9fda8ef0ed4f5bfbae8812eac1f2af5d18d6169d4ec3db59659609cb5a629119eb70324e743f625635bea17eed499627c5bb1da82fcc66db4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\snopi.EXE

Filesize
229KB

MD5
69b9fb111ff2fa2ef1e91777bcf5a15c

SHA1
6244569a4867b094cee9bfc872cc6a4f7aed7187

SHA256
9249c12244f540b8342b12a3155c88ee78ce39fba3a8d31e97883843cd2d6c62

SHA512
9185a849c7a763f9fda8ef0ed4f5bfbae8812eac1f2af5d18d6169d4ec3db59659609cb5a629119eb70324e743f625635bea17eed499627c5bb1da82fcc66db4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\AIgg.exe

Filesize
117KB

MD5
4e2bf9b1f2a0b853c8a2f7782bf55401

SHA1
84c9335dcac88e007f881466e8a3ff60a74c4e83

SHA256
e9bfda5acb3651bac6b598e611ca41c3bb0bb25862e70a7b6f722e42e8508687

SHA512
ce0998943d2e8653b2021c2ff4d1de238c0c018d7154d3869dda08ab6369febecb53551f8b955918125dec48657a4dd3a4e2a1434b73ca0f06edfc32a945e9a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\AIgg.exe

Filesize
117KB

MD5
4e2bf9b1f2a0b853c8a2f7782bf55401

SHA1
84c9335dcac88e007f881466e8a3ff60a74c4e83

SHA256
e9bfda5acb3651bac6b598e611ca41c3bb0bb25862e70a7b6f722e42e8508687

SHA512
ce0998943d2e8653b2021c2ff4d1de238c0c018d7154d3869dda08ab6369febecb53551f8b955918125dec48657a4dd3a4e2a1434b73ca0f06edfc32a945e9a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AIgg.exe

Filesize
117KB

MD5
4e2bf9b1f2a0b853c8a2f7782bf55401

SHA1
84c9335dcac88e007f881466e8a3ff60a74c4e83

SHA256
e9bfda5acb3651bac6b598e611ca41c3bb0bb25862e70a7b6f722e42e8508687

SHA512
ce0998943d2e8653b2021c2ff4d1de238c0c018d7154d3869dda08ab6369febecb53551f8b955918125dec48657a4dd3a4e2a1434b73ca0f06edfc32a945e9a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AIgg.exe

Filesize
117KB

MD5
4e2bf9b1f2a0b853c8a2f7782bf55401

SHA1
84c9335dcac88e007f881466e8a3ff60a74c4e83

SHA256
e9bfda5acb3651bac6b598e611ca41c3bb0bb25862e70a7b6f722e42e8508687

SHA512
ce0998943d2e8653b2021c2ff4d1de238c0c018d7154d3869dda08ab6369febecb53551f8b955918125dec48657a4dd3a4e2a1434b73ca0f06edfc32a945e9a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
117KB

MD5
4e2bf9b1f2a0b853c8a2f7782bf55401

SHA1
84c9335dcac88e007f881466e8a3ff60a74c4e83

SHA256
e9bfda5acb3651bac6b598e611ca41c3bb0bb25862e70a7b6f722e42e8508687

SHA512
ce0998943d2e8653b2021c2ff4d1de238c0c018d7154d3869dda08ab6369febecb53551f8b955918125dec48657a4dd3a4e2a1434b73ca0f06edfc32a945e9a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
117KB

MD5
4e2bf9b1f2a0b853c8a2f7782bf55401

SHA1
84c9335dcac88e007f881466e8a3ff60a74c4e83

SHA256
e9bfda5acb3651bac6b598e611ca41c3bb0bb25862e70a7b6f722e42e8508687

SHA512
ce0998943d2e8653b2021c2ff4d1de238c0c018d7154d3869dda08ab6369febecb53551f8b955918125dec48657a4dd3a4e2a1434b73ca0f06edfc32a945e9a3

Download Submit
memory/1184-150-0x0000000074200000-0x00000000747B1000-memory.dmp

Filesize
5.7MB

Download
memory/1184-152-0x0000000074200000-0x00000000747B1000-memory.dmp

Filesize
5.7MB

Download
memory/1972-143-0x0000000074200000-0x00000000747B1000-memory.dmp

Filesize
5.7MB

Download
memory/1972-153-0x0000000074200000-0x00000000747B1000-memory.dmp

Filesize
5.7MB

Download
memory/3684-142-0x0000000074200000-0x00000000747B1000-memory.dmp

Filesize
5.7MB

Download
memory/3684-138-0x0000000074200000-0x00000000747B1000-memory.dmp

Filesize
5.7MB

Download