njrat | 9334376013cec7d63bae23f99e5c0ffb26f2e9b9730e74495b4000725cdd6ef4

General

Target

9334376013cec7d63bae23f99e5c0ffb26f2e9b9730e74495b4000725cdd6ef4.exe
Size

917KB
MD5

6013b5dc4191ef309bce14e29d44f835
SHA1

01f0b39f373f146f7af7305fa4fed3fd5d68a00b
SHA256

9334376013cec7d63bae23f99e5c0ffb26f2e9b9730e74495b4000725cdd6ef4
SHA512

d2f1a0e8b99140bff02d0c2021953c51b57268644ce342e428253c12ed4429b3bac5d2222d0023180be65ceb32dbb25576a114186200142bf9905cc26022138f
SSDEEP

12288:b3bnX5kaPSU53TqdpA2L1/CpCD37qByX18ENW8sO/dsKQJFmgdX2Dg+ZEDp8pppF:btGL9VFX1FW0FLgX2Dg

Score

10^/10

njrat evasion persistence trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 1 IoCs

pid	Process
3328	System23.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
368	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	9334376013cec7d63bae23f99e5c0ffb26f2e9b9730e74495b4000725cdd6ef4.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\62911fde9b9b4c1a759a0fc924ff9b2c = "\"C:\\Users\\Admin\\AppData\\Roaming\\System23.exe\" .."	System23.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\62911fde9b9b4c1a759a0fc924ff9b2c = "\"C:\\Users\\Admin\\AppData\\Roaming\\System23.exe\" .."	System23.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	3328	System23.exe
Token: 33	3328	System23.exe
Token: SeIncBasePriorityPrivilege	3328	System23.exe
Token: 33	3328	System23.exe
Token: SeIncBasePriorityPrivilege	3328	System23.exe
Token: 33	3328	System23.exe
Token: SeIncBasePriorityPrivilege	3328	System23.exe
Token: 33	3328	System23.exe
Token: SeIncBasePriorityPrivilege	3328	System23.exe
Token: 33	3328	System23.exe
Token: SeIncBasePriorityPrivilege	3328	System23.exe
Token: 33	3328	System23.exe
Token: SeIncBasePriorityPrivilege	3328	System23.exe
Token: 33	3328	System23.exe
Token: SeIncBasePriorityPrivilege	3328	System23.exe
Token: 33	3328	System23.exe
Token: SeIncBasePriorityPrivilege	3328	System23.exe
Token: 33	3328	System23.exe
Token: SeIncBasePriorityPrivilege	3328	System23.exe
Token: 33	3328	System23.exe
Token: SeIncBasePriorityPrivilege	3328	System23.exe
Token: 33	3328	System23.exe
Token: SeIncBasePriorityPrivilege	3328	System23.exe
Token: 33	3328	System23.exe
Token: SeIncBasePriorityPrivilege	3328	System23.exe
Token: 33	3328	System23.exe
Token: SeIncBasePriorityPrivilege	3328	System23.exe
Token: 33	3328	System23.exe
Token: SeIncBasePriorityPrivilege	3328	System23.exe
Token: 33	3328	System23.exe
Token: SeIncBasePriorityPrivilege	3328	System23.exe
Token: 33	3328	System23.exe
Token: SeIncBasePriorityPrivilege	3328	System23.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 428 wrote to memory of 3328	428	9334376013cec7d63bae23f99e5c0ffb26f2e9b9730e74495b4000725cdd6ef4.exe	80
PID 428 wrote to memory of 3328	428	9334376013cec7d63bae23f99e5c0ffb26f2e9b9730e74495b4000725cdd6ef4.exe	80
PID 3328 wrote to memory of 368	3328	System23.exe	81
PID 3328 wrote to memory of 368	3328	System23.exe	81

C:\Users\Admin\AppData\Local\Temp\9334376013cec7d63bae23f99e5c0ffb26f2e9b9730e74495b4000725cdd6ef4.exe
"C:\Users\Admin\AppData\Local\Temp\9334376013cec7d63bae23f99e5c0ffb26f2e9b9730e74495b4000725cdd6ef4.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:428
- C:\Users\Admin\AppData\Roaming\System23.exe
  "C:\Users\Admin\AppData\Roaming\System23.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3328
- - C:\Windows\SYSTEM32\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\System23.exe" "System23.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\System23.exe

Filesize
917KB

MD5
6013b5dc4191ef309bce14e29d44f835

SHA1
01f0b39f373f146f7af7305fa4fed3fd5d68a00b

SHA256
9334376013cec7d63bae23f99e5c0ffb26f2e9b9730e74495b4000725cdd6ef4

SHA512
d2f1a0e8b99140bff02d0c2021953c51b57268644ce342e428253c12ed4429b3bac5d2222d0023180be65ceb32dbb25576a114186200142bf9905cc26022138f

Download Submit
C:\Users\Admin\AppData\Roaming\System23.exe

Filesize
917KB

MD5
6013b5dc4191ef309bce14e29d44f835

SHA1
01f0b39f373f146f7af7305fa4fed3fd5d68a00b

SHA256
9334376013cec7d63bae23f99e5c0ffb26f2e9b9730e74495b4000725cdd6ef4

SHA512
d2f1a0e8b99140bff02d0c2021953c51b57268644ce342e428253c12ed4429b3bac5d2222d0023180be65ceb32dbb25576a114186200142bf9905cc26022138f

Download Submit
memory/428-132-0x0000000000F50000-0x000000000103C000-memory.dmp

Filesize
944KB

Download
memory/428-133-0x00007FFC2EB10000-0x00007FFC2F5D1000-memory.dmp

Filesize
10.8MB

Download
memory/428-137-0x00007FFC2EB10000-0x00007FFC2F5D1000-memory.dmp

Filesize
10.8MB

Download
memory/3328-138-0x00007FFC2EB10000-0x00007FFC2F5D1000-memory.dmp

Filesize
10.8MB

Download
memory/3328-140-0x00007FFC2EB10000-0x00007FFC2F5D1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing