njrat | 4bc7cb14d05b166d64ea645bf8b376e375cd91e9816cf4e14dd24dfe74ad972a

Analysis

max time kernel
164s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2022, 16:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4bc7cb14d05b166d64ea645bf8b376e375cd91e9816cf4e14dd24dfe74ad972a.exe
Size

1.8MB
MD5

9936b39d4d84bd70a79d8cf2bc03fa32
SHA1

ed6b8dd72fdbca4e5528573bbdb25af8b9493d8f
SHA256

4bc7cb14d05b166d64ea645bf8b376e375cd91e9816cf4e14dd24dfe74ad972a
SHA512

00b6ffedac3b9e9146699e7a0b656bd1a59925aea929c5dd3e64cece2e80f621a63acd58ed19ead7784719a8b1c2510dfa8080fb172de4f3a924583f0d5967d3
SSDEEP

49152:AZzO43KtaISugRed1bVkanj8dV1LRwH6DaQtdvSkPkN:ptaDi8V9Rw6X6kPk

Score

10^/10

njrat evasion persistence trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 4 IoCs

pid	Process
2628	vvb.exe
2200	Crack.exe
3376	Crack.tmp
4928	server.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
944	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	vvb.exe

Loads dropped DLL 1 IoCs

pid	Process
3376	Crack.tmp

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b4475219a86576eb3c91dfd665a538cb = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b4475219a86576eb3c91dfd665a538cb = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	4928	server.exe
Token: 33	4928	server.exe
Token: SeIncBasePriorityPrivilege	4928	server.exe
Token: 33	4928	server.exe
Token: SeIncBasePriorityPrivilege	4928	server.exe
Token: 33	4928	server.exe
Token: SeIncBasePriorityPrivilege	4928	server.exe
Token: 33	4928	server.exe
Token: SeIncBasePriorityPrivilege	4928	server.exe
Token: 33	4928	server.exe
Token: SeIncBasePriorityPrivilege	4928	server.exe
Token: 33	4928	server.exe
Token: SeIncBasePriorityPrivilege	4928	server.exe
Token: 33	4928	server.exe
Token: SeIncBasePriorityPrivilege	4928	server.exe
Token: 33	4928	server.exe
Token: SeIncBasePriorityPrivilege	4928	server.exe
Token: 33	4928	server.exe
Token: SeIncBasePriorityPrivilege	4928	server.exe
Token: 33	4928	server.exe
Token: SeIncBasePriorityPrivilege	4928	server.exe
Token: 33	4928	server.exe
Token: SeIncBasePriorityPrivilege	4928	server.exe
Token: 33	4928	server.exe
Token: SeIncBasePriorityPrivilege	4928	server.exe
Token: 33	4928	server.exe
Token: SeIncBasePriorityPrivilege	4928	server.exe
Token: 33	4928	server.exe
Token: SeIncBasePriorityPrivilege	4928	server.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 2628	2944	4bc7cb14d05b166d64ea645bf8b376e375cd91e9816cf4e14dd24dfe74ad972a.exe	80
PID 2944 wrote to memory of 2628	2944	4bc7cb14d05b166d64ea645bf8b376e375cd91e9816cf4e14dd24dfe74ad972a.exe	80
PID 2944 wrote to memory of 2628	2944	4bc7cb14d05b166d64ea645bf8b376e375cd91e9816cf4e14dd24dfe74ad972a.exe	80
PID 2944 wrote to memory of 2200	2944	4bc7cb14d05b166d64ea645bf8b376e375cd91e9816cf4e14dd24dfe74ad972a.exe	81
PID 2944 wrote to memory of 2200	2944	4bc7cb14d05b166d64ea645bf8b376e375cd91e9816cf4e14dd24dfe74ad972a.exe	81
PID 2944 wrote to memory of 2200	2944	4bc7cb14d05b166d64ea645bf8b376e375cd91e9816cf4e14dd24dfe74ad972a.exe	81
PID 2200 wrote to memory of 3376	2200	Crack.exe	82
PID 2200 wrote to memory of 3376	2200	Crack.exe	82
PID 2200 wrote to memory of 3376	2200	Crack.exe	82
PID 2628 wrote to memory of 4928	2628	vvb.exe	85
PID 2628 wrote to memory of 4928	2628	vvb.exe	85
PID 2628 wrote to memory of 4928	2628	vvb.exe	85
PID 4928 wrote to memory of 944	4928	server.exe	86
PID 4928 wrote to memory of 944	4928	server.exe	86
PID 4928 wrote to memory of 944	4928	server.exe	86

C:\Users\Admin\AppData\Local\Temp\4bc7cb14d05b166d64ea645bf8b376e375cd91e9816cf4e14dd24dfe74ad972a.exe
"C:\Users\Admin\AppData\Local\Temp\4bc7cb14d05b166d64ea645bf8b376e375cd91e9816cf4e14dd24dfe74ad972a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Users\Admin\AppData\Local\Temp\vvb.exe
  C:\Users\Admin\AppData\Local\Temp/vvb.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Users\Admin\AppData\Local\Temp\server.exe
    "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4928
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:944
- C:\Users\Admin\AppData\Local\Temp\Crack.exe
  C:\Users\Admin\AppData\Local\Temp/Crack.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Users\Admin\AppData\Local\Temp\is-O2JFB.tmp\Crack.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-O2JFB.tmp\Crack.tmp" /SL5="$14006C,279271,145920,C:\Users\Admin\AppData\Local\Temp\Crack.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3376

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Crack.exe

Filesize
769KB

MD5
2e7e4fa9fd865ac24ebed0d5f1aa0a72

SHA1
23c980c639a4e4efd6d3edf74c9099bff134bf79

SHA256
c01e5ab8410f4e448f181adb3a2f57324f60cf74d8e5c62aca10ed8447bfd38b

SHA512
2dd1bbcd59a77c05b242172261fc50a5f58d90e1edd1b8a0ff90d9a0a28fc0f1f5b4eb7eef21b300f152360618ac72a086ea3ac83641f349fae3754f55fdeb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Crack.exe

Filesize
769KB

MD5
2e7e4fa9fd865ac24ebed0d5f1aa0a72

SHA1
23c980c639a4e4efd6d3edf74c9099bff134bf79

SHA256
c01e5ab8410f4e448f181adb3a2f57324f60cf74d8e5c62aca10ed8447bfd38b

SHA512
2dd1bbcd59a77c05b242172261fc50a5f58d90e1edd1b8a0ff90d9a0a28fc0f1f5b4eb7eef21b300f152360618ac72a086ea3ac83641f349fae3754f55fdeb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GMMF5.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-O2JFB.tmp\Crack.tmp

Filesize
1.1MB

MD5
ab0e68631055f355e3fa3a65f5cbb7a6

SHA1
acdfd7155dc6e09025c84f3c36b581e9aad2263c

SHA256
9a8b5b9746b22132903879b4ba5876bb9d3468177989f486c2e67f353b4a2928

SHA512
a1e58a283842c408bf9a399837ff3976930c817830d33845d8cb3838d3098b2b49f6b35d5b812d5b99170e5150fbcd2434914373346f7645362e9885aae04c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-O2JFB.tmp\Crack.tmp

Filesize
1.1MB

MD5
ab0e68631055f355e3fa3a65f5cbb7a6

SHA1
acdfd7155dc6e09025c84f3c36b581e9aad2263c

SHA256
9a8b5b9746b22132903879b4ba5876bb9d3468177989f486c2e67f353b4a2928

SHA512
a1e58a283842c408bf9a399837ff3976930c817830d33845d8cb3838d3098b2b49f6b35d5b812d5b99170e5150fbcd2434914373346f7645362e9885aae04c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
409KB

MD5
12af50fe321b48ceeeae76f17f75f696

SHA1
3263e56879c4d33b6796530a8553b2d429ad3d87

SHA256
63761df5cc91b2f362f9ffc0764684aaecca787a24f749e07cf2994a64a9a3e9

SHA512
74350ce30d61340607f5c8b3c59f063ed962d16f7105712bc9a09febbbd005580b76170bb5878e6d6edfb6156384ec9962d3db8e8ca171d9d72fa4c79dc205a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
409KB

MD5
12af50fe321b48ceeeae76f17f75f696

SHA1
3263e56879c4d33b6796530a8553b2d429ad3d87

SHA256
63761df5cc91b2f362f9ffc0764684aaecca787a24f749e07cf2994a64a9a3e9

SHA512
74350ce30d61340607f5c8b3c59f063ed962d16f7105712bc9a09febbbd005580b76170bb5878e6d6edfb6156384ec9962d3db8e8ca171d9d72fa4c79dc205a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vvb.exe

Filesize
409KB

MD5
12af50fe321b48ceeeae76f17f75f696

SHA1
3263e56879c4d33b6796530a8553b2d429ad3d87

SHA256
63761df5cc91b2f362f9ffc0764684aaecca787a24f749e07cf2994a64a9a3e9

SHA512
74350ce30d61340607f5c8b3c59f063ed962d16f7105712bc9a09febbbd005580b76170bb5878e6d6edfb6156384ec9962d3db8e8ca171d9d72fa4c79dc205a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vvb.exe

Filesize
409KB

MD5
12af50fe321b48ceeeae76f17f75f696

SHA1
3263e56879c4d33b6796530a8553b2d429ad3d87

SHA256
63761df5cc91b2f362f9ffc0764684aaecca787a24f749e07cf2994a64a9a3e9

SHA512
74350ce30d61340607f5c8b3c59f063ed962d16f7105712bc9a09febbbd005580b76170bb5878e6d6edfb6156384ec9962d3db8e8ca171d9d72fa4c79dc205a5

Download Submit
memory/2200-143-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2200-146-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2200-138-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2628-144-0x0000000074C20000-0x00000000751D1000-memory.dmp

Filesize
5.7MB

Download
memory/2628-147-0x0000000074C20000-0x00000000751D1000-memory.dmp

Filesize
5.7MB

Download
memory/2628-151-0x0000000074C20000-0x00000000751D1000-memory.dmp

Filesize
5.7MB

Download
memory/4928-152-0x0000000074C20000-0x00000000751D1000-memory.dmp

Filesize
5.7MB

Download
memory/4928-154-0x0000000074C20000-0x00000000751D1000-memory.dmp

Filesize
5.7MB

Download