njrat | 2c694cd1fa99b5d049ef82a9fa176bcfa3658ee4e8fd427668667850d9f9bd3b

General

Target

2c694cd1fa99b5d049ef82a9fa176bcfa3658ee4e8fd427668667850d9f9bd3b.exe
Size

216KB
MD5

1abd4046c4581e18a04f31fd01c37bc6
SHA1

e3a05f10b52399184714a01a5e3e29696d4345d5
SHA256

2c694cd1fa99b5d049ef82a9fa176bcfa3658ee4e8fd427668667850d9f9bd3b
SHA512

ad947e946607fdba605344445d20528e49fbc343a5fef865e96b8af85f917ac7ff5639f44271e6c9b87ad3cdbeba372289426f4a812ed8ce35f26701292da005
SSDEEP

6144:RbRZe1dUZiD78HUynURW5wT5RnR/0ktNJ:XZliD6dnZe9R/

Score

10^/10

njrat evasion persistence trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 2 IoCs

pid	Process
3392	LocalFYZYoSHdoF.exe
4920	Trojan.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
4820	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	2c694cd1fa99b5d049ef82a9fa176bcfa3658ee4e8fd427668667850d9f9bd3b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	LocalFYZYoSHdoF.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe	Trojan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe	Trojan.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."	Trojan.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
4920	Trojan.exe
4920	Trojan.exe
4920	Trojan.exe
4920	Trojan.exe
4920	Trojan.exe
4920	Trojan.exe
4920	Trojan.exe
4920	Trojan.exe
4920	Trojan.exe
4920	Trojan.exe
4920	Trojan.exe
4920	Trojan.exe
4920	Trojan.exe
4920	Trojan.exe
4920	Trojan.exe
4920	Trojan.exe
4920	Trojan.exe
4920	Trojan.exe
4920	Trojan.exe
4920	Trojan.exe
4920	Trojan.exe
4920	Trojan.exe
4920	Trojan.exe
4920	Trojan.exe
4920	Trojan.exe
4920	Trojan.exe
4920	Trojan.exe
4920	Trojan.exe
4920	Trojan.exe
4920	Trojan.exe
4920	Trojan.exe
4920	Trojan.exe
4920	Trojan.exe
4920	Trojan.exe
4920	Trojan.exe
4920	Trojan.exe
4920	Trojan.exe
4920	Trojan.exe
4920	Trojan.exe
4920	Trojan.exe
4920	Trojan.exe
4920	Trojan.exe
4920	Trojan.exe
4920	Trojan.exe
4920	Trojan.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4920	Trojan.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4640 wrote to memory of 3392	4640	2c694cd1fa99b5d049ef82a9fa176bcfa3658ee4e8fd427668667850d9f9bd3b.exe	82
PID 4640 wrote to memory of 3392	4640	2c694cd1fa99b5d049ef82a9fa176bcfa3658ee4e8fd427668667850d9f9bd3b.exe	82
PID 4640 wrote to memory of 3392	4640	2c694cd1fa99b5d049ef82a9fa176bcfa3658ee4e8fd427668667850d9f9bd3b.exe	82
PID 3392 wrote to memory of 4920	3392	LocalFYZYoSHdoF.exe	83
PID 3392 wrote to memory of 4920	3392	LocalFYZYoSHdoF.exe	83
PID 3392 wrote to memory of 4920	3392	LocalFYZYoSHdoF.exe	83
PID 4920 wrote to memory of 4820	4920	Trojan.exe	84
PID 4920 wrote to memory of 4820	4920	Trojan.exe	84
PID 4920 wrote to memory of 4820	4920	Trojan.exe	84

C:\Users\Admin\AppData\Local\Temp\2c694cd1fa99b5d049ef82a9fa176bcfa3658ee4e8fd427668667850d9f9bd3b.exe
"C:\Users\Admin\AppData\Local\Temp\2c694cd1fa99b5d049ef82a9fa176bcfa3658ee4e8fd427668667850d9f9bd3b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4640
- C:\Users\Admin\AppData\LocalFYZYoSHdoF.exe
  "C:\Users\Admin\AppData\LocalFYZYoSHdoF.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3392
- - C:\Users\Admin\AppData\Local\Temp\Trojan.exe
    "C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
    3⤵
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4920
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:4820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalFYZYoSHdoF.exe

Filesize
28KB

MD5
82cd661b57ea77c2a70820c3fb85774a

SHA1
ecc075d50770fce1c484e1b39cb1d69c8524fc94

SHA256
d65bf887f167f882a21e0c6d5c82883830ab4301c63a6349968c6dcf0ede6276

SHA512
7d9a07461378ac7705323911af79824171c2250190b2dded9078d56aa5ef96a391e21d43698bcab852995ab7161fb1185292c702f4f816fb991bbb72db8ad26d

Download Submit
C:\Users\Admin\AppData\LocalFYZYoSHdoF.exe

Filesize
28KB

MD5
82cd661b57ea77c2a70820c3fb85774a

SHA1
ecc075d50770fce1c484e1b39cb1d69c8524fc94

SHA256
d65bf887f167f882a21e0c6d5c82883830ab4301c63a6349968c6dcf0ede6276

SHA512
7d9a07461378ac7705323911af79824171c2250190b2dded9078d56aa5ef96a391e21d43698bcab852995ab7161fb1185292c702f4f816fb991bbb72db8ad26d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
28KB

MD5
82cd661b57ea77c2a70820c3fb85774a

SHA1
ecc075d50770fce1c484e1b39cb1d69c8524fc94

SHA256
d65bf887f167f882a21e0c6d5c82883830ab4301c63a6349968c6dcf0ede6276

SHA512
7d9a07461378ac7705323911af79824171c2250190b2dded9078d56aa5ef96a391e21d43698bcab852995ab7161fb1185292c702f4f816fb991bbb72db8ad26d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
28KB

MD5
82cd661b57ea77c2a70820c3fb85774a

SHA1
ecc075d50770fce1c484e1b39cb1d69c8524fc94

SHA256
d65bf887f167f882a21e0c6d5c82883830ab4301c63a6349968c6dcf0ede6276

SHA512
7d9a07461378ac7705323911af79824171c2250190b2dded9078d56aa5ef96a391e21d43698bcab852995ab7161fb1185292c702f4f816fb991bbb72db8ad26d

Download Submit
memory/3392-140-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/4640-132-0x00007FFD7C670000-0x00007FFD7D0A6000-memory.dmp

Filesize
10.2MB

Download
memory/4920-141-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/4920-142-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing