njrat | 4fff64c207d1d0ebe4073f120bb99720a90b79a8b9558e316f80b926c56ebf3b

General

Target

4fff64c207d1d0ebe4073f120bb99720a90b79a8b9558e316f80b926c56ebf3b.exe
Size

325KB
MD5

8bbb3b4c01554e0ff1a618554c067dc3
SHA1

294d26f917ed996c1f8aae3a57f723666cc49843
SHA256

4fff64c207d1d0ebe4073f120bb99720a90b79a8b9558e316f80b926c56ebf3b
SHA512

5454ae34b4bd6dfbe896a91a7d41197dcad048ed4b2aa8286dad5f2ed70fd41e5799815175aba059c4ca96997dd0e11ed30a48adb0f0486d7e656a560dab428c
SSDEEP

6144:XuIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qLcnSR51yB3l1G:e6Wq4aaE6KwyF5L0Y2D1PqLt5sBvG

Score

10^/10

njrat evasion persistence trojan upx

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

WinUpdat.exesvchost.exe

pid process

1044 WinUpdat.exe
516 svchost.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1320 netsh.exe

pid	process
1044	WinUpdat.exe
516	svchost.exe

pid	process
1320	netsh.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1152-60-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1152-62-0x0000000000400000-0x00000000004BA000-memory.dmp	upx

Drops startup file 4 IoCs

Processes:

WScript.exesvchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinUpdat.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinUpdat.vbs	WScript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8cc5db40eb97299bd658a6eaa7488f79.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8cc5db40eb97299bd658a6eaa7488f79.exe	svchost.exe

Loads dropped DLL 1 IoCs

Processes:

4fff64c207d1d0ebe4073f120bb99720a90b79a8b9558e316f80b926c56ebf3b.exe

pid process

1152 4fff64c207d1d0ebe4073f120bb99720a90b79a8b9558e316f80b926c56ebf3b.exe

pid	process
1152	4fff64c207d1d0ebe4073f120bb99720a90b79a8b9558e316f80b926c56ebf3b.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exesvchost.exeWinUpdat.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinUpdat = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WinUpdat.vbs\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\Users\\Admin\\AppData\\Local\\10.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\8cc5db40eb97299bd658a6eaa7488f79 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8cc5db40eb97299bd658a6eaa7488f79 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\Users\\Admin\\AppData\\Local\\10.exe"	WinUpdat.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdat = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WinUpdat.vbs\""	WScript.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/1152-60-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/1152-62-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeDebugPrivilege	516	svchost.exe
Token: 33	516	svchost.exe
Token: SeIncBasePriorityPrivilege	516	svchost.exe
Token: 33	516	svchost.exe
Token: SeIncBasePriorityPrivilege	516	svchost.exe
Token: 33	516	svchost.exe
Token: SeIncBasePriorityPrivilege	516	svchost.exe
Token: 33	516	svchost.exe
Token: SeIncBasePriorityPrivilege	516	svchost.exe
Token: 33	516	svchost.exe
Token: SeIncBasePriorityPrivilege	516	svchost.exe
Token: 33	516	svchost.exe
Token: SeIncBasePriorityPrivilege	516	svchost.exe
Token: 33	516	svchost.exe
Token: SeIncBasePriorityPrivilege	516	svchost.exe
Token: 33	516	svchost.exe
Token: SeIncBasePriorityPrivilege	516	svchost.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

4fff64c207d1d0ebe4073f120bb99720a90b79a8b9558e316f80b926c56ebf3b.exeWinUpdat.exesvchost.exe

description	pid	process	target process
PID 1152 wrote to memory of 1044	1152	4fff64c207d1d0ebe4073f120bb99720a90b79a8b9558e316f80b926c56ebf3b.exe	WinUpdat.exe
PID 1152 wrote to memory of 1044	1152	4fff64c207d1d0ebe4073f120bb99720a90b79a8b9558e316f80b926c56ebf3b.exe	WinUpdat.exe
PID 1152 wrote to memory of 1044	1152	4fff64c207d1d0ebe4073f120bb99720a90b79a8b9558e316f80b926c56ebf3b.exe	WinUpdat.exe
PID 1152 wrote to memory of 1044	1152	4fff64c207d1d0ebe4073f120bb99720a90b79a8b9558e316f80b926c56ebf3b.exe	WinUpdat.exe
PID 1152 wrote to memory of 1308	1152	4fff64c207d1d0ebe4073f120bb99720a90b79a8b9558e316f80b926c56ebf3b.exe	WScript.exe
PID 1152 wrote to memory of 1308	1152	4fff64c207d1d0ebe4073f120bb99720a90b79a8b9558e316f80b926c56ebf3b.exe	WScript.exe
PID 1152 wrote to memory of 1308	1152	4fff64c207d1d0ebe4073f120bb99720a90b79a8b9558e316f80b926c56ebf3b.exe	WScript.exe
PID 1152 wrote to memory of 1308	1152	4fff64c207d1d0ebe4073f120bb99720a90b79a8b9558e316f80b926c56ebf3b.exe	WScript.exe
PID 1044 wrote to memory of 516	1044	WinUpdat.exe	svchost.exe
PID 1044 wrote to memory of 516	1044	WinUpdat.exe	svchost.exe
PID 1044 wrote to memory of 516	1044	WinUpdat.exe	svchost.exe
PID 516 wrote to memory of 1320	516	svchost.exe	netsh.exe
PID 516 wrote to memory of 1320	516	svchost.exe	netsh.exe
PID 516 wrote to memory of 1320	516	svchost.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\4fff64c207d1d0ebe4073f120bb99720a90b79a8b9558e316f80b926c56ebf3b.exe
"C:\Users\Admin\AppData\Local\Temp\4fff64c207d1d0ebe4073f120bb99720a90b79a8b9558e316f80b926c56ebf3b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1152

C:\Users\Admin\AppData\Local\Temp\WinUpdat.exe
C:\Users\Admin\AppData\Local\Temp\WinUpdat.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1044

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:516

C:\Windows\system32\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:1320

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WinUpdat.vbs"
2⤵
- Drops startup file
- Adds Run key to start application
PID:1308

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WinUpdat.exe
Filesize
34KB

MD5
1a6459624ba5b71bcf976bf8373c21ea

SHA1
fdc3cfdefae69381f9593bbe0a80f06081ee8562

SHA256
65194990e7fea29c62b454d28db89df2eb106db4e796b74360720d08c3b387da

SHA512
b64294ea997fef20818f14b3bfd86b1bc4c2f916d8c1a3e6eef3a8ad483985a1ca2877cabe15fe26000e190c38d52b57c41e02e0323bd51461cfb208c8c42cda

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinUpdat.exe
Filesize
34KB

MD5
1a6459624ba5b71bcf976bf8373c21ea

SHA1
fdc3cfdefae69381f9593bbe0a80f06081ee8562

SHA256
65194990e7fea29c62b454d28db89df2eb106db4e796b74360720d08c3b387da

SHA512
b64294ea997fef20818f14b3bfd86b1bc4c2f916d8c1a3e6eef3a8ad483985a1ca2877cabe15fe26000e190c38d52b57c41e02e0323bd51461cfb208c8c42cda

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinUpdat.vbs
Filesize
41KB

MD5
42d2072ef26e5e85b3eefd7913797d17

SHA1
3d9440e20655e9afb8bcbce247f239f52f615392

SHA256
f7b68b8fa35ee0b28b40f2a207a276a3d0e7307e9ac74109fc7979585f3e33ca

SHA512
73e2c5715c7106f298bfd6d4fb875c04a5d97e92c765daaa5cbf61a15a447496c4b6e1113e0860a4b07fea1cc687f9e55c698990d23bf4ace2814e96a6328210

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
34KB

MD5
1a6459624ba5b71bcf976bf8373c21ea

SHA1
fdc3cfdefae69381f9593bbe0a80f06081ee8562

SHA256
65194990e7fea29c62b454d28db89df2eb106db4e796b74360720d08c3b387da

SHA512
b64294ea997fef20818f14b3bfd86b1bc4c2f916d8c1a3e6eef3a8ad483985a1ca2877cabe15fe26000e190c38d52b57c41e02e0323bd51461cfb208c8c42cda

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
34KB

MD5
1a6459624ba5b71bcf976bf8373c21ea

SHA1
fdc3cfdefae69381f9593bbe0a80f06081ee8562

SHA256
65194990e7fea29c62b454d28db89df2eb106db4e796b74360720d08c3b387da

SHA512
b64294ea997fef20818f14b3bfd86b1bc4c2f916d8c1a3e6eef3a8ad483985a1ca2877cabe15fe26000e190c38d52b57c41e02e0323bd51461cfb208c8c42cda

Download Submit
\Users\Admin\AppData\Local\Temp\WinUpdat.exe
Filesize
34KB

MD5
1a6459624ba5b71bcf976bf8373c21ea

SHA1
fdc3cfdefae69381f9593bbe0a80f06081ee8562

SHA256
65194990e7fea29c62b454d28db89df2eb106db4e796b74360720d08c3b387da

SHA512
b64294ea997fef20818f14b3bfd86b1bc4c2f916d8c1a3e6eef3a8ad483985a1ca2877cabe15fe26000e190c38d52b57c41e02e0323bd51461cfb208c8c42cda

Download Submit
memory/516-71-0x00000000011B0000-0x00000000011BE000-memory.dmp

Filesize
56KB

Download
memory/516-68-0x0000000000000000-mapping.dmp

Download
memory/1044-67-0x000007FEFC291000-0x000007FEFC293000-memory.dmp

Filesize
8KB

Download
memory/1044-65-0x0000000000250000-0x000000000025E000-memory.dmp

Filesize
56KB

Download
memory/1044-66-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/1044-59-0x0000000001260000-0x000000000126E000-memory.dmp

Filesize
56KB

Download
memory/1044-56-0x0000000000000000-mapping.dmp

Download
memory/1152-62-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1152-54-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

Filesize
8KB

Download
memory/1152-60-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1308-61-0x0000000000000000-mapping.dmp

Download
memory/1320-72-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads