njrat | 1ba26b7fefc227463accb9d479889d17439b7de392d09722d271641acf24b23f

General

Target

0x0009000000012314-63.exe
Size

78KB
MD5

2c3dfd707a71a723aada2ab5cb4485d6
SHA1

41357a94ad63b2f6bbe4f4f0a069d6f22a125369
SHA256

1ba26b7fefc227463accb9d479889d17439b7de392d09722d271641acf24b23f
SHA512

fe6e219e3efb0c8e0ee3a77d5dc198a43df605e9859bf5a1b41dbd8cfae929d9c684025676b80c8f5438e3e4de1d1b9a0a78bf5c5fd2005763e8d254425dcb19
SSDEEP

1536:If+qHADbDpKS5wpOk3JCK6pFo2/e6fOpd/9nEh9TGnJUR:WQwpOk5CK6pO/9ESnJU

Score

10^/10

njrat exploited++trojan

Malware Config

Extracted

Family

njrat

Version

0.7.3

Botnet

Exploited++

C2

salesxpert.duckdns.org:2889

Mutex

windows.exe

Attributes

reg_key
windows.exe
splitter
mnbvcxz12

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0x0009000000012314-63.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	0x0009000000012314-63.exe

Drops startup file 2 IoCs

Processes:

windows.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.exe	windows.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.exe	windows.exe

Executes dropped EXE 1 IoCs

Processes:

windows.exe

pid process

3040 windows.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1516 schtasks.exe
4884 schtasks.exe

pid	process
3040	windows.exe

pid	process
1516	schtasks.exe
4884	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0x0009000000012314-63.exe

pid	process
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe
5048	0x0009000000012314-63.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

0x0009000000012314-63.exewindows.exe

description	pid	process
Token: SeDebugPrivilege	5048	0x0009000000012314-63.exe
Token: SeDebugPrivilege	3040	windows.exe
Token: 33	3040	windows.exe
Token: SeIncBasePriorityPrivilege	3040	windows.exe
Token: 33	3040	windows.exe
Token: SeIncBasePriorityPrivilege	3040	windows.exe
Token: 33	3040	windows.exe
Token: SeIncBasePriorityPrivilege	3040	windows.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

0x0009000000012314-63.exewindows.exe

description	pid	process	target process
PID 5048 wrote to memory of 4280	5048	0x0009000000012314-63.exe	schtasks.exe
PID 5048 wrote to memory of 4280	5048	0x0009000000012314-63.exe	schtasks.exe
PID 5048 wrote to memory of 4280	5048	0x0009000000012314-63.exe	schtasks.exe
PID 5048 wrote to memory of 1516	5048	0x0009000000012314-63.exe	schtasks.exe
PID 5048 wrote to memory of 1516	5048	0x0009000000012314-63.exe	schtasks.exe
PID 5048 wrote to memory of 1516	5048	0x0009000000012314-63.exe	schtasks.exe
PID 5048 wrote to memory of 3040	5048	0x0009000000012314-63.exe	windows.exe
PID 5048 wrote to memory of 3040	5048	0x0009000000012314-63.exe	windows.exe
PID 5048 wrote to memory of 3040	5048	0x0009000000012314-63.exe	windows.exe
PID 3040 wrote to memory of 2620	3040	windows.exe	schtasks.exe
PID 3040 wrote to memory of 2620	3040	windows.exe	schtasks.exe
PID 3040 wrote to memory of 2620	3040	windows.exe	schtasks.exe
PID 3040 wrote to memory of 4884	3040	windows.exe	schtasks.exe
PID 3040 wrote to memory of 4884	3040	windows.exe	schtasks.exe
PID 3040 wrote to memory of 4884	3040	windows.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\0x0009000000012314-63.exe
"C:\Users\Admin\AppData\Local\Temp\0x0009000000012314-63.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5048

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
2⤵
PID:4280

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\0x0009000000012314-63.exe" /sc minute /mo 1
2⤵
- Creates scheduled task(s)
PID:1516

C:\Users\Admin\windows.exe
"C:\Users\Admin\windows.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3040

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
3⤵
PID:2620

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\windows.exe" /sc minute /mo 1
3⤵
- Creates scheduled task(s)
PID:4884

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\windows.exe
Filesize
78KB

MD5
2c3dfd707a71a723aada2ab5cb4485d6

SHA1
41357a94ad63b2f6bbe4f4f0a069d6f22a125369

SHA256
1ba26b7fefc227463accb9d479889d17439b7de392d09722d271641acf24b23f

SHA512
fe6e219e3efb0c8e0ee3a77d5dc198a43df605e9859bf5a1b41dbd8cfae929d9c684025676b80c8f5438e3e4de1d1b9a0a78bf5c5fd2005763e8d254425dcb19

Download Submit
C:\Users\Admin\windows.exe
Filesize
78KB

MD5
2c3dfd707a71a723aada2ab5cb4485d6

SHA1
41357a94ad63b2f6bbe4f4f0a069d6f22a125369

SHA256
1ba26b7fefc227463accb9d479889d17439b7de392d09722d271641acf24b23f

SHA512
fe6e219e3efb0c8e0ee3a77d5dc198a43df605e9859bf5a1b41dbd8cfae929d9c684025676b80c8f5438e3e4de1d1b9a0a78bf5c5fd2005763e8d254425dcb19

Download Submit
memory/1516-133-0x0000000000000000-mapping.dmp

Download
memory/2620-139-0x0000000000000000-mapping.dmp

Download
memory/3040-153-0x00000000010E5000-0x00000000010ED000-memory.dmp

Filesize
32KB

Download
memory/3040-149-0x00000000010E9000-0x00000000010EF000-memory.dmp

Filesize
24KB

Download
memory/3040-161-0x0000000006D1C000-0x0000000006D22000-memory.dmp

Filesize
24KB

Download
memory/3040-160-0x00000000010E7000-0x00000000010EB000-memory.dmp

Filesize
16KB

Download
memory/3040-159-0x0000000006D16000-0x0000000006D1C000-memory.dmp

Filesize
24KB

Download
memory/3040-158-0x0000000006D1A000-0x0000000006D1D000-memory.dmp

Filesize
12KB

Download
memory/3040-157-0x00000000010E7000-0x00000000010ED000-memory.dmp

Filesize
24KB

Download
memory/3040-143-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download
memory/3040-144-0x00000000010E9000-0x00000000010EF000-memory.dmp

Filesize
24KB

Download
memory/3040-145-0x0000000006D10000-0x0000000006D14000-memory.dmp

Filesize
16KB

Download
memory/3040-146-0x0000000006D11000-0x0000000006D15000-memory.dmp

Filesize
16KB

Download
memory/3040-147-0x00000000010E5000-0x00000000010ED000-memory.dmp

Filesize
32KB

Download
memory/3040-148-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download
memory/3040-136-0x0000000000000000-mapping.dmp

Download
memory/3040-150-0x0000000006D10000-0x0000000006D14000-memory.dmp

Filesize
16KB

Download
memory/3040-151-0x0000000006D1A000-0x0000000006D1D000-memory.dmp

Filesize
12KB

Download
memory/3040-152-0x0000000006D11000-0x0000000006D15000-memory.dmp

Filesize
16KB

Download
memory/3040-156-0x00000000010E7000-0x00000000010ED000-memory.dmp

Filesize
24KB

Download
memory/3040-154-0x00000000010E7000-0x00000000010EA000-memory.dmp

Filesize
12KB

Download
memory/3040-155-0x0000000006D1D000-0x0000000006D20000-memory.dmp

Filesize
12KB

Download
memory/4280-132-0x0000000000000000-mapping.dmp

Download
memory/4884-142-0x0000000000000000-mapping.dmp

Download
memory/5048-134-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download
memory/5048-140-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download
memory/5048-141-0x0000000001689000-0x000000000168F000-memory.dmp

Filesize
24KB

Download
memory/5048-135-0x0000000001689000-0x000000000168F000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads