njrat | a34d8e762048f34a88be77a941e156331631ba46b77665b62599409e5f6b07e0

Analysis

max time kernel
150s
max time network
151s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
02/04/2023, 23:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
Size

162KB
MD5

b2819adb9fe4d3eeaeb20e5a85c2e9cc
SHA1

7d39dff8804c15de1d0f980a8d7f3f1d8b23f57a
SHA256

0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2
SHA512

1e46f40ab6f1d50050bd040deea79d62d1fefba14d1a5640e053370f551003b88f59107a96ac52e44527c1ac22b23ad907d85ad871a9f4b23bd8c8d9f056e163
SSDEEP

3072:acd5j/fy8unPte+2lLF6Qd0E5rpevb0S2:Nd1+2lcQdH/4bu

Score

10^/10

njrat trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	yecm.exe

Executes dropped EXE 1 IoCs

pid	Process
5028	yecm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4824	schtasks.exe
3712	schtasks.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
4756	TASKKILL.exe
4544	TASKKILL.exe
4540	TASKKILL.exe
4744	TASKKILL.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
Token: SeDebugPrivilege	4744	TASKKILL.exe
Token: SeDebugPrivilege	4756	TASKKILL.exe
Token: SeDebugPrivilege	5028	yecm.exe
Token: SeDebugPrivilege	4540	TASKKILL.exe
Token: SeDebugPrivilege	4544	TASKKILL.exe
Token: 33	5028	yecm.exe
Token: SeIncBasePriorityPrivilege	5028	yecm.exe
Token: 33	5028	yecm.exe
Token: SeIncBasePriorityPrivilege	5028	yecm.exe
Token: 33	5028	yecm.exe
Token: SeIncBasePriorityPrivilege	5028	yecm.exe
Token: 33	5028	yecm.exe
Token: SeIncBasePriorityPrivilege	5028	yecm.exe
Token: 33	5028	yecm.exe
Token: SeIncBasePriorityPrivilege	5028	yecm.exe
Token: 33	5028	yecm.exe
Token: SeIncBasePriorityPrivilege	5028	yecm.exe
Token: 33	5028	yecm.exe
Token: SeIncBasePriorityPrivilege	5028	yecm.exe
Token: 33	5028	yecm.exe
Token: SeIncBasePriorityPrivilege	5028	yecm.exe
Token: 33	5028	yecm.exe
Token: SeIncBasePriorityPrivilege	5028	yecm.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 5112 wrote to memory of 4752	5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe	66
PID 5112 wrote to memory of 4752	5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe	66
PID 5112 wrote to memory of 4752	5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe	66
PID 5112 wrote to memory of 4824	5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe	68
PID 5112 wrote to memory of 4824	5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe	68
PID 5112 wrote to memory of 4824	5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe	68
PID 5112 wrote to memory of 4744	5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe	70
PID 5112 wrote to memory of 4744	5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe	70
PID 5112 wrote to memory of 4744	5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe	70
PID 5112 wrote to memory of 4756	5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe	71
PID 5112 wrote to memory of 4756	5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe	71
PID 5112 wrote to memory of 4756	5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe	71
PID 5112 wrote to memory of 5028	5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe	75
PID 5112 wrote to memory of 5028	5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe	75
PID 5112 wrote to memory of 5028	5112	0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe	75
PID 5028 wrote to memory of 4420	5028	yecm.exe	76
PID 5028 wrote to memory of 4420	5028	yecm.exe	76
PID 5028 wrote to memory of 4420	5028	yecm.exe	76
PID 5028 wrote to memory of 3712	5028	yecm.exe	78
PID 5028 wrote to memory of 3712	5028	yecm.exe	78
PID 5028 wrote to memory of 3712	5028	yecm.exe	78
PID 5028 wrote to memory of 4540	5028	yecm.exe	83
PID 5028 wrote to memory of 4540	5028	yecm.exe	83
PID 5028 wrote to memory of 4540	5028	yecm.exe	83
PID 5028 wrote to memory of 4544	5028	yecm.exe	82
PID 5028 wrote to memory of 4544	5028	yecm.exe	82
PID 5028 wrote to memory of 4544	5028	yecm.exe	82

C:\Users\Admin\AppData\Local\Temp\0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe
"C:\Users\Admin\AppData\Local\Temp\0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe"
1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5112
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Delete /tn NYANP /F
  2⤵
  PID:4752
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /tn NYANP /tr "C:\Users\Admin\AppData\Local\Temp\0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2.exe" /sc minute /mo 5
  2⤵
  - Creates scheduled task(s)
  PID:4824
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /F /IM wscript.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4744
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /F /IM cmd.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4756
- C:\Users\Admin\yecm.exe
  "C:\Users\Admin\yecm.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5028
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Delete /tn NYANP /F
    3⤵
    PID:4420
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn NYANP /tr "C:\Users\Admin\yecm.exe" /sc minute /mo 5
    3⤵
    - Creates scheduled task(s)
    PID:3712
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /F /IM cmd.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4544
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /F /IM wscript.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\yecm.exe

Filesize
162KB

MD5
b2819adb9fe4d3eeaeb20e5a85c2e9cc

SHA1
7d39dff8804c15de1d0f980a8d7f3f1d8b23f57a

SHA256
0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2

SHA512
1e46f40ab6f1d50050bd040deea79d62d1fefba14d1a5640e053370f551003b88f59107a96ac52e44527c1ac22b23ad907d85ad871a9f4b23bd8c8d9f056e163

Download Submit
C:\Users\Admin\yecm.exe

Filesize
162KB

MD5
b2819adb9fe4d3eeaeb20e5a85c2e9cc

SHA1
7d39dff8804c15de1d0f980a8d7f3f1d8b23f57a

SHA256
0688dbd736e5a0e53024ee30cd2bcf205fcabc8d2a9800455572b1babe028fa2

SHA512
1e46f40ab6f1d50050bd040deea79d62d1fefba14d1a5640e053370f551003b88f59107a96ac52e44527c1ac22b23ad907d85ad871a9f4b23bd8c8d9f056e163

Download Submit
memory/5028-133-0x0000000002E40000-0x0000000002E50000-memory.dmp

Filesize
64KB

Download
memory/5028-132-0x0000000002E40000-0x0000000002E50000-memory.dmp

Filesize
64KB

Download
memory/5028-134-0x0000000002E40000-0x0000000002E50000-memory.dmp

Filesize
64KB

Download
memory/5028-135-0x0000000002E40000-0x0000000002E50000-memory.dmp

Filesize
64KB

Download
memory/5028-136-0x0000000002E40000-0x0000000002E50000-memory.dmp

Filesize
64KB

Download
memory/5028-137-0x0000000002E40000-0x0000000002E50000-memory.dmp

Filesize
64KB

Download
memory/5112-123-0x0000000000870000-0x0000000000880000-memory.dmp

Filesize
64KB

Download
memory/5112-124-0x0000000000870000-0x0000000000880000-memory.dmp

Filesize
64KB

Download
memory/5112-125-0x0000000000870000-0x0000000000880000-memory.dmp

Filesize
64KB

Download
memory/5112-122-0x0000000000870000-0x0000000000880000-memory.dmp

Filesize
64KB

Download
memory/5112-121-0x0000000000870000-0x0000000000880000-memory.dmp

Filesize
64KB

Download
memory/5112-120-0x0000000000870000-0x0000000000880000-memory.dmp

Filesize
64KB

Download