njrat | 832c8490c1641d7d3f1597e7d6b95cc21d018e45a8258d1a23ac184b9ec506f4

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2023 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

644e22017e7ea1528dca300ff5efc8a07f8587b3b15ea079ea0b9b205b0b4d83.exe
Size

431KB
MD5

0ec8c3c2398d384e8f53ce811a488b49
SHA1

6de36a097b8d734bf242a22efb0f64fc433b87cb
SHA256

644e22017e7ea1528dca300ff5efc8a07f8587b3b15ea079ea0b9b205b0b4d83
SHA512

f100b7b7e5306be27f084c1347a285998b5bba1d8872167e3632797a6d6c0f94803152f56be29ee89a3a9f74da0dc5f984d14eccfd9eeb7804051a5e4999589b
SSDEEP

6144:GvuswBr11L2Ji69aOZjYqnKhTuo7Ebr9bH30+lDPt:GvuxnOo4brxH30iDPt

Score

10^/10

njrat evasion trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 1 TTPs 6 IoCs

evasion

Modify Existing Service

T1031

pid	Process
4160	netsh.exe
4812	netsh.exe
4084	netsh.exe
404	netsh.exe
5056	netsh.exe
4748	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	644e22017e7ea1528dca300ff5efc8a07f8587b3b15ea079ea0b9b205b0b4d83.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	Tempxxx2as.exe

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wallpaper.exe	Tempxxx2as.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wallpaper.exe	Tempxxx2as.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cb77538f388ec8303c2e8970f543db3fSound.exe	Tempxxx2as.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cb77538f388ec8303c2e8970f543db3fSound.exe	Tempxxx2as.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wallpaper.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cb77538f388ec8303c2e8970f543db3fSound.exe	svchost.exe

Executes dropped EXE 2 IoCs

pid	Process
2320	Tempxxx2as.exe
916	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2320	Tempxxx2as.exe
916	svchost.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	916	svchost.exe
Token: 33	916	svchost.exe
Token: SeIncBasePriorityPrivilege	916	svchost.exe
Token: 33	916	svchost.exe
Token: SeIncBasePriorityPrivilege	916	svchost.exe
Token: 33	916	svchost.exe
Token: SeIncBasePriorityPrivilege	916	svchost.exe
Token: 33	916	svchost.exe
Token: SeIncBasePriorityPrivilege	916	svchost.exe
Token: 33	916	svchost.exe
Token: SeIncBasePriorityPrivilege	916	svchost.exe
Token: 33	916	svchost.exe
Token: SeIncBasePriorityPrivilege	916	svchost.exe
Token: 33	916	svchost.exe
Token: SeIncBasePriorityPrivilege	916	svchost.exe
Token: 33	916	svchost.exe
Token: SeIncBasePriorityPrivilege	916	svchost.exe
Token: 33	916	svchost.exe
Token: SeIncBasePriorityPrivilege	916	svchost.exe
Token: 33	916	svchost.exe
Token: SeIncBasePriorityPrivilege	916	svchost.exe
Token: 33	916	svchost.exe
Token: SeIncBasePriorityPrivilege	916	svchost.exe
Token: 33	916	svchost.exe
Token: SeIncBasePriorityPrivilege	916	svchost.exe
Token: 33	916	svchost.exe
Token: SeIncBasePriorityPrivilege	916	svchost.exe
Token: 33	916	svchost.exe
Token: SeIncBasePriorityPrivilege	916	svchost.exe
Token: 33	916	svchost.exe
Token: SeIncBasePriorityPrivilege	916	svchost.exe
Token: 33	916	svchost.exe
Token: SeIncBasePriorityPrivilege	916	svchost.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3352 wrote to memory of 2320	3352	644e22017e7ea1528dca300ff5efc8a07f8587b3b15ea079ea0b9b205b0b4d83.exe	87
PID 3352 wrote to memory of 2320	3352	644e22017e7ea1528dca300ff5efc8a07f8587b3b15ea079ea0b9b205b0b4d83.exe	87
PID 3352 wrote to memory of 2320	3352	644e22017e7ea1528dca300ff5efc8a07f8587b3b15ea079ea0b9b205b0b4d83.exe	87
PID 2320 wrote to memory of 4084	2320	Tempxxx2as.exe	89
PID 2320 wrote to memory of 4084	2320	Tempxxx2as.exe	89
PID 2320 wrote to memory of 4084	2320	Tempxxx2as.exe	89
PID 2320 wrote to memory of 404	2320	Tempxxx2as.exe	94
PID 2320 wrote to memory of 404	2320	Tempxxx2as.exe	94
PID 2320 wrote to memory of 404	2320	Tempxxx2as.exe	94
PID 2320 wrote to memory of 5056	2320	Tempxxx2as.exe	96
PID 2320 wrote to memory of 5056	2320	Tempxxx2as.exe	96
PID 2320 wrote to memory of 5056	2320	Tempxxx2as.exe	96
PID 2320 wrote to memory of 916	2320	Tempxxx2as.exe	98
PID 2320 wrote to memory of 916	2320	Tempxxx2as.exe	98
PID 2320 wrote to memory of 916	2320	Tempxxx2as.exe	98
PID 916 wrote to memory of 4748	916	svchost.exe	99
PID 916 wrote to memory of 4748	916	svchost.exe	99
PID 916 wrote to memory of 4748	916	svchost.exe	99
PID 916 wrote to memory of 4160	916	svchost.exe	101
PID 916 wrote to memory of 4160	916	svchost.exe	101
PID 916 wrote to memory of 4160	916	svchost.exe	101
PID 916 wrote to memory of 4812	916	svchost.exe	103
PID 916 wrote to memory of 4812	916	svchost.exe	103
PID 916 wrote to memory of 4812	916	svchost.exe	103

C:\Users\Admin\AppData\Local\Temp\644e22017e7ea1528dca300ff5efc8a07f8587b3b15ea079ea0b9b205b0b4d83.exe
"C:\Users\Admin\AppData\Local\Temp\644e22017e7ea1528dca300ff5efc8a07f8587b3b15ea079ea0b9b205b0b4d83.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3352
- C:\Users\Admin\AppData\Local\Tempxxx2as.exe
  "C:\Users\Admin\AppData\Local\Tempxxx2as.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Tempxxx2as.exe" "Tempxxx2as.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:4084
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Tempxxx2as.exe"
    3⤵
    - Modifies Windows Firewall
    PID:404
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Tempxxx2as.exe" "Tempxxx2as.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:5056
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:916
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe" "svchost.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:4748
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
      4⤵
      Modifies Windows Firewall
      PID:4160
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe" "svchost.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:4812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\melt.txt

Filesize
43B

MD5
4802ba187eb702783325420324d69d96

SHA1
dfc40e90dad59eec53c8fb910ad2b8284baacf19

SHA256
6c20e81d3c7bf753abc41d7d98c015b7ea885bdbee69608e37135f46886e0315

SHA512
6eb830135ca3f80c36118ea2c6dedffbad4356bd962571c50ee5043c294e6052542c945702e402e0a7d8167001e14e4d32f66b348efca4e0e2856a2386a0bd77

Download Submit
C:\Users\Admin\AppData\Local\Tempxxx2as.exe

Filesize
95KB

MD5
317e62c41716efa6a0cf667f5cf3f70f

SHA1
88445e82223b0fe22c60b240c734554c4be85c4f

SHA256
3ee5916bd11a7a4664c3bbe1a164e4e251e40ec4d2753fe9cc0eeaad997a066c

SHA512
10392a6419925ced9e8c881b040a4d3a8853e2f555693e0ddea3fed4e5560e32f0aab9b0c7d246d4f9352b5387d2eb449e72635a42d92a2ca3082bad49fde207

Download Submit
C:\Users\Admin\AppData\Local\Tempxxx2as.exe

Filesize
95KB

MD5
317e62c41716efa6a0cf667f5cf3f70f

SHA1
88445e82223b0fe22c60b240c734554c4be85c4f

SHA256
3ee5916bd11a7a4664c3bbe1a164e4e251e40ec4d2753fe9cc0eeaad997a066c

SHA512
10392a6419925ced9e8c881b040a4d3a8853e2f555693e0ddea3fed4e5560e32f0aab9b0c7d246d4f9352b5387d2eb449e72635a42d92a2ca3082bad49fde207

Download Submit
C:\Users\Admin\AppData\Local\Tempxxx2as.exe

Filesize
95KB

MD5
317e62c41716efa6a0cf667f5cf3f70f

SHA1
88445e82223b0fe22c60b240c734554c4be85c4f

SHA256
3ee5916bd11a7a4664c3bbe1a164e4e251e40ec4d2753fe9cc0eeaad997a066c

SHA512
10392a6419925ced9e8c881b040a4d3a8853e2f555693e0ddea3fed4e5560e32f0aab9b0c7d246d4f9352b5387d2eb449e72635a42d92a2ca3082bad49fde207

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wallpaper.exe

Filesize
95KB

MD5
317e62c41716efa6a0cf667f5cf3f70f

SHA1
88445e82223b0fe22c60b240c734554c4be85c4f

SHA256
3ee5916bd11a7a4664c3bbe1a164e4e251e40ec4d2753fe9cc0eeaad997a066c

SHA512
10392a6419925ced9e8c881b040a4d3a8853e2f555693e0ddea3fed4e5560e32f0aab9b0c7d246d4f9352b5387d2eb449e72635a42d92a2ca3082bad49fde207

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cb77538f388ec8303c2e8970f543db3fSound.exe

Filesize
95KB

MD5
317e62c41716efa6a0cf667f5cf3f70f

SHA1
88445e82223b0fe22c60b240c734554c4be85c4f

SHA256
3ee5916bd11a7a4664c3bbe1a164e4e251e40ec4d2753fe9cc0eeaad997a066c

SHA512
10392a6419925ced9e8c881b040a4d3a8853e2f555693e0ddea3fed4e5560e32f0aab9b0c7d246d4f9352b5387d2eb449e72635a42d92a2ca3082bad49fde207

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

Filesize
95KB

MD5
317e62c41716efa6a0cf667f5cf3f70f

SHA1
88445e82223b0fe22c60b240c734554c4be85c4f

SHA256
3ee5916bd11a7a4664c3bbe1a164e4e251e40ec4d2753fe9cc0eeaad997a066c

SHA512
10392a6419925ced9e8c881b040a4d3a8853e2f555693e0ddea3fed4e5560e32f0aab9b0c7d246d4f9352b5387d2eb449e72635a42d92a2ca3082bad49fde207

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

Filesize
95KB

MD5
317e62c41716efa6a0cf667f5cf3f70f

SHA1
88445e82223b0fe22c60b240c734554c4be85c4f

SHA256
3ee5916bd11a7a4664c3bbe1a164e4e251e40ec4d2753fe9cc0eeaad997a066c

SHA512
10392a6419925ced9e8c881b040a4d3a8853e2f555693e0ddea3fed4e5560e32f0aab9b0c7d246d4f9352b5387d2eb449e72635a42d92a2ca3082bad49fde207

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
5B

MD5
a65a8cc18c0fdcac3b78ed8f032e2f98

SHA1
9087f7aaf4edf3b132348b1e5dfa7a678d57d40e

SHA256
ca1c5c735384c64968c987e3e608cb48a3cbd73e870f1bc6d60f2b24f9445e3a

SHA512
8e56c9aa0c90fb30b488fa72a0b9d40e69c357e32d8e6f9d5a299dfbf9df8c896c28684d7163972019ab53dfcfe35dc75e9b305e07c81b9984a410e04b96186d

Download Submit
memory/2320-153-0x0000000000BD0000-0x0000000000BE0000-memory.dmp

Filesize
64KB

Download
memory/3352-145-0x0000000000D00000-0x0000000000D10000-memory.dmp

Filesize
64KB

Download
memory/3352-147-0x0000000000D00000-0x0000000000D10000-memory.dmp

Filesize
64KB

Download
memory/3352-144-0x0000000000D00000-0x0000000000D10000-memory.dmp

Filesize
64KB

Download
memory/3352-149-0x000000001ED50000-0x000000001EE50000-memory.dmp

Filesize
1024KB

Download
memory/3352-138-0x000000001EE50000-0x000000001EEF6000-memory.dmp

Filesize
664KB

Download
memory/3352-137-0x0000000000D10000-0x0000000000D18000-memory.dmp

Filesize
32KB

Download
memory/3352-133-0x0000000000D00000-0x0000000000D10000-memory.dmp

Filesize
64KB

Download
memory/3352-136-0x000000001B2F0000-0x000000001B38C000-memory.dmp

Filesize
624KB

Download
memory/3352-135-0x000000001BDF0000-0x000000001C2BE000-memory.dmp

Filesize
4.8MB

Download
memory/3352-134-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download