njrat | 1223f6a7ef9f4838631c9640c9552c66d61023283711f7e9b63b4d59014a0014

General

Target

534a46e4d4b274dfd5366ceba0e5ce88.exe
Size

339KB
MD5

534a46e4d4b274dfd5366ceba0e5ce88
SHA1

425805bb6f46b4496cd8234c8fb34c420f62f9a1
SHA256

1223f6a7ef9f4838631c9640c9552c66d61023283711f7e9b63b4d59014a0014
SHA512

53a88fa01aa85c0b174856ac4c5414053d9f774764920d5d32f82354e366014f636d85add9acabe13f7034139a1732ece045d782dfd70a80e58f4b49ddfb9849
SSDEEP

768:LevMNOunYSLjLEOHEn6fM1kF8amfIT3r5Wn/wZLkne43tgem4Kgo:ivA3LBixaZTdM/+gneGa66

Score

10^/10

njrat evasion persistence trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
4356	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	534a46e4d4b274dfd5366ceba0e5ce88.exe

Executes dropped EXE 1 IoCs

pid	Process
1664	sim.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\5ac58aecaac9924983862e16c6881067 = "\"C:\\Users\\Admin\\AppData\\Roaming\\sim.exe\" .."	sim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5ac58aecaac9924983862e16c6881067 = "\"C:\\Users\\Admin\\AppData\\Roaming\\sim.exe\" .."	sim.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	534a46e4d4b274dfd5366ceba0e5ce88.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	534a46e4d4b274dfd5366ceba0e5ce88.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	534a46e4d4b274dfd5366ceba0e5ce88.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	1664	sim.exe
Token: 33	1664	sim.exe
Token: SeIncBasePriorityPrivilege	1664	sim.exe
Token: 33	1664	sim.exe
Token: SeIncBasePriorityPrivilege	1664	sim.exe
Token: 33	1664	sim.exe
Token: SeIncBasePriorityPrivilege	1664	sim.exe
Token: 33	1664	sim.exe
Token: SeIncBasePriorityPrivilege	1664	sim.exe
Token: 33	1664	sim.exe
Token: SeIncBasePriorityPrivilege	1664	sim.exe
Token: 33	1664	sim.exe
Token: SeIncBasePriorityPrivilege	1664	sim.exe
Token: 33	1664	sim.exe
Token: SeIncBasePriorityPrivilege	1664	sim.exe
Token: 33	1664	sim.exe
Token: SeIncBasePriorityPrivilege	1664	sim.exe
Token: 33	1664	sim.exe
Token: SeIncBasePriorityPrivilege	1664	sim.exe
Token: 33	1664	sim.exe
Token: SeIncBasePriorityPrivilege	1664	sim.exe
Token: 33	1664	sim.exe
Token: SeIncBasePriorityPrivilege	1664	sim.exe
Token: 33	1664	sim.exe
Token: SeIncBasePriorityPrivilege	1664	sim.exe
Token: 33	1664	sim.exe
Token: SeIncBasePriorityPrivilege	1664	sim.exe
Token: 33	1664	sim.exe
Token: SeIncBasePriorityPrivilege	1664	sim.exe
Token: 33	1664	sim.exe
Token: SeIncBasePriorityPrivilege	1664	sim.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4380 wrote to memory of 1664	4380	534a46e4d4b274dfd5366ceba0e5ce88.exe	98
PID 4380 wrote to memory of 1664	4380	534a46e4d4b274dfd5366ceba0e5ce88.exe	98
PID 4380 wrote to memory of 1664	4380	534a46e4d4b274dfd5366ceba0e5ce88.exe	98
PID 1664 wrote to memory of 4356	1664	sim.exe	103
PID 1664 wrote to memory of 4356	1664	sim.exe	103
PID 1664 wrote to memory of 4356	1664	sim.exe	103

C:\Users\Admin\AppData\Local\Temp\534a46e4d4b274dfd5366ceba0e5ce88.exe
"C:\Users\Admin\AppData\Local\Temp\534a46e4d4b274dfd5366ceba0e5ce88.exe"
1⤵
- Checks computer location settings
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4380
- C:\Users\Admin\AppData\Roaming\sim.exe
  "C:\Users\Admin\AppData\Roaming\sim.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\sim.exe" "sim.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:4356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Modify Registry

2

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3781B4A3713292956206932165FA4132_247C447D981AB87548C17087CA562739

Filesize
471B

MD5
3bff57aeb78538d4f19dd6669330ec49

SHA1
e935d48489a2b71dfe644e8a28fb89efadf0cf50

SHA256
1f557a76094314ed6b49a99c2b48ea9ecec9aa77cb4cabf71bcef742c2a69616

SHA512
34424fb0ecc0ad2566535700281f440e7c689d256b8709bc89a719ee6c4526869194057039545cbb84f125ca30ee513501723146edb1711fdd7e65e15e815c05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_E1EDEF0C21AE75D448F7327475DF4C9E

Filesize
471B

MD5
55301526ec0e5c9c98127a0552c7314e

SHA1
efa3232f6efeafd0ffb7546c7998ca448d003c9f

SHA256
8aab71269bbe608ebb84a0ac82bc25ee46909a895747fb1d5252351770f0eee0

SHA512
1488377e7450f28cebdf68982482903c83e600932984e1a358dff8b98e13f2b5b5ea1a003e84af15081952e76a4f04fb5e699471d224482493afccb09d97d6ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3781B4A3713292956206932165FA4132_247C447D981AB87548C17087CA562739

Filesize
408B

MD5
70acfe6264c323cba95f8c091be2b696

SHA1
bebee9c7e37a3c8f982e60111a1df0c7d35d5226

SHA256
28d3af85b48e40c347b655ad89cdabb56a440e78560d11c1c73375b33175da40

SHA512
7e2b2455379625327bdd3d8767860392d52d58816fbcebc1cc1eac6c3b0de03f5e41e1a2f5fc55b98aa6bfbd22e3f3d620390cc6033b123a82c2854340cb5a18

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_E1EDEF0C21AE75D448F7327475DF4C9E

Filesize
400B

MD5
56558ded0d8262bb19b1a25f347cea62

SHA1
fe26176bf783e3f331701a04ce6e86c7398e2ce9

SHA256
9d733d2ec58c9104068f0b8bd8aa9720367f0b676ad484968f24be0d6628f078

SHA512
6820cb1139243f8c2bd97b3a2c1655128735b67c860775c8808ff286b54892b3786278ab17f0be57370b0777753ef0d14d31bc1d5585827d5472d54dc13b2515

Download Submit
C:\Users\Admin\AppData\Roaming\sim.exe

Filesize
339KB

MD5
534a46e4d4b274dfd5366ceba0e5ce88

SHA1
425805bb6f46b4496cd8234c8fb34c420f62f9a1

SHA256
1223f6a7ef9f4838631c9640c9552c66d61023283711f7e9b63b4d59014a0014

SHA512
53a88fa01aa85c0b174856ac4c5414053d9f774764920d5d32f82354e366014f636d85add9acabe13f7034139a1732ece045d782dfd70a80e58f4b49ddfb9849

Download Submit
memory/1664-24-0x0000000001520000-0x0000000001530000-memory.dmp

Filesize
64KB

Download
memory/1664-30-0x0000000074EE0000-0x0000000075491000-memory.dmp

Filesize
5.7MB

Download
memory/1664-23-0x0000000074EE0000-0x0000000075491000-memory.dmp

Filesize
5.7MB

Download
memory/1664-31-0x0000000074EE0000-0x0000000075491000-memory.dmp

Filesize
5.7MB

Download
memory/1664-32-0x0000000001520000-0x0000000001530000-memory.dmp

Filesize
64KB

Download
memory/4380-25-0x0000000074EE0000-0x0000000075491000-memory.dmp

Filesize
5.7MB

Download
memory/4380-0-0x0000000074EE0000-0x0000000075491000-memory.dmp

Filesize
5.7MB

Download
memory/4380-2-0x0000000000950000-0x0000000000960000-memory.dmp

Filesize
64KB

Download
memory/4380-1-0x0000000074EE0000-0x0000000075491000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads