njrat | c32577dff97968f5315c154fcfc3ea5341d23298cff5a8616c930ea91eb7637c

Analysis

max time kernel
149s
max time network
141s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-10-2024 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1313.exe
Size

55KB
MD5

708d040a8df490185aa7a8bfd814092e
SHA1

a96d64734c89a20c81b50547e202aa00801f20ec
SHA256

c32577dff97968f5315c154fcfc3ea5341d23298cff5a8616c930ea91eb7637c
SHA512

3f54edec358b8ed8dbb60bcbfbc29f773c73aaff0a5935f44992143621afcf368f1bded568e7e1b3274829e2eb577fac2d5ca4f13e32bd5e0ee01e7deb06787a
SSDEEP

1536:WGLu8DnN8N1+S1Cl/BODuwsNMDxXExI3pm2m:Y8DnNGcXODuwsNMDxXExI3pm

Score

10^/10

njrat discovery trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 1 IoCs

pid	Process
2668	ddcf8d5a4e264484a78142027dde2755.exe

Loads dropped DLL 1 IoCs

pid	Process
2644	1313.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1313.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	2644	1313.exe
Token: 33	2644	1313.exe
Token: SeIncBasePriorityPrivilege	2644	1313.exe
Token: 33	2644	1313.exe
Token: SeIncBasePriorityPrivilege	2644	1313.exe
Token: 33	2644	1313.exe
Token: SeIncBasePriorityPrivilege	2644	1313.exe
Token: 33	2644	1313.exe
Token: SeIncBasePriorityPrivilege	2644	1313.exe
Token: 33	2644	1313.exe
Token: SeIncBasePriorityPrivilege	2644	1313.exe
Token: 33	2644	1313.exe
Token: SeIncBasePriorityPrivilege	2644	1313.exe
Token: 33	2644	1313.exe
Token: SeIncBasePriorityPrivilege	2644	1313.exe
Token: 33	2644	1313.exe
Token: SeIncBasePriorityPrivilege	2644	1313.exe
Token: 33	2644	1313.exe
Token: SeIncBasePriorityPrivilege	2644	1313.exe
Token: 33	2644	1313.exe
Token: SeIncBasePriorityPrivilege	2644	1313.exe
Token: 33	2644	1313.exe
Token: SeIncBasePriorityPrivilege	2644	1313.exe
Token: 33	2644	1313.exe
Token: SeIncBasePriorityPrivilege	2644	1313.exe
Token: 33	2644	1313.exe
Token: SeIncBasePriorityPrivilege	2644	1313.exe
Token: 33	2644	1313.exe
Token: SeIncBasePriorityPrivilege	2644	1313.exe
Token: 33	2644	1313.exe
Token: SeIncBasePriorityPrivilege	2644	1313.exe
Token: 33	2644	1313.exe
Token: SeIncBasePriorityPrivilege	2644	1313.exe
Token: 33	2644	1313.exe
Token: SeIncBasePriorityPrivilege	2644	1313.exe
Token: 33	2644	1313.exe
Token: SeIncBasePriorityPrivilege	2644	1313.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2668	2644	1313.exe	31
PID 2644 wrote to memory of 2668	2644	1313.exe	31
PID 2644 wrote to memory of 2668	2644	1313.exe	31
PID 2644 wrote to memory of 2668	2644	1313.exe	31

C:\Users\Admin\AppData\Local\Temp\1313.exe
"C:\Users\Admin\AppData\Local\Temp\1313.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Users\Admin\AppData\Local\Temp\ddcf8d5a4e264484a78142027dde2755.exe
  "C:\Users\Admin\AppData\Local\Temp\ddcf8d5a4e264484a78142027dde2755.exe"
  2⤵
  - Executes dropped EXE
  PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\ddcf8d5a4e264484a78142027dde2755.exe

Filesize
844KB

MD5
8cac1595b184f66d7a122af38d5dfe71

SHA1
e0bc0162472edf77a05134e77b540663ac050ab6

SHA256
00201a2fd4916193c9c7bbba7be6a77fa5876085480b67da4e1228fd8b23ae5f

SHA512
88d3753ce73bbf95ee1fdbdff21eb9331e59ca92cfa5c489f141c07dc90871e3032e331c9dd77b1fec4522add3ac25c51d5c699d7801a5343dd2ae447c60f8f8

Download Submit
memory/2644-0-0x0000000073E71000-0x0000000073E72000-memory.dmp

Filesize
4KB

Download
memory/2644-1-0x0000000073E70000-0x000000007441B000-memory.dmp

Filesize
5.7MB

Download
memory/2644-2-0x0000000073E70000-0x000000007441B000-memory.dmp

Filesize
5.7MB

Download
memory/2644-3-0x0000000073E70000-0x000000007441B000-memory.dmp

Filesize
5.7MB

Download
memory/2644-4-0x0000000073E70000-0x000000007441B000-memory.dmp

Filesize
5.7MB

Download
memory/2644-5-0x0000000073E70000-0x000000007441B000-memory.dmp

Filesize
5.7MB

Download
memory/2668-12-0x000007FEF547E000-0x000007FEF547F000-memory.dmp

Filesize
4KB

Download
memory/2668-13-0x000007FEF51C0000-0x000007FEF5B5D000-memory.dmp

Filesize
9.6MB

Download
memory/2668-14-0x000007FEF51C0000-0x000007FEF5B5D000-memory.dmp

Filesize
9.6MB

Download
memory/2668-15-0x000007FEF51C0000-0x000007FEF5B5D000-memory.dmp

Filesize
9.6MB

Download
memory/2668-16-0x000007FEF51C0000-0x000007FEF5B5D000-memory.dmp

Filesize
9.6MB

Download