njrat | 270ce36f6d56dc4cc4252d2a2c5b2cb2b240dc3d87c02068b072b1620ea4267e

Analysis

max time kernel
149s
max time network
148s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
04-10-2024 20:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payload.exe
Size

55KB
MD5

4f0249929ce845b18b7f909ed29ff4e4
SHA1

a6f0627d3b5d45b2481bdf7be97865ec06774c94
SHA256

016a72d36bc45f96e4149849cdd1b60d573736f8268033b23bf7fe7a33cf0d9b
SHA512

a5aef8e4e192f6f8caad15c1493e8d38a017f05c6a9f466e1840fe657bee760b69a5c52881e9e6e950fd9e71ea527de302b879870616794f7b8e4f72d80e1bd3
SSDEEP

1536:0GLu8DnN8N1+S1Cl/BODuwsNMDmXExI3pmNm:S8DnNGcXODuwsNMDmXExI3pm

Score

10^/10

njrat discovery trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 1 IoCs

pid	Process
2780	639cd91f41344c75a85de11224554f2f.exe

Loads dropped DLL 1 IoCs

pid	Process
2384	Payload.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payload.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2384	Payload.exe
2384	Payload.exe
2384	Payload.exe
2384	Payload.exe
2384	Payload.exe
2384	Payload.exe
2384	Payload.exe
2384	Payload.exe
2384	Payload.exe
2384	Payload.exe
2384	Payload.exe
2384	Payload.exe
2384	Payload.exe
2384	Payload.exe
2384	Payload.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	2384	Payload.exe
Token: 33	2384	Payload.exe
Token: SeIncBasePriorityPrivilege	2384	Payload.exe
Token: 33	2384	Payload.exe
Token: SeIncBasePriorityPrivilege	2384	Payload.exe
Token: 33	2384	Payload.exe
Token: SeIncBasePriorityPrivilege	2384	Payload.exe
Token: 33	2384	Payload.exe
Token: SeIncBasePriorityPrivilege	2384	Payload.exe
Token: 33	2384	Payload.exe
Token: SeIncBasePriorityPrivilege	2384	Payload.exe
Token: 33	2384	Payload.exe
Token: SeIncBasePriorityPrivilege	2384	Payload.exe
Token: 33	2384	Payload.exe
Token: SeIncBasePriorityPrivilege	2384	Payload.exe
Token: 33	2384	Payload.exe
Token: SeIncBasePriorityPrivilege	2384	Payload.exe
Token: 33	2384	Payload.exe
Token: SeIncBasePriorityPrivilege	2384	Payload.exe
Token: 33	2384	Payload.exe
Token: SeIncBasePriorityPrivilege	2384	Payload.exe
Token: 33	2384	Payload.exe
Token: SeIncBasePriorityPrivilege	2384	Payload.exe
Token: 33	2384	Payload.exe
Token: SeIncBasePriorityPrivilege	2384	Payload.exe
Token: 33	1104	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1104	AUDIODG.EXE
Token: 33	1104	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1104	AUDIODG.EXE
Token: 33	2384	Payload.exe
Token: SeIncBasePriorityPrivilege	2384	Payload.exe
Token: 33	2384	Payload.exe
Token: SeIncBasePriorityPrivilege	2384	Payload.exe
Token: 33	2384	Payload.exe
Token: SeIncBasePriorityPrivilege	2384	Payload.exe
Token: 33	2384	Payload.exe
Token: SeIncBasePriorityPrivilege	2384	Payload.exe
Token: 33	2384	Payload.exe
Token: SeIncBasePriorityPrivilege	2384	Payload.exe
Token: 33	2384	Payload.exe
Token: SeIncBasePriorityPrivilege	2384	Payload.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2908	mspaint.exe
2908	mspaint.exe
2908	mspaint.exe
2908	mspaint.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2780	2384	Payload.exe	34
PID 2384 wrote to memory of 2780	2384	Payload.exe	34
PID 2384 wrote to memory of 2780	2384	Payload.exe	34
PID 2384 wrote to memory of 2780	2384	Payload.exe	34

C:\Users\Admin\AppData\Local\Temp\Payload.exe
"C:\Users\Admin\AppData\Local\Temp\Payload.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Users\Admin\AppData\Local\Temp\639cd91f41344c75a85de11224554f2f.exe
  "C:\Users\Admin\AppData\Local\Temp\639cd91f41344c75a85de11224554f2f.exe"
  2⤵
  - Executes dropped EXE
  PID:2780

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2908

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4e8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1104

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
- System Location Discovery: System Language Discovery
PID:1760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\639cd91f41344c75a85de11224554f2f.exe

Filesize
844KB

MD5
8cac1595b184f66d7a122af38d5dfe71

SHA1
e0bc0162472edf77a05134e77b540663ac050ab6

SHA256
00201a2fd4916193c9c7bbba7be6a77fa5876085480b67da4e1228fd8b23ae5f

SHA512
88d3753ce73bbf95ee1fdbdff21eb9331e59ca92cfa5c489f141c07dc90871e3032e331c9dd77b1fec4522add3ac25c51d5c699d7801a5343dd2ae447c60f8f8

Download Submit
memory/2384-0-0x00000000740C1000-0x00000000740C2000-memory.dmp

Filesize
4KB

Download
memory/2384-1-0x00000000740C0000-0x000000007466B000-memory.dmp

Filesize
5.7MB

Download
memory/2384-2-0x00000000740C0000-0x000000007466B000-memory.dmp

Filesize
5.7MB

Download
memory/2384-3-0x00000000740C0000-0x000000007466B000-memory.dmp

Filesize
5.7MB

Download
memory/2384-4-0x00000000740C0000-0x000000007466B000-memory.dmp

Filesize
5.7MB

Download
memory/2384-5-0x00000000740C0000-0x000000007466B000-memory.dmp

Filesize
5.7MB

Download
memory/2384-6-0x00000000740C0000-0x000000007466B000-memory.dmp

Filesize
5.7MB

Download
memory/2908-7-0x000007FEF5E10000-0x000007FEF5E5C000-memory.dmp

Filesize
304KB

Download
memory/2908-8-0x0000000001F70000-0x0000000001F71000-memory.dmp

Filesize
4KB

Download
memory/2908-15-0x000007FEF5E10000-0x000007FEF5E5C000-memory.dmp

Filesize
304KB

Download