njrat | 270ce36f6d56dc4cc4252d2a2c5b2cb2b240dc3d87c02068b072b1620ea4267e

Analysis

max time kernel
149s
max time network
151s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
04-10-2024 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payload.exe
Size

55KB
MD5

4f0249929ce845b18b7f909ed29ff4e4
SHA1

a6f0627d3b5d45b2481bdf7be97865ec06774c94
SHA256

016a72d36bc45f96e4149849cdd1b60d573736f8268033b23bf7fe7a33cf0d9b
SHA512

a5aef8e4e192f6f8caad15c1493e8d38a017f05c6a9f466e1840fe657bee760b69a5c52881e9e6e950fd9e71ea527de302b879870616794f7b8e4f72d80e1bd3
SSDEEP

1536:0GLu8DnN8N1+S1Cl/BODuwsNMDmXExI3pmNm:S8DnNGcXODuwsNMDmXExI3pm

Score

10^/10

njrat discovery trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payload.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe
236	Payload.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
236	Payload.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	236	Payload.exe
Token: 33	236	Payload.exe
Token: SeIncBasePriorityPrivilege	236	Payload.exe
Token: 33	236	Payload.exe
Token: SeIncBasePriorityPrivilege	236	Payload.exe
Token: 33	236	Payload.exe
Token: SeIncBasePriorityPrivilege	236	Payload.exe
Token: 33	236	Payload.exe
Token: SeIncBasePriorityPrivilege	236	Payload.exe
Token: 33	236	Payload.exe
Token: SeIncBasePriorityPrivilege	236	Payload.exe
Token: 33	236	Payload.exe
Token: SeIncBasePriorityPrivilege	236	Payload.exe
Token: 33	236	Payload.exe
Token: SeIncBasePriorityPrivilege	236	Payload.exe
Token: 33	236	Payload.exe
Token: SeIncBasePriorityPrivilege	236	Payload.exe
Token: 33	236	Payload.exe
Token: SeIncBasePriorityPrivilege	236	Payload.exe
Token: 33	236	Payload.exe
Token: SeIncBasePriorityPrivilege	236	Payload.exe
Token: 33	236	Payload.exe
Token: SeIncBasePriorityPrivilege	236	Payload.exe
Token: 33	236	Payload.exe
Token: SeIncBasePriorityPrivilege	236	Payload.exe
Token: 33	236	Payload.exe
Token: SeIncBasePriorityPrivilege	236	Payload.exe
Token: 33	236	Payload.exe
Token: SeIncBasePriorityPrivilege	236	Payload.exe
Token: 33	236	Payload.exe
Token: SeIncBasePriorityPrivilege	236	Payload.exe
Token: SeShutdownPrivilege	1148	shutdown.exe
Token: SeRemoteShutdownPrivilege	1148	shutdown.exe
Token: 33	236	Payload.exe
Token: SeIncBasePriorityPrivilege	236	Payload.exe
Token: 33	3016	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3016	AUDIODG.EXE
Token: 33	236	Payload.exe
Token: SeIncBasePriorityPrivilege	236	Payload.exe
Token: 33	236	Payload.exe
Token: SeIncBasePriorityPrivilege	236	Payload.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 236 wrote to memory of 1820	236	Payload.exe	81
PID 236 wrote to memory of 1820	236	Payload.exe	81
PID 236 wrote to memory of 1820	236	Payload.exe	81
PID 1820 wrote to memory of 1148	1820	cmd.exe	83
PID 1820 wrote to memory of 1148	1820	cmd.exe	83
PID 1820 wrote to memory of 1148	1820	cmd.exe	83

C:\Users\Admin\AppData\Local\Temp\Payload.exe
"C:\Users\Admin\AppData\Local\Temp\Payload.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:236
- C:\Windows\SysWOW64\cmd.exe
  cmd /c shutdown /s /f /t 60
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1820
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown /s /f /t 60
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1148

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\VideoLAN\VLC\NEWS.txt
1⤵
PID:4124

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x404
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/236-0-0x0000000073D41000-0x0000000073D42000-memory.dmp

Filesize
4KB

Download
memory/236-1-0x0000000073D40000-0x00000000742F0000-memory.dmp

Filesize
5.7MB

Download
memory/236-2-0x0000000073D40000-0x00000000742F0000-memory.dmp

Filesize
5.7MB

Download
memory/236-3-0x0000000073D40000-0x00000000742F0000-memory.dmp

Filesize
5.7MB

Download
memory/236-4-0x0000000073D40000-0x00000000742F0000-memory.dmp

Filesize
5.7MB

Download
memory/236-5-0x0000000073D40000-0x00000000742F0000-memory.dmp

Filesize
5.7MB

Download
memory/236-6-0x0000000073D40000-0x00000000742F0000-memory.dmp

Filesize
5.7MB

Download
memory/236-7-0x0000000073D40000-0x00000000742F0000-memory.dmp

Filesize
5.7MB

Download
memory/236-8-0x0000000073D40000-0x00000000742F0000-memory.dmp

Filesize
5.7MB

Download