njrat | a5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad

Analysis

max time kernel
148s
max time network
125s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
26-10-2024 23:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad.exe
Size

54KB
MD5

de420b822a655e8ab818cd5c7e4041d6
SHA1

22a947003686182eff38c7bbba3fce41f0202408
SHA256

a5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad
SHA512

2daee5257c9f4467445ed60b492fc64249e8e021601804198cfd89b81eb080211a5ea2cb2d8e303014d9262ac5407ac68bf9add6e78d5c3d62fac51a7dd03146
SSDEEP

768:rb6ZSuxaE2EsltBhgrzJJ3U5JSN4xWQG35bmaePD5PvjwXXJdxIEpm3g:rb6SEGtBhgBJcGqWQcGD4X3xIEpm3g

Score

10^/10

njrat discovery evasion execution trojan

Malware Config

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exe

pid	Process
2920	powershell.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid	Process
2704	sc.exe
1016	sc.exe
2688	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

a5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad.exepowershell.exesc.execmd.execmd.exesc.execmd.exesc.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid	Process
2920	powershell.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

Processes:

powershell.exea5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad.exe

description	pid	Process
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	2900	a5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad.exe
Token: 33	2900	a5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad.exe
Token: SeIncBasePriorityPrivilege	2900	a5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad.exe
Token: 33	2900	a5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad.exe
Token: SeIncBasePriorityPrivilege	2900	a5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad.exe
Token: 33	2900	a5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad.exe
Token: SeIncBasePriorityPrivilege	2900	a5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad.exe
Token: 33	2900	a5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad.exe
Token: SeIncBasePriorityPrivilege	2900	a5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad.exe
Token: 33	2900	a5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad.exe
Token: SeIncBasePriorityPrivilege	2900	a5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad.exe
Token: 33	2900	a5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad.exe
Token: SeIncBasePriorityPrivilege	2900	a5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad.exe
Token: 33	2900	a5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad.exe
Token: SeIncBasePriorityPrivilege	2900	a5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad.exe
Token: 33	2900	a5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad.exe
Token: SeIncBasePriorityPrivilege	2900	a5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad.exe
Token: 33	2900	a5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad.exe
Token: SeIncBasePriorityPrivilege	2900	a5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad.exe
Token: 33	2900	a5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad.exe
Token: SeIncBasePriorityPrivilege	2900	a5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad.exe
Token: 33	2900	a5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad.exe
Token: SeIncBasePriorityPrivilege	2900	a5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad.exe
Token: 33	2900	a5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad.exe
Token: SeIncBasePriorityPrivilege	2900	a5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad.exe
Token: 33	2900	a5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad.exe
Token: SeIncBasePriorityPrivilege	2900	a5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad.exe
Token: 33	2900	a5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad.exe
Token: SeIncBasePriorityPrivilege	2900	a5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad.exe
Token: 33	2900	a5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad.exe
Token: SeIncBasePriorityPrivilege	2900	a5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad.exe
Token: 33	2900	a5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad.exe
Token: SeIncBasePriorityPrivilege	2900	a5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

a5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad.execmd.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 2900 wrote to memory of 2824	2900	a5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad.exe	30
PID 2900 wrote to memory of 2824	2900	a5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad.exe	30
PID 2900 wrote to memory of 2824	2900	a5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad.exe	30
PID 2900 wrote to memory of 2824	2900	a5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad.exe	30
PID 2824 wrote to memory of 2920	2824	cmd.exe	32
PID 2824 wrote to memory of 2920	2824	cmd.exe	32
PID 2824 wrote to memory of 2920	2824	cmd.exe	32
PID 2824 wrote to memory of 2920	2824	cmd.exe	32
PID 2900 wrote to memory of 2944	2900	a5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad.exe	33
PID 2900 wrote to memory of 2944	2900	a5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad.exe	33
PID 2900 wrote to memory of 2944	2900	a5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad.exe	33
PID 2900 wrote to memory of 2944	2900	a5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad.exe	33
PID 2944 wrote to memory of 2704	2944	cmd.exe	35
PID 2944 wrote to memory of 2704	2944	cmd.exe	35
PID 2944 wrote to memory of 2704	2944	cmd.exe	35
PID 2944 wrote to memory of 2704	2944	cmd.exe	35
PID 2900 wrote to memory of 2884	2900	a5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad.exe	36
PID 2900 wrote to memory of 2884	2900	a5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad.exe	36
PID 2900 wrote to memory of 2884	2900	a5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad.exe	36
PID 2900 wrote to memory of 2884	2900	a5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad.exe	36
PID 2884 wrote to memory of 1016	2884	cmd.exe	38
PID 2884 wrote to memory of 1016	2884	cmd.exe	38
PID 2884 wrote to memory of 1016	2884	cmd.exe	38
PID 2884 wrote to memory of 1016	2884	cmd.exe	38
PID 2900 wrote to memory of 2788	2900	a5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad.exe	39
PID 2900 wrote to memory of 2788	2900	a5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad.exe	39
PID 2900 wrote to memory of 2788	2900	a5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad.exe	39
PID 2900 wrote to memory of 2788	2900	a5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad.exe	39
PID 2788 wrote to memory of 2688	2788	cmd.exe	41
PID 2788 wrote to memory of 2688	2788	cmd.exe	41
PID 2788 wrote to memory of 2688	2788	cmd.exe	41
PID 2788 wrote to memory of 2688	2788	cmd.exe	41

C:\Users\Admin\AppData\Local\Temp\a5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad.exe
"C:\Users\Admin\AppData\Local\Temp\a5c90d2ae462cbb9d984a7d0913179df70a18a71617c02d360d0810c6a7c6bad.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Windows\SysWOW64\cmd.exe
  cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2920
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc query windefend
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\SysWOW64\sc.exe
    sc query windefend
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2704
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc stop windefend
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\SysWOW64\sc.exe
    sc stop windefend
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:1016
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc delete windefend
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\SysWOW64\sc.exe
    sc delete windefend
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2900-0-0x0000000074C61000-0x0000000074C62000-memory.dmp

Filesize
4KB

Download
memory/2900-1-0x0000000074C60000-0x000000007520B000-memory.dmp

Filesize
5.7MB

Download
memory/2900-2-0x0000000074C60000-0x000000007520B000-memory.dmp

Filesize
5.7MB

Download
memory/2900-3-0x0000000074C60000-0x000000007520B000-memory.dmp

Filesize
5.7MB

Download
memory/2920-6-0x0000000074C60000-0x000000007520B000-memory.dmp

Filesize
5.7MB

Download
memory/2920-7-0x0000000074C60000-0x000000007520B000-memory.dmp

Filesize
5.7MB

Download
memory/2920-8-0x0000000074C60000-0x000000007520B000-memory.dmp

Filesize
5.7MB

Download
memory/2920-9-0x0000000074C60000-0x000000007520B000-memory.dmp

Filesize
5.7MB

Download