njrat | 09f6b7cdce51c287cd7e6b996b89b548827d9e6960a4ac3c24ce8572bb6f2aac

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-11-2024 17:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.exe
Size

26KB
MD5

1ea0ce92a9671c932d4839291da7d91b
SHA1

25eaa42e77e876df66961a3b7360936acd3b941f
SHA256

09f6b7cdce51c287cd7e6b996b89b548827d9e6960a4ac3c24ce8572bb6f2aac
SHA512

a349bd4fd3c6db3df8b960b06aeba81613c03c2a39d3a428ada73a10054ac3a68ffae23860d333151abedaf577445a7ca6eaff5ad018b4d5cf74573827acf655
SSDEEP

384:wLduTaZIVi/dMkt1cpDkjetHzCYe/QBY2OzRLTm3yilqr6YqbdtVvGf:um0IVi/dMc1uT5e/WsX0VvGf

Score

10^/10

njrat discovery persistence trojan

Malware Config

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Server.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\1.exe\""	1.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

1.execmd.exePING.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXEcmd.exe

pid	Process
1900	PING.EXE
4816	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
1900	PING.EXE

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

1.exe

description	pid	Process
Token: SeDebugPrivilege	4736	1.exe
Token: 33	4736	1.exe
Token: SeIncBasePriorityPrivilege	4736	1.exe
Token: 33	4736	1.exe
Token: SeIncBasePriorityPrivilege	4736	1.exe
Token: 33	4736	1.exe
Token: SeIncBasePriorityPrivilege	4736	1.exe
Token: 33	4736	1.exe
Token: SeIncBasePriorityPrivilege	4736	1.exe
Token: 33	4736	1.exe
Token: SeIncBasePriorityPrivilege	4736	1.exe
Token: 33	4736	1.exe
Token: SeIncBasePriorityPrivilege	4736	1.exe
Token: 33	4736	1.exe
Token: SeIncBasePriorityPrivilege	4736	1.exe
Token: 33	4736	1.exe
Token: SeIncBasePriorityPrivilege	4736	1.exe
Token: 33	4736	1.exe
Token: SeIncBasePriorityPrivilege	4736	1.exe
Token: 33	4736	1.exe
Token: SeIncBasePriorityPrivilege	4736	1.exe
Token: 33	4736	1.exe
Token: SeIncBasePriorityPrivilege	4736	1.exe
Token: 33	4736	1.exe
Token: SeIncBasePriorityPrivilege	4736	1.exe
Token: 33	4736	1.exe
Token: SeIncBasePriorityPrivilege	4736	1.exe
Token: 33	4736	1.exe
Token: SeIncBasePriorityPrivilege	4736	1.exe
Token: 33	4736	1.exe
Token: SeIncBasePriorityPrivilege	4736	1.exe
Token: 33	4736	1.exe
Token: SeIncBasePriorityPrivilege	4736	1.exe
Token: 33	4736	1.exe
Token: SeIncBasePriorityPrivilege	4736	1.exe
Token: 33	4736	1.exe
Token: SeIncBasePriorityPrivilege	4736	1.exe
Token: 33	4736	1.exe
Token: SeIncBasePriorityPrivilege	4736	1.exe
Token: 33	4736	1.exe
Token: SeIncBasePriorityPrivilege	4736	1.exe
Token: 33	4736	1.exe
Token: SeIncBasePriorityPrivilege	4736	1.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

1.execmd.exe

description	pid	Process	procid_target
PID 4736 wrote to memory of 4816	4736	1.exe	99
PID 4736 wrote to memory of 4816	4736	1.exe	99
PID 4736 wrote to memory of 4816	4736	1.exe	99
PID 4816 wrote to memory of 1900	4816	cmd.exe	101
PID 4816 wrote to memory of 1900	4816	cmd.exe	101
PID 4816 wrote to memory of 1900	4816	cmd.exe	101

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c ping 0 -n 2 & del "C:\Users\Admin\AppData\Local\Temp\1.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\Windows\SysWOW64\PING.EXE
    ping 0 -n 2
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4736-0-0x000000007468E000-0x000000007468F000-memory.dmp

Filesize
4KB

Download
memory/4736-1-0x00000000008D0000-0x00000000008DC000-memory.dmp

Filesize
48KB

Download
memory/4736-2-0x0000000005260000-0x00000000052FC000-memory.dmp

Filesize
624KB

Download
memory/4736-3-0x00000000058C0000-0x0000000005E64000-memory.dmp

Filesize
5.6MB

Download
memory/4736-4-0x0000000074680000-0x0000000074E30000-memory.dmp

Filesize
7.7MB

Download
memory/4736-5-0x0000000005640000-0x00000000056D2000-memory.dmp

Filesize
584KB

Download
memory/4736-6-0x0000000005620000-0x000000000562A000-memory.dmp

Filesize
40KB

Download
memory/4736-7-0x0000000005840000-0x00000000058A6000-memory.dmp

Filesize
408KB

Download
memory/4736-8-0x000000007468E000-0x000000007468F000-memory.dmp

Filesize
4KB

Download
memory/4736-9-0x0000000074680000-0x0000000074E30000-memory.dmp

Filesize
7.7MB

Download
memory/4736-11-0x0000000074680000-0x0000000074E30000-memory.dmp

Filesize
7.7MB

Download