njrat | ae6331fbfc15c5a63072259b5810df459fad8897c017754d318ffb453fa6b53e

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2024 14:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2.exe
Size

55KB
MD5

c5c8764f8f11a84f5b2045cee5e4d9f1
SHA1

f7d6a80923a7d4939d6ebb6459a7780187f47bcb
SHA256

ae6331fbfc15c5a63072259b5810df459fad8897c017754d318ffb453fa6b53e
SHA512

8df8fdfe1005203ecafb53c43bfa84560915b62bbe9816da6f95b4e44f44b4bc477617e8a6e271f39541747dad5ef092670c7a14b8cae18cf87867f8e89eaf0d
SSDEEP

1536:nKksDnHNwZ8Cam8LDdwsNMD2XExI3pmzm:tsDn6SKiDdwsNMD2XExI3pm

Score

10^/10

njrat discovery persistence trojan

Malware Config

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	2.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ba504e39d49d09ba3f0b71067d651692.exe	2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ba504e39d49d09ba3f0b71067d651692.exe	2.exe

Executes dropped EXE 11 IoCs

pid	Process
1636	ac228b0d099049408610ebbffc78c02d.exe
3340	107665e6447c43429e3923c26708300e.exe
1876	37c703dba9e54735b4353acab7e7ccc6.exe
1792	5eec5e5cc9ae4733951affff44b9bb89.exe
3860	3509dbcf3f3143f5bd6211f3779a539e.exe
4616	221a4251100d40239ec72aaad01f647a.exe
2284	022b1976abbf497988159e73e94623a0.exe
4908	5fd4f035efd94213aa6d67b9dd7efc7a.exe
1164	39ab919ca1924f788d439b2eec12a038.exe
5084	c3252a7cc9974ce891da5d4e0aace9b4.exe
4988	6e093193b8c3432399640a285590fb22.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ba504e39d49d09ba3f0b71067d651692 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2.exe\" .."	2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ba504e39d49d09ba3f0b71067d651692 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2.exe\" .."	2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe
2216	2.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	2216	2.exe
Token: 33	2216	2.exe
Token: SeIncBasePriorityPrivilege	2216	2.exe
Token: 33	2216	2.exe
Token: SeIncBasePriorityPrivilege	2216	2.exe
Token: 33	2216	2.exe
Token: SeIncBasePriorityPrivilege	2216	2.exe
Token: 33	4056	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4056	AUDIODG.EXE
Token: 33	2216	2.exe
Token: SeIncBasePriorityPrivilege	2216	2.exe
Token: 33	2216	2.exe
Token: SeIncBasePriorityPrivilege	2216	2.exe
Token: 33	2216	2.exe
Token: SeIncBasePriorityPrivilege	2216	2.exe
Token: 33	2216	2.exe
Token: SeIncBasePriorityPrivilege	2216	2.exe
Token: 33	2216	2.exe
Token: SeIncBasePriorityPrivilege	2216	2.exe
Token: 33	2216	2.exe
Token: SeIncBasePriorityPrivilege	2216	2.exe
Token: 33	2216	2.exe
Token: SeIncBasePriorityPrivilege	2216	2.exe
Token: 33	2216	2.exe
Token: SeIncBasePriorityPrivilege	2216	2.exe
Token: 33	2216	2.exe
Token: SeIncBasePriorityPrivilege	2216	2.exe
Token: 33	2216	2.exe
Token: SeIncBasePriorityPrivilege	2216	2.exe
Token: 33	2216	2.exe
Token: SeIncBasePriorityPrivilege	2216	2.exe
Token: 33	2216	2.exe
Token: SeIncBasePriorityPrivilege	2216	2.exe
Token: 33	2216	2.exe
Token: SeIncBasePriorityPrivilege	2216	2.exe
Token: 33	2216	2.exe
Token: SeIncBasePriorityPrivilege	2216	2.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 1636	2216	2.exe	98
PID 2216 wrote to memory of 1636	2216	2.exe	98
PID 2216 wrote to memory of 3340	2216	2.exe	104
PID 2216 wrote to memory of 3340	2216	2.exe	104
PID 2216 wrote to memory of 1876	2216	2.exe	105
PID 2216 wrote to memory of 1876	2216	2.exe	105
PID 2216 wrote to memory of 1792	2216	2.exe	107
PID 2216 wrote to memory of 1792	2216	2.exe	107
PID 2216 wrote to memory of 3860	2216	2.exe	108
PID 2216 wrote to memory of 3860	2216	2.exe	108
PID 2216 wrote to memory of 4616	2216	2.exe	109
PID 2216 wrote to memory of 4616	2216	2.exe	109
PID 2216 wrote to memory of 2284	2216	2.exe	110
PID 2216 wrote to memory of 2284	2216	2.exe	110
PID 2216 wrote to memory of 4908	2216	2.exe	111
PID 2216 wrote to memory of 4908	2216	2.exe	111
PID 2216 wrote to memory of 1164	2216	2.exe	112
PID 2216 wrote to memory of 1164	2216	2.exe	112
PID 2216 wrote to memory of 5084	2216	2.exe	113
PID 2216 wrote to memory of 5084	2216	2.exe	113
PID 2216 wrote to memory of 4988	2216	2.exe	114
PID 2216 wrote to memory of 4988	2216	2.exe	114

C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Users\Admin\AppData\Local\Temp\ac228b0d099049408610ebbffc78c02d.exe
  "C:\Users\Admin\AppData\Local\Temp\ac228b0d099049408610ebbffc78c02d.exe"
  2⤵
  - Executes dropped EXE
  PID:1636
- C:\Users\Admin\AppData\Local\Temp\107665e6447c43429e3923c26708300e.exe
  "C:\Users\Admin\AppData\Local\Temp\107665e6447c43429e3923c26708300e.exe"
  2⤵
  - Executes dropped EXE
  PID:3340
- C:\Users\Admin\AppData\Local\Temp\37c703dba9e54735b4353acab7e7ccc6.exe
  "C:\Users\Admin\AppData\Local\Temp\37c703dba9e54735b4353acab7e7ccc6.exe"
  2⤵
  - Executes dropped EXE
  PID:1876
- C:\Users\Admin\AppData\Local\Temp\5eec5e5cc9ae4733951affff44b9bb89.exe
  "C:\Users\Admin\AppData\Local\Temp\5eec5e5cc9ae4733951affff44b9bb89.exe"
  2⤵
  - Executes dropped EXE
  PID:1792
- C:\Users\Admin\AppData\Local\Temp\3509dbcf3f3143f5bd6211f3779a539e.exe
  "C:\Users\Admin\AppData\Local\Temp\3509dbcf3f3143f5bd6211f3779a539e.exe"
  2⤵
  - Executes dropped EXE
  PID:3860
- C:\Users\Admin\AppData\Local\Temp\221a4251100d40239ec72aaad01f647a.exe
  "C:\Users\Admin\AppData\Local\Temp\221a4251100d40239ec72aaad01f647a.exe"
  2⤵
  - Executes dropped EXE
  PID:4616
- C:\Users\Admin\AppData\Local\Temp\022b1976abbf497988159e73e94623a0.exe
  "C:\Users\Admin\AppData\Local\Temp\022b1976abbf497988159e73e94623a0.exe"
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Users\Admin\AppData\Local\Temp\5fd4f035efd94213aa6d67b9dd7efc7a.exe
  "C:\Users\Admin\AppData\Local\Temp\5fd4f035efd94213aa6d67b9dd7efc7a.exe"
  2⤵
  - Executes dropped EXE
  PID:4908
- C:\Users\Admin\AppData\Local\Temp\39ab919ca1924f788d439b2eec12a038.exe
  "C:\Users\Admin\AppData\Local\Temp\39ab919ca1924f788d439b2eec12a038.exe"
  2⤵
  - Executes dropped EXE
  PID:1164
- C:\Users\Admin\AppData\Local\Temp\c3252a7cc9974ce891da5d4e0aace9b4.exe
  "C:\Users\Admin\AppData\Local\Temp\c3252a7cc9974ce891da5d4e0aace9b4.exe"
  2⤵
  - Executes dropped EXE
  PID:5084
- C:\Users\Admin\AppData\Local\Temp\6e093193b8c3432399640a285590fb22.exe
  "C:\Users\Admin\AppData\Local\Temp\6e093193b8c3432399640a285590fb22.exe"
  2⤵
  - Executes dropped EXE
  PID:4988

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x300 0x4a0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\3509dbcf3f3143f5bd6211f3779a539e.exe.log

Filesize
594B

MD5
44e889763d548d09132c31ed548f63f5

SHA1
d9829a1b5841338533a0be0509df50172cce73be

SHA256
d29f0e5fe1ab31998f200d4441c0e201a2e3bd6e416f638cbee2eb55354d48cc

SHA512
a1474aaef1132f459e8139157a618368c7623f4a25a754c6fc2672d92929b9506bfcc272eebf5c69901f4140d36e740f5f6bbfb90e000c6538ab492f5aa48a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\107665e6447c43429e3923c26708300e.exe

Filesize
583KB

MD5
320b1115164e8b5e1316d86eb29cd299

SHA1
bc046d8b14359a7a2bebdecbb819e76c47d84d1b

SHA256
d88f5b00da5f05ab7f55fd7c414bb56aaf47e9f51365aaabd71f3ace3cc77523

SHA512
fab558cf31aa79caf8e4f6e5649e4e484de3e29bae1386aa61749b70e8c791d74b01fa964501d4755c7688d0420e932f30e36699a2fe4488fae82ee23558afd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac228b0d099049408610ebbffc78c02d.exe

Filesize
345KB

MD5
8efb7339fe13cf8cea9f6445776655c0

SHA1
081afd73c757c83825cf1e8ed4a4eab259d23b97

SHA256
c1badbacd2abe44fe4e8685c8eee7e983bf8b6780cfca03ae31f8fcebc98b1fb

SHA512
2a37e74aeff17b4f435d02a30019a017a4ff4fa29fc898229f6195876f53b38154c063cf052deebcc06785650f875d67eeb0de372a76df3c4e71bd4fc0392956

Download Submit
memory/1636-26-0x00000000010F0000-0x00000000010F8000-memory.dmp

Filesize
32KB

Download
memory/1636-27-0x000000001C4C0000-0x000000001C50C000-memory.dmp

Filesize
304KB

Download
memory/1636-31-0x00007FFD501B0000-0x00007FFD50B51000-memory.dmp

Filesize
9.6MB

Download
memory/1636-32-0x00007FFD501B0000-0x00007FFD50B51000-memory.dmp

Filesize
9.6MB

Download
memory/1636-29-0x00007FFD501B0000-0x00007FFD50B51000-memory.dmp

Filesize
9.6MB

Download
memory/1636-28-0x00007FFD501B0000-0x00007FFD50B51000-memory.dmp

Filesize
9.6MB

Download
memory/1636-20-0x00007FFD50465000-0x00007FFD50466000-memory.dmp

Filesize
4KB

Download
memory/1636-21-0x000000001B850000-0x000000001B8F6000-memory.dmp

Filesize
664KB

Download
memory/1636-22-0x00007FFD501B0000-0x00007FFD50B51000-memory.dmp

Filesize
9.6MB

Download
memory/1636-23-0x000000001BE70000-0x000000001C33E000-memory.dmp

Filesize
4.8MB

Download
memory/1636-24-0x00007FFD501B0000-0x00007FFD50B51000-memory.dmp

Filesize
9.6MB

Download
memory/1636-25-0x000000001C3E0000-0x000000001C47C000-memory.dmp

Filesize
624KB

Download
memory/2216-0-0x00000000746F2000-0x00000000746F3000-memory.dmp

Filesize
4KB

Download
memory/2216-5-0x00000000746F0000-0x0000000074CA1000-memory.dmp

Filesize
5.7MB

Download
memory/2216-4-0x00000000746F2000-0x00000000746F3000-memory.dmp

Filesize
4KB

Download
memory/2216-8-0x00000000746F0000-0x0000000074CA1000-memory.dmp

Filesize
5.7MB

Download
memory/2216-7-0x00000000746F0000-0x0000000074CA1000-memory.dmp

Filesize
5.7MB

Download
memory/2216-6-0x00000000746F0000-0x0000000074CA1000-memory.dmp

Filesize
5.7MB

Download
memory/2216-2-0x00000000746F0000-0x0000000074CA1000-memory.dmp

Filesize
5.7MB

Download
memory/2216-1-0x00000000746F0000-0x0000000074CA1000-memory.dmp

Filesize
5.7MB

Download