njrat | 0f231a1e2379c9f88a63df1cb034cd74ba16fad3e01691dac81279285623cf47

General

Target

0f231a1e2379c9f88a63df1cb034cd74ba16fad3e01691dac81279285623cf47N.exe
Size

3.2MB
MD5

6aec790c4512fa0d76f209c095f1a8b0
SHA1

b6155ae131d5e6cfb1a8aecc581e8fc81a6c93d3
SHA256

0f231a1e2379c9f88a63df1cb034cd74ba16fad3e01691dac81279285623cf47
SHA512

2014f088ae78eca2498e7f15191ad59f19f870cff858560304cb6a41a58973d94f5e755a7713f7da518e159b22b0f11c3c22cd0255b043b8c2750cfcb5ce4fca
SSDEEP

98304:zviz/27qWGq/TzuqCDl2Ptao7j5K3JS4rUNq:zviq75/Tzufd3JSnNq

Score

10^/10

njrat discovery evasion persistence privilege_escalation trojan

Malware Config

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1504	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	crypted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CDS.exe

Executes dropped EXE 3 IoCs

pid	Process
840	CDS.exe
1308	crypted.exe
3560	server.exe

Loads dropped DLL 1 IoCs

pid	Process
840	CDS.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0f231a1e2379c9f88a63df1cb034cd74ba16fad3e01691dac81279285623cf47N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bc4633c7cad50e9fd5e79a99a4157416 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bc4633c7cad50e9fd5e79a99a4157416 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0f231a1e2379c9f88a63df1cb034cd74ba16fad3e01691dac81279285623cf47N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CDS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crypted.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
840	CDS.exe
840	CDS.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: 33	4548	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4548	AUDIODG.EXE
Token: SeDebugPrivilege	3560	server.exe
Token: 33	3560	server.exe
Token: SeIncBasePriorityPrivilege	3560	server.exe
Token: 33	3560	server.exe
Token: SeIncBasePriorityPrivilege	3560	server.exe
Token: 33	3560	server.exe
Token: SeIncBasePriorityPrivilege	3560	server.exe
Token: 33	3560	server.exe
Token: SeIncBasePriorityPrivilege	3560	server.exe
Token: 33	3560	server.exe
Token: SeIncBasePriorityPrivilege	3560	server.exe
Token: 33	3560	server.exe
Token: SeIncBasePriorityPrivilege	3560	server.exe
Token: 33	3560	server.exe
Token: SeIncBasePriorityPrivilege	3560	server.exe
Token: 33	3560	server.exe
Token: SeIncBasePriorityPrivilege	3560	server.exe
Token: 33	3560	server.exe
Token: SeIncBasePriorityPrivilege	3560	server.exe
Token: 33	3560	server.exe
Token: SeIncBasePriorityPrivilege	3560	server.exe
Token: 33	3560	server.exe
Token: SeIncBasePriorityPrivilege	3560	server.exe
Token: 33	3560	server.exe
Token: SeIncBasePriorityPrivilege	3560	server.exe
Token: 33	3560	server.exe
Token: SeIncBasePriorityPrivilege	3560	server.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
840	CDS.exe
840	CDS.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 840	2208	0f231a1e2379c9f88a63df1cb034cd74ba16fad3e01691dac81279285623cf47N.exe	83
PID 2208 wrote to memory of 840	2208	0f231a1e2379c9f88a63df1cb034cd74ba16fad3e01691dac81279285623cf47N.exe	83
PID 2208 wrote to memory of 840	2208	0f231a1e2379c9f88a63df1cb034cd74ba16fad3e01691dac81279285623cf47N.exe	83
PID 840 wrote to memory of 1308	840	CDS.exe	85
PID 840 wrote to memory of 1308	840	CDS.exe	85
PID 840 wrote to memory of 1308	840	CDS.exe	85
PID 1308 wrote to memory of 3560	1308	crypted.exe	87
PID 1308 wrote to memory of 3560	1308	crypted.exe	87
PID 1308 wrote to memory of 3560	1308	crypted.exe	87
PID 3560 wrote to memory of 1504	3560	server.exe	94
PID 3560 wrote to memory of 1504	3560	server.exe	94
PID 3560 wrote to memory of 1504	3560	server.exe	94

C:\Users\Admin\AppData\Local\Temp\0f231a1e2379c9f88a63df1cb034cd74ba16fad3e01691dac81279285623cf47N.exe
"C:\Users\Admin\AppData\Local\Temp\0f231a1e2379c9f88a63df1cb034cd74ba16fad3e01691dac81279285623cf47N.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
    "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1308
  - - C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3560
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1504

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x494 0x48c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\630_10.png

Filesize
2KB

MD5
340b294efc691d1b20c64175d565ebc7

SHA1
81cb9649bd1c9a62ae79e781818fc24d15c29ce7

SHA256
72566894059452101ea836bbff9ede5069141eeb52022ab55baa24e1666825c9

SHA512
1395a8e175c63a1a1ff459a9dac437156c74299272e020e7e078a087969251a8534f17244a529acbc1b6800a97d4c0abfa3c88f6fcb88423f56dfaae9b49fc3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.cdd

Filesize
13KB

MD5
3e7ecaeb51c2812d13b07ec852d74aaf

SHA1
e9bdab93596ffb0f7f8c65243c579180939acb26

SHA256
e7e942993864e8b18780ef10a415f7b93924c6378248c52f0c96895735222b96

SHA512
635cd5173b595f1905af9eeea65037601cf8496d519c506b6d082662d438c26a1bfe653eaf6edcb117ccf8767975c37ab0238ca4c77574e2706f9b238a15ad4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe

Filesize
6.1MB

MD5
424bf196deaeb4ddcafb78e137fa560a

SHA1
007738e9486c904a3115daa6e8ba2ee692af58c8

SHA256
0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2

SHA512
a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c.dat

Filesize
23KB

MD5
37674aec2259906c87143c48525ff5d8

SHA1
05b811ed47383847dddda3c41d1663f56526f717

SHA256
0966a18af4845bd3d8822d0ab4464d7e3290d16efc5555c380e5251d96c55342

SHA512
5730d3cec383df21bdc855c6f1581a3e29518eebc492f56fd00881dbe2b20311cfe6e5db25fab40fa8ca7d0887e00d2b8f7d5d2d9d263c2846205f3b8f23cde4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe

Filesize
23KB

MD5
61c0c989ad550661ce0e8bbb23a476e6

SHA1
b03748232fa54f0832e0d6bed54698fb81d2cf23

SHA256
82dc6e75bca638c7d14424fac40bbf418c7577009adf493efcd68fa0a34e9a37

SHA512
3f69bac771be505a44071dcd3687219442c03cb10339dbeba7f8bc39148610351b2a76370b91462d8269aa4dc3ad73edafad1bed70f3477d7bddcb168316c08a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fs.settings

Filesize
5B

MD5
68934a3e9455fa72420237eb05902327

SHA1
7cb6efb98ba5972a9b5090dc2e517fe14d12cb04

SHA256
fcbcf165908dd18a9e49f7ff27810176db8e9f63b4352213741664245224f8aa

SHA512
719fa67eef49c4b2a2b83f0c62bddd88c106aaadb7e21ae057c8802b700e36f81fe3f144812d8b05d66dc663d908b25645e153262cf6d457aa34e684af9e328d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll

Filesize
322KB

MD5
c3256800dce47c14acc83ccca4c3e2ac

SHA1
9d126818c66991dbc3813a65eddb88bbcf77f30a

SHA256
f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866

SHA512
6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads