njrat | 5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2

General

Target

5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe
Size

56KB
MD5

62554290b10d37c8426531078482e7ff
SHA1

0fa75fd1a5f182de0d6ff56839c657184eeaeaff
SHA256

5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2
SHA512

c51249f214984cd5da9af417906a13334dc28d264a08d02963975380fbb3f4b9b9f83fe992767ac0cd9574999a2f36542ed25ee38e193fa7b83cc6283d7ae1d3
SSDEEP

1536:XvvqylRHMH/Jtakr8KCxEhDYcEb08+D9V2vPscWu:fvVa+krSxuDIvi9+Psbu

Score

10^/10

njrat evasion execution persistence privilege_escalation trojan

Malware Config

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2908	powershell.exe
1376	powershell.exe
1744	powershell.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
896	netsh.exe

Executes dropped EXE 2 IoCs

pid	Process
2656	5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe
2640	5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe

Loads dropped DLL 3 IoCs

pid	Process
1972	taskeng.exe
1972	taskeng.exe
1972	taskeng.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1708	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2908	powershell.exe
1376	powershell.exe
1744	powershell.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	2936	5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: 33	2936	5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe
Token: SeIncBasePriorityPrivilege	2936	5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe
Token: 33	2936	5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe
Token: SeIncBasePriorityPrivilege	2936	5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe
Token: 33	2936	5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe
Token: SeIncBasePriorityPrivilege	2936	5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe
Token: SeDebugPrivilege	2656	5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe
Token: 33	2936	5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe
Token: SeIncBasePriorityPrivilege	2936	5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe
Token: 33	2936	5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe
Token: SeIncBasePriorityPrivilege	2936	5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe
Token: 33	2936	5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe
Token: SeIncBasePriorityPrivilege	2936	5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe
Token: 33	2936	5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe
Token: SeIncBasePriorityPrivilege	2936	5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe
Token: 33	2936	5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe
Token: SeIncBasePriorityPrivilege	2936	5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe
Token: 33	2936	5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe
Token: SeIncBasePriorityPrivilege	2936	5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe
Token: 33	2936	5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe
Token: SeIncBasePriorityPrivilege	2936	5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe
Token: 33	2936	5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe
Token: SeIncBasePriorityPrivilege	2936	5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe
Token: SeDebugPrivilege	2640	5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe
Token: 33	2936	5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe
Token: SeIncBasePriorityPrivilege	2936	5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2908	2936	5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe	31
PID 2936 wrote to memory of 2908	2936	5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe	31
PID 2936 wrote to memory of 2908	2936	5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe	31
PID 2936 wrote to memory of 1376	2936	5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe	33
PID 2936 wrote to memory of 1376	2936	5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe	33
PID 2936 wrote to memory of 1376	2936	5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe	33
PID 2936 wrote to memory of 1744	2936	5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe	35
PID 2936 wrote to memory of 1744	2936	5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe	35
PID 2936 wrote to memory of 1744	2936	5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe	35
PID 2936 wrote to memory of 1708	2936	5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe	37
PID 2936 wrote to memory of 1708	2936	5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe	37
PID 2936 wrote to memory of 1708	2936	5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe	37
PID 2936 wrote to memory of 896	2936	5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe	39
PID 2936 wrote to memory of 896	2936	5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe	39
PID 2936 wrote to memory of 896	2936	5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe	39
PID 1972 wrote to memory of 2656	1972	taskeng.exe	42
PID 1972 wrote to memory of 2656	1972	taskeng.exe	42
PID 1972 wrote to memory of 2656	1972	taskeng.exe	42
PID 1972 wrote to memory of 2640	1972	taskeng.exe	43
PID 1972 wrote to memory of 2640	1972	taskeng.exe	43
PID 1972 wrote to memory of 2640	1972	taskeng.exe	43

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe
"C:\Users\Admin\AppData\Local\Temp\5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1744
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /rl highest /tn "5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2" /tr "C:\ProgramData\5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1708
- C:\Windows\system32\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe" "5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:896

C:\Windows\system32\taskeng.exe
taskeng.exe {AC922870-B78F-4345-A597-B299E787AC46} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1972
- C:\ProgramData\5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe
  C:\ProgramData\5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2656
- C:\ProgramData\5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe
  C:\ProgramData\5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0afc0bb6e9f2695508854fb8771a9417

SHA1
4f6574816bbed91ef44eab61040d5126e82226cb

SHA256
197efa79f2a452be13fb5f44138e884f0d7fbd1e24c767619951f966cd6c522d

SHA512
27d41f5d20c2b2a845aff0ab7712e69684f075534047d558eb574d01a61ba1052ba8cf16130a99247dc0cf41ae8ca066235188cce5211519607525ecf3e00007

Download Submit
\ProgramData\5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe

Filesize
56KB

MD5
62554290b10d37c8426531078482e7ff

SHA1
0fa75fd1a5f182de0d6ff56839c657184eeaeaff

SHA256
5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2

SHA512
c51249f214984cd5da9af417906a13334dc28d264a08d02963975380fbb3f4b9b9f83fe992767ac0cd9574999a2f36542ed25ee38e193fa7b83cc6283d7ae1d3

Download Submit
memory/1376-17-0x0000000002370000-0x0000000002378000-memory.dmp

Filesize
32KB

Download
memory/1376-15-0x000000001B3D0000-0x000000001B6B2000-memory.dmp

Filesize
2.9MB

Download
memory/2908-7-0x000000001B330000-0x000000001B612000-memory.dmp

Filesize
2.9MB

Download
memory/2908-8-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/2936-9-0x000007FEF5B60000-0x000007FEF64FD000-memory.dmp

Filesize
9.6MB

Download
memory/2936-2-0x000007FEF5B60000-0x000007FEF64FD000-memory.dmp

Filesize
9.6MB

Download
memory/2936-16-0x000007FEF5E1E000-0x000007FEF5E1F000-memory.dmp

Filesize
4KB

Download
memory/2936-0-0x000007FEF5E1E000-0x000007FEF5E1F000-memory.dmp

Filesize
4KB

Download
memory/2936-24-0x000000001E320000-0x000000001E32E000-memory.dmp

Filesize
56KB

Download
memory/2936-25-0x000007FEF5B60000-0x000007FEF64FD000-memory.dmp

Filesize
9.6MB

Download
memory/2936-26-0x000007FEF5B60000-0x000007FEF64FD000-memory.dmp

Filesize
9.6MB

Download
memory/2936-1-0x000007FEF5B60000-0x000007FEF64FD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads