njrat | 8c69c1f98bd10df34fa03d0272da010d57169ea547646a7901dc598fa83cdaca

Analysis

max time kernel
151s
max time network
149s
platform
windows7_x64
resource
win7v20201028
submitted
14-12-2020 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cae982c8d468fbdcafdf10c4c0ea157b.exe
Size

1.7MB
MD5

cae982c8d468fbdcafdf10c4c0ea157b
SHA1

9c55cc086ac29516a17b473dd8b23c8713dfb6fc
SHA256

8c69c1f98bd10df34fa03d0272da010d57169ea547646a7901dc598fa83cdaca
SHA512

7542c061ecd4cae53c1e22bb065d6e3e62f29d75747d677dcf8ff09e5e9f664cde7362c758ee30cede9e115e64a5fb2c90194180c93e0bb0126d4290f51ae493

Score

10^/10

njrat evasion persistence trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 3 IoCs

Processes:

~__UNINST.EXEZombie's Retreat - Beta 0.13.exeCrypter.exe

pid process

2012 ~__UNINST.EXE
1776 Zombie's Retreat - Beta 0.13.exe
1792 Crypter.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
2012	~__UNINST.EXE
1776	Zombie's Retreat - Beta 0.13.exe
1792	Crypter.exe

Drops startup file 2 IoCs

Processes:

Crypter.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\742d9dbf218700f0b3c42d70c7e02cb9.exe	Crypter.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\742d9dbf218700f0b3c42d70c7e02cb9.exe	Crypter.exe

Loads dropped DLL 8 IoCs

Processes:

cae982c8d468fbdcafdf10c4c0ea157b.exe~__UNINST.EXECrypter.exe

pid	process
836	cae982c8d468fbdcafdf10c4c0ea157b.exe
2012	~__UNINST.EXE
2012	~__UNINST.EXE
2012	~__UNINST.EXE
2012	~__UNINST.EXE
2012	~__UNINST.EXE
1792	Crypter.exe
1792	Crypter.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Crypter.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\742d9dbf218700f0b3c42d70c7e02cb9 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Crypter.exe\" .."	Crypter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\742d9dbf218700f0b3c42d70c7e02cb9 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Crypter.exe\" .."	Crypter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

Crypter.exe

description	pid	process
Token: SeDebugPrivilege	1792	Crypter.exe
Token: 33	1792	Crypter.exe
Token: SeIncBasePriorityPrivilege	1792	Crypter.exe
Token: 33	1792	Crypter.exe
Token: SeIncBasePriorityPrivilege	1792	Crypter.exe
Token: 33	1792	Crypter.exe
Token: SeIncBasePriorityPrivilege	1792	Crypter.exe
Token: 33	1792	Crypter.exe
Token: SeIncBasePriorityPrivilege	1792	Crypter.exe
Token: 33	1792	Crypter.exe
Token: SeIncBasePriorityPrivilege	1792	Crypter.exe
Token: 33	1792	Crypter.exe
Token: SeIncBasePriorityPrivilege	1792	Crypter.exe
Token: 33	1792	Crypter.exe
Token: SeIncBasePriorityPrivilege	1792	Crypter.exe
Token: 33	1792	Crypter.exe
Token: SeIncBasePriorityPrivilege	1792	Crypter.exe
Token: 33	1792	Crypter.exe
Token: SeIncBasePriorityPrivilege	1792	Crypter.exe
Token: 33	1792	Crypter.exe
Token: SeIncBasePriorityPrivilege	1792	Crypter.exe
Token: 33	1792	Crypter.exe
Token: SeIncBasePriorityPrivilege	1792	Crypter.exe
Token: 33	1792	Crypter.exe
Token: SeIncBasePriorityPrivilege	1792	Crypter.exe
Token: 33	1792	Crypter.exe
Token: SeIncBasePriorityPrivilege	1792	Crypter.exe
Token: 33	1792	Crypter.exe
Token: SeIncBasePriorityPrivilege	1792	Crypter.exe
Token: 33	1792	Crypter.exe
Token: SeIncBasePriorityPrivilege	1792	Crypter.exe
Token: 33	1792	Crypter.exe
Token: SeIncBasePriorityPrivilege	1792	Crypter.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

cae982c8d468fbdcafdf10c4c0ea157b.exe~__UNINST.EXECrypter.exe

description	pid	process	target process
PID 836 wrote to memory of 2012	836	cae982c8d468fbdcafdf10c4c0ea157b.exe	~__UNINST.EXE
PID 836 wrote to memory of 2012	836	cae982c8d468fbdcafdf10c4c0ea157b.exe	~__UNINST.EXE
PID 836 wrote to memory of 2012	836	cae982c8d468fbdcafdf10c4c0ea157b.exe	~__UNINST.EXE
PID 836 wrote to memory of 2012	836	cae982c8d468fbdcafdf10c4c0ea157b.exe	~__UNINST.EXE
PID 836 wrote to memory of 2012	836	cae982c8d468fbdcafdf10c4c0ea157b.exe	~__UNINST.EXE
PID 836 wrote to memory of 2012	836	cae982c8d468fbdcafdf10c4c0ea157b.exe	~__UNINST.EXE
PID 836 wrote to memory of 2012	836	cae982c8d468fbdcafdf10c4c0ea157b.exe	~__UNINST.EXE
PID 2012 wrote to memory of 1776	2012	~__UNINST.EXE	Zombie's Retreat - Beta 0.13.exe
PID 2012 wrote to memory of 1776	2012	~__UNINST.EXE	Zombie's Retreat - Beta 0.13.exe
PID 2012 wrote to memory of 1776	2012	~__UNINST.EXE	Zombie's Retreat - Beta 0.13.exe
PID 2012 wrote to memory of 1776	2012	~__UNINST.EXE	Zombie's Retreat - Beta 0.13.exe
PID 2012 wrote to memory of 1776	2012	~__UNINST.EXE	Zombie's Retreat - Beta 0.13.exe
PID 2012 wrote to memory of 1776	2012	~__UNINST.EXE	Zombie's Retreat - Beta 0.13.exe
PID 2012 wrote to memory of 1776	2012	~__UNINST.EXE	Zombie's Retreat - Beta 0.13.exe
PID 2012 wrote to memory of 1792	2012	~__UNINST.EXE	Crypter.exe
PID 2012 wrote to memory of 1792	2012	~__UNINST.EXE	Crypter.exe
PID 2012 wrote to memory of 1792	2012	~__UNINST.EXE	Crypter.exe
PID 2012 wrote to memory of 1792	2012	~__UNINST.EXE	Crypter.exe
PID 2012 wrote to memory of 1792	2012	~__UNINST.EXE	Crypter.exe
PID 2012 wrote to memory of 1792	2012	~__UNINST.EXE	Crypter.exe
PID 2012 wrote to memory of 1792	2012	~__UNINST.EXE	Crypter.exe
PID 1792 wrote to memory of 616	1792	Crypter.exe	netsh.exe
PID 1792 wrote to memory of 616	1792	Crypter.exe	netsh.exe
PID 1792 wrote to memory of 616	1792	Crypter.exe	netsh.exe
PID 1792 wrote to memory of 616	1792	Crypter.exe	netsh.exe
PID 1792 wrote to memory of 616	1792	Crypter.exe	netsh.exe
PID 1792 wrote to memory of 616	1792	Crypter.exe	netsh.exe
PID 1792 wrote to memory of 616	1792	Crypter.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\cae982c8d468fbdcafdf10c4c0ea157b.exe
"C:\Users\Admin\AppData\Local\Temp\cae982c8d468fbdcafdf10c4c0ea157b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:836

C:\Users\Admin\AppData\Local\Temp\~__UNINST.EXE
"C:\Users\Admin\AppData\Local\Temp\~__UNINST.EXE" C:\Users\Admin\AppData\Local\Temp\cae982c8d468fbdcafdf10c4c0ea157b.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012

C:\Users\Admin\AppData\Local\Temp\Zombie's Retreat - Beta 0.13.exe
"C:\Users\Admin\AppData\Local\Temp\Zombie's Retreat - Beta 0.13.exe"
3⤵
- Executes dropped EXE
PID:1776

C:\Users\Admin\AppData\Local\Temp\Crypter.exe
"C:\Users\Admin\AppData\Local\Temp\Crypter.exe" ADN
3⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Crypter.exe" "Crypter.exe" ENABLE
4⤵
PID:616

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Crypter.exe
MD5
a272670a02da9e6744c2172c38d9b0bf

SHA1
55bb1b38ce5632f1cd31dcda7ece7391d2ec607b

SHA256
a99b6d01ff63195834e87d1e6e279d2ecfd3e87c6bcb72ed4267908f0c6a65dc

SHA512
edc4f83a7b4958f1def1d4181d95ec41bf4128238f40b91813c8dbefd4c6f44fd3e653b6c73f3bc8d53dc08741804bcf673abb72b3d7814cd1a159adf695b1a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Crypter.exe
MD5
a272670a02da9e6744c2172c38d9b0bf

SHA1
55bb1b38ce5632f1cd31dcda7ece7391d2ec607b

SHA256
a99b6d01ff63195834e87d1e6e279d2ecfd3e87c6bcb72ed4267908f0c6a65dc

SHA512
edc4f83a7b4958f1def1d4181d95ec41bf4128238f40b91813c8dbefd4c6f44fd3e653b6c73f3bc8d53dc08741804bcf673abb72b3d7814cd1a159adf695b1a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zombie's Retreat - Beta 0.13.exe
MD5
9ebc7dd20fa66f5deabfd8873a4ed8c6

SHA1
cf1b1da0e5215738a8e972077be5804cb326b8ed

SHA256
487bd28f3d0b43ed9827ba519d6d113c4f31059bd62b4492da586c7bc82a9474

SHA512
5d0a052edec070ee573bc43ed9eb7eb92c0460efe60a5abc31d1200e092937b91eafce5492cd945d46645f9029f0f80a37907fe6292639d37f15f58dae377271

Download Submit
C:\Users\Admin\AppData\Local\Temp\~__UNINST.EXE
MD5
cae982c8d468fbdcafdf10c4c0ea157b

SHA1
9c55cc086ac29516a17b473dd8b23c8713dfb6fc

SHA256
8c69c1f98bd10df34fa03d0272da010d57169ea547646a7901dc598fa83cdaca

SHA512
7542c061ecd4cae53c1e22bb065d6e3e62f29d75747d677dcf8ff09e5e9f664cde7362c758ee30cede9e115e64a5fb2c90194180c93e0bb0126d4290f51ae493

Download Submit
C:\Users\Admin\AppData\Local\Temp\~__UNINST.EXE
MD5
cae982c8d468fbdcafdf10c4c0ea157b

SHA1
9c55cc086ac29516a17b473dd8b23c8713dfb6fc

SHA256
8c69c1f98bd10df34fa03d0272da010d57169ea547646a7901dc598fa83cdaca

SHA512
7542c061ecd4cae53c1e22bb065d6e3e62f29d75747d677dcf8ff09e5e9f664cde7362c758ee30cede9e115e64a5fb2c90194180c93e0bb0126d4290f51ae493

Download Submit
\Users\Admin\AppData\Local\Temp\Crypter.exe
MD5
a272670a02da9e6744c2172c38d9b0bf

SHA1
55bb1b38ce5632f1cd31dcda7ece7391d2ec607b

SHA256
a99b6d01ff63195834e87d1e6e279d2ecfd3e87c6bcb72ed4267908f0c6a65dc

SHA512
edc4f83a7b4958f1def1d4181d95ec41bf4128238f40b91813c8dbefd4c6f44fd3e653b6c73f3bc8d53dc08741804bcf673abb72b3d7814cd1a159adf695b1a6

Download Submit
\Users\Admin\AppData\Local\Temp\Crypter.exe
MD5
a272670a02da9e6744c2172c38d9b0bf

SHA1
55bb1b38ce5632f1cd31dcda7ece7391d2ec607b

SHA256
a99b6d01ff63195834e87d1e6e279d2ecfd3e87c6bcb72ed4267908f0c6a65dc

SHA512
edc4f83a7b4958f1def1d4181d95ec41bf4128238f40b91813c8dbefd4c6f44fd3e653b6c73f3bc8d53dc08741804bcf673abb72b3d7814cd1a159adf695b1a6

Download Submit
\Users\Admin\AppData\Local\Temp\Crypter.exe
MD5
a272670a02da9e6744c2172c38d9b0bf

SHA1
55bb1b38ce5632f1cd31dcda7ece7391d2ec607b

SHA256
a99b6d01ff63195834e87d1e6e279d2ecfd3e87c6bcb72ed4267908f0c6a65dc

SHA512
edc4f83a7b4958f1def1d4181d95ec41bf4128238f40b91813c8dbefd4c6f44fd3e653b6c73f3bc8d53dc08741804bcf673abb72b3d7814cd1a159adf695b1a6

Download Submit
\Users\Admin\AppData\Local\Temp\Zombie's Retreat - Beta 0.13.exe
MD5
9ebc7dd20fa66f5deabfd8873a4ed8c6

SHA1
cf1b1da0e5215738a8e972077be5804cb326b8ed

SHA256
487bd28f3d0b43ed9827ba519d6d113c4f31059bd62b4492da586c7bc82a9474

SHA512
5d0a052edec070ee573bc43ed9eb7eb92c0460efe60a5abc31d1200e092937b91eafce5492cd945d46645f9029f0f80a37907fe6292639d37f15f58dae377271

Download Submit
\Users\Admin\AppData\Local\Temp\~__UNINST.EXE
MD5
cae982c8d468fbdcafdf10c4c0ea157b

SHA1
9c55cc086ac29516a17b473dd8b23c8713dfb6fc

SHA256
8c69c1f98bd10df34fa03d0272da010d57169ea547646a7901dc598fa83cdaca

SHA512
7542c061ecd4cae53c1e22bb065d6e3e62f29d75747d677dcf8ff09e5e9f664cde7362c758ee30cede9e115e64a5fb2c90194180c93e0bb0126d4290f51ae493

Download Submit
\Users\Admin\AppData\Local\Temp\~__UNINST.EXE
MD5
cae982c8d468fbdcafdf10c4c0ea157b

SHA1
9c55cc086ac29516a17b473dd8b23c8713dfb6fc

SHA256
8c69c1f98bd10df34fa03d0272da010d57169ea547646a7901dc598fa83cdaca

SHA512
7542c061ecd4cae53c1e22bb065d6e3e62f29d75747d677dcf8ff09e5e9f664cde7362c758ee30cede9e115e64a5fb2c90194180c93e0bb0126d4290f51ae493

Download Submit
\Users\Admin\AppData\Local\Temp\~__UNINST.EXE
MD5
cae982c8d468fbdcafdf10c4c0ea157b

SHA1
9c55cc086ac29516a17b473dd8b23c8713dfb6fc

SHA256
8c69c1f98bd10df34fa03d0272da010d57169ea547646a7901dc598fa83cdaca

SHA512
7542c061ecd4cae53c1e22bb065d6e3e62f29d75747d677dcf8ff09e5e9f664cde7362c758ee30cede9e115e64a5fb2c90194180c93e0bb0126d4290f51ae493

Download Submit
\Users\Admin\AppData\Local\Temp\~__UNINST.EXE
MD5
cae982c8d468fbdcafdf10c4c0ea157b

SHA1
9c55cc086ac29516a17b473dd8b23c8713dfb6fc

SHA256
8c69c1f98bd10df34fa03d0272da010d57169ea547646a7901dc598fa83cdaca

SHA512
7542c061ecd4cae53c1e22bb065d6e3e62f29d75747d677dcf8ff09e5e9f664cde7362c758ee30cede9e115e64a5fb2c90194180c93e0bb0126d4290f51ae493

Download Submit
memory/616-27-0x0000000000000000-mapping.dmp

Download
memory/1776-10-0x0000000000000000-mapping.dmp

Download
memory/1792-19-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/1792-18-0x0000000074460000-0x0000000074B4E000-memory.dmp

Filesize
6.9MB

Download
memory/1792-21-0x0000000000640000-0x0000000000657000-memory.dmp

Filesize
92KB

Download
memory/1792-22-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/1792-23-0x0000000000480000-0x0000000000489000-memory.dmp

Filesize
36KB

Download
memory/1792-13-0x0000000000000000-mapping.dmp

Download
memory/2012-3-0x0000000000000000-mapping.dmp

Download