njrat | 6ae78f6d033a71828e1c27fbc946eb2e54bbb1bbaf54f541bcb89b4923d4baf8

General

Target

Xenos/Xenos.exe

Score

10^/10

njrat evasion persistence trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 3 IoCs

Processes:

Xenos.exesvchost.exesvhost.exe

pid process

1408 Xenos.exe
1668 svchost.exe
672 svhost.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Xenos.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation Xenos.exe

pid	process
1408	Xenos.exe
1668	svchost.exe
672	svhost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Xenos.exe

Drops startup file 2 IoCs

Processes:

svhost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\28c0300760120ee25fe352fae1eb167a.exe	svhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\28c0300760120ee25fe352fae1eb167a.exe	svhost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\28c0300760120ee25fe352fae1eb167a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svhost.exe\" .."	svhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\28c0300760120ee25fe352fae1eb167a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svhost.exe\" .."	svhost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs

Processes:

svchost.exesvhost.exe

pid	process
1668	svchost.exe
1668	svchost.exe
672	svhost.exe
672	svhost.exe
672	svhost.exe
672	svhost.exe
672	svhost.exe
672	svhost.exe
672	svhost.exe
672	svhost.exe
672	svhost.exe
672	svhost.exe
672	svhost.exe
672	svhost.exe
672	svhost.exe
672	svhost.exe
672	svhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

Xenos.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance Xenos.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	Xenos.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Xenos.exeXenos.exesvchost.exe

pid	process
3692	Xenos.exe
3692	Xenos.exe
3692	Xenos.exe
1408	Xenos.exe
1408	Xenos.exe
1408	Xenos.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

Xenos.exeXenos.exesvchost.exesvhost.exe

description	pid	process
Token: SeDebugPrivilege	3692	Xenos.exe
Token: SeDebugPrivilege	1408	Xenos.exe
Token: SeDebugPrivilege	1668	svchost.exe
Token: SeDebugPrivilege	672	svhost.exe
Token: 33	672	svhost.exe
Token: SeIncBasePriorityPrivilege	672	svhost.exe
Token: 33	672	svhost.exe
Token: SeIncBasePriorityPrivilege	672	svhost.exe
Token: 33	672	svhost.exe
Token: SeIncBasePriorityPrivilege	672	svhost.exe
Token: 33	672	svhost.exe
Token: SeIncBasePriorityPrivilege	672	svhost.exe
Token: 33	672	svhost.exe
Token: SeIncBasePriorityPrivilege	672	svhost.exe
Token: 33	672	svhost.exe
Token: SeIncBasePriorityPrivilege	672	svhost.exe
Token: 33	672	svhost.exe
Token: SeIncBasePriorityPrivilege	672	svhost.exe
Token: 33	672	svhost.exe
Token: SeIncBasePriorityPrivilege	672	svhost.exe
Token: 33	672	svhost.exe
Token: SeIncBasePriorityPrivilege	672	svhost.exe
Token: 33	672	svhost.exe
Token: SeIncBasePriorityPrivilege	672	svhost.exe
Token: 33	672	svhost.exe
Token: SeIncBasePriorityPrivilege	672	svhost.exe
Token: 33	672	svhost.exe
Token: SeIncBasePriorityPrivilege	672	svhost.exe
Token: 33	672	svhost.exe
Token: SeIncBasePriorityPrivilege	672	svhost.exe
Token: 33	672	svhost.exe
Token: SeIncBasePriorityPrivilege	672	svhost.exe
Token: 33	672	svhost.exe
Token: SeIncBasePriorityPrivilege	672	svhost.exe
Token: 33	672	svhost.exe
Token: SeIncBasePriorityPrivilege	672	svhost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

svchost.exesvhost.exe

pid process

1668 svchost.exe
672 svhost.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

Xenos.exesvchost.exesvhost.exe

description	pid	process	target process
PID 3692 wrote to memory of 1408	3692	Xenos.exe	Xenos.exe
PID 3692 wrote to memory of 1408	3692	Xenos.exe	Xenos.exe
PID 3692 wrote to memory of 1668	3692	Xenos.exe	svchost.exe
PID 3692 wrote to memory of 1668	3692	Xenos.exe	svchost.exe
PID 3692 wrote to memory of 1668	3692	Xenos.exe	svchost.exe
PID 1668 wrote to memory of 672	1668	svchost.exe	svhost.exe
PID 1668 wrote to memory of 672	1668	svchost.exe	svhost.exe
PID 1668 wrote to memory of 672	1668	svchost.exe	svhost.exe
PID 672 wrote to memory of 3180	672	svhost.exe	netsh.exe
PID 672 wrote to memory of 3180	672	svhost.exe	netsh.exe
PID 672 wrote to memory of 3180	672	svhost.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\Xenos\Xenos.exe
"C:\Users\Admin\AppData\Local\Temp\Xenos\Xenos.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3692

C:\Users\Admin\AppData\Local\Temp\Xenos.exe
"C:\Users\Admin\AppData\Local\Temp\Xenos.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1408

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1668

C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:672

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svhost.exe" "svhost.exe" ENABLE
4⤵
PID:3180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Xenos.exe.log
MD5
7ff3b62c81e5e159eab190ddfdc19db8

SHA1
9097c5a644a987927dc04a0cb6a2acbc6713c8af

SHA256
9309eb301bcf03d8e91c39cbf50cd4ca06b609e6d1e97fd319f73a05ba64b084

SHA512
0e70e37ba50f30298f09ae300d607d7803c720acbac390b8aeba3a3bd5c69078f738076208feab530458f982912fe9974e9b0938da03afb14c7b16a252f9dd58

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xenos.exe
MD5
9770eeb89c8b147f388d92bc00a395e2

SHA1
b5a2b3d477198af7ae67723be36084985ff22b8e

SHA256
34a098fd2d55e4c58923eecf1e1054158ceacc3ab818d07745d6275404b8ef9a

SHA512
f214850304362816cc9a475cbc5b44f39d072a8299798e7015b44e57f84fb7f28d98f44e7a1cd9140f833179ce4ea6d903332c70401a4653f95d8767636e50a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xenos.exe
MD5
9770eeb89c8b147f388d92bc00a395e2

SHA1
b5a2b3d477198af7ae67723be36084985ff22b8e

SHA256
34a098fd2d55e4c58923eecf1e1054158ceacc3ab818d07745d6275404b8ef9a

SHA512
f214850304362816cc9a475cbc5b44f39d072a8299798e7015b44e57f84fb7f28d98f44e7a1cd9140f833179ce4ea6d903332c70401a4653f95d8767636e50a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
ed0b19f0b25d20c2ca2d7ddd9b51fafb

SHA1
9cc4d137b50d2653782bd6e4793452ac393e0fa3

SHA256
87429a3c6557a11a1e83398d65f54e1fe12945ed3df86d67762bb0e29ad492fb

SHA512
561ec87adec4833b29bb6d8061125656a9db4c0371f66f608deb75806525d01a987b1a42c1c43f3f3d1eebc88ebc684fd6189008ee5f4d1edd7cd07fe092ed0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
ed0b19f0b25d20c2ca2d7ddd9b51fafb

SHA1
9cc4d137b50d2653782bd6e4793452ac393e0fa3

SHA256
87429a3c6557a11a1e83398d65f54e1fe12945ed3df86d67762bb0e29ad492fb

SHA512
561ec87adec4833b29bb6d8061125656a9db4c0371f66f608deb75806525d01a987b1a42c1c43f3f3d1eebc88ebc684fd6189008ee5f4d1edd7cd07fe092ed0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe
MD5
ed0b19f0b25d20c2ca2d7ddd9b51fafb

SHA1
9cc4d137b50d2653782bd6e4793452ac393e0fa3

SHA256
87429a3c6557a11a1e83398d65f54e1fe12945ed3df86d67762bb0e29ad492fb

SHA512
561ec87adec4833b29bb6d8061125656a9db4c0371f66f608deb75806525d01a987b1a42c1c43f3f3d1eebc88ebc684fd6189008ee5f4d1edd7cd07fe092ed0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe
MD5
ed0b19f0b25d20c2ca2d7ddd9b51fafb

SHA1
9cc4d137b50d2653782bd6e4793452ac393e0fa3

SHA256
87429a3c6557a11a1e83398d65f54e1fe12945ed3df86d67762bb0e29ad492fb

SHA512
561ec87adec4833b29bb6d8061125656a9db4c0371f66f608deb75806525d01a987b1a42c1c43f3f3d1eebc88ebc684fd6189008ee5f4d1edd7cd07fe092ed0f

Download Submit
memory/672-137-0x0000000001050000-0x0000000001051000-memory.dmp

Filesize
4KB

Download
memory/672-134-0x0000000000000000-mapping.dmp

Download
memory/1408-120-0x0000000000000000-mapping.dmp

Download
memory/1408-132-0x00000000030A4000-0x00000000030A6000-memory.dmp

Filesize
8KB

Download
memory/1408-123-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/1408-128-0x00000000030A0000-0x00000000030A2000-memory.dmp

Filesize
8KB

Download
memory/1408-129-0x00000000030A2000-0x00000000030A4000-memory.dmp

Filesize
8KB

Download
memory/1408-133-0x00000000030A6000-0x00000000030A8000-memory.dmp

Filesize
8KB

Download
memory/1668-131-0x0000000004201000-0x0000000004202000-memory.dmp

Filesize
4KB

Download
memory/1668-125-0x0000000000000000-mapping.dmp

Download
memory/3180-138-0x0000000000000000-mapping.dmp

Download
memory/3692-114-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/3692-119-0x00000000024F6000-0x00000000024F8000-memory.dmp

Filesize
8KB

Download
memory/3692-118-0x00000000024F4000-0x00000000024F6000-memory.dmp

Filesize
8KB

Download
memory/3692-117-0x00000000024F2000-0x00000000024F4000-memory.dmp

Filesize
8KB

Download
memory/3692-116-0x00000000024F0000-0x00000000024F2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads