njrat | 6ae78f6d033a71828e1c27fbc946eb2e54bbb1bbaf54f541bcb89b4923d4baf8

General

Target

Xenos/Xenos64.exe

Score

10^/10

njrat evasion persistence trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 3 IoCs

Processes:

Xenos64.exesvchost.exesvhost.exe

pid process

1964 Xenos64.exe
1708 svchost.exe
552 svhost.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
1964	Xenos64.exe
1708	svchost.exe
552	svhost.exe

Drops startup file 2 IoCs

Processes:

svhost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\28c0300760120ee25fe352fae1eb167a.exe	svhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\28c0300760120ee25fe352fae1eb167a.exe	svhost.exe

Loads dropped DLL 3 IoCs

Processes:

Xenos64.exesvchost.exe

pid process

1992 Xenos64.exe
1196
1708 svchost.exe

pid	process
1992	Xenos64.exe
1196
1708	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\28c0300760120ee25fe352fae1eb167a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svhost.exe\" .."	svhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\28c0300760120ee25fe352fae1eb167a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svhost.exe\" .."	svhost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

Processes:

svchost.exesvhost.exe

pid	process
1708	svchost.exe
1708	svchost.exe
552	svhost.exe
552	svhost.exe
552	svhost.exe
552	svhost.exe
552	svhost.exe
552	svhost.exe
552	svhost.exe
552	svhost.exe
552	svhost.exe
552	svhost.exe
552	svhost.exe
552	svhost.exe
552	svhost.exe
552	svhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 35 IoCs

Processes:

Xenos64.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Xenos64.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	Xenos64.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Xenos64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64	Xenos64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\ = "Xenos 64-bit injection profile"	Xenos64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell\Edit	Xenos64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell\Run	Xenos64.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Xenos64.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Xenos64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell	Xenos64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell\ = "Run"	Xenos64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell\Edit\command	Xenos64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell\Run\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Xenos64.exe --run %1"	Xenos64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"	Xenos64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xpr64\ = "XenosProfile64"	Xenos64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Xenos64.exe,-135"	Xenos64.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_Classes\Local Settings	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	Xenos64.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	Xenos64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	Xenos64.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Xenos64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell\Run\command	Xenos64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\DefaultIcon	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	Xenos64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xpr64	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	Xenos64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	Xenos64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xpr64\Content Type = "Application/xml"	Xenos64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell\Edit\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Xenos64.exe --load %1"	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Xenos64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	Xenos64.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exe

pid	process
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Xenos64.exe

pid process

1964 Xenos64.exe

pid	process
1964	Xenos64.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

Processes:

Xenos64.exesvchost.exesvhost.exe

description	pid	process
Token: SeDebugPrivilege	1964	Xenos64.exe
Token: SeLoadDriverPrivilege	1964	Xenos64.exe
Token: SeDebugPrivilege	1708	svchost.exe
Token: SeDebugPrivilege	552	svhost.exe
Token: 33	552	svhost.exe
Token: SeIncBasePriorityPrivilege	552	svhost.exe
Token: 33	552	svhost.exe
Token: SeIncBasePriorityPrivilege	552	svhost.exe
Token: 33	552	svhost.exe
Token: SeIncBasePriorityPrivilege	552	svhost.exe
Token: 33	552	svhost.exe
Token: SeIncBasePriorityPrivilege	552	svhost.exe
Token: 33	552	svhost.exe
Token: SeIncBasePriorityPrivilege	552	svhost.exe
Token: 33	552	svhost.exe
Token: SeIncBasePriorityPrivilege	552	svhost.exe
Token: 33	552	svhost.exe
Token: SeIncBasePriorityPrivilege	552	svhost.exe
Token: 33	552	svhost.exe
Token: SeIncBasePriorityPrivilege	552	svhost.exe
Token: 33	552	svhost.exe
Token: SeIncBasePriorityPrivilege	552	svhost.exe
Token: 33	552	svhost.exe
Token: SeIncBasePriorityPrivilege	552	svhost.exe
Token: 33	552	svhost.exe
Token: SeIncBasePriorityPrivilege	552	svhost.exe
Token: 33	552	svhost.exe
Token: SeIncBasePriorityPrivilege	552	svhost.exe
Token: 33	552	svhost.exe
Token: SeIncBasePriorityPrivilege	552	svhost.exe
Token: 33	552	svhost.exe
Token: SeIncBasePriorityPrivilege	552	svhost.exe
Token: 33	552	svhost.exe
Token: SeIncBasePriorityPrivilege	552	svhost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

svchost.exesvhost.exeXenos64.exe

pid process

1708 svchost.exe
552 svhost.exe
1964 Xenos64.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Xenos64.exesvchost.exesvhost.exe

description	pid	process	target process
PID 1992 wrote to memory of 1964	1992	Xenos64.exe	Xenos64.exe
PID 1992 wrote to memory of 1964	1992	Xenos64.exe	Xenos64.exe
PID 1992 wrote to memory of 1964	1992	Xenos64.exe	Xenos64.exe
PID 1992 wrote to memory of 1708	1992	Xenos64.exe	svchost.exe
PID 1992 wrote to memory of 1708	1992	Xenos64.exe	svchost.exe
PID 1992 wrote to memory of 1708	1992	Xenos64.exe	svchost.exe
PID 1992 wrote to memory of 1708	1992	Xenos64.exe	svchost.exe
PID 1708 wrote to memory of 552	1708	svchost.exe	svhost.exe
PID 1708 wrote to memory of 552	1708	svchost.exe	svhost.exe
PID 1708 wrote to memory of 552	1708	svchost.exe	svhost.exe
PID 1708 wrote to memory of 552	1708	svchost.exe	svhost.exe
PID 552 wrote to memory of 1604	552	svhost.exe	netsh.exe
PID 552 wrote to memory of 1604	552	svhost.exe	netsh.exe
PID 552 wrote to memory of 1604	552	svhost.exe	netsh.exe
PID 552 wrote to memory of 1604	552	svhost.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\Xenos\Xenos64.exe
"C:\Users\Admin\AppData\Local\Temp\Xenos\Xenos64.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1992

C:\Users\Admin\AppData\Local\Temp\Xenos64.exe
"C:\Users\Admin\AppData\Local\Temp\Xenos64.exe"
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1964

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1708

C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:552

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svhost.exe" "svhost.exe" ENABLE
4⤵
PID:1604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Xenos64.exe
MD5
6f0dd4150efddfc20b70401479964211

SHA1
e97c802a8013b13fb91a831b779ade7c3ca6870b

SHA256
0e6d59fcdf8f143e23b076cc8380d6d23324839ae4f91793133b600e7eb76eb9

SHA512
d8e823876507cd10b8c176e502c99bb80d52742eaa7c0e319b2a5c1f605de962505bf09950418a461fde427db34a59dbb67cbb4a6045f44d243c77945aebd0fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
ed0b19f0b25d20c2ca2d7ddd9b51fafb

SHA1
9cc4d137b50d2653782bd6e4793452ac393e0fa3

SHA256
87429a3c6557a11a1e83398d65f54e1fe12945ed3df86d67762bb0e29ad492fb

SHA512
561ec87adec4833b29bb6d8061125656a9db4c0371f66f608deb75806525d01a987b1a42c1c43f3f3d1eebc88ebc684fd6189008ee5f4d1edd7cd07fe092ed0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe
MD5
ed0b19f0b25d20c2ca2d7ddd9b51fafb

SHA1
9cc4d137b50d2653782bd6e4793452ac393e0fa3

SHA256
87429a3c6557a11a1e83398d65f54e1fe12945ed3df86d67762bb0e29ad492fb

SHA512
561ec87adec4833b29bb6d8061125656a9db4c0371f66f608deb75806525d01a987b1a42c1c43f3f3d1eebc88ebc684fd6189008ee5f4d1edd7cd07fe092ed0f

Download Submit
\??\c:\users\admin\appdata\local\temp\svchost.exe
MD5
ed0b19f0b25d20c2ca2d7ddd9b51fafb

SHA1
9cc4d137b50d2653782bd6e4793452ac393e0fa3

SHA256
87429a3c6557a11a1e83398d65f54e1fe12945ed3df86d67762bb0e29ad492fb

SHA512
561ec87adec4833b29bb6d8061125656a9db4c0371f66f608deb75806525d01a987b1a42c1c43f3f3d1eebc88ebc684fd6189008ee5f4d1edd7cd07fe092ed0f

Download Submit
\??\c:\users\admin\appdata\local\temp\svhost.exe
MD5
ed0b19f0b25d20c2ca2d7ddd9b51fafb

SHA1
9cc4d137b50d2653782bd6e4793452ac393e0fa3

SHA256
87429a3c6557a11a1e83398d65f54e1fe12945ed3df86d67762bb0e29ad492fb

SHA512
561ec87adec4833b29bb6d8061125656a9db4c0371f66f608deb75806525d01a987b1a42c1c43f3f3d1eebc88ebc684fd6189008ee5f4d1edd7cd07fe092ed0f

Download Submit
\Users\Admin\AppData\Local\Temp\Xenos64.exe
MD5
6f0dd4150efddfc20b70401479964211

SHA1
e97c802a8013b13fb91a831b779ade7c3ca6870b

SHA256
0e6d59fcdf8f143e23b076cc8380d6d23324839ae4f91793133b600e7eb76eb9

SHA512
d8e823876507cd10b8c176e502c99bb80d52742eaa7c0e319b2a5c1f605de962505bf09950418a461fde427db34a59dbb67cbb4a6045f44d243c77945aebd0fb

Download Submit
\Users\Admin\AppData\Local\Temp\Xenos64.exe
MD5
6f0dd4150efddfc20b70401479964211

SHA1
e97c802a8013b13fb91a831b779ade7c3ca6870b

SHA256
0e6d59fcdf8f143e23b076cc8380d6d23324839ae4f91793133b600e7eb76eb9

SHA512
d8e823876507cd10b8c176e502c99bb80d52742eaa7c0e319b2a5c1f605de962505bf09950418a461fde427db34a59dbb67cbb4a6045f44d243c77945aebd0fb

Download Submit
\Users\Admin\AppData\Local\Temp\svhost.exe
MD5
ed0b19f0b25d20c2ca2d7ddd9b51fafb

SHA1
9cc4d137b50d2653782bd6e4793452ac393e0fa3

SHA256
87429a3c6557a11a1e83398d65f54e1fe12945ed3df86d67762bb0e29ad492fb

SHA512
561ec87adec4833b29bb6d8061125656a9db4c0371f66f608deb75806525d01a987b1a42c1c43f3f3d1eebc88ebc684fd6189008ee5f4d1edd7cd07fe092ed0f

Download Submit
memory/552-77-0x0000000003070000-0x0000000003071000-memory.dmp

Filesize
4KB

Download
memory/552-73-0x0000000000000000-mapping.dmp

Download
memory/1604-78-0x0000000000000000-mapping.dmp

Download
memory/1708-68-0x0000000075B31000-0x0000000075B33000-memory.dmp

Filesize
8KB

Download
memory/1708-71-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/1708-66-0x0000000000000000-mapping.dmp

Download
memory/1964-64-0x000007FEFC391000-0x000007FEFC393000-memory.dmp

Filesize
8KB

Download
memory/1964-62-0x0000000000000000-mapping.dmp

Download
memory/1964-80-0x0000000003E80000-0x0000000003E81000-memory.dmp

Filesize
4KB

Download
memory/1992-59-0x00000000011C0000-0x00000000011C1000-memory.dmp

Filesize
4KB

Download
memory/1992-65-0x000000001B200000-0x000000001B202000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads