njrat | d36ae25ddcc24e88479480cc09312c2e9cd78cc124442b5e036035f6bbe70d38

General

Target

d36ae25ddcc24e88479480cc09312c2e9cd78cc124442b5e036035f6bbe70d38.exe
Size

229KB
MD5

4ea8e403e744f198c103e66e287b9731
SHA1

6ce569d8fe513df0e931a57381397f595a9062e9
SHA256

d36ae25ddcc24e88479480cc09312c2e9cd78cc124442b5e036035f6bbe70d38
SHA512

290c665545d43f1259f51df28380a684f603244e074c28e0f7773edd9f3ece1167d589b063c692a7987761e1c624783dddd51df2381f58de8071afd206b837c9

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

alonewolf-45132.portmap.host:59129

Mutex

d17de3a1ae19a122b329daf28aa6ff3b

Attributes

reg_key
d17de3a1ae19a122b329daf28aa6ff3b
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

alonewolf_nj.exealonewolf_nj.exe

pid process

2236 alonewolf_nj.exe
3416 alonewolf_nj.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
2236	alonewolf_nj.exe
3416	alonewolf_nj.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

alonewolf_nj.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\d17de3a1ae19a122b329daf28aa6ff3b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\alonewolf_nj.exe\" .."	alonewolf_nj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\d17de3a1ae19a122b329daf28aa6ff3b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\alonewolf_nj.exe\" .."	alonewolf_nj.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

d36ae25ddcc24e88479480cc09312c2e9cd78cc124442b5e036035f6bbe70d38.exealonewolf_nj.exe

description	pid	process	target process
PID 1704 set thread context of 3240	1704	d36ae25ddcc24e88479480cc09312c2e9cd78cc124442b5e036035f6bbe70d38.exe	d36ae25ddcc24e88479480cc09312c2e9cd78cc124442b5e036035f6bbe70d38.exe
PID 2236 set thread context of 3416	2236	alonewolf_nj.exe	alonewolf_nj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

alonewolf_nj.exe

description	pid	process
Token: SeDebugPrivilege	3416	alonewolf_nj.exe
Token: 33	3416	alonewolf_nj.exe
Token: SeIncBasePriorityPrivilege	3416	alonewolf_nj.exe
Token: 33	3416	alonewolf_nj.exe
Token: SeIncBasePriorityPrivilege	3416	alonewolf_nj.exe
Token: 33	3416	alonewolf_nj.exe
Token: SeIncBasePriorityPrivilege	3416	alonewolf_nj.exe
Token: 33	3416	alonewolf_nj.exe
Token: SeIncBasePriorityPrivilege	3416	alonewolf_nj.exe
Token: 33	3416	alonewolf_nj.exe
Token: SeIncBasePriorityPrivilege	3416	alonewolf_nj.exe
Token: 33	3416	alonewolf_nj.exe
Token: SeIncBasePriorityPrivilege	3416	alonewolf_nj.exe
Token: 33	3416	alonewolf_nj.exe
Token: SeIncBasePriorityPrivilege	3416	alonewolf_nj.exe
Token: 33	3416	alonewolf_nj.exe
Token: SeIncBasePriorityPrivilege	3416	alonewolf_nj.exe
Token: 33	3416	alonewolf_nj.exe
Token: SeIncBasePriorityPrivilege	3416	alonewolf_nj.exe
Token: 33	3416	alonewolf_nj.exe
Token: SeIncBasePriorityPrivilege	3416	alonewolf_nj.exe
Token: 33	3416	alonewolf_nj.exe
Token: SeIncBasePriorityPrivilege	3416	alonewolf_nj.exe
Token: 33	3416	alonewolf_nj.exe
Token: SeIncBasePriorityPrivilege	3416	alonewolf_nj.exe
Token: 33	3416	alonewolf_nj.exe
Token: SeIncBasePriorityPrivilege	3416	alonewolf_nj.exe
Token: 33	3416	alonewolf_nj.exe
Token: SeIncBasePriorityPrivilege	3416	alonewolf_nj.exe
Token: 33	3416	alonewolf_nj.exe
Token: SeIncBasePriorityPrivilege	3416	alonewolf_nj.exe
Token: 33	3416	alonewolf_nj.exe
Token: SeIncBasePriorityPrivilege	3416	alonewolf_nj.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

d36ae25ddcc24e88479480cc09312c2e9cd78cc124442b5e036035f6bbe70d38.exed36ae25ddcc24e88479480cc09312c2e9cd78cc124442b5e036035f6bbe70d38.exealonewolf_nj.exealonewolf_nj.exe

description	pid	process	target process
PID 1704 wrote to memory of 3240	1704	d36ae25ddcc24e88479480cc09312c2e9cd78cc124442b5e036035f6bbe70d38.exe	d36ae25ddcc24e88479480cc09312c2e9cd78cc124442b5e036035f6bbe70d38.exe
PID 1704 wrote to memory of 3240	1704	d36ae25ddcc24e88479480cc09312c2e9cd78cc124442b5e036035f6bbe70d38.exe	d36ae25ddcc24e88479480cc09312c2e9cd78cc124442b5e036035f6bbe70d38.exe
PID 1704 wrote to memory of 3240	1704	d36ae25ddcc24e88479480cc09312c2e9cd78cc124442b5e036035f6bbe70d38.exe	d36ae25ddcc24e88479480cc09312c2e9cd78cc124442b5e036035f6bbe70d38.exe
PID 1704 wrote to memory of 3240	1704	d36ae25ddcc24e88479480cc09312c2e9cd78cc124442b5e036035f6bbe70d38.exe	d36ae25ddcc24e88479480cc09312c2e9cd78cc124442b5e036035f6bbe70d38.exe
PID 1704 wrote to memory of 3240	1704	d36ae25ddcc24e88479480cc09312c2e9cd78cc124442b5e036035f6bbe70d38.exe	d36ae25ddcc24e88479480cc09312c2e9cd78cc124442b5e036035f6bbe70d38.exe
PID 1704 wrote to memory of 3240	1704	d36ae25ddcc24e88479480cc09312c2e9cd78cc124442b5e036035f6bbe70d38.exe	d36ae25ddcc24e88479480cc09312c2e9cd78cc124442b5e036035f6bbe70d38.exe
PID 1704 wrote to memory of 3240	1704	d36ae25ddcc24e88479480cc09312c2e9cd78cc124442b5e036035f6bbe70d38.exe	d36ae25ddcc24e88479480cc09312c2e9cd78cc124442b5e036035f6bbe70d38.exe
PID 1704 wrote to memory of 3240	1704	d36ae25ddcc24e88479480cc09312c2e9cd78cc124442b5e036035f6bbe70d38.exe	d36ae25ddcc24e88479480cc09312c2e9cd78cc124442b5e036035f6bbe70d38.exe
PID 3240 wrote to memory of 2236	3240	d36ae25ddcc24e88479480cc09312c2e9cd78cc124442b5e036035f6bbe70d38.exe	alonewolf_nj.exe
PID 3240 wrote to memory of 2236	3240	d36ae25ddcc24e88479480cc09312c2e9cd78cc124442b5e036035f6bbe70d38.exe	alonewolf_nj.exe
PID 3240 wrote to memory of 2236	3240	d36ae25ddcc24e88479480cc09312c2e9cd78cc124442b5e036035f6bbe70d38.exe	alonewolf_nj.exe
PID 2236 wrote to memory of 3416	2236	alonewolf_nj.exe	alonewolf_nj.exe
PID 2236 wrote to memory of 3416	2236	alonewolf_nj.exe	alonewolf_nj.exe
PID 2236 wrote to memory of 3416	2236	alonewolf_nj.exe	alonewolf_nj.exe
PID 2236 wrote to memory of 3416	2236	alonewolf_nj.exe	alonewolf_nj.exe
PID 2236 wrote to memory of 3416	2236	alonewolf_nj.exe	alonewolf_nj.exe
PID 2236 wrote to memory of 3416	2236	alonewolf_nj.exe	alonewolf_nj.exe
PID 2236 wrote to memory of 3416	2236	alonewolf_nj.exe	alonewolf_nj.exe
PID 2236 wrote to memory of 3416	2236	alonewolf_nj.exe	alonewolf_nj.exe
PID 3416 wrote to memory of 2044	3416	alonewolf_nj.exe	netsh.exe
PID 3416 wrote to memory of 2044	3416	alonewolf_nj.exe	netsh.exe
PID 3416 wrote to memory of 2044	3416	alonewolf_nj.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\d36ae25ddcc24e88479480cc09312c2e9cd78cc124442b5e036035f6bbe70d38.exe
"C:\Users\Admin\AppData\Local\Temp\d36ae25ddcc24e88479480cc09312c2e9cd78cc124442b5e036035f6bbe70d38.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1704

C:\Users\Admin\AppData\Local\Temp\d36ae25ddcc24e88479480cc09312c2e9cd78cc124442b5e036035f6bbe70d38.exe
"{path}"
2⤵
- Suspicious use of WriteProcessMemory
PID:3240

C:\Users\Admin\AppData\Local\Temp\alonewolf_nj.exe
"C:\Users\Admin\AppData\Local\Temp\alonewolf_nj.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2236

C:\Users\Admin\AppData\Local\Temp\alonewolf_nj.exe
"{path}"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3416

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\alonewolf_nj.exe" "alonewolf_nj.exe" ENABLE
5⤵
PID:2044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\alonewolf_nj.exe.log

MD5
091b136b8b3e7fddf10bcfecedd51277

SHA1
527fe50467a4e319cc9e7218edb53103cf7afa42

SHA256
e177f6c37a031892bd33750c51d289d9de4d75eb9535c4431f6525e4842cfa74

SHA512
603c4bcc2b8f88a19a322f509a2d2af1760a3230f8d81bb88bd0b95422c86cf5ef0100b4e5618eb5feab22e2121ad6d35366c25574d13a50a14da3d2bd270da5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\d36ae25ddcc24e88479480cc09312c2e9cd78cc124442b5e036035f6bbe70d38.exe.log

MD5
091b136b8b3e7fddf10bcfecedd51277

SHA1
527fe50467a4e319cc9e7218edb53103cf7afa42

SHA256
e177f6c37a031892bd33750c51d289d9de4d75eb9535c4431f6525e4842cfa74

SHA512
603c4bcc2b8f88a19a322f509a2d2af1760a3230f8d81bb88bd0b95422c86cf5ef0100b4e5618eb5feab22e2121ad6d35366c25574d13a50a14da3d2bd270da5

Download Submit
C:\Users\Admin\AppData\Local\Temp\alonewolf_nj.exe

MD5
4ea8e403e744f198c103e66e287b9731

SHA1
6ce569d8fe513df0e931a57381397f595a9062e9

SHA256
d36ae25ddcc24e88479480cc09312c2e9cd78cc124442b5e036035f6bbe70d38

SHA512
290c665545d43f1259f51df28380a684f603244e074c28e0f7773edd9f3ece1167d589b063c692a7987761e1c624783dddd51df2381f58de8071afd206b837c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\alonewolf_nj.exe

MD5
4ea8e403e744f198c103e66e287b9731

SHA1
6ce569d8fe513df0e931a57381397f595a9062e9

SHA256
d36ae25ddcc24e88479480cc09312c2e9cd78cc124442b5e036035f6bbe70d38

SHA512
290c665545d43f1259f51df28380a684f603244e074c28e0f7773edd9f3ece1167d589b063c692a7987761e1c624783dddd51df2381f58de8071afd206b837c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\alonewolf_nj.exe

MD5
4ea8e403e744f198c103e66e287b9731

SHA1
6ce569d8fe513df0e931a57381397f595a9062e9

SHA256
d36ae25ddcc24e88479480cc09312c2e9cd78cc124442b5e036035f6bbe70d38

SHA512
290c665545d43f1259f51df28380a684f603244e074c28e0f7773edd9f3ece1167d589b063c692a7987761e1c624783dddd51df2381f58de8071afd206b837c9

Download Submit
memory/1704-114-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/2044-128-0x0000000000000000-mapping.dmp

Download
memory/2236-119-0x0000000000000000-mapping.dmp

Download
memory/2236-126-0x00000000032B0000-0x00000000032B1000-memory.dmp

Filesize
4KB

Download
memory/3240-116-0x00000000004074AE-mapping.dmp

Download
memory/3240-118-0x0000000002AD0000-0x0000000002AD1000-memory.dmp

Filesize
4KB

Download
memory/3240-115-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3416-123-0x00000000004074AE-mapping.dmp

Download
memory/3416-127-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads