njrat | b1c0e35f47273a236518f43ee56c0367d8b423ca9ed8f9e7ad4a875caa47bb69

General

Target

753C707E47BCE65D32BE781EA1584E0B.exe
Size

84KB
MD5

753c707e47bce65d32be781ea1584e0b
SHA1

7b43f6a910b01553dfae51560570365e3ce9ed42
SHA256

b1c0e35f47273a236518f43ee56c0367d8b423ca9ed8f9e7ad4a875caa47bb69
SHA512

8afc2ebbc80e17e42317202e9479e0c223456cf9f0b22ccdf9fe486eff19ebf9a33a2e00c01aa81168d4ad9950c34c8d78dc2f5821702fe61874221088d3cdda

Score

10^/10

njrat nyan cat persistence suricata trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

NYAN CAT

C2

narotomagic.publicvm.com:6663

Mutex

a728eeadc9774101a351e2a5b3fe9598

Attributes

reg_key
a728eeadc9774101a351e2a5b3fe9598
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
Executes dropped EXE 2 IoCs

Processes:

primt.exeprimt.exe

pid process

4116 primt.exe
2452 primt.exe

pid	process
4116	primt.exe
2452	primt.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

753C707E47BCE65D32BE781EA1584E0B.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\primt.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\primt.exe\""	753C707E47BCE65D32BE781EA1584E0B.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

753C707E47BCE65D32BE781EA1584E0B.exeprimt.exe

description	pid	process	target process
PID 4444 set thread context of 4916	4444	753C707E47BCE65D32BE781EA1584E0B.exe	753C707E47BCE65D32BE781EA1584E0B.exe
PID 4116 set thread context of 2452	4116	primt.exe	primt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

753C707E47BCE65D32BE781EA1584E0B.exeprimt.exeprimt.exe

description	pid	process
Token: SeDebugPrivilege	4444	753C707E47BCE65D32BE781EA1584E0B.exe
Token: SeDebugPrivilege	4116	primt.exe
Token: SeDebugPrivilege	2452	primt.exe
Token: 33	2452	primt.exe
Token: SeIncBasePriorityPrivilege	2452	primt.exe
Token: 33	2452	primt.exe
Token: SeIncBasePriorityPrivilege	2452	primt.exe
Token: 33	2452	primt.exe
Token: SeIncBasePriorityPrivilege	2452	primt.exe
Token: 33	2452	primt.exe
Token: SeIncBasePriorityPrivilege	2452	primt.exe
Token: 33	2452	primt.exe
Token: SeIncBasePriorityPrivilege	2452	primt.exe
Token: 33	2452	primt.exe
Token: SeIncBasePriorityPrivilege	2452	primt.exe
Token: 33	2452	primt.exe
Token: SeIncBasePriorityPrivilege	2452	primt.exe
Token: 33	2452	primt.exe
Token: SeIncBasePriorityPrivilege	2452	primt.exe
Token: 33	2452	primt.exe
Token: SeIncBasePriorityPrivilege	2452	primt.exe
Token: 33	2452	primt.exe
Token: SeIncBasePriorityPrivilege	2452	primt.exe
Token: 33	2452	primt.exe
Token: SeIncBasePriorityPrivilege	2452	primt.exe
Token: 33	2452	primt.exe
Token: SeIncBasePriorityPrivilege	2452	primt.exe
Token: 33	2452	primt.exe
Token: SeIncBasePriorityPrivilege	2452	primt.exe
Token: 33	2452	primt.exe
Token: SeIncBasePriorityPrivilege	2452	primt.exe
Token: 33	2452	primt.exe
Token: SeIncBasePriorityPrivilege	2452	primt.exe
Token: 33	2452	primt.exe
Token: SeIncBasePriorityPrivilege	2452	primt.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

753C707E47BCE65D32BE781EA1584E0B.exe753C707E47BCE65D32BE781EA1584E0B.exeprimt.exe

description	pid	process	target process
PID 4444 wrote to memory of 4916	4444	753C707E47BCE65D32BE781EA1584E0B.exe	753C707E47BCE65D32BE781EA1584E0B.exe
PID 4444 wrote to memory of 4916	4444	753C707E47BCE65D32BE781EA1584E0B.exe	753C707E47BCE65D32BE781EA1584E0B.exe
PID 4444 wrote to memory of 4916	4444	753C707E47BCE65D32BE781EA1584E0B.exe	753C707E47BCE65D32BE781EA1584E0B.exe
PID 4444 wrote to memory of 4916	4444	753C707E47BCE65D32BE781EA1584E0B.exe	753C707E47BCE65D32BE781EA1584E0B.exe
PID 4444 wrote to memory of 4916	4444	753C707E47BCE65D32BE781EA1584E0B.exe	753C707E47BCE65D32BE781EA1584E0B.exe
PID 4444 wrote to memory of 4916	4444	753C707E47BCE65D32BE781EA1584E0B.exe	753C707E47BCE65D32BE781EA1584E0B.exe
PID 4444 wrote to memory of 4916	4444	753C707E47BCE65D32BE781EA1584E0B.exe	753C707E47BCE65D32BE781EA1584E0B.exe
PID 4444 wrote to memory of 4916	4444	753C707E47BCE65D32BE781EA1584E0B.exe	753C707E47BCE65D32BE781EA1584E0B.exe
PID 4916 wrote to memory of 4116	4916	753C707E47BCE65D32BE781EA1584E0B.exe	primt.exe
PID 4916 wrote to memory of 4116	4916	753C707E47BCE65D32BE781EA1584E0B.exe	primt.exe
PID 4916 wrote to memory of 4116	4916	753C707E47BCE65D32BE781EA1584E0B.exe	primt.exe
PID 4116 wrote to memory of 2452	4116	primt.exe	primt.exe
PID 4116 wrote to memory of 2452	4116	primt.exe	primt.exe
PID 4116 wrote to memory of 2452	4116	primt.exe	primt.exe
PID 4116 wrote to memory of 2452	4116	primt.exe	primt.exe
PID 4116 wrote to memory of 2452	4116	primt.exe	primt.exe
PID 4116 wrote to memory of 2452	4116	primt.exe	primt.exe
PID 4116 wrote to memory of 2452	4116	primt.exe	primt.exe
PID 4116 wrote to memory of 2452	4116	primt.exe	primt.exe

C:\Users\Admin\AppData\Local\Temp\753C707E47BCE65D32BE781EA1584E0B.exe
"C:\Users\Admin\AppData\Local\Temp\753C707E47BCE65D32BE781EA1584E0B.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4444

C:\Users\Admin\AppData\Local\Temp\753C707E47BCE65D32BE781EA1584E0B.exe
C:\Users\Admin\AppData\Local\Temp\753C707E47BCE65D32BE781EA1584E0B.exe
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4916

C:\Users\Admin\AppData\Roaming\primt.exe
"C:\Users\Admin\AppData\Roaming\primt.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4116

C:\Users\Admin\AppData\Roaming\primt.exe
C:\Users\Admin\AppData\Roaming\primt.exe
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2452

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\753C707E47BCE65D32BE781EA1584E0B.exe.log
MD5
0fd7fe88736c9a4c8ec918b1552b85ac

SHA1
9882bb999e92b1330bb88f202eb7367161fe4a51

SHA256
d15c16c1ac146263045f35409849797dce4e74095ac9057f51fe530472af13df

SHA512
0ff9ef334e4cc9fd6f1e1fdb5aa3b0a8aa13d5f674b48a74fc9ca15c8e25e1c63fd81e1c1fbed03350c4de3bd93b662cd69fd71b21b7be50a45ca1b536f8cb10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\primt.exe.log
MD5
0fd7fe88736c9a4c8ec918b1552b85ac

SHA1
9882bb999e92b1330bb88f202eb7367161fe4a51

SHA256
d15c16c1ac146263045f35409849797dce4e74095ac9057f51fe530472af13df

SHA512
0ff9ef334e4cc9fd6f1e1fdb5aa3b0a8aa13d5f674b48a74fc9ca15c8e25e1c63fd81e1c1fbed03350c4de3bd93b662cd69fd71b21b7be50a45ca1b536f8cb10

Download Submit
C:\Users\Admin\AppData\Roaming\primt.exe
MD5
d36a3343acdd586c9132ba5d68c726db

SHA1
edb8cd2ce6a195259f926f9914684732a5e829e8

SHA256
219806fff5fca566c72164796ab16584050a73cc80b7fa11506f9217f17e14b4

SHA512
4b9fed897ac584d0fe9f1f55e2fb84d6009130081b7d6de59a847895d3443a909b8e7dfb121996e366d5a94b66d5f7ab9b7cc58f48f6bd21d9c856df4cd1b684

Download Submit
C:\Users\Admin\AppData\Roaming\primt.exe
MD5
d36a3343acdd586c9132ba5d68c726db

SHA1
edb8cd2ce6a195259f926f9914684732a5e829e8

SHA256
219806fff5fca566c72164796ab16584050a73cc80b7fa11506f9217f17e14b4

SHA512
4b9fed897ac584d0fe9f1f55e2fb84d6009130081b7d6de59a847895d3443a909b8e7dfb121996e366d5a94b66d5f7ab9b7cc58f48f6bd21d9c856df4cd1b684

Download Submit
C:\Users\Admin\AppData\Roaming\primt.exe
MD5
d36a3343acdd586c9132ba5d68c726db

SHA1
edb8cd2ce6a195259f926f9914684732a5e829e8

SHA256
219806fff5fca566c72164796ab16584050a73cc80b7fa11506f9217f17e14b4

SHA512
4b9fed897ac584d0fe9f1f55e2fb84d6009130081b7d6de59a847895d3443a909b8e7dfb121996e366d5a94b66d5f7ab9b7cc58f48f6bd21d9c856df4cd1b684

Download Submit
memory/2452-123-0x00000000004070CE-mapping.dmp

Download
memory/2452-127-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/4116-118-0x0000000000000000-mapping.dmp

Download
memory/4116-126-0x0000000002F60000-0x0000000002F61000-memory.dmp

Filesize
4KB

Download
memory/4444-116-0x0000000002F20000-0x0000000002F21000-memory.dmp

Filesize
4KB

Download
memory/4916-117-0x0000000002EF0000-0x0000000002EF1000-memory.dmp

Filesize
4KB

Download
memory/4916-114-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4916-115-0x00000000004070CE-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads