njrat | 99f2ebec7674cee93ee71093bac9a16773a49a185939ea5923ae1f8f3250a9d9

General

Target

906D7922A3F3A0CC91BBD911996C92F2.exe
Size

296KB
MD5

906d7922a3f3a0cc91bbd911996c92f2
SHA1

17039ace019e1b1e403bd94a3d628abdb79d6d15
SHA256

99f2ebec7674cee93ee71093bac9a16773a49a185939ea5923ae1f8f3250a9d9
SHA512

d6424bd66b4223419c70bd0e70a8615e2a2fb26f798fa93e9a7aa9f9610f0382ac6fa22238375d722c93d4dbc712db7b3789a7fd773987a1e77d73f7bd0ceb53

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

doza122.con-ip.com:5552

Mutex

68a4a42151e9c45f922a140954d9441d

Attributes

reg_key
68a4a42151e9c45f922a140954d9441d
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

win..exe

pid process

4084 win..exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
4084	win..exe

Drops startup file 2 IoCs

Processes:

win..exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\68a4a42151e9c45f922a140954d9441d.exe	win..exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\68a4a42151e9c45f922a140954d9441d.exe	win..exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

win..exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\68a4a42151e9c45f922a140954d9441d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\win..exe\" .."	win..exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\68a4a42151e9c45f922a140954d9441d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\win..exe\" .."	win..exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

win..exe

description	pid	process
Token: SeDebugPrivilege	4084	win..exe
Token: 33	4084	win..exe
Token: SeIncBasePriorityPrivilege	4084	win..exe
Token: 33	4084	win..exe
Token: SeIncBasePriorityPrivilege	4084	win..exe
Token: 33	4084	win..exe
Token: SeIncBasePriorityPrivilege	4084	win..exe
Token: 33	4084	win..exe
Token: SeIncBasePriorityPrivilege	4084	win..exe
Token: 33	4084	win..exe
Token: SeIncBasePriorityPrivilege	4084	win..exe
Token: 33	4084	win..exe
Token: SeIncBasePriorityPrivilege	4084	win..exe
Token: 33	4084	win..exe
Token: SeIncBasePriorityPrivilege	4084	win..exe
Token: 33	4084	win..exe
Token: SeIncBasePriorityPrivilege	4084	win..exe
Token: 33	4084	win..exe
Token: SeIncBasePriorityPrivilege	4084	win..exe
Token: 33	4084	win..exe
Token: SeIncBasePriorityPrivilege	4084	win..exe
Token: 33	4084	win..exe
Token: SeIncBasePriorityPrivilege	4084	win..exe
Token: 33	4084	win..exe
Token: SeIncBasePriorityPrivilege	4084	win..exe
Token: 33	4084	win..exe
Token: SeIncBasePriorityPrivilege	4084	win..exe
Token: 33	4084	win..exe
Token: SeIncBasePriorityPrivilege	4084	win..exe
Token: 33	4084	win..exe
Token: SeIncBasePriorityPrivilege	4084	win..exe
Token: 33	4084	win..exe
Token: SeIncBasePriorityPrivilege	4084	win..exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

906D7922A3F3A0CC91BBD911996C92F2.exewin..exe

description	pid	process	target process
PID 604 wrote to memory of 4084	604	906D7922A3F3A0CC91BBD911996C92F2.exe	win..exe
PID 604 wrote to memory of 4084	604	906D7922A3F3A0CC91BBD911996C92F2.exe	win..exe
PID 4084 wrote to memory of 200	4084	win..exe	netsh.exe
PID 4084 wrote to memory of 200	4084	win..exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\906D7922A3F3A0CC91BBD911996C92F2.exe
"C:\Users\Admin\AppData\Local\Temp\906D7922A3F3A0CC91BBD911996C92F2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:604
- C:\Users\Admin\AppData\Local\Temp\win..exe
  "C:\Users\Admin\AppData\Local\Temp\win..exe"
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4084
- - C:\Windows\SYSTEM32\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\win..exe" "win..exe" ENABLE
    3⤵
    PID:200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\win..exe

MD5
906d7922a3f3a0cc91bbd911996c92f2

SHA1
17039ace019e1b1e403bd94a3d628abdb79d6d15

SHA256
99f2ebec7674cee93ee71093bac9a16773a49a185939ea5923ae1f8f3250a9d9

SHA512
d6424bd66b4223419c70bd0e70a8615e2a2fb26f798fa93e9a7aa9f9610f0382ac6fa22238375d722c93d4dbc712db7b3789a7fd773987a1e77d73f7bd0ceb53

Download Submit
C:\Users\Admin\AppData\Local\Temp\win..exe

MD5
906d7922a3f3a0cc91bbd911996c92f2

SHA1
17039ace019e1b1e403bd94a3d628abdb79d6d15

SHA256
99f2ebec7674cee93ee71093bac9a16773a49a185939ea5923ae1f8f3250a9d9

SHA512
d6424bd66b4223419c70bd0e70a8615e2a2fb26f798fa93e9a7aa9f9610f0382ac6fa22238375d722c93d4dbc712db7b3789a7fd773987a1e77d73f7bd0ceb53

Download Submit
memory/200-123-0x0000000000000000-mapping.dmp

Download
memory/604-114-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/604-116-0x0000000002FE0000-0x0000000002FE6000-memory.dmp

Filesize
24KB

Download
memory/4084-117-0x0000000000000000-mapping.dmp

Download
memory/4084-124-0x000000001B040000-0x000000001B042000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads