njrat | 97f16cb54032228dd889ddec3499dec6b6ba825a7a337a9937b75802a34bd2a1

Analysis

max time kernel
151s
max time network
172s
platform
windows7_x64
resource
win7v20210408
submitted
03-09-2021 09:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97f16cb54032228dd889ddec3499dec6b6ba825a7a337a9937b75802a34bd2a1.exe
Size

220KB
MD5

ea9bf7fd66e692a233b8252c9c64a879
SHA1

06f8c1cab06d866b3ed0522b380bf08e866b9f74
SHA256

97f16cb54032228dd889ddec3499dec6b6ba825a7a337a9937b75802a34bd2a1
SHA512

f4c6d42c6b5b5c429bd5fc36a452ac10a88801f6ff9971b260d9d6256dfdbe2fd40442d2b39dbd8f7a708a7202cfa49d6da1900de23d3b7a094b041da4806437

Score

10^/10

njrat hello evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

hello

configpaid.hopto.org:1177

Mutex

2918d83a8048748f66be3a548e28d02b

Attributes

reg_key
2918d83a8048748f66be3a548e28d02b
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 4 IoCs

Processes:

LocalGuLdFkXIcf.exeLocalWLOBDOjYtu..exeLocalWLOBDOjYtu..exeexplorer.exe

pid process

1940 LocalGuLdFkXIcf.exe
1088 LocalWLOBDOjYtu..exe
932 LocalWLOBDOjYtu..exe
428 explorer.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Loads dropped DLL 2 IoCs

Processes:

LocalWLOBDOjYtu..exeLocalGuLdFkXIcf.exe

pid process

1088 LocalWLOBDOjYtu..exe
1940 LocalGuLdFkXIcf.exe

pid	process
1940	LocalGuLdFkXIcf.exe
1088	LocalWLOBDOjYtu..exe
932	LocalWLOBDOjYtu..exe
428	explorer.exe

pid	process
1088	LocalWLOBDOjYtu..exe
1940	LocalGuLdFkXIcf.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

LocalWLOBDOjYtu..exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\winstart = "C:\\Users\\Admin\\AppData\\Roaming\\Windows.exe"	LocalWLOBDOjYtu..exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

LocalWLOBDOjYtu..exe

description pid process target process

PID 1088 set thread context of 932 1088 LocalWLOBDOjYtu..exe LocalWLOBDOjYtu..exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1088 set thread context of 932	1088	LocalWLOBDOjYtu..exe	LocalWLOBDOjYtu..exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

Processes:

LocalWLOBDOjYtu..exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	1088	LocalWLOBDOjYtu..exe
Token: SeDebugPrivilege	428	explorer.exe
Token: 33	428	explorer.exe
Token: SeIncBasePriorityPrivilege	428	explorer.exe
Token: 33	428	explorer.exe
Token: SeIncBasePriorityPrivilege	428	explorer.exe
Token: 33	428	explorer.exe
Token: SeIncBasePriorityPrivilege	428	explorer.exe
Token: 33	428	explorer.exe
Token: SeIncBasePriorityPrivilege	428	explorer.exe
Token: 33	428	explorer.exe
Token: SeIncBasePriorityPrivilege	428	explorer.exe
Token: 33	428	explorer.exe
Token: SeIncBasePriorityPrivilege	428	explorer.exe
Token: 33	428	explorer.exe
Token: SeIncBasePriorityPrivilege	428	explorer.exe
Token: 33	428	explorer.exe
Token: SeIncBasePriorityPrivilege	428	explorer.exe
Token: 33	428	explorer.exe
Token: SeIncBasePriorityPrivilege	428	explorer.exe
Token: 33	428	explorer.exe
Token: SeIncBasePriorityPrivilege	428	explorer.exe
Token: 33	428	explorer.exe
Token: SeIncBasePriorityPrivilege	428	explorer.exe
Token: 33	428	explorer.exe
Token: SeIncBasePriorityPrivilege	428	explorer.exe
Token: 33	428	explorer.exe
Token: SeIncBasePriorityPrivilege	428	explorer.exe
Token: 33	428	explorer.exe
Token: SeIncBasePriorityPrivilege	428	explorer.exe
Token: 33	428	explorer.exe
Token: SeIncBasePriorityPrivilege	428	explorer.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

97f16cb54032228dd889ddec3499dec6b6ba825a7a337a9937b75802a34bd2a1.exeLocalWLOBDOjYtu..exeLocalGuLdFkXIcf.exeexplorer.exe

description	pid	process	target process
PID 1028 wrote to memory of 1940	1028	97f16cb54032228dd889ddec3499dec6b6ba825a7a337a9937b75802a34bd2a1.exe	LocalGuLdFkXIcf.exe
PID 1028 wrote to memory of 1940	1028	97f16cb54032228dd889ddec3499dec6b6ba825a7a337a9937b75802a34bd2a1.exe	LocalGuLdFkXIcf.exe
PID 1028 wrote to memory of 1940	1028	97f16cb54032228dd889ddec3499dec6b6ba825a7a337a9937b75802a34bd2a1.exe	LocalGuLdFkXIcf.exe
PID 1028 wrote to memory of 1940	1028	97f16cb54032228dd889ddec3499dec6b6ba825a7a337a9937b75802a34bd2a1.exe	LocalGuLdFkXIcf.exe
PID 1028 wrote to memory of 1088	1028	97f16cb54032228dd889ddec3499dec6b6ba825a7a337a9937b75802a34bd2a1.exe	LocalWLOBDOjYtu..exe
PID 1028 wrote to memory of 1088	1028	97f16cb54032228dd889ddec3499dec6b6ba825a7a337a9937b75802a34bd2a1.exe	LocalWLOBDOjYtu..exe
PID 1028 wrote to memory of 1088	1028	97f16cb54032228dd889ddec3499dec6b6ba825a7a337a9937b75802a34bd2a1.exe	LocalWLOBDOjYtu..exe
PID 1028 wrote to memory of 1088	1028	97f16cb54032228dd889ddec3499dec6b6ba825a7a337a9937b75802a34bd2a1.exe	LocalWLOBDOjYtu..exe
PID 1088 wrote to memory of 932	1088	LocalWLOBDOjYtu..exe	LocalWLOBDOjYtu..exe
PID 1088 wrote to memory of 932	1088	LocalWLOBDOjYtu..exe	LocalWLOBDOjYtu..exe
PID 1088 wrote to memory of 932	1088	LocalWLOBDOjYtu..exe	LocalWLOBDOjYtu..exe
PID 1088 wrote to memory of 932	1088	LocalWLOBDOjYtu..exe	LocalWLOBDOjYtu..exe
PID 1088 wrote to memory of 932	1088	LocalWLOBDOjYtu..exe	LocalWLOBDOjYtu..exe
PID 1088 wrote to memory of 932	1088	LocalWLOBDOjYtu..exe	LocalWLOBDOjYtu..exe
PID 1088 wrote to memory of 932	1088	LocalWLOBDOjYtu..exe	LocalWLOBDOjYtu..exe
PID 1088 wrote to memory of 932	1088	LocalWLOBDOjYtu..exe	LocalWLOBDOjYtu..exe
PID 1088 wrote to memory of 932	1088	LocalWLOBDOjYtu..exe	LocalWLOBDOjYtu..exe
PID 1940 wrote to memory of 428	1940	LocalGuLdFkXIcf.exe	explorer.exe
PID 1940 wrote to memory of 428	1940	LocalGuLdFkXIcf.exe	explorer.exe
PID 1940 wrote to memory of 428	1940	LocalGuLdFkXIcf.exe	explorer.exe
PID 1940 wrote to memory of 428	1940	LocalGuLdFkXIcf.exe	explorer.exe
PID 428 wrote to memory of 2020	428	explorer.exe	netsh.exe
PID 428 wrote to memory of 2020	428	explorer.exe	netsh.exe
PID 428 wrote to memory of 2020	428	explorer.exe	netsh.exe
PID 428 wrote to memory of 2020	428	explorer.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\97f16cb54032228dd889ddec3499dec6b6ba825a7a337a9937b75802a34bd2a1.exe
"C:\Users\Admin\AppData\Local\Temp\97f16cb54032228dd889ddec3499dec6b6ba825a7a337a9937b75802a34bd2a1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1028

C:\Users\Admin\AppData\LocalGuLdFkXIcf.exe
"C:\Users\Admin\AppData\LocalGuLdFkXIcf.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1940

C:\Users\Admin\AppData\Roaming\explorer.exe
"C:\Users\Admin\AppData\Roaming\explorer.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:428

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\explorer.exe" "explorer.exe" ENABLE
4⤵
PID:2020

C:\Users\Admin\AppData\LocalWLOBDOjYtu..exe
"C:\Users\Admin\AppData\LocalWLOBDOjYtu..exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1088

C:\Users\Admin\AppData\LocalWLOBDOjYtu..exe
"C:\Users\Admin\AppData\LocalWLOBDOjYtu..exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:932

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalGuLdFkXIcf.exe
MD5
cb4515bb6c4b95396f86de24987cb83a

SHA1
b9174c1718bb7fb3ace3eb0a5a349058d1ee968c

SHA256
ff335976b1f70abe0b802fbbc3076cb6627d63ea20275358702faa7015812d86

SHA512
a76b9ae1da077af8e48e9fe1030c2d45a2f623c57ac54bb7ad096528721ae5e9f7ad3be0073e9e302c43cb0c7a83617d09c907083e0943c9ce3eb9590565e037

Download Submit
C:\Users\Admin\AppData\LocalGuLdFkXIcf.exe
MD5
cb4515bb6c4b95396f86de24987cb83a

SHA1
b9174c1718bb7fb3ace3eb0a5a349058d1ee968c

SHA256
ff335976b1f70abe0b802fbbc3076cb6627d63ea20275358702faa7015812d86

SHA512
a76b9ae1da077af8e48e9fe1030c2d45a2f623c57ac54bb7ad096528721ae5e9f7ad3be0073e9e302c43cb0c7a83617d09c907083e0943c9ce3eb9590565e037

Download Submit
C:\Users\Admin\AppData\LocalWLOBDOjYtu..exe
MD5
3ade012c1cc1514ef18bb522c126a9ce

SHA1
a44265035790b3229a50a3045ef85302f30a66e7

SHA256
55149a9b02884fe1814cb36d0b1aeba7f1a844f06510992bb0003001329af430

SHA512
7248ec38ecc58327a8f1f17675d9d41a1359bc5717e0add28a27aa866eabffaba6cffa84f0a2e5498177552f8f0455d58acc181c6143f1bc89d8b3a58aa7d5ab

Download Submit
C:\Users\Admin\AppData\LocalWLOBDOjYtu..exe
MD5
3ade012c1cc1514ef18bb522c126a9ce

SHA1
a44265035790b3229a50a3045ef85302f30a66e7

SHA256
55149a9b02884fe1814cb36d0b1aeba7f1a844f06510992bb0003001329af430

SHA512
7248ec38ecc58327a8f1f17675d9d41a1359bc5717e0add28a27aa866eabffaba6cffa84f0a2e5498177552f8f0455d58acc181c6143f1bc89d8b3a58aa7d5ab

Download Submit
C:\Users\Admin\AppData\LocalWLOBDOjYtu..exe
MD5
3ade012c1cc1514ef18bb522c126a9ce

SHA1
a44265035790b3229a50a3045ef85302f30a66e7

SHA256
55149a9b02884fe1814cb36d0b1aeba7f1a844f06510992bb0003001329af430

SHA512
7248ec38ecc58327a8f1f17675d9d41a1359bc5717e0add28a27aa866eabffaba6cffa84f0a2e5498177552f8f0455d58acc181c6143f1bc89d8b3a58aa7d5ab

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe
MD5
cb4515bb6c4b95396f86de24987cb83a

SHA1
b9174c1718bb7fb3ace3eb0a5a349058d1ee968c

SHA256
ff335976b1f70abe0b802fbbc3076cb6627d63ea20275358702faa7015812d86

SHA512
a76b9ae1da077af8e48e9fe1030c2d45a2f623c57ac54bb7ad096528721ae5e9f7ad3be0073e9e302c43cb0c7a83617d09c907083e0943c9ce3eb9590565e037

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe
MD5
cb4515bb6c4b95396f86de24987cb83a

SHA1
b9174c1718bb7fb3ace3eb0a5a349058d1ee968c

SHA256
ff335976b1f70abe0b802fbbc3076cb6627d63ea20275358702faa7015812d86

SHA512
a76b9ae1da077af8e48e9fe1030c2d45a2f623c57ac54bb7ad096528721ae5e9f7ad3be0073e9e302c43cb0c7a83617d09c907083e0943c9ce3eb9590565e037

Download Submit
\Users\Admin\AppData\LocalWLOBDOjYtu..exe
MD5
3ade012c1cc1514ef18bb522c126a9ce

SHA1
a44265035790b3229a50a3045ef85302f30a66e7

SHA256
55149a9b02884fe1814cb36d0b1aeba7f1a844f06510992bb0003001329af430

SHA512
7248ec38ecc58327a8f1f17675d9d41a1359bc5717e0add28a27aa866eabffaba6cffa84f0a2e5498177552f8f0455d58acc181c6143f1bc89d8b3a58aa7d5ab

Download Submit
\Users\Admin\AppData\Roaming\explorer.exe
MD5
cb4515bb6c4b95396f86de24987cb83a

SHA1
b9174c1718bb7fb3ace3eb0a5a349058d1ee968c

SHA256
ff335976b1f70abe0b802fbbc3076cb6627d63ea20275358702faa7015812d86

SHA512
a76b9ae1da077af8e48e9fe1030c2d45a2f623c57ac54bb7ad096528721ae5e9f7ad3be0073e9e302c43cb0c7a83617d09c907083e0943c9ce3eb9590565e037

Download Submit
memory/428-78-0x0000000000000000-mapping.dmp

Download
memory/428-82-0x0000000002000000-0x0000000002001000-memory.dmp

Filesize
4KB

Download
memory/932-70-0x000000000040419E-mapping.dmp

Download
memory/932-76-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/932-69-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1028-72-0x00000000009B0000-0x00000000009B2000-memory.dmp

Filesize
8KB

Download
memory/1088-74-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/1088-64-0x0000000000000000-mapping.dmp

Download
memory/1940-73-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/1940-60-0x0000000000000000-mapping.dmp

Download
memory/1940-63-0x00000000750C1000-0x00000000750C3000-memory.dmp

Filesize
8KB

Download
memory/2020-83-0x0000000000000000-mapping.dmp

Download