njrat | 7a5ea108c883639b28770a677217474e15e8e26a141b13cefd59100f72c3a598

General

Target

6CF07AB2FF64200E8CD38602D14BC566.exe
Size

1.2MB
MD5

6cf07ab2ff64200e8cd38602d14bc566
SHA1

74edddc5fa816ecd47bb0a90b4ed605e1b8e8e6b
SHA256

7a5ea108c883639b28770a677217474e15e8e26a141b13cefd59100f72c3a598
SHA512

a47d91fb8c9f3edeb18897989f93ff8e5a2f90a4fa19f512983512238597988e5b490ebd1595dcd0aaf294c222a51d3c10da5ea013bccb0948e538ee00b8bbe1

Score

10^/10

njrat hacked evasion suricata trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

4.tcp.ngrok.io:14914

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
Executes dropped EXE 1 IoCs

Processes:

Tempwinlogon.exe

pid process

1508 Tempwinlogon.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Loads dropped DLL 2 IoCs

Processes:

cscript.exe

pid process

1216 cscript.exe
1216 cscript.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

6CF07AB2FF64200E8CD38602D14BC566.exe

pid process

2000 6CF07AB2FF64200E8CD38602D14BC566.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1508	Tempwinlogon.exe

pid	process
1216	cscript.exe
1216	cscript.exe

pid	process
2000	6CF07AB2FF64200E8CD38602D14BC566.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

Tempwinlogon.exe

description	pid	process
Token: SeDebugPrivilege	1508	Tempwinlogon.exe
Token: 33	1508	Tempwinlogon.exe
Token: SeIncBasePriorityPrivilege	1508	Tempwinlogon.exe
Token: 33	1508	Tempwinlogon.exe
Token: SeIncBasePriorityPrivilege	1508	Tempwinlogon.exe
Token: 33	1508	Tempwinlogon.exe
Token: SeIncBasePriorityPrivilege	1508	Tempwinlogon.exe
Token: 33	1508	Tempwinlogon.exe
Token: SeIncBasePriorityPrivilege	1508	Tempwinlogon.exe
Token: 33	1508	Tempwinlogon.exe
Token: SeIncBasePriorityPrivilege	1508	Tempwinlogon.exe
Token: 33	1508	Tempwinlogon.exe
Token: SeIncBasePriorityPrivilege	1508	Tempwinlogon.exe
Token: 33	1508	Tempwinlogon.exe
Token: SeIncBasePriorityPrivilege	1508	Tempwinlogon.exe
Token: 33	1508	Tempwinlogon.exe
Token: SeIncBasePriorityPrivilege	1508	Tempwinlogon.exe
Token: 33	1508	Tempwinlogon.exe
Token: SeIncBasePriorityPrivilege	1508	Tempwinlogon.exe
Token: 33	1508	Tempwinlogon.exe
Token: SeIncBasePriorityPrivilege	1508	Tempwinlogon.exe
Token: 33	1508	Tempwinlogon.exe
Token: SeIncBasePriorityPrivilege	1508	Tempwinlogon.exe
Token: 33	1508	Tempwinlogon.exe
Token: SeIncBasePriorityPrivilege	1508	Tempwinlogon.exe
Token: 33	1508	Tempwinlogon.exe
Token: SeIncBasePriorityPrivilege	1508	Tempwinlogon.exe
Token: 33	1508	Tempwinlogon.exe
Token: SeIncBasePriorityPrivilege	1508	Tempwinlogon.exe
Token: 33	1508	Tempwinlogon.exe
Token: SeIncBasePriorityPrivilege	1508	Tempwinlogon.exe
Token: 33	1508	Tempwinlogon.exe
Token: SeIncBasePriorityPrivilege	1508	Tempwinlogon.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

6CF07AB2FF64200E8CD38602D14BC566.exe

pid process

2000 6CF07AB2FF64200E8CD38602D14BC566.exe

pid	process
2000	6CF07AB2FF64200E8CD38602D14BC566.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

6CF07AB2FF64200E8CD38602D14BC566.execscript.exeTempwinlogon.exe

description	pid	process	target process
PID 2000 wrote to memory of 1216	2000	6CF07AB2FF64200E8CD38602D14BC566.exe	cscript.exe
PID 2000 wrote to memory of 1216	2000	6CF07AB2FF64200E8CD38602D14BC566.exe	cscript.exe
PID 2000 wrote to memory of 1216	2000	6CF07AB2FF64200E8CD38602D14BC566.exe	cscript.exe
PID 2000 wrote to memory of 1216	2000	6CF07AB2FF64200E8CD38602D14BC566.exe	cscript.exe
PID 1216 wrote to memory of 1508	1216	cscript.exe	Tempwinlogon.exe
PID 1216 wrote to memory of 1508	1216	cscript.exe	Tempwinlogon.exe
PID 1216 wrote to memory of 1508	1216	cscript.exe	Tempwinlogon.exe
PID 1216 wrote to memory of 1508	1216	cscript.exe	Tempwinlogon.exe
PID 1508 wrote to memory of 1016	1508	Tempwinlogon.exe	netsh.exe
PID 1508 wrote to memory of 1016	1508	Tempwinlogon.exe	netsh.exe
PID 1508 wrote to memory of 1016	1508	Tempwinlogon.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\6CF07AB2FF64200E8CD38602D14BC566.exe
"C:\Users\Admin\AppData\Local\Temp\6CF07AB2FF64200E8CD38602D14BC566.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\SysWOW64\cscript.exe
"cscript" C:\Users\Admin\AppData\Local\Temp\5EE2.tmp\aaa11.vbs
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1216

C:\Users\Admin\AppData\Local\Tempwinlogon.exe
"C:\Users\Admin\AppData\Local\Tempwinlogon.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\system32\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Tempwinlogon.exe" "Tempwinlogon.exe" ENABLE
4⤵
PID:1016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5EE2.tmp\aaa11.vbs
MD5
89a247e6bf33711ef8ac5c694b3c7f77

SHA1
659da18a6a291f0a3f3b9f0d8321cc9f13c9862a

SHA256
3b0a43587507dce1d5a779521077fd0827f81a0d3b313f67f64c79f1b9687b5d

SHA512
699f4f3b8db597c92c9ee69ca7bd23e02f0470a76e9e78f27b65a8f5f2bedbd02b9b923afa557fd88dd0f196fb9b3e8bb86a4f6aa64ac1d51b60d98632840371

Download Submit
C:\Users\Admin\AppData\Local\Tempwinlogon.exe
MD5
28da331bcc74c6bf3fef61a4b0082b5f

SHA1
648c5e8c4299ad0be01af2941dbc3ccf93534a08

SHA256
6188d251eae945f41be9d0976abb2175acb706933f7a18d3b9bb97f1b6f55124

SHA512
4783fb4204118dc8245d4c4bdc18c5970d477c0766ccb003f1dd124142125774203536dc960f0d5fd4d18b94e966a35ec20fd2a76a1371e8ed4a097aa0899a0b

Download Submit
C:\Users\Admin\AppData\Local\Tempwinlogon.exe
MD5
28da331bcc74c6bf3fef61a4b0082b5f

SHA1
648c5e8c4299ad0be01af2941dbc3ccf93534a08

SHA256
6188d251eae945f41be9d0976abb2175acb706933f7a18d3b9bb97f1b6f55124

SHA512
4783fb4204118dc8245d4c4bdc18c5970d477c0766ccb003f1dd124142125774203536dc960f0d5fd4d18b94e966a35ec20fd2a76a1371e8ed4a097aa0899a0b

Download Submit
\Users\Admin\AppData\Local\Tempwinlogon.exe
MD5
28da331bcc74c6bf3fef61a4b0082b5f

SHA1
648c5e8c4299ad0be01af2941dbc3ccf93534a08

SHA256
6188d251eae945f41be9d0976abb2175acb706933f7a18d3b9bb97f1b6f55124

SHA512
4783fb4204118dc8245d4c4bdc18c5970d477c0766ccb003f1dd124142125774203536dc960f0d5fd4d18b94e966a35ec20fd2a76a1371e8ed4a097aa0899a0b

Download Submit
\Users\Admin\AppData\Local\Tempwinlogon.exe
MD5
28da331bcc74c6bf3fef61a4b0082b5f

SHA1
648c5e8c4299ad0be01af2941dbc3ccf93534a08

SHA256
6188d251eae945f41be9d0976abb2175acb706933f7a18d3b9bb97f1b6f55124

SHA512
4783fb4204118dc8245d4c4bdc18c5970d477c0766ccb003f1dd124142125774203536dc960f0d5fd4d18b94e966a35ec20fd2a76a1371e8ed4a097aa0899a0b

Download Submit
memory/1016-70-0x0000000000000000-mapping.dmp

Download
memory/1016-71-0x000007FEFC251000-0x000007FEFC253000-memory.dmp

Filesize
8KB

Download
memory/1216-60-0x0000000000000000-mapping.dmp

Download
memory/1508-65-0x0000000000000000-mapping.dmp

Download
memory/1508-69-0x0000000001F80000-0x0000000001F82000-memory.dmp

Filesize
8KB

Download
memory/1508-68-0x000007FEF2D70000-0x000007FEF3E06000-memory.dmp

Filesize
16.6MB

Download
memory/2000-59-0x0000000075D11000-0x0000000075D13000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing