njrat | 7a5ea108c883639b28770a677217474e15e8e26a141b13cefd59100f72c3a598

General

Target

6CF07AB2FF64200E8CD38602D14BC566.exe
Size

1.2MB
MD5

6cf07ab2ff64200e8cd38602d14bc566
SHA1

74edddc5fa816ecd47bb0a90b4ed605e1b8e8e6b
SHA256

7a5ea108c883639b28770a677217474e15e8e26a141b13cefd59100f72c3a598
SHA512

a47d91fb8c9f3edeb18897989f93ff8e5a2f90a4fa19f512983512238597988e5b490ebd1595dcd0aaf294c222a51d3c10da5ea013bccb0948e538ee00b8bbe1

Score

10^/10

njrat hacked evasion suricata trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

4.tcp.ngrok.io:14914

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
Executes dropped EXE 1 IoCs

Processes:

Tempwinlogon.exe

pid process

3000 Tempwinlogon.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

6CF07AB2FF64200E8CD38602D14BC566.exe

pid process

996 6CF07AB2FF64200E8CD38602D14BC566.exe
996 6CF07AB2FF64200E8CD38602D14BC566.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3000	Tempwinlogon.exe

pid	process
996	6CF07AB2FF64200E8CD38602D14BC566.exe
996	6CF07AB2FF64200E8CD38602D14BC566.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

Tempwinlogon.exe

description	pid	process
Token: SeDebugPrivilege	3000	Tempwinlogon.exe
Token: 33	3000	Tempwinlogon.exe
Token: SeIncBasePriorityPrivilege	3000	Tempwinlogon.exe
Token: 33	3000	Tempwinlogon.exe
Token: SeIncBasePriorityPrivilege	3000	Tempwinlogon.exe
Token: 33	3000	Tempwinlogon.exe
Token: SeIncBasePriorityPrivilege	3000	Tempwinlogon.exe
Token: 33	3000	Tempwinlogon.exe
Token: SeIncBasePriorityPrivilege	3000	Tempwinlogon.exe
Token: 33	3000	Tempwinlogon.exe
Token: SeIncBasePriorityPrivilege	3000	Tempwinlogon.exe
Token: 33	3000	Tempwinlogon.exe
Token: SeIncBasePriorityPrivilege	3000	Tempwinlogon.exe
Token: 33	3000	Tempwinlogon.exe
Token: SeIncBasePriorityPrivilege	3000	Tempwinlogon.exe
Token: 33	3000	Tempwinlogon.exe
Token: SeIncBasePriorityPrivilege	3000	Tempwinlogon.exe
Token: 33	3000	Tempwinlogon.exe
Token: SeIncBasePriorityPrivilege	3000	Tempwinlogon.exe
Token: 33	3000	Tempwinlogon.exe
Token: SeIncBasePriorityPrivilege	3000	Tempwinlogon.exe
Token: 33	3000	Tempwinlogon.exe
Token: SeIncBasePriorityPrivilege	3000	Tempwinlogon.exe
Token: 33	3000	Tempwinlogon.exe
Token: SeIncBasePriorityPrivilege	3000	Tempwinlogon.exe
Token: 33	3000	Tempwinlogon.exe
Token: SeIncBasePriorityPrivilege	3000	Tempwinlogon.exe
Token: 33	3000	Tempwinlogon.exe
Token: SeIncBasePriorityPrivilege	3000	Tempwinlogon.exe
Token: 33	3000	Tempwinlogon.exe
Token: SeIncBasePriorityPrivilege	3000	Tempwinlogon.exe
Token: 33	3000	Tempwinlogon.exe
Token: SeIncBasePriorityPrivilege	3000	Tempwinlogon.exe
Token: 33	3000	Tempwinlogon.exe
Token: SeIncBasePriorityPrivilege	3000	Tempwinlogon.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

6CF07AB2FF64200E8CD38602D14BC566.exe

pid process

996 6CF07AB2FF64200E8CD38602D14BC566.exe

pid	process
996	6CF07AB2FF64200E8CD38602D14BC566.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

6CF07AB2FF64200E8CD38602D14BC566.execscript.exeTempwinlogon.exe

description	pid	process	target process
PID 996 wrote to memory of 2544	996	6CF07AB2FF64200E8CD38602D14BC566.exe	cscript.exe
PID 996 wrote to memory of 2544	996	6CF07AB2FF64200E8CD38602D14BC566.exe	cscript.exe
PID 996 wrote to memory of 2544	996	6CF07AB2FF64200E8CD38602D14BC566.exe	cscript.exe
PID 2544 wrote to memory of 3000	2544	cscript.exe	Tempwinlogon.exe
PID 2544 wrote to memory of 3000	2544	cscript.exe	Tempwinlogon.exe
PID 3000 wrote to memory of 508	3000	Tempwinlogon.exe	netsh.exe
PID 3000 wrote to memory of 508	3000	Tempwinlogon.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\6CF07AB2FF64200E8CD38602D14BC566.exe
"C:\Users\Admin\AppData\Local\Temp\6CF07AB2FF64200E8CD38602D14BC566.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:996

C:\Windows\SysWOW64\cscript.exe
"cscript" C:\Users\Admin\AppData\Local\Temp\7B11.tmp\aaa11.vbs
2⤵
- Suspicious use of WriteProcessMemory
PID:2544

C:\Users\Admin\AppData\Local\Tempwinlogon.exe
"C:\Users\Admin\AppData\Local\Tempwinlogon.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3000

C:\Windows\SYSTEM32\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Tempwinlogon.exe" "Tempwinlogon.exe" ENABLE
4⤵
PID:508

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7B11.tmp\aaa11.vbs
MD5
89a247e6bf33711ef8ac5c694b3c7f77

SHA1
659da18a6a291f0a3f3b9f0d8321cc9f13c9862a

SHA256
3b0a43587507dce1d5a779521077fd0827f81a0d3b313f67f64c79f1b9687b5d

SHA512
699f4f3b8db597c92c9ee69ca7bd23e02f0470a76e9e78f27b65a8f5f2bedbd02b9b923afa557fd88dd0f196fb9b3e8bb86a4f6aa64ac1d51b60d98632840371

Download Submit
C:\Users\Admin\AppData\Local\Tempwinlogon.exe
MD5
28da331bcc74c6bf3fef61a4b0082b5f

SHA1
648c5e8c4299ad0be01af2941dbc3ccf93534a08

SHA256
6188d251eae945f41be9d0976abb2175acb706933f7a18d3b9bb97f1b6f55124

SHA512
4783fb4204118dc8245d4c4bdc18c5970d477c0766ccb003f1dd124142125774203536dc960f0d5fd4d18b94e966a35ec20fd2a76a1371e8ed4a097aa0899a0b

Download Submit
C:\Users\Admin\AppData\Local\Tempwinlogon.exe
MD5
28da331bcc74c6bf3fef61a4b0082b5f

SHA1
648c5e8c4299ad0be01af2941dbc3ccf93534a08

SHA256
6188d251eae945f41be9d0976abb2175acb706933f7a18d3b9bb97f1b6f55124

SHA512
4783fb4204118dc8245d4c4bdc18c5970d477c0766ccb003f1dd124142125774203536dc960f0d5fd4d18b94e966a35ec20fd2a76a1371e8ed4a097aa0899a0b

Download Submit
memory/508-120-0x0000000000000000-mapping.dmp

Download
memory/2544-114-0x0000000000000000-mapping.dmp

Download
memory/3000-116-0x0000000000000000-mapping.dmp

Download
memory/3000-119-0x0000000002EC0000-0x0000000002EC2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing