njrat | a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8

General

Target

a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe
Size

83KB
MD5

7c6290951c89aac232a806d70f72e573
SHA1

0cd2416d39e7e11a7066d12adff69ccd9411b98d
SHA256

a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8
SHA512

9ab95ef8909a0f4324b8756e86492a6fb9318d724b610c477405113b435315d11c8ee18c7a82481a912fa29b73f339f8da149a8ca3419450d0b8b837bcad90fe

Score

10^/10

njrat .......celcom evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

.......CELCOM

C2

anunankis1.duckdns.org:1177

Mutex

04404d18b002688e39bb45a634c1a35a

Attributes

reg_key
04404d18b002688e39bb45a634c1a35a
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

436 svchost.exe
1916 svchost.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
436	svchost.exe
1916	svchost.exe

Drops startup file 2 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\04404d18b002688e39bb45a634c1a35a.exe	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\04404d18b002688e39bb45a634c1a35a.exe	svchost.exe

Loads dropped DLL 2 IoCs

Processes:

a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exesvchost.exe

pid process

1172 a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe
436 svchost.exe

pid	process
1172	a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe
436	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exesvchost.exe

description	pid	process	target process
PID 1080 set thread context of 1172	1080	a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe	a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe
PID 436 set thread context of 1916	436	svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeDebugPrivilege	1916	svchost.exe
Token: 33	1916	svchost.exe
Token: SeIncBasePriorityPrivilege	1916	svchost.exe
Token: 33	1916	svchost.exe
Token: SeIncBasePriorityPrivilege	1916	svchost.exe
Token: 33	1916	svchost.exe
Token: SeIncBasePriorityPrivilege	1916	svchost.exe
Token: 33	1916	svchost.exe
Token: SeIncBasePriorityPrivilege	1916	svchost.exe
Token: 33	1916	svchost.exe
Token: SeIncBasePriorityPrivilege	1916	svchost.exe
Token: 33	1916	svchost.exe
Token: SeIncBasePriorityPrivilege	1916	svchost.exe
Token: 33	1916	svchost.exe
Token: SeIncBasePriorityPrivilege	1916	svchost.exe
Token: 33	1916	svchost.exe
Token: SeIncBasePriorityPrivilege	1916	svchost.exe
Token: 33	1916	svchost.exe
Token: SeIncBasePriorityPrivilege	1916	svchost.exe
Token: 33	1916	svchost.exe
Token: SeIncBasePriorityPrivilege	1916	svchost.exe
Token: 33	1916	svchost.exe
Token: SeIncBasePriorityPrivilege	1916	svchost.exe
Token: 33	1916	svchost.exe
Token: SeIncBasePriorityPrivilege	1916	svchost.exe
Token: 33	1916	svchost.exe
Token: SeIncBasePriorityPrivilege	1916	svchost.exe
Token: 33	1916	svchost.exe
Token: SeIncBasePriorityPrivilege	1916	svchost.exe
Token: 33	1916	svchost.exe
Token: SeIncBasePriorityPrivilege	1916	svchost.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exea1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exesvchost.exesvchost.exe

description	pid	process	target process
PID 1080 wrote to memory of 1172	1080	a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe	a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe
PID 1080 wrote to memory of 1172	1080	a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe	a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe
PID 1080 wrote to memory of 1172	1080	a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe	a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe
PID 1080 wrote to memory of 1172	1080	a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe	a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe
PID 1080 wrote to memory of 1172	1080	a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe	a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe
PID 1080 wrote to memory of 1172	1080	a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe	a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe
PID 1080 wrote to memory of 1172	1080	a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe	a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe
PID 1080 wrote to memory of 1172	1080	a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe	a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe
PID 1080 wrote to memory of 1172	1080	a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe	a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe
PID 1172 wrote to memory of 436	1172	a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe	svchost.exe
PID 1172 wrote to memory of 436	1172	a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe	svchost.exe
PID 1172 wrote to memory of 436	1172	a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe	svchost.exe
PID 1172 wrote to memory of 436	1172	a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe	svchost.exe
PID 436 wrote to memory of 1916	436	svchost.exe	svchost.exe
PID 436 wrote to memory of 1916	436	svchost.exe	svchost.exe
PID 436 wrote to memory of 1916	436	svchost.exe	svchost.exe
PID 436 wrote to memory of 1916	436	svchost.exe	svchost.exe
PID 436 wrote to memory of 1916	436	svchost.exe	svchost.exe
PID 436 wrote to memory of 1916	436	svchost.exe	svchost.exe
PID 436 wrote to memory of 1916	436	svchost.exe	svchost.exe
PID 436 wrote to memory of 1916	436	svchost.exe	svchost.exe
PID 436 wrote to memory of 1916	436	svchost.exe	svchost.exe
PID 1916 wrote to memory of 1608	1916	svchost.exe	netsh.exe
PID 1916 wrote to memory of 1608	1916	svchost.exe	netsh.exe
PID 1916 wrote to memory of 1608	1916	svchost.exe	netsh.exe
PID 1916 wrote to memory of 1608	1916	svchost.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe
"C:\Users\Admin\AppData\Local\Temp\a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1080

C:\Users\Admin\AppData\Local\Temp\a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe
"C:\Users\Admin\AppData\Local\Temp\a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1172

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:436

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
4⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
5⤵
PID:1608

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
7c6290951c89aac232a806d70f72e573

SHA1
0cd2416d39e7e11a7066d12adff69ccd9411b98d

SHA256
a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8

SHA512
9ab95ef8909a0f4324b8756e86492a6fb9318d724b610c477405113b435315d11c8ee18c7a82481a912fa29b73f339f8da149a8ca3419450d0b8b837bcad90fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
7c6290951c89aac232a806d70f72e573

SHA1
0cd2416d39e7e11a7066d12adff69ccd9411b98d

SHA256
a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8

SHA512
9ab95ef8909a0f4324b8756e86492a6fb9318d724b610c477405113b435315d11c8ee18c7a82481a912fa29b73f339f8da149a8ca3419450d0b8b837bcad90fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
7c6290951c89aac232a806d70f72e573

SHA1
0cd2416d39e7e11a7066d12adff69ccd9411b98d

SHA256
a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8

SHA512
9ab95ef8909a0f4324b8756e86492a6fb9318d724b610c477405113b435315d11c8ee18c7a82481a912fa29b73f339f8da149a8ca3419450d0b8b837bcad90fe

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
7c6290951c89aac232a806d70f72e573

SHA1
0cd2416d39e7e11a7066d12adff69ccd9411b98d

SHA256
a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8

SHA512
9ab95ef8909a0f4324b8756e86492a6fb9318d724b610c477405113b435315d11c8ee18c7a82481a912fa29b73f339f8da149a8ca3419450d0b8b837bcad90fe

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
7c6290951c89aac232a806d70f72e573

SHA1
0cd2416d39e7e11a7066d12adff69ccd9411b98d

SHA256
a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8

SHA512
9ab95ef8909a0f4324b8756e86492a6fb9318d724b610c477405113b435315d11c8ee18c7a82481a912fa29b73f339f8da149a8ca3419450d0b8b837bcad90fe

Download Submit
memory/436-73-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/436-64-0x0000000000000000-mapping.dmp

Download
memory/1080-53-0x0000000075991000-0x0000000075993000-memory.dmp

Filesize
8KB

Download
memory/1080-61-0x00000000020A0000-0x00000000020A1000-memory.dmp

Filesize
4KB

Download
memory/1172-62-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1172-59-0x0000000000080000-0x000000000008C000-memory.dmp

Filesize
48KB

Download
memory/1172-56-0x0000000000080000-0x000000000008C000-memory.dmp

Filesize
48KB

Download
memory/1172-55-0x00000000004074AE-mapping.dmp

Download
memory/1608-75-0x0000000000000000-mapping.dmp

Download
memory/1916-69-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1916-70-0x00000000004074AE-mapping.dmp

Download
memory/1916-74-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads