njrat | a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8

General

Target

a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe
Size

83KB
MD5

7c6290951c89aac232a806d70f72e573
SHA1

0cd2416d39e7e11a7066d12adff69ccd9411b98d
SHA256

a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8
SHA512

9ab95ef8909a0f4324b8756e86492a6fb9318d724b610c477405113b435315d11c8ee18c7a82481a912fa29b73f339f8da149a8ca3419450d0b8b837bcad90fe

Score

10^/10

njrat .......celcom evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

.......CELCOM

C2

anunankis1.duckdns.org:1177

Mutex

04404d18b002688e39bb45a634c1a35a

Attributes

reg_key
04404d18b002688e39bb45a634c1a35a
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

3656 svchost.exe
4088 svchost.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
3656	svchost.exe
4088	svchost.exe

Drops startup file 2 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\04404d18b002688e39bb45a634c1a35a.exe	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\04404d18b002688e39bb45a634c1a35a.exe	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exesvchost.exe

description	pid	process	target process
PID 4020 set thread context of 3644	4020	a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe	a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe
PID 3656 set thread context of 4088	3656	svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeDebugPrivilege	4088	svchost.exe
Token: 33	4088	svchost.exe
Token: SeIncBasePriorityPrivilege	4088	svchost.exe
Token: 33	4088	svchost.exe
Token: SeIncBasePriorityPrivilege	4088	svchost.exe
Token: 33	4088	svchost.exe
Token: SeIncBasePriorityPrivilege	4088	svchost.exe
Token: 33	4088	svchost.exe
Token: SeIncBasePriorityPrivilege	4088	svchost.exe
Token: 33	4088	svchost.exe
Token: SeIncBasePriorityPrivilege	4088	svchost.exe
Token: 33	4088	svchost.exe
Token: SeIncBasePriorityPrivilege	4088	svchost.exe
Token: 33	4088	svchost.exe
Token: SeIncBasePriorityPrivilege	4088	svchost.exe
Token: 33	4088	svchost.exe
Token: SeIncBasePriorityPrivilege	4088	svchost.exe
Token: 33	4088	svchost.exe
Token: SeIncBasePriorityPrivilege	4088	svchost.exe
Token: 33	4088	svchost.exe
Token: SeIncBasePriorityPrivilege	4088	svchost.exe
Token: 33	4088	svchost.exe
Token: SeIncBasePriorityPrivilege	4088	svchost.exe
Token: 33	4088	svchost.exe
Token: SeIncBasePriorityPrivilege	4088	svchost.exe
Token: 33	4088	svchost.exe
Token: SeIncBasePriorityPrivilege	4088	svchost.exe
Token: 33	4088	svchost.exe
Token: SeIncBasePriorityPrivilege	4088	svchost.exe
Token: 33	4088	svchost.exe
Token: SeIncBasePriorityPrivilege	4088	svchost.exe
Token: 33	4088	svchost.exe
Token: SeIncBasePriorityPrivilege	4088	svchost.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exea1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exesvchost.exesvchost.exe

description	pid	process	target process
PID 4020 wrote to memory of 3644	4020	a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe	a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe
PID 4020 wrote to memory of 3644	4020	a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe	a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe
PID 4020 wrote to memory of 3644	4020	a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe	a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe
PID 4020 wrote to memory of 3644	4020	a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe	a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe
PID 4020 wrote to memory of 3644	4020	a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe	a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe
PID 4020 wrote to memory of 3644	4020	a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe	a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe
PID 4020 wrote to memory of 3644	4020	a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe	a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe
PID 4020 wrote to memory of 3644	4020	a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe	a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe
PID 3644 wrote to memory of 3656	3644	a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe	svchost.exe
PID 3644 wrote to memory of 3656	3644	a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe	svchost.exe
PID 3644 wrote to memory of 3656	3644	a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe	svchost.exe
PID 3656 wrote to memory of 4088	3656	svchost.exe	svchost.exe
PID 3656 wrote to memory of 4088	3656	svchost.exe	svchost.exe
PID 3656 wrote to memory of 4088	3656	svchost.exe	svchost.exe
PID 3656 wrote to memory of 4088	3656	svchost.exe	svchost.exe
PID 3656 wrote to memory of 4088	3656	svchost.exe	svchost.exe
PID 3656 wrote to memory of 4088	3656	svchost.exe	svchost.exe
PID 3656 wrote to memory of 4088	3656	svchost.exe	svchost.exe
PID 3656 wrote to memory of 4088	3656	svchost.exe	svchost.exe
PID 4088 wrote to memory of 1356	4088	svchost.exe	netsh.exe
PID 4088 wrote to memory of 1356	4088	svchost.exe	netsh.exe
PID 4088 wrote to memory of 1356	4088	svchost.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe
"C:\Users\Admin\AppData\Local\Temp\a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4020

C:\Users\Admin\AppData\Local\Temp\a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe
"C:\Users\Admin\AppData\Local\Temp\a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3644

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3656

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
4⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4088

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
5⤵
PID:1356

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8.exe.log
MD5
c748e8ca8696cef7e06115966216593a

SHA1
de51083153bc4e802050a6f3f8e2d273ea36e564

SHA256
b83056f659f6c279f69432c96fcf4d90adde41c8a3798d3105e26fe8b864759d

SHA512
d29689f58a3c672c5c2bc1a13d9b7ce7cf147f95364f54265f40783817b66e112e81e72a4e215e745a66d3ebfe57985c38d98b484646bfb01a7e92e805660ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
7c6290951c89aac232a806d70f72e573

SHA1
0cd2416d39e7e11a7066d12adff69ccd9411b98d

SHA256
a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8

SHA512
9ab95ef8909a0f4324b8756e86492a6fb9318d724b610c477405113b435315d11c8ee18c7a82481a912fa29b73f339f8da149a8ca3419450d0b8b837bcad90fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
7c6290951c89aac232a806d70f72e573

SHA1
0cd2416d39e7e11a7066d12adff69ccd9411b98d

SHA256
a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8

SHA512
9ab95ef8909a0f4324b8756e86492a6fb9318d724b610c477405113b435315d11c8ee18c7a82481a912fa29b73f339f8da149a8ca3419450d0b8b837bcad90fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
7c6290951c89aac232a806d70f72e573

SHA1
0cd2416d39e7e11a7066d12adff69ccd9411b98d

SHA256
a1bd9e989614f6d8024d4fb930246d6b6bb5611b148476414efcf01d30f79fc8

SHA512
9ab95ef8909a0f4324b8756e86492a6fb9318d724b610c477405113b435315d11c8ee18c7a82481a912fa29b73f339f8da149a8ca3419450d0b8b837bcad90fe

Download Submit
memory/1356-128-0x0000000000000000-mapping.dmp

Download
memory/3644-119-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/3644-116-0x00000000004074AE-mapping.dmp

Download
memory/3656-120-0x0000000000000000-mapping.dmp

Download
memory/3656-126-0x0000000002E01000-0x0000000002E02000-memory.dmp

Filesize
4KB

Download
memory/4020-118-0x0000000000FF0000-0x000000000113A000-memory.dmp

Filesize
1.3MB

Download
memory/4088-124-0x00000000004074AE-mapping.dmp

Download
memory/4088-123-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4088-127-0x0000000003201000-0x0000000003202000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads