njrat | d01e5dc3618708c0affe1be008e9d356fe7d113289dc68bc832d556788adeba1

Analysis

max time kernel
150s
max time network
146s
platform
windows10_x64
resource
win10-en
submitted
12-09-2021 14:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d38a592a34803dd43fec1722a4467822.exe
Size

438KB
MD5

d38a592a34803dd43fec1722a4467822
SHA1

2fa62ad88fe9ed8ff915087692020ea0b84f56ae
SHA256

d01e5dc3618708c0affe1be008e9d356fe7d113289dc68bc832d556788adeba1
SHA512

d85d6783fbc10399f808b1667848c4d46571da9b271dfa7deebff08703d3a90d2eba2e932a692a672aa4d9809f39bb73ab8b44dc7e12bb6afe4065da04a120a3

Score

10^/10

njrat warzonerat x1x1x1x1x1 infostealer persistence rat suricata trojan

Malware Config

Extracted

Family

warzonerat

pubg.ddns.net:5201

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

x1x1x1x1x1

pubg.ddns.net:147

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata

Warzone RAT Payload 4 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\windll.exe	warzonerat
C:\Windows\windll.exe	warzonerat
C:\ProgramData\imagesghr.exe	warzonerat
C:\ProgramData\imagesghr.exe	warzonerat

Executes dropped EXE 5 IoCs

Processes:

win.exewindll.exeTVTools_AlterID.exeimagesghr.exeFixWindowsUpdate.exe

pid process

4020 win.exe
3264 windll.exe
3148 TVTools_AlterID.exe
652 imagesghr.exe
1328 FixWindowsUpdate.exe

pid	process
4020	win.exe
3264	windll.exe
3148	TVTools_AlterID.exe
652	imagesghr.exe
1328	FixWindowsUpdate.exe

Drops startup file 4 IoCs

Processes:

windll.exeFixWindowsUpdate.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	windll.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	windll.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft update.exe	FixWindowsUpdate.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft update.exe	FixWindowsUpdate.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

windll.exeFixWindowsUpdate.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Imagesaf = "C:\\ProgramData\\imagesghr.exe"	windll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\FixWindowsUpdate.exe\" .."	FixWindowsUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\FixWindowsUpdate.exe\" .."	FixWindowsUpdate.exe

Drops file in Windows directory 7 IoCs

Processes:

d38a592a34803dd43fec1722a4467822.exe

description	ioc	process
File created	C:\Windows\win.exe	d38a592a34803dd43fec1722a4467822.exe
File opened for modification	C:\Windows\win.exe	d38a592a34803dd43fec1722a4467822.exe
File created	C:\Windows\windll.exe	d38a592a34803dd43fec1722a4467822.exe
File opened for modification	C:\Windows\windll.exe	d38a592a34803dd43fec1722a4467822.exe
File created	C:\Windows\TVTools_AlterID.exe	d38a592a34803dd43fec1722a4467822.exe
File opened for modification	C:\Windows\TVTools_AlterID.exe	d38a592a34803dd43fec1722a4467822.exe
File created	C:\Windows\__tmp_rar_sfx_access_check_259263343	d38a592a34803dd43fec1722a4467822.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

TVTools_AlterID.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	TVTools_AlterID.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	TVTools_AlterID.exe

NTFS ADS 1 IoCs

Processes:

windll.exe

description ioc process

File created C:\ProgramData:ApplicationData windll.exe

description	ioc	process
File created	C:\ProgramData:ApplicationData	windll.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

TVTools_AlterID.exepowershell.exepowershell.exe

pid	process
3148	TVTools_AlterID.exe
3148	TVTools_AlterID.exe
1604	powershell.exe
1604	powershell.exe
948	powershell.exe
1604	powershell.exe
948	powershell.exe
948	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

win.exeFixWindowsUpdate.exe

pid process

4020 win.exe
1328 FixWindowsUpdate.exe

pid	process
4020	win.exe
1328	FixWindowsUpdate.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

powershell.exepowershell.exeFixWindowsUpdate.exe

description	pid	process
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	948	powershell.exe
Token: SeDebugPrivilege	1328	FixWindowsUpdate.exe
Token: 33	1328	FixWindowsUpdate.exe
Token: SeIncBasePriorityPrivilege	1328	FixWindowsUpdate.exe
Token: 33	1328	FixWindowsUpdate.exe
Token: SeIncBasePriorityPrivilege	1328	FixWindowsUpdate.exe
Token: 33	1328	FixWindowsUpdate.exe
Token: SeIncBasePriorityPrivilege	1328	FixWindowsUpdate.exe
Token: 33	1328	FixWindowsUpdate.exe
Token: SeIncBasePriorityPrivilege	1328	FixWindowsUpdate.exe
Token: 33	1328	FixWindowsUpdate.exe
Token: SeIncBasePriorityPrivilege	1328	FixWindowsUpdate.exe
Token: 33	1328	FixWindowsUpdate.exe
Token: SeIncBasePriorityPrivilege	1328	FixWindowsUpdate.exe
Token: 33	1328	FixWindowsUpdate.exe
Token: SeIncBasePriorityPrivilege	1328	FixWindowsUpdate.exe
Token: 33	1328	FixWindowsUpdate.exe
Token: SeIncBasePriorityPrivilege	1328	FixWindowsUpdate.exe
Token: 33	1328	FixWindowsUpdate.exe
Token: SeIncBasePriorityPrivilege	1328	FixWindowsUpdate.exe
Token: 33	1328	FixWindowsUpdate.exe
Token: SeIncBasePriorityPrivilege	1328	FixWindowsUpdate.exe
Token: 33	1328	FixWindowsUpdate.exe
Token: SeIncBasePriorityPrivilege	1328	FixWindowsUpdate.exe
Token: 33	1328	FixWindowsUpdate.exe
Token: SeIncBasePriorityPrivilege	1328	FixWindowsUpdate.exe
Token: 33	1328	FixWindowsUpdate.exe
Token: SeIncBasePriorityPrivilege	1328	FixWindowsUpdate.exe
Token: 33	1328	FixWindowsUpdate.exe
Token: SeIncBasePriorityPrivilege	1328	FixWindowsUpdate.exe
Token: 33	1328	FixWindowsUpdate.exe
Token: SeIncBasePriorityPrivilege	1328	FixWindowsUpdate.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

TVTools_AlterID.exe

pid process

3148 TVTools_AlterID.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

d38a592a34803dd43fec1722a4467822.exewindll.exeimagesghr.exewin.exe

description	pid	process	target process
PID 3652 wrote to memory of 4020	3652	d38a592a34803dd43fec1722a4467822.exe	win.exe
PID 3652 wrote to memory of 4020	3652	d38a592a34803dd43fec1722a4467822.exe	win.exe
PID 3652 wrote to memory of 3264	3652	d38a592a34803dd43fec1722a4467822.exe	windll.exe
PID 3652 wrote to memory of 3264	3652	d38a592a34803dd43fec1722a4467822.exe	windll.exe
PID 3652 wrote to memory of 3264	3652	d38a592a34803dd43fec1722a4467822.exe	windll.exe
PID 3652 wrote to memory of 3148	3652	d38a592a34803dd43fec1722a4467822.exe	TVTools_AlterID.exe
PID 3652 wrote to memory of 3148	3652	d38a592a34803dd43fec1722a4467822.exe	TVTools_AlterID.exe
PID 3652 wrote to memory of 3148	3652	d38a592a34803dd43fec1722a4467822.exe	TVTools_AlterID.exe
PID 3264 wrote to memory of 1604	3264	windll.exe	powershell.exe
PID 3264 wrote to memory of 1604	3264	windll.exe	powershell.exe
PID 3264 wrote to memory of 1604	3264	windll.exe	powershell.exe
PID 3264 wrote to memory of 652	3264	windll.exe	imagesghr.exe
PID 3264 wrote to memory of 652	3264	windll.exe	imagesghr.exe
PID 3264 wrote to memory of 652	3264	windll.exe	imagesghr.exe
PID 652 wrote to memory of 948	652	imagesghr.exe	powershell.exe
PID 652 wrote to memory of 948	652	imagesghr.exe	powershell.exe
PID 652 wrote to memory of 948	652	imagesghr.exe	powershell.exe
PID 4020 wrote to memory of 1328	4020	win.exe	FixWindowsUpdate.exe
PID 4020 wrote to memory of 1328	4020	win.exe	FixWindowsUpdate.exe

C:\Users\Admin\AppData\Local\Temp\d38a592a34803dd43fec1722a4467822.exe
"C:\Users\Admin\AppData\Local\Temp\d38a592a34803dd43fec1722a4467822.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3652

C:\Windows\win.exe
"C:\Windows\win.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:4020

C:\Users\Admin\AppData\Roaming\FixWindowsUpdate.exe
"C:\Users\Admin\AppData\Roaming\FixWindowsUpdate.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1328

C:\Windows\windll.exe
"C:\Windows\windll.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:3264

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\ProgramData\imagesghr.exe
"C:\ProgramData\imagesghr.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:652

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:948

C:\Windows\TVTools_AlterID.exe
"C:\Windows\TVTools_AlterID.exe"
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3148

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\imagesghr.exe
MD5
fb71890d51bc97d78aa496135d570c0d

SHA1
3990c26cd19057f5adf7096a8eb140bb76264945

SHA256
320d6dcf82a4e24763691ad53989ea12a68c3e97eb2ba822807eea377895a058

SHA512
e42c4fb03075d9448238606900874cdc4898154e887be3e580551bd017d650533685ac07ac574e9746ee5d4c2e7e8001d2573b1c5d4c9876733044aad56eb196

Download Submit
C:\ProgramData\imagesghr.exe
MD5
fb71890d51bc97d78aa496135d570c0d

SHA1
3990c26cd19057f5adf7096a8eb140bb76264945

SHA256
320d6dcf82a4e24763691ad53989ea12a68c3e97eb2ba822807eea377895a058

SHA512
e42c4fb03075d9448238606900874cdc4898154e887be3e580551bd017d650533685ac07ac574e9746ee5d4c2e7e8001d2573b1c5d4c9876733044aad56eb196

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
dccd076e0982c474fd6f7732fadad6b2

SHA1
e52be27a2dbcaa0f8236e5492f97d01416f890d5

SHA256
e44accd474e56924a6ee28765ec93d38e78c367b063c018a03a0a780b9c32054

SHA512
a99a435149ec78d872b390d2da57cc1e050b4d7f57c46d9c4a40174a873cf88f5565fd3bde33881fa40df4d401eb206b17fbd81089e87fc388654a422120828b

Download Submit
C:\Users\Admin\AppData\Roaming\FixWindowsUpdate.exe
MD5
bc4fd52445b7f27f293790e7f04aa289

SHA1
12d6a1e9306634298c8e38339946015dfb3ad36d

SHA256
94ac5551c02b9ccc42aef28922a1045f6a5411852a464087ca1cb98a7b835c51

SHA512
9caf521dbc1c6ce300909d34d6544ee4493d9773196554c4bec3f9ceab04293ec37f7d30fd6012fee4e6c5292f76efd0f07955eb9ce7f564f39c37c55a8e9ed5

Download Submit
C:\Users\Admin\AppData\Roaming\FixWindowsUpdate.exe
MD5
bc4fd52445b7f27f293790e7f04aa289

SHA1
12d6a1e9306634298c8e38339946015dfb3ad36d

SHA256
94ac5551c02b9ccc42aef28922a1045f6a5411852a464087ca1cb98a7b835c51

SHA512
9caf521dbc1c6ce300909d34d6544ee4493d9773196554c4bec3f9ceab04293ec37f7d30fd6012fee4e6c5292f76efd0f07955eb9ce7f564f39c37c55a8e9ed5

Download Submit
C:\Windows\TVTools_AlterID.exe
MD5
290d2267039a01322b590592cbf0c13c

SHA1
188996bfb808374f09a6f5a087d47f4fc450d668

SHA256
16fdf499c06543dedab6f17279fdf1fabb29779f54cb1f4cc2e61fdb6961ed33

SHA512
cc17869703a6c875b507bf6bb4d7a11d4ee1ebdff8a0c2e7aa0483a89f03252904c596d92be75ccacc40ac025d9d8917d3ec9a7d4546e54bfca3c3816a5fafd4

Download Submit
C:\Windows\TVTools_AlterID.exe
MD5
290d2267039a01322b590592cbf0c13c

SHA1
188996bfb808374f09a6f5a087d47f4fc450d668

SHA256
16fdf499c06543dedab6f17279fdf1fabb29779f54cb1f4cc2e61fdb6961ed33

SHA512
cc17869703a6c875b507bf6bb4d7a11d4ee1ebdff8a0c2e7aa0483a89f03252904c596d92be75ccacc40ac025d9d8917d3ec9a7d4546e54bfca3c3816a5fafd4

Download Submit
C:\Windows\win.exe
MD5
bc4fd52445b7f27f293790e7f04aa289

SHA1
12d6a1e9306634298c8e38339946015dfb3ad36d

SHA256
94ac5551c02b9ccc42aef28922a1045f6a5411852a464087ca1cb98a7b835c51

SHA512
9caf521dbc1c6ce300909d34d6544ee4493d9773196554c4bec3f9ceab04293ec37f7d30fd6012fee4e6c5292f76efd0f07955eb9ce7f564f39c37c55a8e9ed5

Download Submit
C:\Windows\win.exe
MD5
bc4fd52445b7f27f293790e7f04aa289

SHA1
12d6a1e9306634298c8e38339946015dfb3ad36d

SHA256
94ac5551c02b9ccc42aef28922a1045f6a5411852a464087ca1cb98a7b835c51

SHA512
9caf521dbc1c6ce300909d34d6544ee4493d9773196554c4bec3f9ceab04293ec37f7d30fd6012fee4e6c5292f76efd0f07955eb9ce7f564f39c37c55a8e9ed5

Download Submit
C:\Windows\windll.exe
MD5
fb71890d51bc97d78aa496135d570c0d

SHA1
3990c26cd19057f5adf7096a8eb140bb76264945

SHA256
320d6dcf82a4e24763691ad53989ea12a68c3e97eb2ba822807eea377895a058

SHA512
e42c4fb03075d9448238606900874cdc4898154e887be3e580551bd017d650533685ac07ac574e9746ee5d4c2e7e8001d2573b1c5d4c9876733044aad56eb196

Download Submit
C:\Windows\windll.exe
MD5
fb71890d51bc97d78aa496135d570c0d

SHA1
3990c26cd19057f5adf7096a8eb140bb76264945

SHA256
320d6dcf82a4e24763691ad53989ea12a68c3e97eb2ba822807eea377895a058

SHA512
e42c4fb03075d9448238606900874cdc4898154e887be3e580551bd017d650533685ac07ac574e9746ee5d4c2e7e8001d2573b1c5d4c9876733044aad56eb196

Download Submit
memory/652-129-0x0000000000000000-mapping.dmp

Download
memory/948-189-0x000000007ED60000-0x000000007ED61000-memory.dmp

Filesize
4KB

Download
memory/948-145-0x0000000000000000-mapping.dmp

Download
memory/948-598-0x00000000092D0000-0x00000000092D1000-memory.dmp

Filesize
4KB

Download
memory/948-218-0x0000000004573000-0x0000000004574000-memory.dmp

Filesize
4KB

Download
memory/948-155-0x0000000004570000-0x0000000004571000-memory.dmp

Filesize
4KB

Download
memory/948-157-0x0000000004572000-0x0000000004573000-memory.dmp

Filesize
4KB

Download
memory/1328-281-0x0000000001070000-0x0000000001072000-memory.dmp

Filesize
8KB

Download
memory/1328-204-0x0000000000000000-mapping.dmp

Download
memory/1604-170-0x0000000009670000-0x00000000096A3000-memory.dmp

Filesize
204KB

Download
memory/1604-195-0x00000000097A0000-0x00000000097A1000-memory.dmp

Filesize
4KB

Download
memory/1604-143-0x0000000008050000-0x0000000008051000-memory.dmp

Filesize
4KB

Download
memory/1604-141-0x0000000007DF0000-0x0000000007DF1000-memory.dmp

Filesize
4KB

Download
memory/1604-146-0x0000000008750000-0x0000000008751000-memory.dmp

Filesize
4KB

Download
memory/1604-144-0x0000000007F60000-0x0000000007F61000-memory.dmp

Filesize
4KB

Download
memory/1604-150-0x00000000087A0000-0x00000000087A1000-memory.dmp

Filesize
4KB

Download
memory/1604-140-0x0000000007C50000-0x0000000007C51000-memory.dmp

Filesize
4KB

Download
memory/1604-138-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

Filesize
4KB

Download
memory/1604-610-0x0000000009870000-0x0000000009871000-memory.dmp

Filesize
4KB

Download
memory/1604-182-0x0000000009450000-0x0000000009451000-memory.dmp

Filesize
4KB

Download
memory/1604-186-0x000000007EEC0000-0x000000007EEC1000-memory.dmp

Filesize
4KB

Download
memory/1604-128-0x0000000000000000-mapping.dmp

Download
memory/1604-142-0x0000000007ED0000-0x0000000007ED1000-memory.dmp

Filesize
4KB

Download
memory/1604-203-0x00000000099A0000-0x00000000099A1000-memory.dmp

Filesize
4KB

Download
memory/1604-139-0x0000000006FE2000-0x0000000006FE3000-memory.dmp

Filesize
4KB

Download
memory/1604-135-0x0000000006F30000-0x0000000006F31000-memory.dmp

Filesize
4KB

Download
memory/1604-136-0x0000000007620000-0x0000000007621000-memory.dmp

Filesize
4KB

Download
memory/1604-215-0x0000000006FE3000-0x0000000006FE4000-memory.dmp

Filesize
4KB

Download
memory/3148-125-0x0000000000000000-mapping.dmp

Download
memory/3264-120-0x0000000000000000-mapping.dmp

Download
memory/4020-137-0x000000001BC60000-0x000000001BC62000-memory.dmp

Filesize
8KB

Download
memory/4020-123-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/4020-134-0x0000000001560000-0x000000000156B000-memory.dmp

Filesize
44KB

Download
memory/4020-117-0x0000000000000000-mapping.dmp

Download