njrat | 977565988377bf3f44444095ecb38c87432ce4bae2059da4aa75124ef1c3de15

General

Target

977565988377bf3f44444095ecb38c87432ce4bae2059da4aa75124ef1c3de15.exe
Size

1.4MB
MD5

7692667d5a258ba4cdb84473fb50efdc
SHA1

3102de64a4476befc1684c4595f24ec707472662
SHA256

977565988377bf3f44444095ecb38c87432ce4bae2059da4aa75124ef1c3de15
SHA512

1b365067b03c94bacf8f22b5cc32e7a6b85b6359a215f197e6c4747e956ce409de94a5bc8c543af76e98983516a07d111c35ac66f99f85b3e0b7d6858b2052fb

Score

10^/10

njrat test1 evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

Test1

C2

127.0.0.1:1177

Mutex

6bc405af81ea48ffdc111c35dcd0d4b4

Attributes

reg_key
6bc405af81ea48ffdc111c35dcd0d4b4
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

TempServer.exenimer.exe

pid process

3748 TempServer.exe
3900 nimer.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
3748	TempServer.exe
3900	nimer.exe

Drops startup file 2 IoCs

Processes:

nimer.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6bc405af81ea48ffdc111c35dcd0d4b4.exe	nimer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6bc405af81ea48ffdc111c35dcd0d4b4.exe	nimer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

nimer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\6bc405af81ea48ffdc111c35dcd0d4b4 = "\"C:\\ProgramData\\nimer.exe\" .."	nimer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\6bc405af81ea48ffdc111c35dcd0d4b4 = "\"C:\\ProgramData\\nimer.exe\" .."	nimer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

nimer.exe

pid	process
3900	nimer.exe
3900	nimer.exe
3900	nimer.exe
3900	nimer.exe
3900	nimer.exe
3900	nimer.exe
3900	nimer.exe
3900	nimer.exe
3900	nimer.exe
3900	nimer.exe
3900	nimer.exe
3900	nimer.exe
3900	nimer.exe
3900	nimer.exe
3900	nimer.exe
3900	nimer.exe
3900	nimer.exe
3900	nimer.exe
3900	nimer.exe
3900	nimer.exe
3900	nimer.exe
3900	nimer.exe
3900	nimer.exe
3900	nimer.exe
3900	nimer.exe
3900	nimer.exe
3900	nimer.exe
3900	nimer.exe
3900	nimer.exe
3900	nimer.exe
3900	nimer.exe
3900	nimer.exe
3900	nimer.exe
3900	nimer.exe
3900	nimer.exe
3900	nimer.exe
3900	nimer.exe
3900	nimer.exe
3900	nimer.exe
3900	nimer.exe
3900	nimer.exe
3900	nimer.exe
3900	nimer.exe
3900	nimer.exe
3900	nimer.exe
3900	nimer.exe
3900	nimer.exe
3900	nimer.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

nimer.exe

description pid process

Token: SeDebugPrivilege 3900 nimer.exe

description	pid	process
Token: SeDebugPrivilege	3900	nimer.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

977565988377bf3f44444095ecb38c87432ce4bae2059da4aa75124ef1c3de15.exeTempServer.exenimer.exe

description	pid	process	target process
PID 3636 wrote to memory of 3748	3636	977565988377bf3f44444095ecb38c87432ce4bae2059da4aa75124ef1c3de15.exe	TempServer.exe
PID 3636 wrote to memory of 3748	3636	977565988377bf3f44444095ecb38c87432ce4bae2059da4aa75124ef1c3de15.exe	TempServer.exe
PID 3636 wrote to memory of 3748	3636	977565988377bf3f44444095ecb38c87432ce4bae2059da4aa75124ef1c3de15.exe	TempServer.exe
PID 3748 wrote to memory of 3900	3748	TempServer.exe	nimer.exe
PID 3748 wrote to memory of 3900	3748	TempServer.exe	nimer.exe
PID 3748 wrote to memory of 3900	3748	TempServer.exe	nimer.exe
PID 3900 wrote to memory of 3632	3900	nimer.exe	netsh.exe
PID 3900 wrote to memory of 3632	3900	nimer.exe	netsh.exe
PID 3900 wrote to memory of 3632	3900	nimer.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\977565988377bf3f44444095ecb38c87432ce4bae2059da4aa75124ef1c3de15.exe
"C:\Users\Admin\AppData\Local\Temp\977565988377bf3f44444095ecb38c87432ce4bae2059da4aa75124ef1c3de15.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3636

C:\Users\Admin\AppData\Local\TempServer.exe
C:\Users\Admin\AppData\Local\TempServer.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3748

C:\ProgramData\nimer.exe
"C:\ProgramData\nimer.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3900

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\ProgramData\nimer.exe" "nimer.exe" ENABLE
4⤵
PID:3632

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\nimer.exe
MD5
7cbdea2979d0fe2d19b60004bff7007a

SHA1
a1448e8d430d1f4a85e537cabb12adcbaf285020

SHA256
24425c3e4f7eb4fbfdad529e3e07939e3175a2b7f12c8ea10cb4691c687f03d0

SHA512
e2b4b3c22db5f362603bd0e59996e05f33d4f063c48b4cfb06ec05cfcf4034df3e0b4536075b8eb03adce454215850d89cad0b3a9d0e9c0472d9180e90f6e3c5

Download Submit
C:\ProgramData\nimer.exe
MD5
7cbdea2979d0fe2d19b60004bff7007a

SHA1
a1448e8d430d1f4a85e537cabb12adcbaf285020

SHA256
24425c3e4f7eb4fbfdad529e3e07939e3175a2b7f12c8ea10cb4691c687f03d0

SHA512
e2b4b3c22db5f362603bd0e59996e05f33d4f063c48b4cfb06ec05cfcf4034df3e0b4536075b8eb03adce454215850d89cad0b3a9d0e9c0472d9180e90f6e3c5

Download Submit
C:\Users\Admin\AppData\Local\TempServer.exe
MD5
7cbdea2979d0fe2d19b60004bff7007a

SHA1
a1448e8d430d1f4a85e537cabb12adcbaf285020

SHA256
24425c3e4f7eb4fbfdad529e3e07939e3175a2b7f12c8ea10cb4691c687f03d0

SHA512
e2b4b3c22db5f362603bd0e59996e05f33d4f063c48b4cfb06ec05cfcf4034df3e0b4536075b8eb03adce454215850d89cad0b3a9d0e9c0472d9180e90f6e3c5

Download Submit
C:\Users\Admin\AppData\Local\TempServer.exe
MD5
7cbdea2979d0fe2d19b60004bff7007a

SHA1
a1448e8d430d1f4a85e537cabb12adcbaf285020

SHA256
24425c3e4f7eb4fbfdad529e3e07939e3175a2b7f12c8ea10cb4691c687f03d0

SHA512
e2b4b3c22db5f362603bd0e59996e05f33d4f063c48b4cfb06ec05cfcf4034df3e0b4536075b8eb03adce454215850d89cad0b3a9d0e9c0472d9180e90f6e3c5

Download Submit
memory/3632-122-0x0000000000000000-mapping.dmp

Download
memory/3748-115-0x0000000000000000-mapping.dmp

Download
memory/3748-118-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/3900-119-0x0000000000000000-mapping.dmp

Download
memory/3900-123-0x0000000002E20000-0x0000000002E21000-memory.dmp

Filesize
4KB

Download
memory/3900-124-0x0000000002E23000-0x0000000002E25000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads