njrat | 6c8f0805290d03ab8fe1d2e21eaf62b80ab8677c430272f23dea52de6e4d8998

General

Target

6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe
Size

82KB
MD5

42f06a2dd04a0b84c019557cc07f0cb6
SHA1

9f8b00c0cefd6e80ed813ac25b55b57e1289c724
SHA256

6c8f0805290d03ab8fe1d2e21eaf62b80ab8677c430272f23dea52de6e4d8998
SHA512

15228012f88fb714d868aec24574c532bb49a7f56ebdd8a97922d0a569a37c6f112cdb1224db37df50196c9cc08c07e90a1f72c26978adaaeec12212ef9a9556

Score

10^/10

njrat 000000 persistence suricata trojan

Malware Config

Extracted

Family

njrat

Version

0.7 MultiHost

Botnet

000000

C2

karmina112.sytes.net,karmina115.sytes.net,burdun.dynu.net,burdun115.dynu.net,anunankis3.duckdns.org:1177

Mutex

670b14728ad9902aecba32e22fa4f6bd

Attributes

reg_key
670b14728ad9902aecba32e22fa4f6bd
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
Executes dropped EXE 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

1896 svchost.exe
1956 svchost.exe

pid	process
1896	svchost.exe
1956	svchost.exe

Drops startup file 3 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\670b14728ad9902aecba32e22fa4f6bd.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\670b14728ad9902aecba32e22fa4f6bd.exe	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CCleaner.lnk	svchost.exe

Loads dropped DLL 3 IoCs

Processes:

6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exesvchost.exesvchost.exe

pid process

1644 6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe
1896 svchost.exe
1956 svchost.exe

pid	process
1644	6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe
1896	svchost.exe
1956	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Windows\CurrentVersion\Run\670b14728ad9902aecba32e22fa4f6bd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\670b14728ad9902aecba32e22fa4f6bd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exesvchost.exe

description	pid	process	target process
PID 1092 set thread context of 1644	1092	6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe	6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe
PID 1896 set thread context of 1956	1896	svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeDebugPrivilege	1956	svchost.exe
Token: 33	1956	svchost.exe
Token: SeIncBasePriorityPrivilege	1956	svchost.exe
Token: 33	1956	svchost.exe
Token: SeIncBasePriorityPrivilege	1956	svchost.exe
Token: 33	1956	svchost.exe
Token: SeIncBasePriorityPrivilege	1956	svchost.exe
Token: 33	1956	svchost.exe
Token: SeIncBasePriorityPrivilege	1956	svchost.exe
Token: 33	1956	svchost.exe
Token: SeIncBasePriorityPrivilege	1956	svchost.exe
Token: 33	1956	svchost.exe
Token: SeIncBasePriorityPrivilege	1956	svchost.exe
Token: 33	1956	svchost.exe
Token: SeIncBasePriorityPrivilege	1956	svchost.exe
Token: 33	1956	svchost.exe
Token: SeIncBasePriorityPrivilege	1956	svchost.exe
Token: 33	1956	svchost.exe
Token: SeIncBasePriorityPrivilege	1956	svchost.exe
Token: 33	1956	svchost.exe
Token: SeIncBasePriorityPrivilege	1956	svchost.exe
Token: 33	1956	svchost.exe
Token: SeIncBasePriorityPrivilege	1956	svchost.exe
Token: 33	1956	svchost.exe
Token: SeIncBasePriorityPrivilege	1956	svchost.exe
Token: 33	1956	svchost.exe
Token: SeIncBasePriorityPrivilege	1956	svchost.exe
Token: 33	1956	svchost.exe
Token: SeIncBasePriorityPrivilege	1956	svchost.exe
Token: 33	1956	svchost.exe
Token: SeIncBasePriorityPrivilege	1956	svchost.exe
Token: 33	1956	svchost.exe
Token: SeIncBasePriorityPrivilege	1956	svchost.exe
Token: 33	1956	svchost.exe
Token: SeIncBasePriorityPrivilege	1956	svchost.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exesvchost.exe

description	pid	process	target process
PID 1092 wrote to memory of 1644	1092	6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe	6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe
PID 1092 wrote to memory of 1644	1092	6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe	6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe
PID 1092 wrote to memory of 1644	1092	6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe	6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe
PID 1092 wrote to memory of 1644	1092	6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe	6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe
PID 1092 wrote to memory of 1644	1092	6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe	6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe
PID 1092 wrote to memory of 1644	1092	6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe	6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe
PID 1092 wrote to memory of 1644	1092	6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe	6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe
PID 1092 wrote to memory of 1644	1092	6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe	6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe
PID 1092 wrote to memory of 1644	1092	6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe	6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe
PID 1644 wrote to memory of 1896	1644	6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe	svchost.exe
PID 1644 wrote to memory of 1896	1644	6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe	svchost.exe
PID 1644 wrote to memory of 1896	1644	6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe	svchost.exe
PID 1644 wrote to memory of 1896	1644	6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe	svchost.exe
PID 1896 wrote to memory of 1956	1896	svchost.exe	svchost.exe
PID 1896 wrote to memory of 1956	1896	svchost.exe	svchost.exe
PID 1896 wrote to memory of 1956	1896	svchost.exe	svchost.exe
PID 1896 wrote to memory of 1956	1896	svchost.exe	svchost.exe
PID 1896 wrote to memory of 1956	1896	svchost.exe	svchost.exe
PID 1896 wrote to memory of 1956	1896	svchost.exe	svchost.exe
PID 1896 wrote to memory of 1956	1896	svchost.exe	svchost.exe
PID 1896 wrote to memory of 1956	1896	svchost.exe	svchost.exe
PID 1896 wrote to memory of 1956	1896	svchost.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe
"C:\Users\Admin\AppData\Local\Temp\6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1092

C:\Users\Admin\AppData\Local\Temp\6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe
"C:\Users\Admin\AppData\Local\Temp\6C8F0805290D03AB8FE1D2E21EAF62B80AB8677C43027.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1644

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1896

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
4⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
42f06a2dd04a0b84c019557cc07f0cb6

SHA1
9f8b00c0cefd6e80ed813ac25b55b57e1289c724

SHA256
6c8f0805290d03ab8fe1d2e21eaf62b80ab8677c430272f23dea52de6e4d8998

SHA512
15228012f88fb714d868aec24574c532bb49a7f56ebdd8a97922d0a569a37c6f112cdb1224db37df50196c9cc08c07e90a1f72c26978adaaeec12212ef9a9556

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
42f06a2dd04a0b84c019557cc07f0cb6

SHA1
9f8b00c0cefd6e80ed813ac25b55b57e1289c724

SHA256
6c8f0805290d03ab8fe1d2e21eaf62b80ab8677c430272f23dea52de6e4d8998

SHA512
15228012f88fb714d868aec24574c532bb49a7f56ebdd8a97922d0a569a37c6f112cdb1224db37df50196c9cc08c07e90a1f72c26978adaaeec12212ef9a9556

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
42f06a2dd04a0b84c019557cc07f0cb6

SHA1
9f8b00c0cefd6e80ed813ac25b55b57e1289c724

SHA256
6c8f0805290d03ab8fe1d2e21eaf62b80ab8677c430272f23dea52de6e4d8998

SHA512
15228012f88fb714d868aec24574c532bb49a7f56ebdd8a97922d0a569a37c6f112cdb1224db37df50196c9cc08c07e90a1f72c26978adaaeec12212ef9a9556

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
42f06a2dd04a0b84c019557cc07f0cb6

SHA1
9f8b00c0cefd6e80ed813ac25b55b57e1289c724

SHA256
6c8f0805290d03ab8fe1d2e21eaf62b80ab8677c430272f23dea52de6e4d8998

SHA512
15228012f88fb714d868aec24574c532bb49a7f56ebdd8a97922d0a569a37c6f112cdb1224db37df50196c9cc08c07e90a1f72c26978adaaeec12212ef9a9556

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
42f06a2dd04a0b84c019557cc07f0cb6

SHA1
9f8b00c0cefd6e80ed813ac25b55b57e1289c724

SHA256
6c8f0805290d03ab8fe1d2e21eaf62b80ab8677c430272f23dea52de6e4d8998

SHA512
15228012f88fb714d868aec24574c532bb49a7f56ebdd8a97922d0a569a37c6f112cdb1224db37df50196c9cc08c07e90a1f72c26978adaaeec12212ef9a9556

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
42f06a2dd04a0b84c019557cc07f0cb6

SHA1
9f8b00c0cefd6e80ed813ac25b55b57e1289c724

SHA256
6c8f0805290d03ab8fe1d2e21eaf62b80ab8677c430272f23dea52de6e4d8998

SHA512
15228012f88fb714d868aec24574c532bb49a7f56ebdd8a97922d0a569a37c6f112cdb1224db37df50196c9cc08c07e90a1f72c26978adaaeec12212ef9a9556

Download Submit
memory/1092-54-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/1092-53-0x0000000074E61000-0x0000000074E63000-memory.dmp

Filesize
8KB

Download
memory/1644-56-0x0000000000407ACE-mapping.dmp

Download
memory/1644-58-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/1644-55-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1896-60-0x0000000000000000-mapping.dmp

Download
memory/1896-69-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/1956-66-0x0000000000407ACE-mapping.dmp

Download
memory/1956-70-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads