njrat | dbd5e126cad149e95614507e63a255f2b26b9a4e539b7bcd25e7d8a1e2bd6e07

Analysis

max time kernel
151s
max time network
152s
platform
windows10_x64
resource
win10v20210408
submitted
16-09-2021 17:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe
Size

91KB
MD5

6b5bc3eba86c9efbdf993773af3f593e
SHA1

0fd0f10d34c28a928e69343caeeed7803646be8f
SHA256

dbd5e126cad149e95614507e63a255f2b26b9a4e539b7bcd25e7d8a1e2bd6e07
SHA512

cd5c91dc4de88b46384a6c615f6a0da3250a00a34c11221c8dcf9d857fde0ce8cff0a55f8442e2b7a1758d2f7b77b69d7265cc96427f972295124c06095cc3d1

Score

10^/10

njrat hacked persistence suricata trojan

Malware Config

Extracted

Family

njrat

Version

0.7 MultiHost

Botnet

HacKed

anunankis1.duckdns.org,anunankis3.duckdns.org,karmina112.sytes.net,karmina114.sytes.net,burdun.dynu.net,burdun114.dynu.net:1177

Mutex

8746d62c81bb0c573a0a1086f9955c7b

Attributes

reg_key
8746d62c81bb0c573a0a1086f9955c7b
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
Executes dropped EXE 6 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

pid process

1092 svchost.exe
1288 svchost.exe
2844 svchost.exe
1208 svchost.exe
1284 svchost.exe
1656 svchost.exe

pid	process
1092	svchost.exe
1288	svchost.exe
2844	svchost.exe
1208	svchost.exe
1284	svchost.exe
1656	svchost.exe

Drops startup file 3 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8746d62c81bb0c573a0a1086f9955c7b.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8746d62c81bb0c573a0a1086f9955c7b.exe	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CCleaner.lnk	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\8746d62c81bb0c573a0a1086f9955c7b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\8746d62c81bb0c573a0a1086f9955c7b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."	svchost.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exesvchost.exesvchost.exesvchost.exe

description	pid	process	target process
PID 740 set thread context of 904	740	DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe	DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe
PID 1092 set thread context of 1288	1092	svchost.exe	svchost.exe
PID 2844 set thread context of 1208	2844	svchost.exe	svchost.exe
PID 1284 set thread context of 1656	1284	svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1620 schtasks.exe

pid	process
1620	schtasks.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeDebugPrivilege	1288	svchost.exe
Token: 33	1288	svchost.exe
Token: SeIncBasePriorityPrivilege	1288	svchost.exe
Token: 33	1288	svchost.exe
Token: SeIncBasePriorityPrivilege	1288	svchost.exe
Token: 33	1288	svchost.exe
Token: SeIncBasePriorityPrivilege	1288	svchost.exe
Token: 33	1288	svchost.exe
Token: SeIncBasePriorityPrivilege	1288	svchost.exe
Token: 33	1288	svchost.exe
Token: SeIncBasePriorityPrivilege	1288	svchost.exe
Token: 33	1288	svchost.exe
Token: SeIncBasePriorityPrivilege	1288	svchost.exe
Token: 33	1288	svchost.exe
Token: SeIncBasePriorityPrivilege	1288	svchost.exe
Token: 33	1288	svchost.exe
Token: SeIncBasePriorityPrivilege	1288	svchost.exe
Token: 33	1288	svchost.exe
Token: SeIncBasePriorityPrivilege	1288	svchost.exe
Token: 33	1288	svchost.exe
Token: SeIncBasePriorityPrivilege	1288	svchost.exe
Token: 33	1288	svchost.exe
Token: SeIncBasePriorityPrivilege	1288	svchost.exe
Token: 33	1288	svchost.exe
Token: SeIncBasePriorityPrivilege	1288	svchost.exe
Token: 33	1288	svchost.exe
Token: SeIncBasePriorityPrivilege	1288	svchost.exe
Token: 33	1288	svchost.exe
Token: SeIncBasePriorityPrivilege	1288	svchost.exe
Token: 33	1288	svchost.exe
Token: SeIncBasePriorityPrivilege	1288	svchost.exe
Token: 33	1288	svchost.exe
Token: SeIncBasePriorityPrivilege	1288	svchost.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exeDBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	pid	process	target process
PID 740 wrote to memory of 904	740	DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe	DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe
PID 740 wrote to memory of 904	740	DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe	DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe
PID 740 wrote to memory of 904	740	DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe	DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe
PID 740 wrote to memory of 904	740	DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe	DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe
PID 740 wrote to memory of 904	740	DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe	DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe
PID 740 wrote to memory of 904	740	DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe	DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe
PID 740 wrote to memory of 904	740	DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe	DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe
PID 740 wrote to memory of 904	740	DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe	DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe
PID 904 wrote to memory of 1092	904	DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe	svchost.exe
PID 904 wrote to memory of 1092	904	DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe	svchost.exe
PID 904 wrote to memory of 1092	904	DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe	svchost.exe
PID 1092 wrote to memory of 1288	1092	svchost.exe	svchost.exe
PID 1092 wrote to memory of 1288	1092	svchost.exe	svchost.exe
PID 1092 wrote to memory of 1288	1092	svchost.exe	svchost.exe
PID 1092 wrote to memory of 1288	1092	svchost.exe	svchost.exe
PID 1092 wrote to memory of 1288	1092	svchost.exe	svchost.exe
PID 1092 wrote to memory of 1288	1092	svchost.exe	svchost.exe
PID 1092 wrote to memory of 1288	1092	svchost.exe	svchost.exe
PID 1092 wrote to memory of 1288	1092	svchost.exe	svchost.exe
PID 1288 wrote to memory of 1620	1288	svchost.exe	schtasks.exe
PID 1288 wrote to memory of 1620	1288	svchost.exe	schtasks.exe
PID 1288 wrote to memory of 1620	1288	svchost.exe	schtasks.exe
PID 2844 wrote to memory of 1208	2844	svchost.exe	svchost.exe
PID 2844 wrote to memory of 1208	2844	svchost.exe	svchost.exe
PID 2844 wrote to memory of 1208	2844	svchost.exe	svchost.exe
PID 2844 wrote to memory of 1208	2844	svchost.exe	svchost.exe
PID 2844 wrote to memory of 1208	2844	svchost.exe	svchost.exe
PID 2844 wrote to memory of 1208	2844	svchost.exe	svchost.exe
PID 2844 wrote to memory of 1208	2844	svchost.exe	svchost.exe
PID 2844 wrote to memory of 1208	2844	svchost.exe	svchost.exe
PID 1284 wrote to memory of 1656	1284	svchost.exe	svchost.exe
PID 1284 wrote to memory of 1656	1284	svchost.exe	svchost.exe
PID 1284 wrote to memory of 1656	1284	svchost.exe	svchost.exe
PID 1284 wrote to memory of 1656	1284	svchost.exe	svchost.exe
PID 1284 wrote to memory of 1656	1284	svchost.exe	svchost.exe
PID 1284 wrote to memory of 1656	1284	svchost.exe	svchost.exe
PID 1284 wrote to memory of 1656	1284	svchost.exe	svchost.exe
PID 1284 wrote to memory of 1656	1284	svchost.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe
"C:\Users\Admin\AppData\Local\Temp\DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:740

C:\Users\Admin\AppData\Local\Temp\DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe
"C:\Users\Admin\AppData\Local\Temp\DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:904

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1092

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
4⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1288

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\svchost.exe
5⤵
- Creates scheduled task(s)
PID:1620

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2844

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
2⤵
- Executes dropped EXE
PID:1208

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1284

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
2⤵
- Executes dropped EXE
PID:1656

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe.log
MD5
c748e8ca8696cef7e06115966216593a

SHA1
de51083153bc4e802050a6f3f8e2d273ea36e564

SHA256
b83056f659f6c279f69432c96fcf4d90adde41c8a3798d3105e26fe8b864759d

SHA512
d29689f58a3c672c5c2bc1a13d9b7ce7cf147f95364f54265f40783817b66e112e81e72a4e215e745a66d3ebfe57985c38d98b484646bfb01a7e92e805660ca2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\svchost.exe.log
MD5
c748e8ca8696cef7e06115966216593a

SHA1
de51083153bc4e802050a6f3f8e2d273ea36e564

SHA256
b83056f659f6c279f69432c96fcf4d90adde41c8a3798d3105e26fe8b864759d

SHA512
d29689f58a3c672c5c2bc1a13d9b7ce7cf147f95364f54265f40783817b66e112e81e72a4e215e745a66d3ebfe57985c38d98b484646bfb01a7e92e805660ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
6b5bc3eba86c9efbdf993773af3f593e

SHA1
0fd0f10d34c28a928e69343caeeed7803646be8f

SHA256
dbd5e126cad149e95614507e63a255f2b26b9a4e539b7bcd25e7d8a1e2bd6e07

SHA512
cd5c91dc4de88b46384a6c615f6a0da3250a00a34c11221c8dcf9d857fde0ce8cff0a55f8442e2b7a1758d2f7b77b69d7265cc96427f972295124c06095cc3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
6b5bc3eba86c9efbdf993773af3f593e

SHA1
0fd0f10d34c28a928e69343caeeed7803646be8f

SHA256
dbd5e126cad149e95614507e63a255f2b26b9a4e539b7bcd25e7d8a1e2bd6e07

SHA512
cd5c91dc4de88b46384a6c615f6a0da3250a00a34c11221c8dcf9d857fde0ce8cff0a55f8442e2b7a1758d2f7b77b69d7265cc96427f972295124c06095cc3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
6b5bc3eba86c9efbdf993773af3f593e

SHA1
0fd0f10d34c28a928e69343caeeed7803646be8f

SHA256
dbd5e126cad149e95614507e63a255f2b26b9a4e539b7bcd25e7d8a1e2bd6e07

SHA512
cd5c91dc4de88b46384a6c615f6a0da3250a00a34c11221c8dcf9d857fde0ce8cff0a55f8442e2b7a1758d2f7b77b69d7265cc96427f972295124c06095cc3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
6b5bc3eba86c9efbdf993773af3f593e

SHA1
0fd0f10d34c28a928e69343caeeed7803646be8f

SHA256
dbd5e126cad149e95614507e63a255f2b26b9a4e539b7bcd25e7d8a1e2bd6e07

SHA512
cd5c91dc4de88b46384a6c615f6a0da3250a00a34c11221c8dcf9d857fde0ce8cff0a55f8442e2b7a1758d2f7b77b69d7265cc96427f972295124c06095cc3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
6b5bc3eba86c9efbdf993773af3f593e

SHA1
0fd0f10d34c28a928e69343caeeed7803646be8f

SHA256
dbd5e126cad149e95614507e63a255f2b26b9a4e539b7bcd25e7d8a1e2bd6e07

SHA512
cd5c91dc4de88b46384a6c615f6a0da3250a00a34c11221c8dcf9d857fde0ce8cff0a55f8442e2b7a1758d2f7b77b69d7265cc96427f972295124c06095cc3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
6b5bc3eba86c9efbdf993773af3f593e

SHA1
0fd0f10d34c28a928e69343caeeed7803646be8f

SHA256
dbd5e126cad149e95614507e63a255f2b26b9a4e539b7bcd25e7d8a1e2bd6e07

SHA512
cd5c91dc4de88b46384a6c615f6a0da3250a00a34c11221c8dcf9d857fde0ce8cff0a55f8442e2b7a1758d2f7b77b69d7265cc96427f972295124c06095cc3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
6b5bc3eba86c9efbdf993773af3f593e

SHA1
0fd0f10d34c28a928e69343caeeed7803646be8f

SHA256
dbd5e126cad149e95614507e63a255f2b26b9a4e539b7bcd25e7d8a1e2bd6e07

SHA512
cd5c91dc4de88b46384a6c615f6a0da3250a00a34c11221c8dcf9d857fde0ce8cff0a55f8442e2b7a1758d2f7b77b69d7265cc96427f972295124c06095cc3d1

Download Submit
memory/740-114-0x0000000001040000-0x0000000001041000-memory.dmp

Filesize
4KB

Download
memory/904-116-0x0000000000407AEE-mapping.dmp

Download
memory/904-118-0x0000000002B90000-0x0000000002B91000-memory.dmp

Filesize
4KB

Download
memory/904-115-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1092-126-0x0000000002B01000-0x0000000002B02000-memory.dmp

Filesize
4KB

Download
memory/1092-119-0x0000000000000000-mapping.dmp

Download
memory/1208-131-0x0000000000407AEE-mapping.dmp

Download
memory/1208-134-0x0000000003701000-0x0000000003702000-memory.dmp

Filesize
4KB

Download
memory/1284-139-0x0000000003701000-0x0000000003702000-memory.dmp

Filesize
4KB

Download
memory/1288-127-0x0000000002D01000-0x0000000002D02000-memory.dmp

Filesize
4KB

Download
memory/1288-123-0x0000000000407AEE-mapping.dmp

Download
memory/1620-128-0x0000000000000000-mapping.dmp

Download
memory/1656-137-0x0000000000407AEE-mapping.dmp

Download
memory/1656-140-0x0000000003101000-0x0000000003102000-memory.dmp

Filesize
4KB

Download
memory/2844-133-0x0000000002F01000-0x0000000002F02000-memory.dmp

Filesize
4KB

Download