njrat | dbd5e126cad149e95614507e63a255f2b26b9a4e539b7bcd25e7d8a1e2bd6e07

Analysis

max time kernel
150s
max time network
150s
platform
windows10_x64
resource
win10-en
submitted
16-09-2021 18:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe
Size

91KB
MD5

6b5bc3eba86c9efbdf993773af3f593e
SHA1

0fd0f10d34c28a928e69343caeeed7803646be8f
SHA256

dbd5e126cad149e95614507e63a255f2b26b9a4e539b7bcd25e7d8a1e2bd6e07
SHA512

cd5c91dc4de88b46384a6c615f6a0da3250a00a34c11221c8dcf9d857fde0ce8cff0a55f8442e2b7a1758d2f7b77b69d7265cc96427f972295124c06095cc3d1

Score

10^/10

njrat hacked persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7 MultiHost

Botnet

HacKed

anunankis1.duckdns.org,anunankis3.duckdns.org,karmina112.sytes.net,karmina114.sytes.net,burdun.dynu.net,burdun114.dynu.net:1177

Mutex

8746d62c81bb0c573a0a1086f9955c7b

Attributes

reg_key
8746d62c81bb0c573a0a1086f9955c7b
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 6 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

pid process

3724 svchost.exe
3680 svchost.exe
3620 svchost.exe
3244 svchost.exe
3912 svchost.exe
3924 svchost.exe

pid	process
3724	svchost.exe
3680	svchost.exe
3620	svchost.exe
3244	svchost.exe
3912	svchost.exe
3924	svchost.exe

Drops startup file 3 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8746d62c81bb0c573a0a1086f9955c7b.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8746d62c81bb0c573a0a1086f9955c7b.exe	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CCleaner.lnk	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\8746d62c81bb0c573a0a1086f9955c7b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\8746d62c81bb0c573a0a1086f9955c7b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."	svchost.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exesvchost.exesvchost.exesvchost.exe

description	pid	process	target process
PID 3048 set thread context of 3528	3048	DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe	DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe
PID 3724 set thread context of 3680	3724	svchost.exe	svchost.exe
PID 3620 set thread context of 3244	3620	svchost.exe	svchost.exe
PID 3912 set thread context of 3924	3912	svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3876 schtasks.exe

pid	process
3876	schtasks.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeDebugPrivilege	3680	svchost.exe
Token: 33	3680	svchost.exe
Token: SeIncBasePriorityPrivilege	3680	svchost.exe
Token: 33	3680	svchost.exe
Token: SeIncBasePriorityPrivilege	3680	svchost.exe
Token: 33	3680	svchost.exe
Token: SeIncBasePriorityPrivilege	3680	svchost.exe
Token: 33	3680	svchost.exe
Token: SeIncBasePriorityPrivilege	3680	svchost.exe
Token: 33	3680	svchost.exe
Token: SeIncBasePriorityPrivilege	3680	svchost.exe
Token: 33	3680	svchost.exe
Token: SeIncBasePriorityPrivilege	3680	svchost.exe
Token: 33	3680	svchost.exe
Token: SeIncBasePriorityPrivilege	3680	svchost.exe
Token: 33	3680	svchost.exe
Token: SeIncBasePriorityPrivilege	3680	svchost.exe
Token: 33	3680	svchost.exe
Token: SeIncBasePriorityPrivilege	3680	svchost.exe
Token: 33	3680	svchost.exe
Token: SeIncBasePriorityPrivilege	3680	svchost.exe
Token: 33	3680	svchost.exe
Token: SeIncBasePriorityPrivilege	3680	svchost.exe
Token: 33	3680	svchost.exe
Token: SeIncBasePriorityPrivilege	3680	svchost.exe
Token: 33	3680	svchost.exe
Token: SeIncBasePriorityPrivilege	3680	svchost.exe
Token: 33	3680	svchost.exe
Token: SeIncBasePriorityPrivilege	3680	svchost.exe
Token: 33	3680	svchost.exe
Token: SeIncBasePriorityPrivilege	3680	svchost.exe
Token: 33	3680	svchost.exe
Token: SeIncBasePriorityPrivilege	3680	svchost.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exeDBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	pid	process	target process
PID 3048 wrote to memory of 3528	3048	DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe	DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe
PID 3048 wrote to memory of 3528	3048	DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe	DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe
PID 3048 wrote to memory of 3528	3048	DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe	DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe
PID 3048 wrote to memory of 3528	3048	DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe	DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe
PID 3048 wrote to memory of 3528	3048	DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe	DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe
PID 3048 wrote to memory of 3528	3048	DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe	DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe
PID 3048 wrote to memory of 3528	3048	DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe	DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe
PID 3048 wrote to memory of 3528	3048	DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe	DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe
PID 3528 wrote to memory of 3724	3528	DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe	svchost.exe
PID 3528 wrote to memory of 3724	3528	DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe	svchost.exe
PID 3528 wrote to memory of 3724	3528	DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe	svchost.exe
PID 3724 wrote to memory of 3680	3724	svchost.exe	svchost.exe
PID 3724 wrote to memory of 3680	3724	svchost.exe	svchost.exe
PID 3724 wrote to memory of 3680	3724	svchost.exe	svchost.exe
PID 3724 wrote to memory of 3680	3724	svchost.exe	svchost.exe
PID 3724 wrote to memory of 3680	3724	svchost.exe	svchost.exe
PID 3724 wrote to memory of 3680	3724	svchost.exe	svchost.exe
PID 3724 wrote to memory of 3680	3724	svchost.exe	svchost.exe
PID 3724 wrote to memory of 3680	3724	svchost.exe	svchost.exe
PID 3680 wrote to memory of 3876	3680	svchost.exe	schtasks.exe
PID 3680 wrote to memory of 3876	3680	svchost.exe	schtasks.exe
PID 3680 wrote to memory of 3876	3680	svchost.exe	schtasks.exe
PID 3620 wrote to memory of 3244	3620	svchost.exe	svchost.exe
PID 3620 wrote to memory of 3244	3620	svchost.exe	svchost.exe
PID 3620 wrote to memory of 3244	3620	svchost.exe	svchost.exe
PID 3620 wrote to memory of 3244	3620	svchost.exe	svchost.exe
PID 3620 wrote to memory of 3244	3620	svchost.exe	svchost.exe
PID 3620 wrote to memory of 3244	3620	svchost.exe	svchost.exe
PID 3620 wrote to memory of 3244	3620	svchost.exe	svchost.exe
PID 3620 wrote to memory of 3244	3620	svchost.exe	svchost.exe
PID 3912 wrote to memory of 3924	3912	svchost.exe	svchost.exe
PID 3912 wrote to memory of 3924	3912	svchost.exe	svchost.exe
PID 3912 wrote to memory of 3924	3912	svchost.exe	svchost.exe
PID 3912 wrote to memory of 3924	3912	svchost.exe	svchost.exe
PID 3912 wrote to memory of 3924	3912	svchost.exe	svchost.exe
PID 3912 wrote to memory of 3924	3912	svchost.exe	svchost.exe
PID 3912 wrote to memory of 3924	3912	svchost.exe	svchost.exe
PID 3912 wrote to memory of 3924	3912	svchost.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe
"C:\Users\Admin\AppData\Local\Temp\DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3048

C:\Users\Admin\AppData\Local\Temp\DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe
"C:\Users\Admin\AppData\Local\Temp\DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3528

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3724

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
4⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3680

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\svchost.exe
5⤵
- Creates scheduled task(s)
PID:3876

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3620

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
2⤵
- Executes dropped EXE
PID:3244

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3912

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
2⤵
- Executes dropped EXE
PID:3924

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe.log
MD5
c748e8ca8696cef7e06115966216593a

SHA1
de51083153bc4e802050a6f3f8e2d273ea36e564

SHA256
b83056f659f6c279f69432c96fcf4d90adde41c8a3798d3105e26fe8b864759d

SHA512
d29689f58a3c672c5c2bc1a13d9b7ce7cf147f95364f54265f40783817b66e112e81e72a4e215e745a66d3ebfe57985c38d98b484646bfb01a7e92e805660ca2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\svchost.exe.log
MD5
c748e8ca8696cef7e06115966216593a

SHA1
de51083153bc4e802050a6f3f8e2d273ea36e564

SHA256
b83056f659f6c279f69432c96fcf4d90adde41c8a3798d3105e26fe8b864759d

SHA512
d29689f58a3c672c5c2bc1a13d9b7ce7cf147f95364f54265f40783817b66e112e81e72a4e215e745a66d3ebfe57985c38d98b484646bfb01a7e92e805660ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
6b5bc3eba86c9efbdf993773af3f593e

SHA1
0fd0f10d34c28a928e69343caeeed7803646be8f

SHA256
dbd5e126cad149e95614507e63a255f2b26b9a4e539b7bcd25e7d8a1e2bd6e07

SHA512
cd5c91dc4de88b46384a6c615f6a0da3250a00a34c11221c8dcf9d857fde0ce8cff0a55f8442e2b7a1758d2f7b77b69d7265cc96427f972295124c06095cc3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
6b5bc3eba86c9efbdf993773af3f593e

SHA1
0fd0f10d34c28a928e69343caeeed7803646be8f

SHA256
dbd5e126cad149e95614507e63a255f2b26b9a4e539b7bcd25e7d8a1e2bd6e07

SHA512
cd5c91dc4de88b46384a6c615f6a0da3250a00a34c11221c8dcf9d857fde0ce8cff0a55f8442e2b7a1758d2f7b77b69d7265cc96427f972295124c06095cc3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
6b5bc3eba86c9efbdf993773af3f593e

SHA1
0fd0f10d34c28a928e69343caeeed7803646be8f

SHA256
dbd5e126cad149e95614507e63a255f2b26b9a4e539b7bcd25e7d8a1e2bd6e07

SHA512
cd5c91dc4de88b46384a6c615f6a0da3250a00a34c11221c8dcf9d857fde0ce8cff0a55f8442e2b7a1758d2f7b77b69d7265cc96427f972295124c06095cc3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
6b5bc3eba86c9efbdf993773af3f593e

SHA1
0fd0f10d34c28a928e69343caeeed7803646be8f

SHA256
dbd5e126cad149e95614507e63a255f2b26b9a4e539b7bcd25e7d8a1e2bd6e07

SHA512
cd5c91dc4de88b46384a6c615f6a0da3250a00a34c11221c8dcf9d857fde0ce8cff0a55f8442e2b7a1758d2f7b77b69d7265cc96427f972295124c06095cc3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
6b5bc3eba86c9efbdf993773af3f593e

SHA1
0fd0f10d34c28a928e69343caeeed7803646be8f

SHA256
dbd5e126cad149e95614507e63a255f2b26b9a4e539b7bcd25e7d8a1e2bd6e07

SHA512
cd5c91dc4de88b46384a6c615f6a0da3250a00a34c11221c8dcf9d857fde0ce8cff0a55f8442e2b7a1758d2f7b77b69d7265cc96427f972295124c06095cc3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
6b5bc3eba86c9efbdf993773af3f593e

SHA1
0fd0f10d34c28a928e69343caeeed7803646be8f

SHA256
dbd5e126cad149e95614507e63a255f2b26b9a4e539b7bcd25e7d8a1e2bd6e07

SHA512
cd5c91dc4de88b46384a6c615f6a0da3250a00a34c11221c8dcf9d857fde0ce8cff0a55f8442e2b7a1758d2f7b77b69d7265cc96427f972295124c06095cc3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
6b5bc3eba86c9efbdf993773af3f593e

SHA1
0fd0f10d34c28a928e69343caeeed7803646be8f

SHA256
dbd5e126cad149e95614507e63a255f2b26b9a4e539b7bcd25e7d8a1e2bd6e07

SHA512
cd5c91dc4de88b46384a6c615f6a0da3250a00a34c11221c8dcf9d857fde0ce8cff0a55f8442e2b7a1758d2f7b77b69d7265cc96427f972295124c06095cc3d1

Download Submit
memory/3048-115-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/3244-135-0x0000000003201000-0x0000000003202000-memory.dmp

Filesize
4KB

Download
memory/3244-132-0x0000000000407AEE-mapping.dmp

Download
memory/3528-116-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3528-117-0x0000000000407AEE-mapping.dmp

Download
memory/3528-119-0x0000000001510000-0x0000000001511000-memory.dmp

Filesize
4KB

Download
memory/3620-134-0x0000000002F01000-0x0000000002F02000-memory.dmp

Filesize
4KB

Download
memory/3680-124-0x0000000000407AEE-mapping.dmp

Download
memory/3680-128-0x0000000003901000-0x0000000003902000-memory.dmp

Filesize
4KB

Download
memory/3724-120-0x0000000000000000-mapping.dmp

Download
memory/3724-127-0x0000000003401000-0x0000000003402000-memory.dmp

Filesize
4KB

Download
memory/3876-129-0x0000000000000000-mapping.dmp

Download
memory/3912-140-0x0000000002D01000-0x0000000002D02000-memory.dmp

Filesize
4KB

Download
memory/3924-138-0x0000000000407AEE-mapping.dmp

Download
memory/3924-141-0x0000000003501000-0x0000000003502000-memory.dmp

Filesize
4KB

Download