njrat | ca4010b0b7e840aed10f2439fc37429aa7c752cf8c312d5c3de01b3342dd69fb

General

Target

x8209.xlsb
Size

116KB
MD5

c5a179c6fe1f057c380e64ad5a5151f1
SHA1

4b4c23004dab867b6759a921a24cfa181167ea62
SHA256

ca4010b0b7e840aed10f2439fc37429aa7c752cf8c312d5c3de01b3342dd69fb
SHA512

1ece527256a6460c99caf85b4c7ba399bf28796c5727a80b3f45176f47aef449145a92ccb7f55648dc41cb87391e322e8e6ac010b99a35ba9cf0aec0bb24e739

Score

10^/10

njrat trojan

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

http://phod.ru/image1.png

Extracted

Family

njrat

C2

ilfuoco.crabdance.com:1606

Mutex

2cdbd061ab

Attributes

reg_key
2cdbd061ab
splitter
@!#&^%$

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

inmonter.exe

pid process

868 inmonter.exe

pid	process
868	inmonter.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1896 EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

inmonter.exe

description	pid	process
Token: SeDebugPrivilege	868	inmonter.exe
Token: 33	868	inmonter.exe
Token: SeIncBasePriorityPrivilege	868	inmonter.exe
Token: 33	868	inmonter.exe
Token: SeIncBasePriorityPrivilege	868	inmonter.exe
Token: 33	868	inmonter.exe
Token: SeIncBasePriorityPrivilege	868	inmonter.exe
Token: 33	868	inmonter.exe
Token: SeIncBasePriorityPrivilege	868	inmonter.exe
Token: 33	868	inmonter.exe
Token: SeIncBasePriorityPrivilege	868	inmonter.exe
Token: 33	868	inmonter.exe
Token: SeIncBasePriorityPrivilege	868	inmonter.exe
Token: 33	868	inmonter.exe
Token: SeIncBasePriorityPrivilege	868	inmonter.exe
Token: 33	868	inmonter.exe
Token: SeIncBasePriorityPrivilege	868	inmonter.exe
Token: 33	868	inmonter.exe
Token: SeIncBasePriorityPrivilege	868	inmonter.exe
Token: 33	868	inmonter.exe
Token: SeIncBasePriorityPrivilege	868	inmonter.exe
Token: 33	868	inmonter.exe
Token: SeIncBasePriorityPrivilege	868	inmonter.exe
Token: 33	868	inmonter.exe
Token: SeIncBasePriorityPrivilege	868	inmonter.exe
Token: 33	868	inmonter.exe
Token: SeIncBasePriorityPrivilege	868	inmonter.exe
Token: 33	868	inmonter.exe
Token: SeIncBasePriorityPrivilege	868	inmonter.exe
Token: 33	868	inmonter.exe
Token: SeIncBasePriorityPrivilege	868	inmonter.exe
Token: 33	868	inmonter.exe
Token: SeIncBasePriorityPrivilege	868	inmonter.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

1896 EXCEL.EXE
1896 EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
1896	EXCEL.EXE
1896	EXCEL.EXE
1896	EXCEL.EXE
1896	EXCEL.EXE
1896	EXCEL.EXE
1896	EXCEL.EXE
1896	EXCEL.EXE
1896	EXCEL.EXE
1896	EXCEL.EXE
1896	EXCEL.EXE
1896	EXCEL.EXE
1896	EXCEL.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

EXCEL.EXE

description pid process target process

PID 1896 wrote to memory of 868 1896 EXCEL.EXE inmonter.exe
PID 1896 wrote to memory of 868 1896 EXCEL.EXE inmonter.exe

description	pid	process	target process
PID 1896 wrote to memory of 868	1896	EXCEL.EXE	inmonter.exe
PID 1896 wrote to memory of 868	1896	EXCEL.EXE	inmonter.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\x8209.xlsb"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1896

C:\KIS14.7\Security\inmonter.exe
"C:\KIS14.7\Security\inmonter.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:868

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KIS14.7\Security\inmonter.exe
MD5
4d7c442ee41682bc23f89190f6d30ec9

SHA1
544d50cf853121d3b169084e7b7fdcbe0b0ec9a3

SHA256
836e0921a51d3e9bb91eb3a44f6cfe798dab4939b2ec5e6a39ff758db54e6b3d

SHA512
19135b7e3f9fc2ca6b5c5853dbe94c4bb287067b3efba95e84402c086c9c3eb8253545127883b531374c91de5aa9c401e8fef64a0884bcb270e4e7d1d8fc49d3

Download Submit
C:\KIS14.7\Security\inmonter.exe
MD5
4d7c442ee41682bc23f89190f6d30ec9

SHA1
544d50cf853121d3b169084e7b7fdcbe0b0ec9a3

SHA256
836e0921a51d3e9bb91eb3a44f6cfe798dab4939b2ec5e6a39ff758db54e6b3d

SHA512
19135b7e3f9fc2ca6b5c5853dbe94c4bb287067b3efba95e84402c086c9c3eb8253545127883b531374c91de5aa9c401e8fef64a0884bcb270e4e7d1d8fc49d3

Download Submit
memory/868-287-0x0000000000690000-0x0000000000696000-memory.dmp

Filesize
24KB

Download
memory/868-273-0x0000000000000000-mapping.dmp

Download
memory/868-288-0x000000001AEA0000-0x000000001AEA2000-memory.dmp

Filesize
8KB

Download
memory/868-286-0x0000000000620000-0x000000000062D000-memory.dmp

Filesize
52KB

Download
memory/868-278-0x0000000000640000-0x0000000000675000-memory.dmp

Filesize
212KB

Download
memory/868-276-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/1896-118-0x00007FFE82E80000-0x00007FFE82E90000-memory.dmp

Filesize
64KB

Download
memory/1896-119-0x00007FFE82E80000-0x00007FFE82E90000-memory.dmp

Filesize
64KB

Download
memory/1896-251-0x00007FFE9D6E0000-0x00007FFE9E5AD000-memory.dmp

Filesize
14.8MB

Download
memory/1896-120-0x00007FFE82E80000-0x00007FFE82E90000-memory.dmp

Filesize
64KB

Download
memory/1896-126-0x00007FFEA1510000-0x00007FFEA3405000-memory.dmp

Filesize
31.0MB

Download
memory/1896-125-0x00007FFEA3410000-0x00007FFEA44FE000-memory.dmp

Filesize
16.9MB

Download
memory/1896-124-0x00007FFE82E80000-0x00007FFE82E90000-memory.dmp

Filesize
64KB

Download
memory/1896-117-0x00007FF7AC8F0000-0x00007FF7AFEA6000-memory.dmp

Filesize
53.7MB

Download
memory/1896-121-0x00007FFE82E80000-0x00007FFE82E90000-memory.dmp

Filesize
64KB

Download
memory/1896-308-0x00007FFE82E80000-0x00007FFE82E90000-memory.dmp

Filesize
64KB

Download
memory/1896-309-0x00007FFE82E80000-0x00007FFE82E90000-memory.dmp

Filesize
64KB

Download
memory/1896-310-0x00007FFE82E80000-0x00007FFE82E90000-memory.dmp

Filesize
64KB

Download
memory/1896-311-0x00007FFE82E80000-0x00007FFE82E90000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads