njrat | cedfea0974aceb19d6c47fcd22c2082b57813bc8615cb5f5b505f19703ea6173

Analysis

max time kernel
149s
max time network
144s
platform
windows10_x64
resource
win10v20210408
submitted
25-09-2021 23:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Windows Security Health Service.bin.exe
Size

595KB
MD5

ba38fee6928359b14d6ab46fd1c6a2e2
SHA1

d0ffbbdb618a86af97c9a37f8d506cff3b91e377
SHA256

1cc94a68355afc41f13a6c6136b0d0d212f33a92e1f53a51075f05d49f541310
SHA512

c1b9650c75a777455e4b8e21e5b01fbf7457928ab4545f5fc74d589da3c27d4ebf7c334c2d9bb5334c401cbf1a8fb68569eded934613799ba018b2261caf3a74

Score

10^/10

njrat hacked agilenet persistence trojan

Malware Config

Extracted

Family

njrat

Version

v4.0

Botnet

HacKed

blackhacked.ddns.net:5555

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 4 IoCs

Processes:

Windows Security Health Service.exeInstallUtil.exeWindows Security Health Service.exeWindows Security Health Service.exe

pid process

2360 Windows Security Health Service.exe
2784 InstallUtil.exe
3572 Windows Security Health Service.exe
4036 Windows Security Health Service.exe

pid	process
2360	Windows Security Health Service.exe
2784	InstallUtil.exe
3572	Windows Security Health Service.exe
4036	Windows Security Health Service.exe

Drops startup file 3 IoCs

Processes:

Windows Security Health Service.bin.exeInstallUtil.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security Health Service.exe	Windows Security Health Service.bin.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security Health Service.exe	Windows Security Health Service.bin.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	InstallUtil.exe

Obfuscated with Agile.Net obfuscator 4 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/memory/532-121-0x0000000006600000-0x0000000006621000-memory.dmp	agile_net
behavioral2/memory/532-124-0x00000000051F0000-0x00000000056EE000-memory.dmp	agile_net
behavioral2/memory/2360-135-0x0000000004F00000-0x00000000053FE000-memory.dmp	agile_net
behavioral2/memory/2360-140-0x0000000004F00000-0x00000000053FE000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Security Health Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Windows Security Health Service.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Windows Security Health Service.exe

description pid process target process

PID 2360 set thread context of 2784 2360 Windows Security Health Service.exe InstallUtil.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 2360 set thread context of 2784	2360	Windows Security Health Service.exe	InstallUtil.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

Windows Security Health Service.bin.exeWindows Security Health Service.exeWindows Security Health Service.exeWindows Security Health Service.exe

pid	process
532	Windows Security Health Service.bin.exe
532	Windows Security Health Service.bin.exe
532	Windows Security Health Service.bin.exe
532	Windows Security Health Service.bin.exe
532	Windows Security Health Service.bin.exe
532	Windows Security Health Service.bin.exe
532	Windows Security Health Service.bin.exe
532	Windows Security Health Service.bin.exe
532	Windows Security Health Service.bin.exe
532	Windows Security Health Service.bin.exe
532	Windows Security Health Service.bin.exe
532	Windows Security Health Service.bin.exe
532	Windows Security Health Service.bin.exe
532	Windows Security Health Service.bin.exe
532	Windows Security Health Service.bin.exe
2360	Windows Security Health Service.exe
2360	Windows Security Health Service.exe
2360	Windows Security Health Service.exe
2360	Windows Security Health Service.exe
3572	Windows Security Health Service.exe
4036	Windows Security Health Service.exe
4036	Windows Security Health Service.exe
4036	Windows Security Health Service.exe
2360	Windows Security Health Service.exe
2360	Windows Security Health Service.exe
2360	Windows Security Health Service.exe
2360	Windows Security Health Service.exe
2360	Windows Security Health Service.exe
2360	Windows Security Health Service.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

Windows Security Health Service.bin.exeWindows Security Health Service.exeWindows Security Health Service.exeWindows Security Health Service.exeInstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	532	Windows Security Health Service.bin.exe
Token: SeDebugPrivilege	2360	Windows Security Health Service.exe
Token: SeDebugPrivilege	3572	Windows Security Health Service.exe
Token: SeDebugPrivilege	4036	Windows Security Health Service.exe
Token: SeDebugPrivilege	2784	InstallUtil.exe
Token: 33	2784	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	2784	InstallUtil.exe
Token: 33	2784	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	2784	InstallUtil.exe
Token: 33	2784	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	2784	InstallUtil.exe
Token: 33	2784	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	2784	InstallUtil.exe
Token: 33	2784	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	2784	InstallUtil.exe
Token: 33	2784	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	2784	InstallUtil.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

Windows Security Health Service.bin.execmd.exeWindows Security Health Service.exeWindows Security Health Service.exe

description	pid	process	target process
PID 532 wrote to memory of 3912	532	Windows Security Health Service.bin.exe	cmd.exe
PID 532 wrote to memory of 3912	532	Windows Security Health Service.bin.exe	cmd.exe
PID 532 wrote to memory of 3912	532	Windows Security Health Service.bin.exe	cmd.exe
PID 3912 wrote to memory of 2200	3912	cmd.exe	reg.exe
PID 3912 wrote to memory of 2200	3912	cmd.exe	reg.exe
PID 3912 wrote to memory of 2200	3912	cmd.exe	reg.exe
PID 532 wrote to memory of 2360	532	Windows Security Health Service.bin.exe	Windows Security Health Service.exe
PID 532 wrote to memory of 2360	532	Windows Security Health Service.bin.exe	Windows Security Health Service.exe
PID 532 wrote to memory of 2360	532	Windows Security Health Service.bin.exe	Windows Security Health Service.exe
PID 2360 wrote to memory of 2784	2360	Windows Security Health Service.exe	InstallUtil.exe
PID 2360 wrote to memory of 2784	2360	Windows Security Health Service.exe	InstallUtil.exe
PID 2360 wrote to memory of 2784	2360	Windows Security Health Service.exe	InstallUtil.exe
PID 2360 wrote to memory of 2784	2360	Windows Security Health Service.exe	InstallUtil.exe
PID 2360 wrote to memory of 2784	2360	Windows Security Health Service.exe	InstallUtil.exe
PID 2360 wrote to memory of 2784	2360	Windows Security Health Service.exe	InstallUtil.exe
PID 2360 wrote to memory of 2784	2360	Windows Security Health Service.exe	InstallUtil.exe
PID 2360 wrote to memory of 2784	2360	Windows Security Health Service.exe	InstallUtil.exe
PID 2360 wrote to memory of 3572	2360	Windows Security Health Service.exe	Windows Security Health Service.exe
PID 2360 wrote to memory of 3572	2360	Windows Security Health Service.exe	Windows Security Health Service.exe
PID 2360 wrote to memory of 3572	2360	Windows Security Health Service.exe	Windows Security Health Service.exe
PID 3572 wrote to memory of 4036	3572	Windows Security Health Service.exe	Windows Security Health Service.exe
PID 3572 wrote to memory of 4036	3572	Windows Security Health Service.exe	Windows Security Health Service.exe
PID 3572 wrote to memory of 4036	3572	Windows Security Health Service.exe	Windows Security Health Service.exe

C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.bin.exe
"C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.bin.exe"
1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:532

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows Security Health Service" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security Health Service.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3912

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows Security Health Service" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security Health Service.exe"
3⤵
- Adds Run key to start application
PID:2200

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security Health Service.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security Health Service.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2360

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe
"C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3572

C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe
"C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe
MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe
MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe
MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.txt
MD5
ba9dc593f627ae39034d87469e1291b4

SHA1
8b4c95964c069182e3f4e4c40a9cb6d2e5cfb3ae

SHA256
d69deb78836d8b4af484afc1ced14c3d25d89927e7e875e8685c29e4f71a4634

SHA512
780ea6975bc2e0a18e77a4142fba246372a7b5d21de542352b8c0ff0903fe8f7f4f40ab61f13c5f038fe83edffe0c8e989fbe1b4259e79f25a6d31a23b7717f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.txt
MD5
15a660facec7aedbbbb32a047e76fb63

SHA1
09bb180e6f20cd652ce2056ee6c7ec63bb49056d

SHA256
45def25c53a01869891129877ce1c49af0678d6ac3e341b35c16cb7318f87e1a

SHA512
827955cffbabfe93cf44d5846f8de2492ba6e52a9fd5d3b391a54cfb15cb535aed0f67c9cb750dc204d76550e9db866fc797c738f3cb259ac6610c53386c3cc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.txt
MD5
d8bf0c00a1dd756ccb38a8d617835af4

SHA1
abe7976b573a7d3bf2ae3249411e0df7b826dd25

SHA256
4a954e9229fd8b52d3d72114cecb6866c0637aec9a187b87e0121a61a8867a74

SHA512
11317a33afeef9c1649eaf8db8f7d49cde3b960c39163e950c51ab8ba2435663f471b23e6873cd4602d278195286efe805c66c442f6f2602bd6557c98a132ce3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security Health Service.exe
MD5
ba38fee6928359b14d6ab46fd1c6a2e2

SHA1
d0ffbbdb618a86af97c9a37f8d506cff3b91e377

SHA256
1cc94a68355afc41f13a6c6136b0d0d212f33a92e1f53a51075f05d49f541310

SHA512
c1b9650c75a777455e4b8e21e5b01fbf7457928ab4545f5fc74d589da3c27d4ebf7c334c2d9bb5334c401cbf1a8fb68569eded934613799ba018b2261caf3a74

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security Health Service.exe
MD5
ba38fee6928359b14d6ab46fd1c6a2e2

SHA1
d0ffbbdb618a86af97c9a37f8d506cff3b91e377

SHA256
1cc94a68355afc41f13a6c6136b0d0d212f33a92e1f53a51075f05d49f541310

SHA512
c1b9650c75a777455e4b8e21e5b01fbf7457928ab4545f5fc74d589da3c27d4ebf7c334c2d9bb5334c401cbf1a8fb68569eded934613799ba018b2261caf3a74

Download Submit
memory/532-124-0x00000000051F0000-0x00000000056EE000-memory.dmp

Filesize
5.0MB

Download
memory/532-119-0x00000000051F0000-0x00000000056EE000-memory.dmp

Filesize
5.0MB

Download
memory/532-116-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/532-117-0x00000000051F0000-0x00000000051F1000-memory.dmp

Filesize
4KB

Download
memory/532-118-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/532-121-0x0000000006600000-0x0000000006621000-memory.dmp

Filesize
132KB

Download
memory/532-122-0x00000000066B0000-0x00000000066B1000-memory.dmp

Filesize
4KB

Download
memory/532-123-0x00000000065D0000-0x00000000065D1000-memory.dmp

Filesize
4KB

Download
memory/532-114-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/2200-126-0x0000000000000000-mapping.dmp

Download
memory/2360-142-0x0000000009070000-0x0000000009071000-memory.dmp

Filesize
4KB

Download
memory/2360-141-0x0000000006AA0000-0x0000000006AAB000-memory.dmp

Filesize
44KB

Download
memory/2360-140-0x0000000004F00000-0x00000000053FE000-memory.dmp

Filesize
5.0MB

Download
memory/2360-127-0x0000000000000000-mapping.dmp

Download
memory/2360-135-0x0000000004F00000-0x00000000053FE000-memory.dmp

Filesize
5.0MB

Download
memory/2784-144-0x000000000040837E-mapping.dmp

Download
memory/2784-143-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2784-167-0x0000000005E30000-0x0000000005E31000-memory.dmp

Filesize
4KB

Download
memory/2784-165-0x00000000057C0000-0x000000000585C000-memory.dmp

Filesize
624KB

Download
memory/3572-151-0x0000000000000000-mapping.dmp

Download
memory/3572-154-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/3912-125-0x0000000000000000-mapping.dmp

Download
memory/4036-158-0x0000000000000000-mapping.dmp

Download