njrat | 303424a6536eedb027734b0557a32a064ceb0ed35f225d3f434a010fa13fe106

General

Target

303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe
Size

342KB
MD5

ab09790ec8dbb4c257d8a7c0f3a49943
SHA1

1b45a0349f77c7e07b725d32a5a32e80c00eef24
SHA256

303424a6536eedb027734b0557a32a064ceb0ed35f225d3f434a010fa13fe106
SHA512

b420c0e0064de4038ad332316168e59ab88a6ffd63c5ccc1eb36c7b29a2b449591fc0af0557399e9677d8a503302c9e50ccf060f56e7c971cfe0d6ebeb814db3

Score

10^/10

njrat bayramm evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

BAYRAMM

C2

cihan05.duckdns.org:1981

Mutex

47da9b71ec9839dd4ca48977f70dcfda

Attributes

reg_key
47da9b71ec9839dd4ca48977f70dcfda
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

tmp.exechorme.exe

pid process

1156 tmp.exe
1968 chorme.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
1156	tmp.exe
1968	chorme.exe

Drops startup file 1 IoCs

Processes:

303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chorme.exe.lnk	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe

Loads dropped DLL 2 IoCs

Processes:

303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe

pid process

1832 303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe
1832 303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe

description pid process target process

PID 1832 set thread context of 1968 1832 303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe chorme.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1636 timeout.exe
NTFS ADS 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\chorme\chorme.exe:Zone.Identifier cmd.exe

description	pid	process	target process
PID 1832 set thread context of 1968	1832	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe	chorme.exe

pid	process
1636	timeout.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\chorme\chorme.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe

pid	process
1832	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe
1832	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe
1832	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe
1832	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe
1832	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe
1832	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe
1832	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe
1832	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe
1832	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe
1832	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

303424A6536EEDB027734B0557A32A064CEB0ED35F225.exetmp.exe

description	pid	process
Token: SeDebugPrivilege	1832	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe
Token: SeDebugPrivilege	1156	tmp.exe
Token: 33	1156	tmp.exe
Token: SeIncBasePriorityPrivilege	1156	tmp.exe
Token: 33	1156	tmp.exe
Token: SeIncBasePriorityPrivilege	1156	tmp.exe
Token: 33	1156	tmp.exe
Token: SeIncBasePriorityPrivilege	1156	tmp.exe
Token: 33	1156	tmp.exe
Token: SeIncBasePriorityPrivilege	1156	tmp.exe
Token: 33	1156	tmp.exe
Token: SeIncBasePriorityPrivilege	1156	tmp.exe
Token: 33	1156	tmp.exe
Token: SeIncBasePriorityPrivilege	1156	tmp.exe
Token: 33	1156	tmp.exe
Token: SeIncBasePriorityPrivilege	1156	tmp.exe
Token: 33	1156	tmp.exe
Token: SeIncBasePriorityPrivilege	1156	tmp.exe
Token: 33	1156	tmp.exe
Token: SeIncBasePriorityPrivilege	1156	tmp.exe
Token: 33	1156	tmp.exe
Token: SeIncBasePriorityPrivilege	1156	tmp.exe
Token: 33	1156	tmp.exe
Token: SeIncBasePriorityPrivilege	1156	tmp.exe
Token: 33	1156	tmp.exe
Token: SeIncBasePriorityPrivilege	1156	tmp.exe
Token: 33	1156	tmp.exe
Token: SeIncBasePriorityPrivilege	1156	tmp.exe
Token: 33	1156	tmp.exe
Token: SeIncBasePriorityPrivilege	1156	tmp.exe
Token: 33	1156	tmp.exe
Token: SeIncBasePriorityPrivilege	1156	tmp.exe
Token: 33	1156	tmp.exe
Token: SeIncBasePriorityPrivilege	1156	tmp.exe
Token: 33	1156	tmp.exe
Token: SeIncBasePriorityPrivilege	1156	tmp.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

303424A6536EEDB027734B0557A32A064CEB0ED35F225.execmd.execmd.exetmp.exe

description	pid	process	target process
PID 1832 wrote to memory of 2012	1832	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe	cmd.exe
PID 1832 wrote to memory of 2012	1832	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe	cmd.exe
PID 1832 wrote to memory of 2012	1832	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe	cmd.exe
PID 1832 wrote to memory of 2012	1832	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe	cmd.exe
PID 2012 wrote to memory of 2032	2012	cmd.exe	reg.exe
PID 2012 wrote to memory of 2032	2012	cmd.exe	reg.exe
PID 2012 wrote to memory of 2032	2012	cmd.exe	reg.exe
PID 2012 wrote to memory of 2032	2012	cmd.exe	reg.exe
PID 1832 wrote to memory of 1156	1832	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe	tmp.exe
PID 1832 wrote to memory of 1156	1832	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe	tmp.exe
PID 1832 wrote to memory of 1156	1832	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe	tmp.exe
PID 1832 wrote to memory of 1156	1832	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe	tmp.exe
PID 1832 wrote to memory of 1968	1832	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe	chorme.exe
PID 1832 wrote to memory of 1968	1832	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe	chorme.exe
PID 1832 wrote to memory of 1968	1832	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe	chorme.exe
PID 1832 wrote to memory of 1968	1832	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe	chorme.exe
PID 1832 wrote to memory of 1968	1832	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe	chorme.exe
PID 1832 wrote to memory of 1968	1832	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe	chorme.exe
PID 1832 wrote to memory of 1968	1832	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe	chorme.exe
PID 1832 wrote to memory of 1968	1832	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe	chorme.exe
PID 1832 wrote to memory of 1968	1832	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe	chorme.exe
PID 1832 wrote to memory of 992	1832	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe	cmd.exe
PID 1832 wrote to memory of 992	1832	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe	cmd.exe
PID 1832 wrote to memory of 992	1832	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe	cmd.exe
PID 1832 wrote to memory of 992	1832	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe	cmd.exe
PID 992 wrote to memory of 1636	992	cmd.exe	timeout.exe
PID 992 wrote to memory of 1636	992	cmd.exe	timeout.exe
PID 992 wrote to memory of 1636	992	cmd.exe	timeout.exe
PID 992 wrote to memory of 1636	992	cmd.exe	timeout.exe
PID 1156 wrote to memory of 1208	1156	tmp.exe	netsh.exe
PID 1156 wrote to memory of 1208	1156	tmp.exe	netsh.exe
PID 1156 wrote to memory of 1208	1156	tmp.exe	netsh.exe
PID 1156 wrote to memory of 1208	1156	tmp.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe
"C:\Users\Admin\AppData\Local\Temp\303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
2⤵
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\chorme\chorme.exe.lnk" /f
3⤵
PID:2032

C:\Users\Admin\AppData\Roaming\tmp.exe
"C:\Users\Admin\AppData\Roaming\tmp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\tmp.exe" "tmp.exe" ENABLE
3⤵
PID:1208

C:\Users\Admin\AppData\Local\Temp\chorme.exe
"C:\Users\Admin\AppData\Local\Temp\chorme.exe"
2⤵
- Executes dropped EXE
PID:1968

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\chorme\chorme.exe.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:992

C:\Windows\SysWOW64\timeout.exe
timeout /t 300
3⤵
- Delays execution with timeout.exe
PID:1636

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\chorme.exe
MD5
2e5f1cf69f92392f8829fc9c9263ae9b

SHA1
97b9ca766bbbdaa8c9ec960dc41b598f7fad82a5

SHA256
51985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b

SHA512
f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883

Download Submit
C:\Users\Admin\AppData\Local\Temp\chorme.exe
MD5
2e5f1cf69f92392f8829fc9c9263ae9b

SHA1
97b9ca766bbbdaa8c9ec960dc41b598f7fad82a5

SHA256
51985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b

SHA512
f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883

Download Submit
C:\Users\Admin\AppData\Roaming\chorme\chorme.exe
MD5
ab09790ec8dbb4c257d8a7c0f3a49943

SHA1
1b45a0349f77c7e07b725d32a5a32e80c00eef24

SHA256
303424a6536eedb027734b0557a32a064ceb0ed35f225d3f434a010fa13fe106

SHA512
b420c0e0064de4038ad332316168e59ab88a6ffd63c5ccc1eb36c7b29a2b449591fc0af0557399e9677d8a503302c9e50ccf060f56e7c971cfe0d6ebeb814db3

Download Submit
C:\Users\Admin\AppData\Roaming\chorme\chorme.exe.bat
MD5
07ce0d8ff0a8ea3093a6ed6b32e06201

SHA1
8d4469b75a39cb88db7e98afab6cfdc7248a2b1f

SHA256
e3bef7bc47b06572214a9f04b0e573268a1837c1db293e92f21f50f36516e926

SHA512
23db28dcbad04b544ee18b1e3dbd1ba40378721c6494bec9788572c3f31ba54eb2223a7b0e86d604ef6ae711c4a91cc9c340d67bfefe89b62e4bd991d998ab60

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe
MD5
7809d89aebc16107af640aecfda94430

SHA1
c00d9323e6c029998f9efdb3d51c1038ea138b42

SHA256
dd29ac9bdbf4cc14ac684211f09c767c32a9ec2227a3be67b989757912dce611

SHA512
915fcf46559b2b417e13055c0b3b137f72562566d0de795c6851d2b59ee19e694208d2ccd990f64828f270353a1e716c099643b6ab9ed7ea1be55a8db48d122e

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe
MD5
7809d89aebc16107af640aecfda94430

SHA1
c00d9323e6c029998f9efdb3d51c1038ea138b42

SHA256
dd29ac9bdbf4cc14ac684211f09c767c32a9ec2227a3be67b989757912dce611

SHA512
915fcf46559b2b417e13055c0b3b137f72562566d0de795c6851d2b59ee19e694208d2ccd990f64828f270353a1e716c099643b6ab9ed7ea1be55a8db48d122e

Download Submit
\Users\Admin\AppData\Local\Temp\chorme.exe
MD5
2e5f1cf69f92392f8829fc9c9263ae9b

SHA1
97b9ca766bbbdaa8c9ec960dc41b598f7fad82a5

SHA256
51985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b

SHA512
f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883

Download Submit
\Users\Admin\AppData\Roaming\tmp.exe
MD5
7809d89aebc16107af640aecfda94430

SHA1
c00d9323e6c029998f9efdb3d51c1038ea138b42

SHA256
dd29ac9bdbf4cc14ac684211f09c767c32a9ec2227a3be67b989757912dce611

SHA512
915fcf46559b2b417e13055c0b3b137f72562566d0de795c6851d2b59ee19e694208d2ccd990f64828f270353a1e716c099643b6ab9ed7ea1be55a8db48d122e

Download Submit
memory/992-80-0x0000000000000000-mapping.dmp

Download
memory/1156-66-0x0000000000000000-mapping.dmp

Download
memory/1156-83-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/1208-85-0x0000000000000000-mapping.dmp

Download
memory/1636-82-0x0000000000000000-mapping.dmp

Download
memory/1832-60-0x0000000075801000-0x0000000075803000-memory.dmp

Filesize
8KB

Download
memory/1832-61-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/1968-72-0x000000000040748E-mapping.dmp

Download
memory/1968-74-0x0000000000080000-0x000000000008C000-memory.dmp

Filesize
48KB

Download
memory/1968-77-0x0000000000080000-0x000000000008C000-memory.dmp

Filesize
48KB

Download
memory/1968-84-0x0000000001FC0000-0x0000000001FC1000-memory.dmp

Filesize
4KB

Download
memory/2012-62-0x0000000000000000-mapping.dmp

Download
memory/2032-63-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads