njrat | 303424a6536eedb027734b0557a32a064ceb0ed35f225d3f434a010fa13fe106

General

Target

303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe
Size

342KB
MD5

ab09790ec8dbb4c257d8a7c0f3a49943
SHA1

1b45a0349f77c7e07b725d32a5a32e80c00eef24
SHA256

303424a6536eedb027734b0557a32a064ceb0ed35f225d3f434a010fa13fe106
SHA512

b420c0e0064de4038ad332316168e59ab88a6ffd63c5ccc1eb36c7b29a2b449591fc0af0557399e9677d8a503302c9e50ccf060f56e7c971cfe0d6ebeb814db3

Score

10^/10

njrat bayramm evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

BAYRAMM

C2

cihan05.duckdns.org:1981

Mutex

47da9b71ec9839dd4ca48977f70dcfda

Attributes

reg_key
47da9b71ec9839dd4ca48977f70dcfda
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

tmp.exechorme.exe

pid process

3488 tmp.exe
2192 chorme.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
3488	tmp.exe
2192	chorme.exe

Drops startup file 1 IoCs

Processes:

303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chorme.exe.lnk	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe

description pid process target process

PID 2384 set thread context of 2192 2384 303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe chorme.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2508 timeout.exe
NTFS ADS 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\chorme\chorme.exe:Zone.Identifier cmd.exe

description	pid	process	target process
PID 2384 set thread context of 2192	2384	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe	chorme.exe

pid	process
2508	timeout.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\chorme\chorme.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe

pid	process
2384	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe
2384	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe
2384	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe
2384	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe
2384	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe
2384	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe
2384	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe
2384	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe
2384	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe
2384	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

303424A6536EEDB027734B0557A32A064CEB0ED35F225.exetmp.exe

description	pid	process
Token: SeDebugPrivilege	2384	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe
Token: SeDebugPrivilege	3488	tmp.exe
Token: 33	3488	tmp.exe
Token: SeIncBasePriorityPrivilege	3488	tmp.exe
Token: 33	3488	tmp.exe
Token: SeIncBasePriorityPrivilege	3488	tmp.exe
Token: 33	3488	tmp.exe
Token: SeIncBasePriorityPrivilege	3488	tmp.exe
Token: 33	3488	tmp.exe
Token: SeIncBasePriorityPrivilege	3488	tmp.exe
Token: 33	3488	tmp.exe
Token: SeIncBasePriorityPrivilege	3488	tmp.exe
Token: 33	3488	tmp.exe
Token: SeIncBasePriorityPrivilege	3488	tmp.exe
Token: 33	3488	tmp.exe
Token: SeIncBasePriorityPrivilege	3488	tmp.exe
Token: 33	3488	tmp.exe
Token: SeIncBasePriorityPrivilege	3488	tmp.exe
Token: 33	3488	tmp.exe
Token: SeIncBasePriorityPrivilege	3488	tmp.exe
Token: 33	3488	tmp.exe
Token: SeIncBasePriorityPrivilege	3488	tmp.exe
Token: 33	3488	tmp.exe
Token: SeIncBasePriorityPrivilege	3488	tmp.exe
Token: 33	3488	tmp.exe
Token: SeIncBasePriorityPrivilege	3488	tmp.exe
Token: 33	3488	tmp.exe
Token: SeIncBasePriorityPrivilege	3488	tmp.exe
Token: 33	3488	tmp.exe
Token: SeIncBasePriorityPrivilege	3488	tmp.exe
Token: 33	3488	tmp.exe
Token: SeIncBasePriorityPrivilege	3488	tmp.exe
Token: 33	3488	tmp.exe
Token: SeIncBasePriorityPrivilege	3488	tmp.exe
Token: 33	3488	tmp.exe
Token: SeIncBasePriorityPrivilege	3488	tmp.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

303424A6536EEDB027734B0557A32A064CEB0ED35F225.execmd.execmd.exetmp.exe

description	pid	process	target process
PID 2384 wrote to memory of 2568	2384	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe	cmd.exe
PID 2384 wrote to memory of 2568	2384	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe	cmd.exe
PID 2384 wrote to memory of 2568	2384	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe	cmd.exe
PID 2568 wrote to memory of 2708	2568	cmd.exe	reg.exe
PID 2568 wrote to memory of 2708	2568	cmd.exe	reg.exe
PID 2568 wrote to memory of 2708	2568	cmd.exe	reg.exe
PID 2384 wrote to memory of 3488	2384	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe	tmp.exe
PID 2384 wrote to memory of 3488	2384	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe	tmp.exe
PID 2384 wrote to memory of 3488	2384	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe	tmp.exe
PID 2384 wrote to memory of 2192	2384	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe	chorme.exe
PID 2384 wrote to memory of 2192	2384	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe	chorme.exe
PID 2384 wrote to memory of 2192	2384	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe	chorme.exe
PID 2384 wrote to memory of 2192	2384	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe	chorme.exe
PID 2384 wrote to memory of 2192	2384	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe	chorme.exe
PID 2384 wrote to memory of 2192	2384	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe	chorme.exe
PID 2384 wrote to memory of 2192	2384	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe	chorme.exe
PID 2384 wrote to memory of 2192	2384	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe	chorme.exe
PID 2384 wrote to memory of 3640	2384	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe	cmd.exe
PID 2384 wrote to memory of 3640	2384	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe	cmd.exe
PID 2384 wrote to memory of 3640	2384	303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe	cmd.exe
PID 3640 wrote to memory of 2508	3640	cmd.exe	timeout.exe
PID 3640 wrote to memory of 2508	3640	cmd.exe	timeout.exe
PID 3640 wrote to memory of 2508	3640	cmd.exe	timeout.exe
PID 3488 wrote to memory of 3988	3488	tmp.exe	netsh.exe
PID 3488 wrote to memory of 3988	3488	tmp.exe	netsh.exe
PID 3488 wrote to memory of 3988	3488	tmp.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe
"C:\Users\Admin\AppData\Local\Temp\303424A6536EEDB027734B0557A32A064CEB0ED35F225.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2384

C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
2⤵
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:2568

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\chorme\chorme.exe.lnk" /f
3⤵
PID:2708

C:\Users\Admin\AppData\Roaming\tmp.exe
"C:\Users\Admin\AppData\Roaming\tmp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3488

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\tmp.exe" "tmp.exe" ENABLE
3⤵
PID:3988

C:\Users\Admin\AppData\Local\Temp\chorme.exe
"C:\Users\Admin\AppData\Local\Temp\chorme.exe"
2⤵
- Executes dropped EXE
PID:2192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\chorme\chorme.exe.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:3640

C:\Windows\SysWOW64\timeout.exe
timeout /t 300
3⤵
- Delays execution with timeout.exe
PID:2508

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\chorme.exe
MD5
810be04867d847b702dd5fa163cb0a66

SHA1
fb2a355f356660ba494e70af002d6a728fe64aa7

SHA256
e83d07b6a965bcaf8502f7d869ff69a647b2fc68dc82bcf8be4a6b79e0e03f19

SHA512
b6e38765a9ae433994ac9d5986049aa33ab7fe581a324ef647f0295617bb00ed0af83ffc6cb33890052393ac1d34898553a3b78cab259bd4e45c446230652981

Download Submit
C:\Users\Admin\AppData\Local\Temp\chorme.exe
MD5
810be04867d847b702dd5fa163cb0a66

SHA1
fb2a355f356660ba494e70af002d6a728fe64aa7

SHA256
e83d07b6a965bcaf8502f7d869ff69a647b2fc68dc82bcf8be4a6b79e0e03f19

SHA512
b6e38765a9ae433994ac9d5986049aa33ab7fe581a324ef647f0295617bb00ed0af83ffc6cb33890052393ac1d34898553a3b78cab259bd4e45c446230652981

Download Submit
C:\Users\Admin\AppData\Roaming\chorme\chorme.exe
MD5
ab09790ec8dbb4c257d8a7c0f3a49943

SHA1
1b45a0349f77c7e07b725d32a5a32e80c00eef24

SHA256
303424a6536eedb027734b0557a32a064ceb0ed35f225d3f434a010fa13fe106

SHA512
b420c0e0064de4038ad332316168e59ab88a6ffd63c5ccc1eb36c7b29a2b449591fc0af0557399e9677d8a503302c9e50ccf060f56e7c971cfe0d6ebeb814db3

Download Submit
C:\Users\Admin\AppData\Roaming\chorme\chorme.exe.bat
MD5
07ce0d8ff0a8ea3093a6ed6b32e06201

SHA1
8d4469b75a39cb88db7e98afab6cfdc7248a2b1f

SHA256
e3bef7bc47b06572214a9f04b0e573268a1837c1db293e92f21f50f36516e926

SHA512
23db28dcbad04b544ee18b1e3dbd1ba40378721c6494bec9788572c3f31ba54eb2223a7b0e86d604ef6ae711c4a91cc9c340d67bfefe89b62e4bd991d998ab60

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe
MD5
7809d89aebc16107af640aecfda94430

SHA1
c00d9323e6c029998f9efdb3d51c1038ea138b42

SHA256
dd29ac9bdbf4cc14ac684211f09c767c32a9ec2227a3be67b989757912dce611

SHA512
915fcf46559b2b417e13055c0b3b137f72562566d0de795c6851d2b59ee19e694208d2ccd990f64828f270353a1e716c099643b6ab9ed7ea1be55a8db48d122e

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe
MD5
7809d89aebc16107af640aecfda94430

SHA1
c00d9323e6c029998f9efdb3d51c1038ea138b42

SHA256
dd29ac9bdbf4cc14ac684211f09c767c32a9ec2227a3be67b989757912dce611

SHA512
915fcf46559b2b417e13055c0b3b137f72562566d0de795c6851d2b59ee19e694208d2ccd990f64828f270353a1e716c099643b6ab9ed7ea1be55a8db48d122e

Download Submit
memory/2192-128-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/2192-123-0x000000000040748E-mapping.dmp

Download
memory/2384-115-0x00000000028F0000-0x00000000028F1000-memory.dmp

Filesize
4KB

Download
memory/2508-130-0x0000000000000000-mapping.dmp

Download
memory/2568-116-0x0000000000000000-mapping.dmp

Download
memory/2708-117-0x0000000000000000-mapping.dmp

Download
memory/3488-119-0x0000000000000000-mapping.dmp

Download
memory/3488-127-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/3640-126-0x0000000000000000-mapping.dmp

Download
memory/3988-131-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads