njrat | a3d76879d36c9e33eff1bc48b4154b3ef1e4f6a1c32cc584086629bef2673a0b

General

Target

a3d76879d36c9e33eff1bc48b4154b3ef1e4f6a1c32cc584086629bef2673a0b.exe
Size

69KB
MD5

dd9fa20e95d785d15ea9f9ab178876d5
SHA1

4a926671cf12f506676d6cb13817e9a3fe2759f2
SHA256

a3d76879d36c9e33eff1bc48b4154b3ef1e4f6a1c32cc584086629bef2673a0b
SHA512

ec4734e0bc8a98701ce7f47999865d2acb2871f7df0d083c51c451b4c952b5b63e0da494df73656a5e549e973bd500a22c5d225bd8d9a1f6f6295702d1a52770

Score

10^/10

njrat @ hacking by dr west @evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

@ HaCkInG By Dr WeSt @

C2

w187.ddns.net:2020

Mutex

4ef9538b5a577a1bd3c1a578ea50c133

Attributes

reg_key
4ef9538b5a577a1bd3c1a578ea50c133
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

[Mr.Abu Hani].exeWindows Audio Device Graph Isolation .exe

pid process

2784 [Mr.Abu Hani].exe
3324 Windows Audio Device Graph Isolation .exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
2784	[Mr.Abu Hani].exe
3324	Windows Audio Device Graph Isolation .exe

Drops startup file 2 IoCs

Processes:

Windows Audio Device Graph Isolation .exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4ef9538b5a577a1bd3c1a578ea50c133.exe	Windows Audio Device Graph Isolation .exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4ef9538b5a577a1bd3c1a578ea50c133.exe	Windows Audio Device Graph Isolation .exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

Windows Audio Device Graph Isolation .exe

description	pid	process
Token: SeDebugPrivilege	3324	Windows Audio Device Graph Isolation .exe
Token: 33	3324	Windows Audio Device Graph Isolation .exe
Token: SeIncBasePriorityPrivilege	3324	Windows Audio Device Graph Isolation .exe
Token: 33	3324	Windows Audio Device Graph Isolation .exe
Token: SeIncBasePriorityPrivilege	3324	Windows Audio Device Graph Isolation .exe
Token: 33	3324	Windows Audio Device Graph Isolation .exe
Token: SeIncBasePriorityPrivilege	3324	Windows Audio Device Graph Isolation .exe
Token: 33	3324	Windows Audio Device Graph Isolation .exe
Token: SeIncBasePriorityPrivilege	3324	Windows Audio Device Graph Isolation .exe
Token: 33	3324	Windows Audio Device Graph Isolation .exe
Token: SeIncBasePriorityPrivilege	3324	Windows Audio Device Graph Isolation .exe
Token: 33	3324	Windows Audio Device Graph Isolation .exe
Token: SeIncBasePriorityPrivilege	3324	Windows Audio Device Graph Isolation .exe
Token: 33	3324	Windows Audio Device Graph Isolation .exe
Token: SeIncBasePriorityPrivilege	3324	Windows Audio Device Graph Isolation .exe
Token: 33	3324	Windows Audio Device Graph Isolation .exe
Token: SeIncBasePriorityPrivilege	3324	Windows Audio Device Graph Isolation .exe
Token: 33	3324	Windows Audio Device Graph Isolation .exe
Token: SeIncBasePriorityPrivilege	3324	Windows Audio Device Graph Isolation .exe
Token: 33	3324	Windows Audio Device Graph Isolation .exe
Token: SeIncBasePriorityPrivilege	3324	Windows Audio Device Graph Isolation .exe
Token: 33	3324	Windows Audio Device Graph Isolation .exe
Token: SeIncBasePriorityPrivilege	3324	Windows Audio Device Graph Isolation .exe
Token: 33	3324	Windows Audio Device Graph Isolation .exe
Token: SeIncBasePriorityPrivilege	3324	Windows Audio Device Graph Isolation .exe
Token: 33	3324	Windows Audio Device Graph Isolation .exe
Token: SeIncBasePriorityPrivilege	3324	Windows Audio Device Graph Isolation .exe
Token: 33	3324	Windows Audio Device Graph Isolation .exe
Token: SeIncBasePriorityPrivilege	3324	Windows Audio Device Graph Isolation .exe
Token: 33	3324	Windows Audio Device Graph Isolation .exe
Token: SeIncBasePriorityPrivilege	3324	Windows Audio Device Graph Isolation .exe
Token: 33	3324	Windows Audio Device Graph Isolation .exe
Token: SeIncBasePriorityPrivilege	3324	Windows Audio Device Graph Isolation .exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

a3d76879d36c9e33eff1bc48b4154b3ef1e4f6a1c32cc584086629bef2673a0b.exe[Mr.Abu Hani].exeWindows Audio Device Graph Isolation .exe

description	pid	process	target process
PID 2452 wrote to memory of 2784	2452	a3d76879d36c9e33eff1bc48b4154b3ef1e4f6a1c32cc584086629bef2673a0b.exe	[Mr.Abu Hani].exe
PID 2452 wrote to memory of 2784	2452	a3d76879d36c9e33eff1bc48b4154b3ef1e4f6a1c32cc584086629bef2673a0b.exe	[Mr.Abu Hani].exe
PID 2452 wrote to memory of 2784	2452	a3d76879d36c9e33eff1bc48b4154b3ef1e4f6a1c32cc584086629bef2673a0b.exe	[Mr.Abu Hani].exe
PID 2784 wrote to memory of 3324	2784	[Mr.Abu Hani].exe	Windows Audio Device Graph Isolation .exe
PID 2784 wrote to memory of 3324	2784	[Mr.Abu Hani].exe	Windows Audio Device Graph Isolation .exe
PID 2784 wrote to memory of 3324	2784	[Mr.Abu Hani].exe	Windows Audio Device Graph Isolation .exe
PID 3324 wrote to memory of 3420	3324	Windows Audio Device Graph Isolation .exe	netsh.exe
PID 3324 wrote to memory of 3420	3324	Windows Audio Device Graph Isolation .exe	netsh.exe
PID 3324 wrote to memory of 3420	3324	Windows Audio Device Graph Isolation .exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\a3d76879d36c9e33eff1bc48b4154b3ef1e4f6a1c32cc584086629bef2673a0b.exe
"C:\Users\Admin\AppData\Local\Temp\a3d76879d36c9e33eff1bc48b4154b3ef1e4f6a1c32cc584086629bef2673a0b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2452

C:\Users\Admin\AppData\Local\Temp\[Mr.Abu Hani].exe
"C:\Users\Admin\AppData\Local\Temp\[Mr.Abu Hani].exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784

C:\Users\Admin\AppData\Roaming\Windows Audio Device Graph Isolation .exe
"C:\Users\Admin\AppData\Roaming\Windows Audio Device Graph Isolation .exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3324

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Windows Audio Device Graph Isolation .exe" "Windows Audio Device Graph Isolation .exe" ENABLE
4⤵
PID:3420

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\[Mr.Abu Hani].exe
MD5
1b6071dc1c6ca35c780dc5dcf5392ba3

SHA1
c331def6c09f8c82bc71826b9df035e8fcc5059d

SHA256
89a5182594c48407f4588d196d1a22dbed83f4a01023a9e5f6730f5b318ff721

SHA512
7b5d03b817025b423d0331a73bd32bb5ec2b5a6fa16bbf40c58695ee193c7dad66187b1574cadd59259799a6c80eabe4031e7d2ea9b22c9333c772d6e4b47c56

Download Submit
C:\Users\Admin\AppData\Local\Temp\[Mr.Abu Hani].exe
MD5
1b6071dc1c6ca35c780dc5dcf5392ba3

SHA1
c331def6c09f8c82bc71826b9df035e8fcc5059d

SHA256
89a5182594c48407f4588d196d1a22dbed83f4a01023a9e5f6730f5b318ff721

SHA512
7b5d03b817025b423d0331a73bd32bb5ec2b5a6fa16bbf40c58695ee193c7dad66187b1574cadd59259799a6c80eabe4031e7d2ea9b22c9333c772d6e4b47c56

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Audio Device Graph Isolation .exe
MD5
1b6071dc1c6ca35c780dc5dcf5392ba3

SHA1
c331def6c09f8c82bc71826b9df035e8fcc5059d

SHA256
89a5182594c48407f4588d196d1a22dbed83f4a01023a9e5f6730f5b318ff721

SHA512
7b5d03b817025b423d0331a73bd32bb5ec2b5a6fa16bbf40c58695ee193c7dad66187b1574cadd59259799a6c80eabe4031e7d2ea9b22c9333c772d6e4b47c56

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Audio Device Graph Isolation .exe
MD5
1b6071dc1c6ca35c780dc5dcf5392ba3

SHA1
c331def6c09f8c82bc71826b9df035e8fcc5059d

SHA256
89a5182594c48407f4588d196d1a22dbed83f4a01023a9e5f6730f5b318ff721

SHA512
7b5d03b817025b423d0331a73bd32bb5ec2b5a6fa16bbf40c58695ee193c7dad66187b1574cadd59259799a6c80eabe4031e7d2ea9b22c9333c772d6e4b47c56

Download Submit
memory/2452-115-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/2452-117-0x0000000005770000-0x0000000005771000-memory.dmp

Filesize
4KB

Download
memory/2452-118-0x0000000005260000-0x0000000005261000-memory.dmp

Filesize
4KB

Download
memory/2784-119-0x0000000000000000-mapping.dmp

Download
memory/2784-122-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/3324-123-0x0000000000000000-mapping.dmp

Download
memory/3324-126-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/3420-127-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads