njrat | 4b296c56dac1277051eca84cabf8b6232efa522fd25a50fed95e840c098d324e

General

Target

4b296c56dac1277051eca84cabf8b6232efa522fd25a50fed95e840c098d324e.exe
Size

1.7MB
MD5

a2f35e38f6b100b91d0ddab680538d39
SHA1

1c81b383748ec30678d96c3aea78fbd08fbbb923
SHA256

4b296c56dac1277051eca84cabf8b6232efa522fd25a50fed95e840c098d324e
SHA512

84ed35e114e7391f543f5f1eedde59f7bfc05117d96c7ad299ba54828097bc4c5abc6488cd0eaae971a7c09792e510c66b52cff842be992f0bc1aaac1639f615

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

91.213.44.57:9

Mutex

f227f14b70512c480fba70d41029f780

Attributes

reg_key
f227f14b70512c480fba70d41029f780
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 3 IoCs

Processes:

EasyAutoClicker.exeServer.exeLocal Security Authority Proccess.exe

pid process

1172 EasyAutoClicker.exe
2012 Server.exe
1268 Local Security Authority Proccess.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
1172	EasyAutoClicker.exe
2012	Server.exe
1268	Local Security Authority Proccess.exe

Drops startup file 2 IoCs

Processes:

Local Security Authority Proccess.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f227f14b70512c480fba70d41029f780.exe	Local Security Authority Proccess.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f227f14b70512c480fba70d41029f780.exe	Local Security Authority Proccess.exe

Loads dropped DLL 2 IoCs

Processes:

4b296c56dac1277051eca84cabf8b6232efa522fd25a50fed95e840c098d324e.exe

pid	process
1948	4b296c56dac1277051eca84cabf8b6232efa522fd25a50fed95e840c098d324e.exe
1948	4b296c56dac1277051eca84cabf8b6232efa522fd25a50fed95e840c098d324e.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Local Security Authority Proccess.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\f227f14b70512c480fba70d41029f780 = "\"C:\\Windows\\Local Security Authority Proccess.exe\" .."	Local Security Authority Proccess.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\f227f14b70512c480fba70d41029f780 = "\"C:\\Windows\\Local Security Authority Proccess.exe\" .."	Local Security Authority Proccess.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

4b296c56dac1277051eca84cabf8b6232efa522fd25a50fed95e840c098d324e.exe

pid process

1948 4b296c56dac1277051eca84cabf8b6232efa522fd25a50fed95e840c098d324e.exe

autoit_exe 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\EasyAutoClicker.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\EasyAutoClicker.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\EasyAutoClicker.exe	autoit_exe

Drops file in Windows directory 3 IoCs

Processes:

Local Security Authority Proccess.exeServer.exe

description	ioc	process
File opened for modification	C:\Windows\Local Security Authority Proccess.exe	Local Security Authority Proccess.exe
File created	C:\Windows\Local Security Authority Proccess.exe	Server.exe
File opened for modification	C:\Windows\Local Security Authority Proccess.exe	Server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Local Security Authority Proccess.exe

pid	process
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe
1268	Local Security Authority Proccess.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

EasyAutoClicker.exeLocal Security Authority Proccess.exe

pid process

1172 EasyAutoClicker.exe
1268 Local Security Authority Proccess.exe

pid	process
1172	EasyAutoClicker.exe
1268	Local Security Authority Proccess.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

Local Security Authority Proccess.exe

description	pid	process
Token: SeDebugPrivilege	1268	Local Security Authority Proccess.exe
Token: 33	1268	Local Security Authority Proccess.exe
Token: SeIncBasePriorityPrivilege	1268	Local Security Authority Proccess.exe
Token: 33	1268	Local Security Authority Proccess.exe
Token: SeIncBasePriorityPrivilege	1268	Local Security Authority Proccess.exe
Token: 33	1268	Local Security Authority Proccess.exe
Token: SeIncBasePriorityPrivilege	1268	Local Security Authority Proccess.exe
Token: 33	1268	Local Security Authority Proccess.exe
Token: SeIncBasePriorityPrivilege	1268	Local Security Authority Proccess.exe
Token: 33	1268	Local Security Authority Proccess.exe
Token: SeIncBasePriorityPrivilege	1268	Local Security Authority Proccess.exe
Token: 33	1268	Local Security Authority Proccess.exe
Token: SeIncBasePriorityPrivilege	1268	Local Security Authority Proccess.exe
Token: 33	1268	Local Security Authority Proccess.exe
Token: SeIncBasePriorityPrivilege	1268	Local Security Authority Proccess.exe
Token: 33	1268	Local Security Authority Proccess.exe
Token: SeIncBasePriorityPrivilege	1268	Local Security Authority Proccess.exe
Token: 33	1268	Local Security Authority Proccess.exe
Token: SeIncBasePriorityPrivilege	1268	Local Security Authority Proccess.exe
Token: 33	1268	Local Security Authority Proccess.exe
Token: SeIncBasePriorityPrivilege	1268	Local Security Authority Proccess.exe
Token: 33	1268	Local Security Authority Proccess.exe
Token: SeIncBasePriorityPrivilege	1268	Local Security Authority Proccess.exe
Token: 33	1268	Local Security Authority Proccess.exe
Token: SeIncBasePriorityPrivilege	1268	Local Security Authority Proccess.exe
Token: 33	1268	Local Security Authority Proccess.exe
Token: SeIncBasePriorityPrivilege	1268	Local Security Authority Proccess.exe
Token: 33	1268	Local Security Authority Proccess.exe
Token: SeIncBasePriorityPrivilege	1268	Local Security Authority Proccess.exe
Token: 33	1268	Local Security Authority Proccess.exe
Token: SeIncBasePriorityPrivilege	1268	Local Security Authority Proccess.exe
Token: 33	1268	Local Security Authority Proccess.exe
Token: SeIncBasePriorityPrivilege	1268	Local Security Authority Proccess.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

4b296c56dac1277051eca84cabf8b6232efa522fd25a50fed95e840c098d324e.exe

pid process

1948 4b296c56dac1277051eca84cabf8b6232efa522fd25a50fed95e840c098d324e.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

4b296c56dac1277051eca84cabf8b6232efa522fd25a50fed95e840c098d324e.exeServer.exeLocal Security Authority Proccess.exe

description	pid	process	target process
PID 1948 wrote to memory of 1172	1948	4b296c56dac1277051eca84cabf8b6232efa522fd25a50fed95e840c098d324e.exe	EasyAutoClicker.exe
PID 1948 wrote to memory of 1172	1948	4b296c56dac1277051eca84cabf8b6232efa522fd25a50fed95e840c098d324e.exe	EasyAutoClicker.exe
PID 1948 wrote to memory of 1172	1948	4b296c56dac1277051eca84cabf8b6232efa522fd25a50fed95e840c098d324e.exe	EasyAutoClicker.exe
PID 1948 wrote to memory of 1172	1948	4b296c56dac1277051eca84cabf8b6232efa522fd25a50fed95e840c098d324e.exe	EasyAutoClicker.exe
PID 1948 wrote to memory of 2012	1948	4b296c56dac1277051eca84cabf8b6232efa522fd25a50fed95e840c098d324e.exe	Server.exe
PID 1948 wrote to memory of 2012	1948	4b296c56dac1277051eca84cabf8b6232efa522fd25a50fed95e840c098d324e.exe	Server.exe
PID 1948 wrote to memory of 2012	1948	4b296c56dac1277051eca84cabf8b6232efa522fd25a50fed95e840c098d324e.exe	Server.exe
PID 1948 wrote to memory of 2012	1948	4b296c56dac1277051eca84cabf8b6232efa522fd25a50fed95e840c098d324e.exe	Server.exe
PID 2012 wrote to memory of 1268	2012	Server.exe	Local Security Authority Proccess.exe
PID 2012 wrote to memory of 1268	2012	Server.exe	Local Security Authority Proccess.exe
PID 2012 wrote to memory of 1268	2012	Server.exe	Local Security Authority Proccess.exe
PID 2012 wrote to memory of 1268	2012	Server.exe	Local Security Authority Proccess.exe
PID 1268 wrote to memory of 816	1268	Local Security Authority Proccess.exe	netsh.exe
PID 1268 wrote to memory of 816	1268	Local Security Authority Proccess.exe	netsh.exe
PID 1268 wrote to memory of 816	1268	Local Security Authority Proccess.exe	netsh.exe
PID 1268 wrote to memory of 816	1268	Local Security Authority Proccess.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\4b296c56dac1277051eca84cabf8b6232efa522fd25a50fed95e840c098d324e.exe
"C:\Users\Admin\AppData\Local\Temp\4b296c56dac1277051eca84cabf8b6232efa522fd25a50fed95e840c098d324e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1948

C:\Users\Admin\AppData\Local\Temp\EasyAutoClicker.exe
"C:\Users\Admin\AppData\Local\Temp\EasyAutoClicker.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:1172

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\Local Security Authority Proccess.exe
"C:\Windows\Local Security Authority Proccess.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\Local Security Authority Proccess.exe" "Local Security Authority Proccess.exe" ENABLE
4⤵
PID:816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EasyAutoClicker.exe
MD5
1e2b54d571f2dfcd7fe3f0d2b2420693

SHA1
4f7e8fbe98610450e0104e7204993df3c37c0f87

SHA256
69d2d487c7a6f63665ccf78d49313ec6def92102bc06fe22f7a8f44f1a1f009c

SHA512
f961471b11c53097a25c3b3324c7fe968cbf50db352e3f5859988318c347f376ea8703a9cc12f2fd424e335656016626f873bf146d018cbf123465320df8bde7

Download Submit
C:\Users\Admin\AppData\Local\Temp\EasyAutoClicker.exe
MD5
1e2b54d571f2dfcd7fe3f0d2b2420693

SHA1
4f7e8fbe98610450e0104e7204993df3c37c0f87

SHA256
69d2d487c7a6f63665ccf78d49313ec6def92102bc06fe22f7a8f44f1a1f009c

SHA512
f961471b11c53097a25c3b3324c7fe968cbf50db352e3f5859988318c347f376ea8703a9cc12f2fd424e335656016626f873bf146d018cbf123465320df8bde7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
MD5
a8b14016bd5f88f25a5c7dc78848b3c2

SHA1
ff8e84b56429ee6d8bd907fb1f510f31dc510ab2

SHA256
4373409eada277ee5d3e6cd4c3f5b3f08c36595874f8295787beeb7f49b9ede2

SHA512
c8bf0fd6152ffaf08d34d154fe0ff11de3659598727824e41253ecd51772cd19e46da40edba9d8c5574b4bbe9dbb9078133f52b6116d9b504ea6d2c5396d2ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
MD5
a8b14016bd5f88f25a5c7dc78848b3c2

SHA1
ff8e84b56429ee6d8bd907fb1f510f31dc510ab2

SHA256
4373409eada277ee5d3e6cd4c3f5b3f08c36595874f8295787beeb7f49b9ede2

SHA512
c8bf0fd6152ffaf08d34d154fe0ff11de3659598727824e41253ecd51772cd19e46da40edba9d8c5574b4bbe9dbb9078133f52b6116d9b504ea6d2c5396d2ca5

Download Submit
C:\Windows\Local Security Authority Proccess.exe
MD5
a8b14016bd5f88f25a5c7dc78848b3c2

SHA1
ff8e84b56429ee6d8bd907fb1f510f31dc510ab2

SHA256
4373409eada277ee5d3e6cd4c3f5b3f08c36595874f8295787beeb7f49b9ede2

SHA512
c8bf0fd6152ffaf08d34d154fe0ff11de3659598727824e41253ecd51772cd19e46da40edba9d8c5574b4bbe9dbb9078133f52b6116d9b504ea6d2c5396d2ca5

Download Submit
C:\Windows\Local Security Authority Proccess.exe
MD5
a8b14016bd5f88f25a5c7dc78848b3c2

SHA1
ff8e84b56429ee6d8bd907fb1f510f31dc510ab2

SHA256
4373409eada277ee5d3e6cd4c3f5b3f08c36595874f8295787beeb7f49b9ede2

SHA512
c8bf0fd6152ffaf08d34d154fe0ff11de3659598727824e41253ecd51772cd19e46da40edba9d8c5574b4bbe9dbb9078133f52b6116d9b504ea6d2c5396d2ca5

Download Submit
\Users\Admin\AppData\Local\Temp\EasyAutoClicker.exe
MD5
1e2b54d571f2dfcd7fe3f0d2b2420693

SHA1
4f7e8fbe98610450e0104e7204993df3c37c0f87

SHA256
69d2d487c7a6f63665ccf78d49313ec6def92102bc06fe22f7a8f44f1a1f009c

SHA512
f961471b11c53097a25c3b3324c7fe968cbf50db352e3f5859988318c347f376ea8703a9cc12f2fd424e335656016626f873bf146d018cbf123465320df8bde7

Download Submit
\Users\Admin\AppData\Local\Temp\Server.exe
MD5
a8b14016bd5f88f25a5c7dc78848b3c2

SHA1
ff8e84b56429ee6d8bd907fb1f510f31dc510ab2

SHA256
4373409eada277ee5d3e6cd4c3f5b3f08c36595874f8295787beeb7f49b9ede2

SHA512
c8bf0fd6152ffaf08d34d154fe0ff11de3659598727824e41253ecd51772cd19e46da40edba9d8c5574b4bbe9dbb9078133f52b6116d9b504ea6d2c5396d2ca5

Download Submit
memory/816-77-0x0000000000000000-mapping.dmp

Download
memory/1172-62-0x0000000000000000-mapping.dmp

Download
memory/1268-72-0x0000000000000000-mapping.dmp

Download
memory/1268-76-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1948-60-0x0000000075511000-0x0000000075513000-memory.dmp

Filesize
8KB

Download
memory/2012-66-0x0000000000000000-mapping.dmp

Download
memory/2012-71-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads