njrat | 3fa80717e65b1427908e08b6aab3d156143775bd15742b737b4272bc5b5ad80e

General

Target

3fa80717e65b1427908e08b6aab3d156143775bd15742b737b4272bc5b5ad80e.exe
Size

295KB
MD5

1b2563bac18f9d04cc3f177fc375ca79
SHA1

c4cad0cdecf5ce9cfa247fa448f074a9b568d688
SHA256

3fa80717e65b1427908e08b6aab3d156143775bd15742b737b4272bc5b5ad80e
SHA512

dbe1440a5c39fbb9f562061691ffe875db0e2159b9f8ffa97f3c2795a8dd129e8a0d830e22b40ceae5ee3a423e8005f110d5db704480ef44de76cc0e1569dcc6

Score

10^/10

njrat @ west - hacking k.s.a @ persistence trojan

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

@ WeSt - HaCkInG K.S.A @

C2

w187.ddns.net:22

Mutex

Intel HD Graphics Drivers for Windows(R)

Attributes

reg_key
Intel HD Graphics Drivers for Windows(R)
splitter
|-F-|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

Intel HD Graphics Drivers for Windows(R).exeIntel HD Graphics Drivers for Windows(R).exe

pid process

868 Intel HD Graphics Drivers for Windows(R).exe
1856 Intel HD Graphics Drivers for Windows(R).exe

pid	process
868	Intel HD Graphics Drivers for Windows(R).exe
1856	Intel HD Graphics Drivers for Windows(R).exe

Drops startup file 4 IoCs

Processes:

Intel HD Graphics Drivers for Windows(R).exeIntel HD Graphics Drivers for Windows(R).exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Intel HD Graphics Drivers for Windows(R).exe	Intel HD Graphics Drivers for Windows(R).exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Intel HD Graphics Drivers for Windows(R).lnk	Intel HD Graphics Drivers for Windows(R).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Intel HD Graphics Drivers for Windows(R).lnk	Intel HD Graphics Drivers for Windows(R).exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Intel HD Graphics Drivers for Windows(R).exe	Intel HD Graphics Drivers for Windows(R).exe

Loads dropped DLL 2 IoCs

Processes:

3fa80717e65b1427908e08b6aab3d156143775bd15742b737b4272bc5b5ad80e.exeIntel HD Graphics Drivers for Windows(R).exe

pid process

1812 3fa80717e65b1427908e08b6aab3d156143775bd15742b737b4272bc5b5ad80e.exe
868 Intel HD Graphics Drivers for Windows(R).exe

pid	process
1812	3fa80717e65b1427908e08b6aab3d156143775bd15742b737b4272bc5b5ad80e.exe
868	Intel HD Graphics Drivers for Windows(R).exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Intel HD Graphics Drivers for Windows(R).exeIntel HD Graphics Drivers for Windows(R).exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Intel HD Graphics Drivers for Windows(R)2 = "C:\\Users\\Admin\\AppData\\Roaming\\Intel HD Graphics Drivers for Windows(R).exe"	Intel HD Graphics Drivers for Windows(R).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Intel HD Graphics Drivers for Windows(R)2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Intel HD Graphics Drivers for Windows(R).URL"	Intel HD Graphics Drivers for Windows(R).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Intel HD Graphics Drivers for Windows(R)2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Intel HD Graphics Drivers for Windows(R).URL"	Intel HD Graphics Drivers for Windows(R).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Intel HD Graphics Drivers for Windows(R) = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Intel HD Graphics Drivers for Windows(R).URL"	Intel HD Graphics Drivers for Windows(R).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Intel HD Graphics Drivers for Windows(R) = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Intel HD Graphics Drivers for Windows(R).URL"	Intel HD Graphics Drivers for Windows(R).exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

3fa80717e65b1427908e08b6aab3d156143775bd15742b737b4272bc5b5ad80e.exeIntel HD Graphics Drivers for Windows(R).exe

description	pid	process
Token: SeDebugPrivilege	1812	3fa80717e65b1427908e08b6aab3d156143775bd15742b737b4272bc5b5ad80e.exe
Token: 33	1812	3fa80717e65b1427908e08b6aab3d156143775bd15742b737b4272bc5b5ad80e.exe
Token: SeIncBasePriorityPrivilege	1812	3fa80717e65b1427908e08b6aab3d156143775bd15742b737b4272bc5b5ad80e.exe
Token: SeDebugPrivilege	1856	Intel HD Graphics Drivers for Windows(R).exe
Token: 33	1856	Intel HD Graphics Drivers for Windows(R).exe
Token: SeIncBasePriorityPrivilege	1856	Intel HD Graphics Drivers for Windows(R).exe
Token: 33	1856	Intel HD Graphics Drivers for Windows(R).exe
Token: SeIncBasePriorityPrivilege	1856	Intel HD Graphics Drivers for Windows(R).exe
Token: 33	1856	Intel HD Graphics Drivers for Windows(R).exe
Token: SeIncBasePriorityPrivilege	1856	Intel HD Graphics Drivers for Windows(R).exe
Token: 33	1856	Intel HD Graphics Drivers for Windows(R).exe
Token: SeIncBasePriorityPrivilege	1856	Intel HD Graphics Drivers for Windows(R).exe
Token: 33	1856	Intel HD Graphics Drivers for Windows(R).exe
Token: SeIncBasePriorityPrivilege	1856	Intel HD Graphics Drivers for Windows(R).exe
Token: 33	1856	Intel HD Graphics Drivers for Windows(R).exe
Token: SeIncBasePriorityPrivilege	1856	Intel HD Graphics Drivers for Windows(R).exe
Token: 33	1856	Intel HD Graphics Drivers for Windows(R).exe
Token: SeIncBasePriorityPrivilege	1856	Intel HD Graphics Drivers for Windows(R).exe
Token: 33	1856	Intel HD Graphics Drivers for Windows(R).exe
Token: SeIncBasePriorityPrivilege	1856	Intel HD Graphics Drivers for Windows(R).exe
Token: 33	1856	Intel HD Graphics Drivers for Windows(R).exe
Token: SeIncBasePriorityPrivilege	1856	Intel HD Graphics Drivers for Windows(R).exe
Token: 33	1856	Intel HD Graphics Drivers for Windows(R).exe
Token: SeIncBasePriorityPrivilege	1856	Intel HD Graphics Drivers for Windows(R).exe
Token: 33	1856	Intel HD Graphics Drivers for Windows(R).exe
Token: SeIncBasePriorityPrivilege	1856	Intel HD Graphics Drivers for Windows(R).exe
Token: 33	1856	Intel HD Graphics Drivers for Windows(R).exe
Token: SeIncBasePriorityPrivilege	1856	Intel HD Graphics Drivers for Windows(R).exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

3fa80717e65b1427908e08b6aab3d156143775bd15742b737b4272bc5b5ad80e.exeIntel HD Graphics Drivers for Windows(R).exe

description	pid	process	target process
PID 1812 wrote to memory of 868	1812	3fa80717e65b1427908e08b6aab3d156143775bd15742b737b4272bc5b5ad80e.exe	Intel HD Graphics Drivers for Windows(R).exe
PID 1812 wrote to memory of 868	1812	3fa80717e65b1427908e08b6aab3d156143775bd15742b737b4272bc5b5ad80e.exe	Intel HD Graphics Drivers for Windows(R).exe
PID 1812 wrote to memory of 868	1812	3fa80717e65b1427908e08b6aab3d156143775bd15742b737b4272bc5b5ad80e.exe	Intel HD Graphics Drivers for Windows(R).exe
PID 1812 wrote to memory of 868	1812	3fa80717e65b1427908e08b6aab3d156143775bd15742b737b4272bc5b5ad80e.exe	Intel HD Graphics Drivers for Windows(R).exe
PID 868 wrote to memory of 1856	868	Intel HD Graphics Drivers for Windows(R).exe	Intel HD Graphics Drivers for Windows(R).exe
PID 868 wrote to memory of 1856	868	Intel HD Graphics Drivers for Windows(R).exe	Intel HD Graphics Drivers for Windows(R).exe
PID 868 wrote to memory of 1856	868	Intel HD Graphics Drivers for Windows(R).exe	Intel HD Graphics Drivers for Windows(R).exe
PID 868 wrote to memory of 1856	868	Intel HD Graphics Drivers for Windows(R).exe	Intel HD Graphics Drivers for Windows(R).exe
PID 868 wrote to memory of 1716	868	Intel HD Graphics Drivers for Windows(R).exe	attrib.exe
PID 868 wrote to memory of 1716	868	Intel HD Graphics Drivers for Windows(R).exe	attrib.exe
PID 868 wrote to memory of 1716	868	Intel HD Graphics Drivers for Windows(R).exe	attrib.exe
PID 868 wrote to memory of 1716	868	Intel HD Graphics Drivers for Windows(R).exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1716 attrib.exe

pid	process
1716	attrib.exe

C:\Users\Admin\AppData\Local\Temp\3fa80717e65b1427908e08b6aab3d156143775bd15742b737b4272bc5b5ad80e.exe
"C:\Users\Admin\AppData\Local\Temp\3fa80717e65b1427908e08b6aab3d156143775bd15742b737b4272bc5b5ad80e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1812

C:\Users\Admin\AppData\Local\Temp\Intel HD Graphics Drivers for Windows(R).exe
"C:\Users\Admin\AppData\Local\Temp\Intel HD Graphics Drivers for Windows(R).exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:868

C:\Users\Admin\AppData\Roaming\Intel HD Graphics Drivers for Windows(R).exe
"C:\Users\Admin\AppData\Roaming\Intel HD Graphics Drivers for Windows(R).exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1856

C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Intel HD Graphics Drivers for Windows(R).exe"
3⤵
- Views/modifies file attributes
PID:1716

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Hidden Files and Directories

1

T1158

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Intel HD Graphics Drivers for Windows(R).exe
MD5
f19f7b77300d578fe7f0304ee15bfae3

SHA1
89f17fcbf414876b65e555d8cf51ab8db4db132c

SHA256
7e9b32e715ed33aa05dbcf577876933ee43a0632ffcd95a50b23d612d82a88d1

SHA512
167c1c0e40105556068675f62fd06131864e7fa813d0575882c6d5ac60812ef42a348ee78d3fe11348fe1561e8beda72440030daaca1401b1ed314d70ffa128d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Intel HD Graphics Drivers for Windows(R).exe
MD5
f19f7b77300d578fe7f0304ee15bfae3

SHA1
89f17fcbf414876b65e555d8cf51ab8db4db132c

SHA256
7e9b32e715ed33aa05dbcf577876933ee43a0632ffcd95a50b23d612d82a88d1

SHA512
167c1c0e40105556068675f62fd06131864e7fa813d0575882c6d5ac60812ef42a348ee78d3fe11348fe1561e8beda72440030daaca1401b1ed314d70ffa128d

Download Submit
C:\Users\Admin\AppData\Roaming\Intel HD Graphics Drivers for Windows(R).exe
MD5
f19f7b77300d578fe7f0304ee15bfae3

SHA1
89f17fcbf414876b65e555d8cf51ab8db4db132c

SHA256
7e9b32e715ed33aa05dbcf577876933ee43a0632ffcd95a50b23d612d82a88d1

SHA512
167c1c0e40105556068675f62fd06131864e7fa813d0575882c6d5ac60812ef42a348ee78d3fe11348fe1561e8beda72440030daaca1401b1ed314d70ffa128d

Download Submit
C:\Users\Admin\AppData\Roaming\Intel HD Graphics Drivers for Windows(R).exe
MD5
f19f7b77300d578fe7f0304ee15bfae3

SHA1
89f17fcbf414876b65e555d8cf51ab8db4db132c

SHA256
7e9b32e715ed33aa05dbcf577876933ee43a0632ffcd95a50b23d612d82a88d1

SHA512
167c1c0e40105556068675f62fd06131864e7fa813d0575882c6d5ac60812ef42a348ee78d3fe11348fe1561e8beda72440030daaca1401b1ed314d70ffa128d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Intel HD Graphics Drivers for Windows(R).lnk
MD5
c79cef9fefe51bb2fcb83c0bc5e4e08c

SHA1
5c40014d97263fc538522dacfd3cc29ef380ba16

SHA256
b90b7e061251a1812bbfeb3eaeff99ebd84ebf184dfbb04b4ee0e74168981eb1

SHA512
f958bd4bfc645e91d56d8d130a5b580dc92bd2a043f4437edb35f7166d4d40938883d99287cd4540ac9aea191bd5e6b51fe2d5ac0d74e672be7c5b73df14bb1c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Intel HD Graphics Drivers for Windows(R).lnk
MD5
e59b0860d63dba75f05d8a94f0b5ed76

SHA1
1f7c506740ef42e2eda5fe8bc076c3938a5e87bb

SHA256
9e194497a3ff73ca518ef419095f5e41c56e0e2dc53e5040ad7fcd59f7b0c973

SHA512
d41dce19210388e180163ec83b53c71509086b694015ad8949c8b2fe386debf4ab7c08a3e2032a8b553da18d337a47013cfebac0e0b7432de889488b11c01830

Download Submit
\Users\Admin\AppData\Local\Temp\Intel HD Graphics Drivers for Windows(R).exe
MD5
f19f7b77300d578fe7f0304ee15bfae3

SHA1
89f17fcbf414876b65e555d8cf51ab8db4db132c

SHA256
7e9b32e715ed33aa05dbcf577876933ee43a0632ffcd95a50b23d612d82a88d1

SHA512
167c1c0e40105556068675f62fd06131864e7fa813d0575882c6d5ac60812ef42a348ee78d3fe11348fe1561e8beda72440030daaca1401b1ed314d70ffa128d

Download Submit
\Users\Admin\AppData\Roaming\Intel HD Graphics Drivers for Windows(R).exe
MD5
f19f7b77300d578fe7f0304ee15bfae3

SHA1
89f17fcbf414876b65e555d8cf51ab8db4db132c

SHA256
7e9b32e715ed33aa05dbcf577876933ee43a0632ffcd95a50b23d612d82a88d1

SHA512
167c1c0e40105556068675f62fd06131864e7fa813d0575882c6d5ac60812ef42a348ee78d3fe11348fe1561e8beda72440030daaca1401b1ed314d70ffa128d

Download Submit
memory/868-68-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/868-67-0x0000000075801000-0x0000000075803000-memory.dmp

Filesize
8KB

Download
memory/868-64-0x0000000000000000-mapping.dmp

Download
memory/1716-74-0x0000000000000000-mapping.dmp

Download
memory/1812-60-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/1812-62-0x0000000004630000-0x0000000004631000-memory.dmp

Filesize
4KB

Download
memory/1856-70-0x0000000000000000-mapping.dmp

Download
memory/1856-77-0x0000000001FC0000-0x0000000001FC1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads