njrat | 3fa80717e65b1427908e08b6aab3d156143775bd15742b737b4272bc5b5ad80e

General

Target

3fa80717e65b1427908e08b6aab3d156143775bd15742b737b4272bc5b5ad80e.exe
Size

295KB
MD5

1b2563bac18f9d04cc3f177fc375ca79
SHA1

c4cad0cdecf5ce9cfa247fa448f074a9b568d688
SHA256

3fa80717e65b1427908e08b6aab3d156143775bd15742b737b4272bc5b5ad80e
SHA512

dbe1440a5c39fbb9f562061691ffe875db0e2159b9f8ffa97f3c2795a8dd129e8a0d830e22b40ceae5ee3a423e8005f110d5db704480ef44de76cc0e1569dcc6

Score

10^/10

njrat @ west - hacking k.s.a @ persistence trojan

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

@ WeSt - HaCkInG K.S.A @

C2

w187.ddns.net:22

Mutex

Intel HD Graphics Drivers for Windows(R)

Attributes

reg_key
Intel HD Graphics Drivers for Windows(R)
splitter
|-F-|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

Intel HD Graphics Drivers for Windows(R).exeIntel HD Graphics Drivers for Windows(R).exe

pid process

2740 Intel HD Graphics Drivers for Windows(R).exe
1216 Intel HD Graphics Drivers for Windows(R).exe

pid	process
2740	Intel HD Graphics Drivers for Windows(R).exe
1216	Intel HD Graphics Drivers for Windows(R).exe

Drops startup file 4 IoCs

Processes:

Intel HD Graphics Drivers for Windows(R).exeIntel HD Graphics Drivers for Windows(R).exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Intel HD Graphics Drivers for Windows(R).exe	Intel HD Graphics Drivers for Windows(R).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Intel HD Graphics Drivers for Windows(R).exe	Intel HD Graphics Drivers for Windows(R).exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Intel HD Graphics Drivers for Windows(R).lnk	Intel HD Graphics Drivers for Windows(R).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Intel HD Graphics Drivers for Windows(R).lnk	Intel HD Graphics Drivers for Windows(R).exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Intel HD Graphics Drivers for Windows(R).exeIntel HD Graphics Drivers for Windows(R).exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Intel HD Graphics Drivers for Windows(R) = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Intel HD Graphics Drivers for Windows(R).URL"	Intel HD Graphics Drivers for Windows(R).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Intel HD Graphics Drivers for Windows(R) = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Intel HD Graphics Drivers for Windows(R).URL"	Intel HD Graphics Drivers for Windows(R).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Intel HD Graphics Drivers for Windows(R)2 = "C:\\Users\\Admin\\AppData\\Roaming\\Intel HD Graphics Drivers for Windows(R).exe"	Intel HD Graphics Drivers for Windows(R).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Intel HD Graphics Drivers for Windows(R)2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Intel HD Graphics Drivers for Windows(R).URL"	Intel HD Graphics Drivers for Windows(R).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Intel HD Graphics Drivers for Windows(R)2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Intel HD Graphics Drivers for Windows(R).URL"	Intel HD Graphics Drivers for Windows(R).exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

3fa80717e65b1427908e08b6aab3d156143775bd15742b737b4272bc5b5ad80e.exeIntel HD Graphics Drivers for Windows(R).exe

description	pid	process
Token: SeDebugPrivilege	2396	3fa80717e65b1427908e08b6aab3d156143775bd15742b737b4272bc5b5ad80e.exe
Token: 33	2396	3fa80717e65b1427908e08b6aab3d156143775bd15742b737b4272bc5b5ad80e.exe
Token: SeIncBasePriorityPrivilege	2396	3fa80717e65b1427908e08b6aab3d156143775bd15742b737b4272bc5b5ad80e.exe
Token: SeDebugPrivilege	1216	Intel HD Graphics Drivers for Windows(R).exe
Token: 33	1216	Intel HD Graphics Drivers for Windows(R).exe
Token: SeIncBasePriorityPrivilege	1216	Intel HD Graphics Drivers for Windows(R).exe
Token: 33	1216	Intel HD Graphics Drivers for Windows(R).exe
Token: SeIncBasePriorityPrivilege	1216	Intel HD Graphics Drivers for Windows(R).exe
Token: 33	1216	Intel HD Graphics Drivers for Windows(R).exe
Token: SeIncBasePriorityPrivilege	1216	Intel HD Graphics Drivers for Windows(R).exe
Token: 33	1216	Intel HD Graphics Drivers for Windows(R).exe
Token: SeIncBasePriorityPrivilege	1216	Intel HD Graphics Drivers for Windows(R).exe
Token: 33	1216	Intel HD Graphics Drivers for Windows(R).exe
Token: SeIncBasePriorityPrivilege	1216	Intel HD Graphics Drivers for Windows(R).exe
Token: 33	1216	Intel HD Graphics Drivers for Windows(R).exe
Token: SeIncBasePriorityPrivilege	1216	Intel HD Graphics Drivers for Windows(R).exe
Token: 33	1216	Intel HD Graphics Drivers for Windows(R).exe
Token: SeIncBasePriorityPrivilege	1216	Intel HD Graphics Drivers for Windows(R).exe
Token: 33	1216	Intel HD Graphics Drivers for Windows(R).exe
Token: SeIncBasePriorityPrivilege	1216	Intel HD Graphics Drivers for Windows(R).exe
Token: 33	1216	Intel HD Graphics Drivers for Windows(R).exe
Token: SeIncBasePriorityPrivilege	1216	Intel HD Graphics Drivers for Windows(R).exe
Token: 33	1216	Intel HD Graphics Drivers for Windows(R).exe
Token: SeIncBasePriorityPrivilege	1216	Intel HD Graphics Drivers for Windows(R).exe
Token: 33	1216	Intel HD Graphics Drivers for Windows(R).exe
Token: SeIncBasePriorityPrivilege	1216	Intel HD Graphics Drivers for Windows(R).exe
Token: 33	1216	Intel HD Graphics Drivers for Windows(R).exe
Token: SeIncBasePriorityPrivilege	1216	Intel HD Graphics Drivers for Windows(R).exe
Token: 33	1216	Intel HD Graphics Drivers for Windows(R).exe
Token: SeIncBasePriorityPrivilege	1216	Intel HD Graphics Drivers for Windows(R).exe
Token: 33	1216	Intel HD Graphics Drivers for Windows(R).exe
Token: SeIncBasePriorityPrivilege	1216	Intel HD Graphics Drivers for Windows(R).exe
Token: 33	1216	Intel HD Graphics Drivers for Windows(R).exe
Token: SeIncBasePriorityPrivilege	1216	Intel HD Graphics Drivers for Windows(R).exe
Token: 33	1216	Intel HD Graphics Drivers for Windows(R).exe
Token: SeIncBasePriorityPrivilege	1216	Intel HD Graphics Drivers for Windows(R).exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

3fa80717e65b1427908e08b6aab3d156143775bd15742b737b4272bc5b5ad80e.exeIntel HD Graphics Drivers for Windows(R).exe

description	pid	process	target process
PID 2396 wrote to memory of 2740	2396	3fa80717e65b1427908e08b6aab3d156143775bd15742b737b4272bc5b5ad80e.exe	Intel HD Graphics Drivers for Windows(R).exe
PID 2396 wrote to memory of 2740	2396	3fa80717e65b1427908e08b6aab3d156143775bd15742b737b4272bc5b5ad80e.exe	Intel HD Graphics Drivers for Windows(R).exe
PID 2396 wrote to memory of 2740	2396	3fa80717e65b1427908e08b6aab3d156143775bd15742b737b4272bc5b5ad80e.exe	Intel HD Graphics Drivers for Windows(R).exe
PID 2740 wrote to memory of 1216	2740	Intel HD Graphics Drivers for Windows(R).exe	Intel HD Graphics Drivers for Windows(R).exe
PID 2740 wrote to memory of 1216	2740	Intel HD Graphics Drivers for Windows(R).exe	Intel HD Graphics Drivers for Windows(R).exe
PID 2740 wrote to memory of 1216	2740	Intel HD Graphics Drivers for Windows(R).exe	Intel HD Graphics Drivers for Windows(R).exe
PID 2740 wrote to memory of 2524	2740	Intel HD Graphics Drivers for Windows(R).exe	attrib.exe
PID 2740 wrote to memory of 2524	2740	Intel HD Graphics Drivers for Windows(R).exe	attrib.exe
PID 2740 wrote to memory of 2524	2740	Intel HD Graphics Drivers for Windows(R).exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

2524 attrib.exe

pid	process
2524	attrib.exe

C:\Users\Admin\AppData\Local\Temp\3fa80717e65b1427908e08b6aab3d156143775bd15742b737b4272bc5b5ad80e.exe
"C:\Users\Admin\AppData\Local\Temp\3fa80717e65b1427908e08b6aab3d156143775bd15742b737b4272bc5b5ad80e.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2396

C:\Users\Admin\AppData\Local\Temp\Intel HD Graphics Drivers for Windows(R).exe
"C:\Users\Admin\AppData\Local\Temp\Intel HD Graphics Drivers for Windows(R).exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2740

C:\Users\Admin\AppData\Roaming\Intel HD Graphics Drivers for Windows(R).exe
"C:\Users\Admin\AppData\Roaming\Intel HD Graphics Drivers for Windows(R).exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1216

C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Intel HD Graphics Drivers for Windows(R).exe"
3⤵
- Views/modifies file attributes
PID:2524

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Hidden Files and Directories

1

T1158

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Intel HD Graphics Drivers for Windows(R).exe
MD5
f19f7b77300d578fe7f0304ee15bfae3

SHA1
89f17fcbf414876b65e555d8cf51ab8db4db132c

SHA256
7e9b32e715ed33aa05dbcf577876933ee43a0632ffcd95a50b23d612d82a88d1

SHA512
167c1c0e40105556068675f62fd06131864e7fa813d0575882c6d5ac60812ef42a348ee78d3fe11348fe1561e8beda72440030daaca1401b1ed314d70ffa128d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Intel HD Graphics Drivers for Windows(R).exe
MD5
f19f7b77300d578fe7f0304ee15bfae3

SHA1
89f17fcbf414876b65e555d8cf51ab8db4db132c

SHA256
7e9b32e715ed33aa05dbcf577876933ee43a0632ffcd95a50b23d612d82a88d1

SHA512
167c1c0e40105556068675f62fd06131864e7fa813d0575882c6d5ac60812ef42a348ee78d3fe11348fe1561e8beda72440030daaca1401b1ed314d70ffa128d

Download Submit
C:\Users\Admin\AppData\Roaming\Intel HD Graphics Drivers for Windows(R).exe
MD5
f19f7b77300d578fe7f0304ee15bfae3

SHA1
89f17fcbf414876b65e555d8cf51ab8db4db132c

SHA256
7e9b32e715ed33aa05dbcf577876933ee43a0632ffcd95a50b23d612d82a88d1

SHA512
167c1c0e40105556068675f62fd06131864e7fa813d0575882c6d5ac60812ef42a348ee78d3fe11348fe1561e8beda72440030daaca1401b1ed314d70ffa128d

Download Submit
C:\Users\Admin\AppData\Roaming\Intel HD Graphics Drivers for Windows(R).exe
MD5
f19f7b77300d578fe7f0304ee15bfae3

SHA1
89f17fcbf414876b65e555d8cf51ab8db4db132c

SHA256
7e9b32e715ed33aa05dbcf577876933ee43a0632ffcd95a50b23d612d82a88d1

SHA512
167c1c0e40105556068675f62fd06131864e7fa813d0575882c6d5ac60812ef42a348ee78d3fe11348fe1561e8beda72440030daaca1401b1ed314d70ffa128d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Intel HD Graphics Drivers for Windows(R).lnk
MD5
093b7280eb11ec3e0f865b5bd4c3e37e

SHA1
85ffd8ea5a32548a65c636621e0164946db8006f

SHA256
26f8e3b6a0a644394df617dfb3397c34093ba3a9aada5f6b2ff17226cb799167

SHA512
8fce0a825fbad833ec6bb4bfeb67ee893f28943aeac871163ccf10d5802929ceaad0221a86a3a9bb734cebbfdffe1d6b9b05c913b573fb082f138851d93cdf80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Intel HD Graphics Drivers for Windows(R).lnk
MD5
804a57fef1fb94a736eacfbab590d616

SHA1
928a0262876c6f9b04e0f271f3d39b74c02567ba

SHA256
4daa4a8ae2f66ad83a3372d8a791788d15bee61adfd5a427e09e0662a0a92a85

SHA512
1c0ecb05c8b10ba6f05bf256a3bf00deab1000d9002b7a928cda0ee0f0dd9b778231283c4a2883f9993817e65c8ddd492903c65366b129e3beda44c2acc0592d

Download Submit
memory/1216-124-0x0000000000000000-mapping.dmp

Download
memory/1216-130-0x00000000005C0000-0x000000000066E000-memory.dmp

Filesize
696KB

Download
memory/2396-119-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/2396-118-0x0000000005130000-0x0000000005131000-memory.dmp

Filesize
4KB

Download
memory/2396-117-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download
memory/2396-115-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/2524-127-0x0000000000000000-mapping.dmp

Download
memory/2740-120-0x0000000000000000-mapping.dmp

Download
memory/2740-123-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads