njrat | 0454c97a761adc8d2565830844d8c03f55e32651d73f8f80c29298662b5a0aa9

General

Target

MultiCheat.exe
Size

3.4MB
MD5

8f7e29a97b6d01efe7323ff5fc2dcbf2
SHA1

86d46ea08c1f1235ee3bc8dbbf87e6238ddf1f69
SHA256

0454c97a761adc8d2565830844d8c03f55e32651d73f8f80c29298662b5a0aa9
SHA512

cbce3e95cde104f3a12eb36bdda3690a2a2be10b5493c25709a1974abc4030fb2976be4101b8e4bc5e007c3100293cc9089a2a03ee93c2f37d5926217a9757fd

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

agxagx.ddns.net:5522

Mutex

cc4335508602af55ea53358d6b4f135d

Attributes

reg_key
cc4335508602af55ea53358d6b4f135d
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 3 IoCs

Processes:

Tempagx.exeMicroSoft.exeTempagx.exe

pid process

1940 Tempagx.exe
1356 MicroSoft.exe
1068 Tempagx.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
1940	Tempagx.exe
1356	MicroSoft.exe
1068	Tempagx.exe

Drops startup file 2 IoCs

Processes:

MicroSoft.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cc4335508602af55ea53358d6b4f135d.exe	MicroSoft.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cc4335508602af55ea53358d6b4f135d.exe	MicroSoft.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MicroSoft.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\cc4335508602af55ea53358d6b4f135d = "\"C:\\Users\\Admin\\AppData\\Roaming\\MicroSoft.exe\" .."	MicroSoft.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc4335508602af55ea53358d6b4f135d = "\"C:\\Users\\Admin\\AppData\\Roaming\\MicroSoft.exe\" .."	MicroSoft.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

2684 powershell.exe
2684 powershell.exe
2684 powershell.exe

pid	process
2684	powershell.exe
2684	powershell.exe
2684	powershell.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

Processes:

powershell.exeMicroSoft.exe

description	pid	process
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	1356	MicroSoft.exe
Token: 33	1356	MicroSoft.exe
Token: SeIncBasePriorityPrivilege	1356	MicroSoft.exe
Token: 33	1356	MicroSoft.exe
Token: SeIncBasePriorityPrivilege	1356	MicroSoft.exe
Token: 33	1356	MicroSoft.exe
Token: SeIncBasePriorityPrivilege	1356	MicroSoft.exe
Token: 33	1356	MicroSoft.exe
Token: SeIncBasePriorityPrivilege	1356	MicroSoft.exe
Token: 33	1356	MicroSoft.exe
Token: SeIncBasePriorityPrivilege	1356	MicroSoft.exe
Token: 33	1356	MicroSoft.exe
Token: SeIncBasePriorityPrivilege	1356	MicroSoft.exe
Token: 33	1356	MicroSoft.exe
Token: SeIncBasePriorityPrivilege	1356	MicroSoft.exe
Token: 33	1356	MicroSoft.exe
Token: SeIncBasePriorityPrivilege	1356	MicroSoft.exe
Token: 33	1356	MicroSoft.exe
Token: SeIncBasePriorityPrivilege	1356	MicroSoft.exe
Token: 33	1356	MicroSoft.exe
Token: SeIncBasePriorityPrivilege	1356	MicroSoft.exe
Token: 33	1356	MicroSoft.exe
Token: SeIncBasePriorityPrivilege	1356	MicroSoft.exe
Token: 33	1356	MicroSoft.exe
Token: SeIncBasePriorityPrivilege	1356	MicroSoft.exe
Token: 33	1356	MicroSoft.exe
Token: SeIncBasePriorityPrivilege	1356	MicroSoft.exe
Token: 33	1356	MicroSoft.exe
Token: SeIncBasePriorityPrivilege	1356	MicroSoft.exe
Token: 33	1356	MicroSoft.exe
Token: SeIncBasePriorityPrivilege	1356	MicroSoft.exe
Token: 33	1356	MicroSoft.exe
Token: SeIncBasePriorityPrivilege	1356	MicroSoft.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

MultiCheat.exeTempagx.exeMicroSoft.exe

description	pid	process	target process
PID 2160 wrote to memory of 2684	2160	MultiCheat.exe	powershell.exe
PID 2160 wrote to memory of 2684	2160	MultiCheat.exe	powershell.exe
PID 2160 wrote to memory of 2684	2160	MultiCheat.exe	powershell.exe
PID 2160 wrote to memory of 1940	2160	MultiCheat.exe	Tempagx.exe
PID 2160 wrote to memory of 1940	2160	MultiCheat.exe	Tempagx.exe
PID 2160 wrote to memory of 1940	2160	MultiCheat.exe	Tempagx.exe
PID 1940 wrote to memory of 1356	1940	Tempagx.exe	MicroSoft.exe
PID 1940 wrote to memory of 1356	1940	Tempagx.exe	MicroSoft.exe
PID 1940 wrote to memory of 1356	1940	Tempagx.exe	MicroSoft.exe
PID 2160 wrote to memory of 1068	2160	MultiCheat.exe	Tempagx.exe
PID 2160 wrote to memory of 1068	2160	MultiCheat.exe	Tempagx.exe
PID 2160 wrote to memory of 1068	2160	MultiCheat.exe	Tempagx.exe
PID 1356 wrote to memory of 392	1356	MicroSoft.exe	netsh.exe
PID 1356 wrote to memory of 392	1356	MicroSoft.exe	netsh.exe
PID 1356 wrote to memory of 392	1356	MicroSoft.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\MultiCheat.exe
"C:\Users\Admin\AppData\Local\Temp\MultiCheat.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionProcess tempagx.exe ; powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionProcess Microsoft.exe ; powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionProcess Microsofts.exe ; powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\ ; powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath D:\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2684

C:\Users\Admin\AppData\Local\Tempagx.exe
"C:\Users\Admin\AppData\Local\Tempagx.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1940

C:\Users\Admin\AppData\Roaming\MicroSoft.exe
"C:\Users\Admin\AppData\Roaming\MicroSoft.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1356

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\MicroSoft.exe" "MicroSoft.exe" ENABLE
4⤵
PID:392

C:\Users\Admin\AppData\Local\Tempagx.exe
"C:\Users\Admin\AppData\Local\Tempagx.exe"
2⤵
- Executes dropped EXE
PID:1068

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Tempagx.exe.log
MD5
4b1382f82cb506f36d30c01d5d515bca

SHA1
621aeafd1d115a27c71dd58c6211716c9640aba6

SHA256
d01a9a6d2f90166ffccd93ebf12c3ba6dd2ab12a9c047a6449d5968cc92d4200

SHA512
8700fd86011f3af3467ccb6c6d6c56f4004aada7a82186047dbba1cb01c3a2344213ecb1f1c67f3e20d269a79b0e61238b043a363047b050eecbd84bba4e65a5

Download Submit
C:\Users\Admin\AppData\Local\Tempagx.exe
MD5
a244bcc4ea1def56bb39df0d4f1623d7

SHA1
2d5ed47c3a0c398e44f281822f1494d5b9caa807

SHA256
b30b7c721f63c18d597d657cbea69a7a3d9795a95adb0c947805f2b1fbe84348

SHA512
f00bdd70632fa6e7a5e44f43f66e5b8b30b12a7558d97af0cfb3743f672dfb4a1c4253578481af92237f863dd4f7c099b5d590e5cedc889362a01d47fddb8d46

Download Submit
C:\Users\Admin\AppData\Local\Tempagx.exe
MD5
a244bcc4ea1def56bb39df0d4f1623d7

SHA1
2d5ed47c3a0c398e44f281822f1494d5b9caa807

SHA256
b30b7c721f63c18d597d657cbea69a7a3d9795a95adb0c947805f2b1fbe84348

SHA512
f00bdd70632fa6e7a5e44f43f66e5b8b30b12a7558d97af0cfb3743f672dfb4a1c4253578481af92237f863dd4f7c099b5d590e5cedc889362a01d47fddb8d46

Download Submit
C:\Users\Admin\AppData\Local\Tempagx.exe
MD5
a244bcc4ea1def56bb39df0d4f1623d7

SHA1
2d5ed47c3a0c398e44f281822f1494d5b9caa807

SHA256
b30b7c721f63c18d597d657cbea69a7a3d9795a95adb0c947805f2b1fbe84348

SHA512
f00bdd70632fa6e7a5e44f43f66e5b8b30b12a7558d97af0cfb3743f672dfb4a1c4253578481af92237f863dd4f7c099b5d590e5cedc889362a01d47fddb8d46

Download Submit
C:\Users\Admin\AppData\Local\Tempagx.exe
MD5
a244bcc4ea1def56bb39df0d4f1623d7

SHA1
2d5ed47c3a0c398e44f281822f1494d5b9caa807

SHA256
b30b7c721f63c18d597d657cbea69a7a3d9795a95adb0c947805f2b1fbe84348

SHA512
f00bdd70632fa6e7a5e44f43f66e5b8b30b12a7558d97af0cfb3743f672dfb4a1c4253578481af92237f863dd4f7c099b5d590e5cedc889362a01d47fddb8d46

Download Submit
C:\Users\Admin\AppData\Roaming\MicroSoft.exe
MD5
a244bcc4ea1def56bb39df0d4f1623d7

SHA1
2d5ed47c3a0c398e44f281822f1494d5b9caa807

SHA256
b30b7c721f63c18d597d657cbea69a7a3d9795a95adb0c947805f2b1fbe84348

SHA512
f00bdd70632fa6e7a5e44f43f66e5b8b30b12a7558d97af0cfb3743f672dfb4a1c4253578481af92237f863dd4f7c099b5d590e5cedc889362a01d47fddb8d46

Download Submit
C:\Users\Admin\AppData\Roaming\MicroSoft.exe
MD5
a244bcc4ea1def56bb39df0d4f1623d7

SHA1
2d5ed47c3a0c398e44f281822f1494d5b9caa807

SHA256
b30b7c721f63c18d597d657cbea69a7a3d9795a95adb0c947805f2b1fbe84348

SHA512
f00bdd70632fa6e7a5e44f43f66e5b8b30b12a7558d97af0cfb3743f672dfb4a1c4253578481af92237f863dd4f7c099b5d590e5cedc889362a01d47fddb8d46

Download Submit
memory/392-414-0x0000000000000000-mapping.dmp

Download
memory/1068-404-0x0000000000000000-mapping.dmp

Download
memory/1068-413-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/1356-403-0x0000000001420000-0x0000000001421000-memory.dmp

Filesize
4KB

Download
memory/1356-395-0x0000000000000000-mapping.dmp

Download
memory/1940-230-0x0000000000000000-mapping.dmp

Download
memory/1940-344-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

Filesize
4KB

Download
memory/1940-236-0x00000000008C0000-0x00000000008C6000-memory.dmp

Filesize
24KB

Download
memory/1940-233-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2160-122-0x00000000056A0000-0x000000000573C000-memory.dmp

Filesize
624KB

Download
memory/2160-121-0x0000000005A50000-0x0000000005A51000-memory.dmp

Filesize
4KB

Download
memory/2160-343-0x00000000056A0000-0x000000000573C000-memory.dmp

Filesize
624KB

Download
memory/2160-120-0x0000000005800000-0x0000000005801000-memory.dmp

Filesize
4KB

Download
memory/2160-119-0x0000000005890000-0x0000000005891000-memory.dmp

Filesize
4KB

Download
memory/2160-118-0x0000000005CF0000-0x0000000005CF1000-memory.dmp

Filesize
4KB

Download
memory/2160-115-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/2160-117-0x0000000005740000-0x0000000005741000-memory.dmp

Filesize
4KB

Download
memory/2684-157-0x00000000090A0000-0x00000000090A1000-memory.dmp

Filesize
4KB

Download
memory/2684-227-0x00000000069E3000-0x00000000069E4000-memory.dmp

Filesize
4KB

Download
memory/2684-158-0x0000000009240000-0x0000000009241000-memory.dmp

Filesize
4KB

Download
memory/2684-152-0x0000000008D00000-0x0000000008D01000-memory.dmp

Filesize
4KB

Download
memory/2684-151-0x000000007EC40000-0x000000007EC41000-memory.dmp

Filesize
4KB

Download
memory/2684-144-0x0000000008D20000-0x0000000008D53000-memory.dmp

Filesize
204KB

Download
memory/2684-136-0x0000000007FB0000-0x0000000007FB1000-memory.dmp

Filesize
4KB

Download
memory/2684-135-0x0000000007CE0000-0x0000000007CE1000-memory.dmp

Filesize
4KB

Download
memory/2684-362-0x00000000091F0000-0x00000000091F1000-memory.dmp

Filesize
4KB

Download
memory/2684-368-0x00000000091E0000-0x00000000091E1000-memory.dmp

Filesize
4KB

Download
memory/2684-134-0x0000000007830000-0x0000000007831000-memory.dmp

Filesize
4KB

Download
memory/2684-133-0x00000000069E2000-0x00000000069E3000-memory.dmp

Filesize
4KB

Download
memory/2684-132-0x00000000069E0000-0x00000000069E1000-memory.dmp

Filesize
4KB

Download
memory/2684-131-0x0000000007910000-0x0000000007911000-memory.dmp

Filesize
4KB

Download
memory/2684-130-0x00000000078A0000-0x00000000078A1000-memory.dmp

Filesize
4KB

Download
memory/2684-129-0x0000000006F70000-0x0000000006F71000-memory.dmp

Filesize
4KB

Download
memory/2684-128-0x0000000006ED0000-0x0000000006ED1000-memory.dmp

Filesize
4KB

Download
memory/2684-127-0x0000000007020000-0x0000000007021000-memory.dmp

Filesize
4KB

Download
memory/2684-126-0x0000000001370000-0x0000000001371000-memory.dmp

Filesize
4KB

Download
memory/2684-123-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads