njrat | 7c38da59f7862d189ac6e2d4959016d062c972d3c89408fe7e3602cb9f4a002a

General

Target

7C38DA59F7862D189AC6E2D4959016D062C972D3C8940.exe
Size

450KB
MD5

103aa6d5669a9f0246d44a5fadb767cd
SHA1

b01d65d6b11d48dcb75fbb7e02a6d23c6d675b95
SHA256

7c38da59f7862d189ac6e2d4959016d062c972d3c89408fe7e3602cb9f4a002a
SHA512

9ab37a961b186dbc4cbceb23c3a5b48017d825e831034214b580e6401956a90661ed82dbea9315f02320ea39185f927318e1758148e418960c53576399bbc8c3

Score

10^/10

njrat quran persistence trojan

Malware Config

Extracted

Family

njrat

Version

v4.0

Botnet

Quran

C2

165.227.31.192:22867

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

Payload.exe

pid process

528 Payload.exe

pid	process
528	Payload.exe

Drops startup file 5 IoCs

Processes:

Payload.exeattrib.exe7C38DA59F7862D189AC6E2D4959016D062C972D3C8940.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	Payload.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	attrib.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	7C38DA59F7862D189AC6E2D4959016D062C972D3C8940.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	Payload.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	Payload.exe

Loads dropped DLL 1 IoCs

Processes:

7C38DA59F7862D189AC6E2D4959016D062C972D3C8940.exe

pid process

1336 7C38DA59F7862D189AC6E2D4959016D062C972D3C8940.exe

pid	process
1336	7C38DA59F7862D189AC6E2D4959016D062C972D3C8940.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Payload.exe7C38DA59F7862D189AC6E2D4959016D062C972D3C8940.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe"	7C38DA59F7862D189AC6E2D4959016D062C972D3C8940.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

7C38DA59F7862D189AC6E2D4959016D062C972D3C8940.exePayload.exe

description	pid	process
Token: SeDebugPrivilege	1336	7C38DA59F7862D189AC6E2D4959016D062C972D3C8940.exe
Token: SeDebugPrivilege	528	Payload.exe
Token: 33	528	Payload.exe
Token: SeIncBasePriorityPrivilege	528	Payload.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

7C38DA59F7862D189AC6E2D4959016D062C972D3C8940.exePayload.exe

description	pid	process	target process
PID 1336 wrote to memory of 528	1336	7C38DA59F7862D189AC6E2D4959016D062C972D3C8940.exe	Payload.exe
PID 1336 wrote to memory of 528	1336	7C38DA59F7862D189AC6E2D4959016D062C972D3C8940.exe	Payload.exe
PID 1336 wrote to memory of 528	1336	7C38DA59F7862D189AC6E2D4959016D062C972D3C8940.exe	Payload.exe
PID 1336 wrote to memory of 528	1336	7C38DA59F7862D189AC6E2D4959016D062C972D3C8940.exe	Payload.exe
PID 1336 wrote to memory of 1064	1336	7C38DA59F7862D189AC6E2D4959016D062C972D3C8940.exe	attrib.exe
PID 1336 wrote to memory of 1064	1336	7C38DA59F7862D189AC6E2D4959016D062C972D3C8940.exe	attrib.exe
PID 1336 wrote to memory of 1064	1336	7C38DA59F7862D189AC6E2D4959016D062C972D3C8940.exe	attrib.exe
PID 1336 wrote to memory of 1064	1336	7C38DA59F7862D189AC6E2D4959016D062C972D3C8940.exe	attrib.exe
PID 528 wrote to memory of 1880	528	Payload.exe	attrib.exe
PID 528 wrote to memory of 1880	528	Payload.exe	attrib.exe
PID 528 wrote to memory of 1880	528	Payload.exe	attrib.exe
PID 528 wrote to memory of 1880	528	Payload.exe	attrib.exe
PID 528 wrote to memory of 1684	528	Payload.exe	attrib.exe
PID 528 wrote to memory of 1684	528	Payload.exe	attrib.exe
PID 528 wrote to memory of 1684	528	Payload.exe	attrib.exe
PID 528 wrote to memory of 1684	528	Payload.exe	attrib.exe

Views/modifies file attributes 1 TTPs 3 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exe

pid process

1064 attrib.exe
1880 attrib.exe
1684 attrib.exe

pid	process
1064	attrib.exe
1880	attrib.exe
1684	attrib.exe

C:\Users\Admin\AppData\Local\Temp\7C38DA59F7862D189AC6E2D4959016D062C972D3C8940.exe
"C:\Users\Admin\AppData\Local\Temp\7C38DA59F7862D189AC6E2D4959016D062C972D3C8940.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1336

C:\Users\Admin\AppData\Local\Temp\Payload.exe
"C:\Users\Admin\AppData\Local\Temp\Payload.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:528

C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
3⤵
- Drops startup file
- Views/modifies file attributes
PID:1880

C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"
3⤵
- Views/modifies file attributes
PID:1684

C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
2⤵
- Views/modifies file attributes
PID:1064

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Hidden Files and Directories

1

T1158

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Payload.exe
MD5
103aa6d5669a9f0246d44a5fadb767cd

SHA1
b01d65d6b11d48dcb75fbb7e02a6d23c6d675b95

SHA256
7c38da59f7862d189ac6e2d4959016d062c972d3c89408fe7e3602cb9f4a002a

SHA512
9ab37a961b186dbc4cbceb23c3a5b48017d825e831034214b580e6401956a90661ed82dbea9315f02320ea39185f927318e1758148e418960c53576399bbc8c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Payload.exe
MD5
103aa6d5669a9f0246d44a5fadb767cd

SHA1
b01d65d6b11d48dcb75fbb7e02a6d23c6d675b95

SHA256
7c38da59f7862d189ac6e2d4959016d062c972d3c89408fe7e3602cb9f4a002a

SHA512
9ab37a961b186dbc4cbceb23c3a5b48017d825e831034214b580e6401956a90661ed82dbea9315f02320ea39185f927318e1758148e418960c53576399bbc8c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe
MD5
103aa6d5669a9f0246d44a5fadb767cd

SHA1
b01d65d6b11d48dcb75fbb7e02a6d23c6d675b95

SHA256
7c38da59f7862d189ac6e2d4959016d062c972d3c89408fe7e3602cb9f4a002a

SHA512
9ab37a961b186dbc4cbceb23c3a5b48017d825e831034214b580e6401956a90661ed82dbea9315f02320ea39185f927318e1758148e418960c53576399bbc8c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
MD5
b9622246a2ed61171999ee678f6cc470

SHA1
947ec795fbe97ce8c9b4622b456353716faceefa

SHA256
bb8e11992d8f89c50638b95705372a1d5d136784844ccdb98e44ceb79af96056

SHA512
102f07473a2ee840f197e8279042b7e5f591d85d238d8ed8a11309f9ed3a6b7f54771a9d163b326ac74f7ac7f411d1114f42e938599ce4d11caaf3cd4b881d1e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
MD5
f6cb7b462491f3bd6758b9848a25fa09

SHA1
13875fca8b81fcc40cff20a9337d04d704adbaac

SHA256
8e1c016974f9f54989bacb9ee970508471d3dec83d0938a41c718bee667077df

SHA512
3d86c05351743f0ba38e843f4022e2931bede4a273dfd1d257eff420d1329d998f6619209023033d8185743249f0bfd7ff50d0e5cd6bc2b065698aca303727f9

Download Submit
\Users\Admin\AppData\Local\Temp\Payload.exe
MD5
103aa6d5669a9f0246d44a5fadb767cd

SHA1
b01d65d6b11d48dcb75fbb7e02a6d23c6d675b95

SHA256
7c38da59f7862d189ac6e2d4959016d062c972d3c89408fe7e3602cb9f4a002a

SHA512
9ab37a961b186dbc4cbceb23c3a5b48017d825e831034214b580e6401956a90661ed82dbea9315f02320ea39185f927318e1758148e418960c53576399bbc8c3

Download Submit
memory/528-59-0x0000000000000000-mapping.dmp

Download
memory/528-63-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/528-66-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/1064-61-0x0000000000000000-mapping.dmp

Download
memory/1336-57-0x0000000000420000-0x0000000000427000-memory.dmp

Filesize
28KB

Download
memory/1336-56-0x00000000047E0000-0x00000000047E1000-memory.dmp

Filesize
4KB

Download
memory/1336-53-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1336-55-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1684-71-0x0000000000000000-mapping.dmp

Download
memory/1880-70-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads