njrat | 7c38da59f7862d189ac6e2d4959016d062c972d3c89408fe7e3602cb9f4a002a

General

Target

7C38DA59F7862D189AC6E2D4959016D062C972D3C8940.exe
Size

450KB
MD5

103aa6d5669a9f0246d44a5fadb767cd
SHA1

b01d65d6b11d48dcb75fbb7e02a6d23c6d675b95
SHA256

7c38da59f7862d189ac6e2d4959016d062c972d3c89408fe7e3602cb9f4a002a
SHA512

9ab37a961b186dbc4cbceb23c3a5b48017d825e831034214b580e6401956a90661ed82dbea9315f02320ea39185f927318e1758148e418960c53576399bbc8c3

Score

10^/10

njrat quran persistence trojan

Malware Config

Extracted

Family

njrat

Version

v4.0

Botnet

Quran

C2

165.227.31.192:22867

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

Payload.exe

pid process

576 Payload.exe

pid	process
576	Payload.exe

Drops startup file 5 IoCs

Processes:

Payload.exeattrib.exe7C38DA59F7862D189AC6E2D4959016D062C972D3C8940.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	Payload.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	Payload.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	attrib.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	7C38DA59F7862D189AC6E2D4959016D062C972D3C8940.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	Payload.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

7C38DA59F7862D189AC6E2D4959016D062C972D3C8940.exePayload.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe"	7C38DA59F7862D189AC6E2D4959016D062C972D3C8940.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

7C38DA59F7862D189AC6E2D4959016D062C972D3C8940.exePayload.exe

description pid process

Token: SeDebugPrivilege 664 7C38DA59F7862D189AC6E2D4959016D062C972D3C8940.exe
Token: SeDebugPrivilege 576 Payload.exe

description	pid	process
Token: SeDebugPrivilege	664	7C38DA59F7862D189AC6E2D4959016D062C972D3C8940.exe
Token: SeDebugPrivilege	576	Payload.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

7C38DA59F7862D189AC6E2D4959016D062C972D3C8940.exePayload.exe

description	pid	process	target process
PID 664 wrote to memory of 576	664	7C38DA59F7862D189AC6E2D4959016D062C972D3C8940.exe	Payload.exe
PID 664 wrote to memory of 576	664	7C38DA59F7862D189AC6E2D4959016D062C972D3C8940.exe	Payload.exe
PID 664 wrote to memory of 576	664	7C38DA59F7862D189AC6E2D4959016D062C972D3C8940.exe	Payload.exe
PID 664 wrote to memory of 420	664	7C38DA59F7862D189AC6E2D4959016D062C972D3C8940.exe	attrib.exe
PID 664 wrote to memory of 420	664	7C38DA59F7862D189AC6E2D4959016D062C972D3C8940.exe	attrib.exe
PID 664 wrote to memory of 420	664	7C38DA59F7862D189AC6E2D4959016D062C972D3C8940.exe	attrib.exe
PID 576 wrote to memory of 3344	576	Payload.exe	attrib.exe
PID 576 wrote to memory of 3344	576	Payload.exe	attrib.exe
PID 576 wrote to memory of 3344	576	Payload.exe	attrib.exe
PID 576 wrote to memory of 784	576	Payload.exe	attrib.exe
PID 576 wrote to memory of 784	576	Payload.exe	attrib.exe
PID 576 wrote to memory of 784	576	Payload.exe	attrib.exe

Views/modifies file attributes 1 TTPs 3 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exe

pid process

420 attrib.exe
3344 attrib.exe
784 attrib.exe

pid	process
420	attrib.exe
3344	attrib.exe
784	attrib.exe

C:\Users\Admin\AppData\Local\Temp\7C38DA59F7862D189AC6E2D4959016D062C972D3C8940.exe
"C:\Users\Admin\AppData\Local\Temp\7C38DA59F7862D189AC6E2D4959016D062C972D3C8940.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:664

C:\Users\Admin\AppData\Local\Temp\Payload.exe
"C:\Users\Admin\AppData\Local\Temp\Payload.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
3⤵
- Drops startup file
- Views/modifies file attributes
PID:3344

C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"
3⤵
- Views/modifies file attributes
PID:784

C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
2⤵
- Views/modifies file attributes
PID:420

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Hidden Files and Directories

1

T1158

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Payload.exe
MD5
103aa6d5669a9f0246d44a5fadb767cd

SHA1
b01d65d6b11d48dcb75fbb7e02a6d23c6d675b95

SHA256
7c38da59f7862d189ac6e2d4959016d062c972d3c89408fe7e3602cb9f4a002a

SHA512
9ab37a961b186dbc4cbceb23c3a5b48017d825e831034214b580e6401956a90661ed82dbea9315f02320ea39185f927318e1758148e418960c53576399bbc8c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Payload.exe
MD5
103aa6d5669a9f0246d44a5fadb767cd

SHA1
b01d65d6b11d48dcb75fbb7e02a6d23c6d675b95

SHA256
7c38da59f7862d189ac6e2d4959016d062c972d3c89408fe7e3602cb9f4a002a

SHA512
9ab37a961b186dbc4cbceb23c3a5b48017d825e831034214b580e6401956a90661ed82dbea9315f02320ea39185f927318e1758148e418960c53576399bbc8c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe
MD5
103aa6d5669a9f0246d44a5fadb767cd

SHA1
b01d65d6b11d48dcb75fbb7e02a6d23c6d675b95

SHA256
7c38da59f7862d189ac6e2d4959016d062c972d3c89408fe7e3602cb9f4a002a

SHA512
9ab37a961b186dbc4cbceb23c3a5b48017d825e831034214b580e6401956a90661ed82dbea9315f02320ea39185f927318e1758148e418960c53576399bbc8c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
MD5
ccc1eae983999b18b05cdc4a9d39d334

SHA1
7f42d03d9a6bc8cdcc25464c97d5e37097772493

SHA256
f97ea25cffdfd921e7c81d80fcad6baa7918b643c24d010acfc65601db93e01a

SHA512
b2bc86a732c148d38d8c721b469a2159f653c7fd534ab4e3b5fc515c393a8651742e17a872daad6b0c61f8e7cc509fb0881567ac165ba7bdc98697260f879a58

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
MD5
6e8424fdecfc98f2137488d080139a68

SHA1
727de20ac4b5717f0cc33b74499baa8949c5ef9a

SHA256
367ca209d93eb5a11e07266f051c2b8bcd3d1c6d347253952cc0e832d855a51b

SHA512
f6eec81cabf8b458c16c9df9a2d48dd8d48dce81c857e1806a8d55229058c7d74df6d50f34087a9d1734237ee1a98b14f8bcf0a731cd801fb1ad196dcd7001c7

Download Submit
memory/420-124-0x0000000000000000-mapping.dmp

Download
memory/576-137-0x000000000A960000-0x000000000A961000-memory.dmp

Filesize
4KB

Download
memory/576-121-0x0000000000000000-mapping.dmp

Download
memory/576-139-0x000000000ABA0000-0x000000000ABA1000-memory.dmp

Filesize
4KB

Download
memory/576-138-0x000000000A920000-0x000000000A921000-memory.dmp

Filesize
4KB

Download
memory/576-128-0x0000000004A20000-0x0000000004A21000-memory.dmp

Filesize
4KB

Download
memory/664-117-0x00000000051B0000-0x00000000051B1000-memory.dmp

Filesize
4KB

Download
memory/664-114-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/664-116-0x0000000002C30000-0x0000000002C31000-memory.dmp

Filesize
4KB

Download
memory/664-120-0x000000000B420000-0x000000000B421000-memory.dmp

Filesize
4KB

Download
memory/664-118-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/664-119-0x0000000000990000-0x0000000000997000-memory.dmp

Filesize
28KB

Download
memory/784-135-0x0000000000000000-mapping.dmp

Download
memory/3344-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads