njrat | 8d09712c6f3ed0173113b57d0835b1b7d32f2ee008143a6bdec9390aee412c57

Analysis

max time kernel
151s
max time network
134s
platform
windows10_x64
resource
win10-en-20210920
submitted
08-10-2021 11:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8D09712C6F3ED0173113B57D0835B1B7D32F2EE008143.exe
Size

22.1MB
MD5

c8b74e3eb7f08d7f22a5979b6035db99
SHA1

9a240b60ed6fa9593b3581a98a97d73e9bcf313d
SHA256

8d09712c6f3ed0173113b57d0835b1b7d32f2ee008143a6bdec9390aee412c57
SHA512

e54bced3674f53ba056ae35284777241a48b62948ae116cdedbdf4136b4fbe27460956854718e8160fadd36509817e11ada10bd56927e4b83f41af5411a074c1

Score

10^/10

njrat mnc7.6 evasion persistence suricata trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

MNC7.6

ddnsrtm.ddns.net:5552

Mutex

f32485db280ee39a17bf49b4a2d24db6

Attributes

reg_key
f32485db280ee39a17bf49b4a2d24db6
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Executes dropped EXE 5 IoCs

Processes:

m2964.exemanyc5m.exemncc64.exeManyCam.exesvchost.exe

pid process

3096 m2964.exe
956 manyc5m.exe
2416 mncc64.exe
4044 ManyCam.exe
2608 svchost.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
3096	m2964.exe
956	manyc5m.exe
2416	mncc64.exe
4044	ManyCam.exe
2608	svchost.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ManyCam.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ManyCam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ManyCam.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

ManyCam.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Wine ManyCam.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Wine	ManyCam.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\f32485db280ee39a17bf49b4a2d24db6 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\f32485db280ee39a17bf49b4a2d24db6 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .."	svchost.exe

Drops file in Program Files directory 4 IoCs

Processes:

manyc5m.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\ManyCam\ManyCam.exe	manyc5m.exe
File opened for modification	C:\Program Files (x86)\ManyCam	manyc5m.exe
File created	C:\Program Files (x86)\ManyCam\__tmp_rar_sfx_access_check_259371953	manyc5m.exe
File created	C:\Program Files (x86)\ManyCam\ManyCam.exe	manyc5m.exe

Drops file in Windows directory 10 IoCs

Processes:

8D09712C6F3ED0173113B57D0835B1B7D32F2EE008143.exem2964.exe

description	ioc	process
File created	C:\Windows\manyc5m.exe	8D09712C6F3ED0173113B57D0835B1B7D32F2EE008143.exe
File opened for modification	C:\Windows\manyc5m.exe	8D09712C6F3ED0173113B57D0835B1B7D32F2EE008143.exe
File created	C:\Windows\__tmp_rar_sfx_access_check_259371421	m2964.exe
File created	C:\Windows\29.vbs	m2964.exe
File created	C:\Windows\__tmp_rar_sfx_access_check_259369812	8D09712C6F3ED0173113B57D0835B1B7D32F2EE008143.exe
File opened for modification	C:\Windows\m2964.exe	8D09712C6F3ED0173113B57D0835B1B7D32F2EE008143.exe
File opened for modification	C:\Windows\29.vbs	m2964.exe
File created	C:\Windows\mncc64.exe	m2964.exe
File opened for modification	C:\Windows\mncc64.exe	m2964.exe
File created	C:\Windows\m2964.exe	8D09712C6F3ED0173113B57D0835B1B7D32F2EE008143.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

m2964.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings m2964.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings	m2964.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeDebugPrivilege	2608	svchost.exe
Token: 33	2608	svchost.exe
Token: SeIncBasePriorityPrivilege	2608	svchost.exe
Token: 33	2608	svchost.exe
Token: SeIncBasePriorityPrivilege	2608	svchost.exe
Token: 33	2608	svchost.exe
Token: SeIncBasePriorityPrivilege	2608	svchost.exe
Token: 33	2608	svchost.exe
Token: SeIncBasePriorityPrivilege	2608	svchost.exe
Token: 33	2608	svchost.exe
Token: SeIncBasePriorityPrivilege	2608	svchost.exe
Token: 33	2608	svchost.exe
Token: SeIncBasePriorityPrivilege	2608	svchost.exe
Token: 33	2608	svchost.exe
Token: SeIncBasePriorityPrivilege	2608	svchost.exe
Token: 33	2608	svchost.exe
Token: SeIncBasePriorityPrivilege	2608	svchost.exe
Token: 33	2608	svchost.exe
Token: SeIncBasePriorityPrivilege	2608	svchost.exe
Token: 33	2608	svchost.exe
Token: SeIncBasePriorityPrivilege	2608	svchost.exe
Token: 33	2608	svchost.exe
Token: SeIncBasePriorityPrivilege	2608	svchost.exe
Token: 33	2608	svchost.exe
Token: SeIncBasePriorityPrivilege	2608	svchost.exe
Token: 33	2608	svchost.exe
Token: SeIncBasePriorityPrivilege	2608	svchost.exe
Token: 33	2608	svchost.exe
Token: SeIncBasePriorityPrivilege	2608	svchost.exe
Token: 33	2608	svchost.exe
Token: SeIncBasePriorityPrivilege	2608	svchost.exe
Token: 33	2608	svchost.exe
Token: SeIncBasePriorityPrivilege	2608	svchost.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

8D09712C6F3ED0173113B57D0835B1B7D32F2EE008143.exem2964.exemanyc5m.exemncc64.exesvchost.exe

description	pid	process	target process
PID 2492 wrote to memory of 3096	2492	8D09712C6F3ED0173113B57D0835B1B7D32F2EE008143.exe	m2964.exe
PID 2492 wrote to memory of 3096	2492	8D09712C6F3ED0173113B57D0835B1B7D32F2EE008143.exe	m2964.exe
PID 2492 wrote to memory of 3096	2492	8D09712C6F3ED0173113B57D0835B1B7D32F2EE008143.exe	m2964.exe
PID 3096 wrote to memory of 1200	3096	m2964.exe	WScript.exe
PID 3096 wrote to memory of 1200	3096	m2964.exe	WScript.exe
PID 3096 wrote to memory of 1200	3096	m2964.exe	WScript.exe
PID 2492 wrote to memory of 956	2492	8D09712C6F3ED0173113B57D0835B1B7D32F2EE008143.exe	manyc5m.exe
PID 2492 wrote to memory of 956	2492	8D09712C6F3ED0173113B57D0835B1B7D32F2EE008143.exe	manyc5m.exe
PID 2492 wrote to memory of 956	2492	8D09712C6F3ED0173113B57D0835B1B7D32F2EE008143.exe	manyc5m.exe
PID 3096 wrote to memory of 2416	3096	m2964.exe	mncc64.exe
PID 3096 wrote to memory of 2416	3096	m2964.exe	mncc64.exe
PID 3096 wrote to memory of 2416	3096	m2964.exe	mncc64.exe
PID 956 wrote to memory of 4044	956	manyc5m.exe	ManyCam.exe
PID 956 wrote to memory of 4044	956	manyc5m.exe	ManyCam.exe
PID 956 wrote to memory of 4044	956	manyc5m.exe	ManyCam.exe
PID 2416 wrote to memory of 2608	2416	mncc64.exe	svchost.exe
PID 2416 wrote to memory of 2608	2416	mncc64.exe	svchost.exe
PID 2416 wrote to memory of 2608	2416	mncc64.exe	svchost.exe
PID 2608 wrote to memory of 2456	2608	svchost.exe	netsh.exe
PID 2608 wrote to memory of 2456	2608	svchost.exe	netsh.exe
PID 2608 wrote to memory of 2456	2608	svchost.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\8D09712C6F3ED0173113B57D0835B1B7D32F2EE008143.exe
"C:\Users\Admin\AppData\Local\Temp\8D09712C6F3ED0173113B57D0835B1B7D32F2EE008143.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2492

C:\Windows\m2964.exe
"C:\Windows\m2964.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3096

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\29.vbs"
3⤵
PID:1200

C:\Windows\mncc64.exe
"C:\Windows\mncc64.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2608

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE
5⤵
PID:2456

C:\Windows\manyc5m.exe
"C:\Windows\manyc5m.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:956

C:\Program Files (x86)\ManyCam\ManyCam.exe
"C:\Program Files (x86)\ManyCam\ManyCam.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
PID:4044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ManyCam\ManyCam.exe

MD5
ecd3ec2aba759770e129440aa5985c96

SHA1
97953d72151bcaa2e3c4fdddc7880fcca941c326

SHA256
961d70674bb999ed28f222dd87ca796f92f8d51c0b4a6473dc2c5dc12e6fbda4

SHA512
8a51cb136ef38123c257b6406f7d1e762454cbe19f2db712d9ca935b1ef3c5d518d808dd395730afee4f6eff1df7edd235148ef0716791fce2c73b069929f5e2

Download Submit
C:\Program Files (x86)\ManyCam\ManyCam.exe

MD5
ecd3ec2aba759770e129440aa5985c96

SHA1
97953d72151bcaa2e3c4fdddc7880fcca941c326

SHA256
961d70674bb999ed28f222dd87ca796f92f8d51c0b4a6473dc2c5dc12e6fbda4

SHA512
8a51cb136ef38123c257b6406f7d1e762454cbe19f2db712d9ca935b1ef3c5d518d808dd395730afee4f6eff1df7edd235148ef0716791fce2c73b069929f5e2

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

MD5
5e8442e948b384d2c205a784a1b99e8f

SHA1
b38f50e5f653457c4740427d4a0aeb19a1c1c5d3

SHA256
a013e1dccfa46a4dc619e601da6a0e4d6dae00394fb318d6d806094cb6e702a3

SHA512
b141fe353492606ae1a1f3bb7c89bce1f12ae797846626a38eaa155a352c5ad0b5c7eca7824fcb9dc0523289bd5437463ebf64d55b9939e4fa82385a1e952857

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

MD5
5e8442e948b384d2c205a784a1b99e8f

SHA1
b38f50e5f653457c4740427d4a0aeb19a1c1c5d3

SHA256
a013e1dccfa46a4dc619e601da6a0e4d6dae00394fb318d6d806094cb6e702a3

SHA512
b141fe353492606ae1a1f3bb7c89bce1f12ae797846626a38eaa155a352c5ad0b5c7eca7824fcb9dc0523289bd5437463ebf64d55b9939e4fa82385a1e952857

Download Submit
C:\Windows\29.vbs

MD5
075b46ba25b7801dd128da786f8f5b84

SHA1
c18dda8bcc9607fd605223c66a7c733f288b38c7

SHA256
732677effcbb076611beccb4e258acf5917d18e237b113204222f816dc7736fa

SHA512
d90bf50a146b0d481c36462a075d0c2a118accdba28ebbdcfd13164fcefdb369c51b97f89a4a6489d1ca8eaa4282f0654c9ac4c46c6badc15eaf87c33693459b

Download Submit
C:\Windows\m2964.exe

MD5
d26080d79bc91999c0cf59e59533905b

SHA1
69f8528b78a2ff8607391ebc70153531c34e327b

SHA256
813529161d892d292ab69661c7db138432ce39d412b493ebb5baf21abcfd2f25

SHA512
e820af1ed8c7e8c806f267af49eb6918947f745b54cfe17cb53ea4314a0a31516088b998b275e61b805264f2156d34150b0753473f28e5adbc003b27514900ba

Download Submit
C:\Windows\m2964.exe

MD5
d26080d79bc91999c0cf59e59533905b

SHA1
69f8528b78a2ff8607391ebc70153531c34e327b

SHA256
813529161d892d292ab69661c7db138432ce39d412b493ebb5baf21abcfd2f25

SHA512
e820af1ed8c7e8c806f267af49eb6918947f745b54cfe17cb53ea4314a0a31516088b998b275e61b805264f2156d34150b0753473f28e5adbc003b27514900ba

Download Submit
C:\Windows\manyc5m.exe

MD5
ffb0bcca45bd134426dc2ccc19599ce6

SHA1
0ecf6d8754315406b533d26a0f42b3518562a4ce

SHA256
f125fe67c68ab8d18b18ddc14a0d61cb034f2ef0936344b7edfdfe641633a8fe

SHA512
403e861d87fcc07bfe704dc77b3b700e01d7e958d65465a97bf3566616607bad39239f3b45684a4a9ac27e99a8c356213619812fa4ef47d92be11559239af0ad

Download Submit
C:\Windows\manyc5m.exe

MD5
ffb0bcca45bd134426dc2ccc19599ce6

SHA1
0ecf6d8754315406b533d26a0f42b3518562a4ce

SHA256
f125fe67c68ab8d18b18ddc14a0d61cb034f2ef0936344b7edfdfe641633a8fe

SHA512
403e861d87fcc07bfe704dc77b3b700e01d7e958d65465a97bf3566616607bad39239f3b45684a4a9ac27e99a8c356213619812fa4ef47d92be11559239af0ad

Download Submit
C:\Windows\mncc64.exe

MD5
5e8442e948b384d2c205a784a1b99e8f

SHA1
b38f50e5f653457c4740427d4a0aeb19a1c1c5d3

SHA256
a013e1dccfa46a4dc619e601da6a0e4d6dae00394fb318d6d806094cb6e702a3

SHA512
b141fe353492606ae1a1f3bb7c89bce1f12ae797846626a38eaa155a352c5ad0b5c7eca7824fcb9dc0523289bd5437463ebf64d55b9939e4fa82385a1e952857

Download Submit
C:\Windows\mncc64.exe

MD5
5e8442e948b384d2c205a784a1b99e8f

SHA1
b38f50e5f653457c4740427d4a0aeb19a1c1c5d3

SHA256
a013e1dccfa46a4dc619e601da6a0e4d6dae00394fb318d6d806094cb6e702a3

SHA512
b141fe353492606ae1a1f3bb7c89bce1f12ae797846626a38eaa155a352c5ad0b5c7eca7824fcb9dc0523289bd5437463ebf64d55b9939e4fa82385a1e952857

Download Submit
memory/956-119-0x0000000000000000-mapping.dmp

Download
memory/1200-118-0x0000000000000000-mapping.dmp

Download
memory/2416-122-0x0000000000000000-mapping.dmp

Download
memory/2416-126-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/2456-134-0x0000000000000000-mapping.dmp

Download
memory/2608-130-0x0000000000000000-mapping.dmp

Download
memory/2608-133-0x0000000002901000-0x0000000002902000-memory.dmp

Filesize
4KB

Download
memory/3096-115-0x0000000000000000-mapping.dmp

Download
memory/4044-127-0x0000000000000000-mapping.dmp

Download