njrat | a665eae243d8d987de7378c95a9e7894d95b7ca6632e7455dcb9431870e67016

General

Target

ad0f6231d44f6d0e08379256a3f765c0.exe
Size

432KB
MD5

ad0f6231d44f6d0e08379256a3f765c0
SHA1

765c2ba3990b9c2a603a0012dfac8e34e39eda38
SHA256

a665eae243d8d987de7378c95a9e7894d95b7ca6632e7455dcb9431870e67016
SHA512

8bcf9c48c9137b897194cd757ff80153462ce2ad2f2d468ab70ba4479808f3a8bd99006d50a0802289de43092b7079286a86091674d0173325b50ad089309eb0

Score

10^/10

njrat 2021 evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

2021

C2

aqq.linkpc.net:999

Mutex

a1776750d898d3976ceabc94432acfb1

Attributes

reg_key
a1776750d898d3976ceabc94432acfb1
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

System64.exe

pid process

2232 System64.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
2232	System64.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

System64.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\a1776750d898d3976ceabc94432acfb1 = "\"C:\\Users\\Admin\\AppData\\Roaming\\System64.exe\" .."	System64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a1776750d898d3976ceabc94432acfb1 = "\"C:\\Users\\Admin\\AppData\\Roaming\\System64.exe\" .."	System64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

System64.exe

description	pid	process
Token: SeDebugPrivilege	2232	System64.exe
Token: 33	2232	System64.exe
Token: SeIncBasePriorityPrivilege	2232	System64.exe
Token: 33	2232	System64.exe
Token: SeIncBasePriorityPrivilege	2232	System64.exe
Token: 33	2232	System64.exe
Token: SeIncBasePriorityPrivilege	2232	System64.exe
Token: 33	2232	System64.exe
Token: SeIncBasePriorityPrivilege	2232	System64.exe
Token: 33	2232	System64.exe
Token: SeIncBasePriorityPrivilege	2232	System64.exe
Token: 33	2232	System64.exe
Token: SeIncBasePriorityPrivilege	2232	System64.exe
Token: 33	2232	System64.exe
Token: SeIncBasePriorityPrivilege	2232	System64.exe
Token: 33	2232	System64.exe
Token: SeIncBasePriorityPrivilege	2232	System64.exe
Token: 33	2232	System64.exe
Token: SeIncBasePriorityPrivilege	2232	System64.exe
Token: 33	2232	System64.exe
Token: SeIncBasePriorityPrivilege	2232	System64.exe
Token: 33	2232	System64.exe
Token: SeIncBasePriorityPrivilege	2232	System64.exe
Token: 33	2232	System64.exe
Token: SeIncBasePriorityPrivilege	2232	System64.exe
Token: 33	2232	System64.exe
Token: SeIncBasePriorityPrivilege	2232	System64.exe
Token: 33	2232	System64.exe
Token: SeIncBasePriorityPrivilege	2232	System64.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

ad0f6231d44f6d0e08379256a3f765c0.exeSystem64.exe

description	pid	process	target process
PID 504 wrote to memory of 2232	504	ad0f6231d44f6d0e08379256a3f765c0.exe	System64.exe
PID 504 wrote to memory of 2232	504	ad0f6231d44f6d0e08379256a3f765c0.exe	System64.exe
PID 2232 wrote to memory of 632	2232	System64.exe	netsh.exe
PID 2232 wrote to memory of 632	2232	System64.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\ad0f6231d44f6d0e08379256a3f765c0.exe
"C:\Users\Admin\AppData\Local\Temp\ad0f6231d44f6d0e08379256a3f765c0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:504

C:\Users\Admin\AppData\Roaming\System64.exe
"C:\Users\Admin\AppData\Roaming\System64.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2232

C:\Windows\SYSTEM32\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\System64.exe" "System64.exe" ENABLE
3⤵
PID:632

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\System64.exe
MD5
ad0f6231d44f6d0e08379256a3f765c0

SHA1
765c2ba3990b9c2a603a0012dfac8e34e39eda38

SHA256
a665eae243d8d987de7378c95a9e7894d95b7ca6632e7455dcb9431870e67016

SHA512
8bcf9c48c9137b897194cd757ff80153462ce2ad2f2d468ab70ba4479808f3a8bd99006d50a0802289de43092b7079286a86091674d0173325b50ad089309eb0

Download Submit
C:\Users\Admin\AppData\Roaming\System64.exe
MD5
ad0f6231d44f6d0e08379256a3f765c0

SHA1
765c2ba3990b9c2a603a0012dfac8e34e39eda38

SHA256
a665eae243d8d987de7378c95a9e7894d95b7ca6632e7455dcb9431870e67016

SHA512
8bcf9c48c9137b897194cd757ff80153462ce2ad2f2d468ab70ba4479808f3a8bd99006d50a0802289de43092b7079286a86091674d0173325b50ad089309eb0

Download Submit
memory/504-118-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/504-120-0x0000000000880000-0x0000000000886000-memory.dmp

Filesize
24KB

Download
memory/632-127-0x0000000000000000-mapping.dmp

Download
memory/2232-121-0x0000000000000000-mapping.dmp

Download
memory/2232-128-0x00000000016E0000-0x00000000016E2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads