njrat | 2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c

General

Target

2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe
Size

662KB
MD5

51b5e9e7d1d63c1acd6df20dda31004a
SHA1

2a935b93c9135bb4d0d849c8219c453075bcdf47
SHA256

2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c
SHA512

f91f54e994b898e96743ece7f61613301d78e398361d10bbd25c0b59e59bd75fe6a438adc8ce4ce20031fa2202d4c7a5239bbbf105aba8619b43717950b6a202

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

107.155.132.152:5552

Mutex

2b9f14c7f031fd1035abf9fa94c773ba

Attributes

reg_key
2b9f14c7f031fd1035abf9fa94c773ba
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\2b9f14c7f031fd1035abf9fa94c773ba = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe\" .."	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\2b9f14c7f031fd1035abf9fa94c773ba = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe\" .."	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe

description	pid	process	target process
PID 2164 set thread context of 2644	2164	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3604 schtasks.exe

pid	process
3604	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exepowershell.exe

pid	process
2164	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe
4044	powershell.exe
2164	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe
4044	powershell.exe
4044	powershell.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exepowershell.exe2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe

description	pid	process
Token: SeDebugPrivilege	2164	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe
Token: SeDebugPrivilege	4044	powershell.exe
Token: SeDebugPrivilege	2644	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe
Token: 33	2644	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe
Token: SeIncBasePriorityPrivilege	2644	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe
Token: 33	2644	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe
Token: SeIncBasePriorityPrivilege	2644	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe
Token: 33	2644	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe
Token: SeIncBasePriorityPrivilege	2644	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe
Token: 33	2644	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe
Token: SeIncBasePriorityPrivilege	2644	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe
Token: 33	2644	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe
Token: SeIncBasePriorityPrivilege	2644	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe
Token: 33	2644	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe
Token: SeIncBasePriorityPrivilege	2644	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe
Token: 33	2644	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe
Token: SeIncBasePriorityPrivilege	2644	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe
Token: 33	2644	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe
Token: SeIncBasePriorityPrivilege	2644	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe
Token: 33	2644	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe
Token: SeIncBasePriorityPrivilege	2644	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe
Token: 33	2644	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe
Token: SeIncBasePriorityPrivilege	2644	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe
Token: 33	2644	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe
Token: SeIncBasePriorityPrivilege	2644	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe
Token: 33	2644	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe
Token: SeIncBasePriorityPrivilege	2644	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe
Token: 33	2644	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe
Token: SeIncBasePriorityPrivilege	2644	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe

description	pid	process	target process
PID 2164 wrote to memory of 4044	2164	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe	powershell.exe
PID 2164 wrote to memory of 4044	2164	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe	powershell.exe
PID 2164 wrote to memory of 4044	2164	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe	powershell.exe
PID 2164 wrote to memory of 3604	2164	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe	schtasks.exe
PID 2164 wrote to memory of 3604	2164	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe	schtasks.exe
PID 2164 wrote to memory of 3604	2164	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe	schtasks.exe
PID 2164 wrote to memory of 2644	2164	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe
PID 2164 wrote to memory of 2644	2164	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe
PID 2164 wrote to memory of 2644	2164	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe
PID 2164 wrote to memory of 2644	2164	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe
PID 2164 wrote to memory of 2644	2164	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe
PID 2164 wrote to memory of 2644	2164	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe
PID 2164 wrote to memory of 2644	2164	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe
PID 2164 wrote to memory of 2644	2164	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe
PID 2644 wrote to memory of 3488	2644	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe	netsh.exe
PID 2644 wrote to memory of 3488	2644	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe	netsh.exe
PID 2644 wrote to memory of 3488	2644	2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe
"C:\Users\Admin\AppData\Local\Temp\2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2164

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\VnuJgEcRT.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4044

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VnuJgEcRT" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3D72.tmp"
2⤵
- Creates scheduled task(s)
PID:3604

C:\Users\Admin\AppData\Local\Temp\2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe
"C:\Users\Admin\AppData\Local\Temp\2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe"
2⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2644

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe" "2c6fae2182c59ef4cee6b63e29cf7fa66990e40ad5c22b6a469d3c935766202c.exe" ENABLE
3⤵
PID:3488

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3D72.tmp
MD5
fc6c452e6247c7aade00e2715b8c9ec9

SHA1
2a53938e8dd4f12028ae0d775e4430db623f9e1f

SHA256
faf2ac9cdcefe6b25518a01870c7ab72d3182217dc9b919658ab4a72c7764ecc

SHA512
5e8ed79dd3c679cf27f724ecdc32f252609a3ac1be3e6b4e42c1378c70e7f1f814c686e24434bed6617656b615b323163c853177d84c66c81384e3aee67e6d7f

Download Submit
memory/2164-125-0x0000000007830000-0x0000000007831000-memory.dmp

Filesize
4KB

Download
memory/2164-127-0x0000000007170000-0x0000000007179000-memory.dmp

Filesize
36KB

Download
memory/2164-122-0x00000000053C0000-0x00000000053C1000-memory.dmp

Filesize
4KB

Download
memory/2164-123-0x0000000002E50000-0x0000000002E51000-memory.dmp

Filesize
4KB

Download
memory/2164-124-0x0000000005660000-0x0000000005667000-memory.dmp

Filesize
28KB

Download
memory/2164-118-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/2164-126-0x0000000007130000-0x000000000715A000-memory.dmp

Filesize
168KB

Download
memory/2164-121-0x0000000005420000-0x0000000005421000-memory.dmp

Filesize
4KB

Download
memory/2164-120-0x0000000005880000-0x0000000005881000-memory.dmp

Filesize
4KB

Download
memory/2644-140-0x000000000040747E-mapping.dmp

Download
memory/2644-388-0x0000000005690000-0x0000000005B8E000-memory.dmp

Filesize
5.0MB

Download
memory/2644-139-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3488-386-0x0000000000000000-mapping.dmp

Download
memory/3604-129-0x0000000000000000-mapping.dmp

Download
memory/4044-137-0x0000000007B90000-0x0000000007B91000-memory.dmp

Filesize
4KB

Download
memory/4044-149-0x00000000082B0000-0x00000000082B1000-memory.dmp

Filesize
4KB

Download
memory/4044-136-0x00000000078D0000-0x00000000078D1000-memory.dmp

Filesize
4KB

Download
memory/4044-134-0x00000000072A0000-0x00000000072A1000-memory.dmp

Filesize
4KB

Download
memory/4044-138-0x0000000007C00000-0x0000000007C01000-memory.dmp

Filesize
4KB

Download
memory/4044-133-0x0000000004790000-0x0000000004791000-memory.dmp

Filesize
4KB

Download
memory/4044-131-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/4044-145-0x00000000079D0000-0x00000000079D1000-memory.dmp

Filesize
4KB

Download
memory/4044-146-0x00000000083A0000-0x00000000083A1000-memory.dmp

Filesize
4KB

Download
memory/4044-147-0x00000000048A0000-0x00000000048A1000-memory.dmp

Filesize
4KB

Download
memory/4044-148-0x00000000048A2000-0x00000000048A3000-memory.dmp

Filesize
4KB

Download
memory/4044-135-0x0000000007200000-0x0000000007201000-memory.dmp

Filesize
4KB

Download
memory/4044-150-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/4044-157-0x0000000009060000-0x0000000009093000-memory.dmp

Filesize
204KB

Download
memory/4044-164-0x0000000009040000-0x0000000009041000-memory.dmp

Filesize
4KB

Download
memory/4044-169-0x00000000093F0000-0x00000000093F1000-memory.dmp

Filesize
4KB

Download
memory/4044-170-0x0000000009580000-0x0000000009581000-memory.dmp

Filesize
4KB

Download
memory/4044-239-0x000000007F7D0000-0x000000007F7D1000-memory.dmp

Filesize
4KB

Download
memory/4044-240-0x00000000048A3000-0x00000000048A4000-memory.dmp

Filesize
4KB

Download
memory/4044-130-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/4044-128-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads