njrat | dc52cb3d58087c26b2c4ccc95ec2a50df8b2ada10d368251b836b033f36eb0e3

General

Target

dc52cb3d58087c26b2c4ccc95ec2a50df8b2ada10d368251b836b033f36eb0e3.exe
Size

454KB
MD5

724c9322da3b1c5f7994a466fbb6dc09
SHA1

d993e3da6da34581ba6d3ca18d33356767cbecf7
SHA256

dc52cb3d58087c26b2c4ccc95ec2a50df8b2ada10d368251b836b033f36eb0e3
SHA512

7d2ae83d9ad9ae790ee9c7b2fb1b35456b27c0e79e0fb313ad58aa342a2bd058b6b7337aa354b4b7462081ef73cbddc982a1be503aff135e4f3a1b6c9f808a7f

Score

10^/10

njrat estación terpel persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7.3

Botnet

ESTACIÓN TERPEL

C2

estacion373.duckdns.org:1990

Mutex

Client.exe

Attributes

reg_key
Client.exe
splitter
1990

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe\" .."	RegSvcs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe\" .."	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

dc52cb3d58087c26b2c4ccc95ec2a50df8b2ada10d368251b836b033f36eb0e3.exe

description	pid	process	target process
PID 2700 set thread context of 2920	2700	dc52cb3d58087c26b2c4ccc95ec2a50df8b2ada10d368251b836b033f36eb0e3.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3544 schtasks.exe
2408 schtasks.exe

pid	process
3544	schtasks.exe
2408	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

dc52cb3d58087c26b2c4ccc95ec2a50df8b2ada10d368251b836b033f36eb0e3.exe

pid	process
2700	dc52cb3d58087c26b2c4ccc95ec2a50df8b2ada10d368251b836b033f36eb0e3.exe
2700	dc52cb3d58087c26b2c4ccc95ec2a50df8b2ada10d368251b836b033f36eb0e3.exe
2700	dc52cb3d58087c26b2c4ccc95ec2a50df8b2ada10d368251b836b033f36eb0e3.exe
2700	dc52cb3d58087c26b2c4ccc95ec2a50df8b2ada10d368251b836b033f36eb0e3.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

dc52cb3d58087c26b2c4ccc95ec2a50df8b2ada10d368251b836b033f36eb0e3.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	2700	dc52cb3d58087c26b2c4ccc95ec2a50df8b2ada10d368251b836b033f36eb0e3.exe
Token: SeDebugPrivilege	2920	RegSvcs.exe
Token: 33	2920	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2920	RegSvcs.exe
Token: 33	2920	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2920	RegSvcs.exe
Token: 33	2920	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2920	RegSvcs.exe
Token: 33	2920	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2920	RegSvcs.exe
Token: 33	2920	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2920	RegSvcs.exe
Token: 33	2920	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2920	RegSvcs.exe
Token: 33	2920	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2920	RegSvcs.exe
Token: 33	2920	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2920	RegSvcs.exe
Token: 33	2920	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2920	RegSvcs.exe
Token: 33	2920	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2920	RegSvcs.exe
Token: 33	2920	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2920	RegSvcs.exe
Token: 33	2920	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2920	RegSvcs.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

dc52cb3d58087c26b2c4ccc95ec2a50df8b2ada10d368251b836b033f36eb0e3.exeRegSvcs.exe

description	pid	process	target process
PID 2700 wrote to memory of 3544	2700	dc52cb3d58087c26b2c4ccc95ec2a50df8b2ada10d368251b836b033f36eb0e3.exe	schtasks.exe
PID 2700 wrote to memory of 3544	2700	dc52cb3d58087c26b2c4ccc95ec2a50df8b2ada10d368251b836b033f36eb0e3.exe	schtasks.exe
PID 2700 wrote to memory of 3544	2700	dc52cb3d58087c26b2c4ccc95ec2a50df8b2ada10d368251b836b033f36eb0e3.exe	schtasks.exe
PID 2700 wrote to memory of 2920	2700	dc52cb3d58087c26b2c4ccc95ec2a50df8b2ada10d368251b836b033f36eb0e3.exe	RegSvcs.exe
PID 2700 wrote to memory of 2920	2700	dc52cb3d58087c26b2c4ccc95ec2a50df8b2ada10d368251b836b033f36eb0e3.exe	RegSvcs.exe
PID 2700 wrote to memory of 2920	2700	dc52cb3d58087c26b2c4ccc95ec2a50df8b2ada10d368251b836b033f36eb0e3.exe	RegSvcs.exe
PID 2700 wrote to memory of 2920	2700	dc52cb3d58087c26b2c4ccc95ec2a50df8b2ada10d368251b836b033f36eb0e3.exe	RegSvcs.exe
PID 2700 wrote to memory of 2920	2700	dc52cb3d58087c26b2c4ccc95ec2a50df8b2ada10d368251b836b033f36eb0e3.exe	RegSvcs.exe
PID 2700 wrote to memory of 2920	2700	dc52cb3d58087c26b2c4ccc95ec2a50df8b2ada10d368251b836b033f36eb0e3.exe	RegSvcs.exe
PID 2700 wrote to memory of 2920	2700	dc52cb3d58087c26b2c4ccc95ec2a50df8b2ada10d368251b836b033f36eb0e3.exe	RegSvcs.exe
PID 2700 wrote to memory of 2920	2700	dc52cb3d58087c26b2c4ccc95ec2a50df8b2ada10d368251b836b033f36eb0e3.exe	RegSvcs.exe
PID 2920 wrote to memory of 4016	2920	RegSvcs.exe	schtasks.exe
PID 2920 wrote to memory of 4016	2920	RegSvcs.exe	schtasks.exe
PID 2920 wrote to memory of 4016	2920	RegSvcs.exe	schtasks.exe
PID 2920 wrote to memory of 2408	2920	RegSvcs.exe	schtasks.exe
PID 2920 wrote to memory of 2408	2920	RegSvcs.exe	schtasks.exe
PID 2920 wrote to memory of 2408	2920	RegSvcs.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\dc52cb3d58087c26b2c4ccc95ec2a50df8b2ada10d368251b836b033f36eb0e3.exe
"C:\Users\Admin\AppData\Local\Temp\dc52cb3d58087c26b2c4ccc95ec2a50df8b2ada10d368251b836b033f36eb0e3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2700

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fkHhuFSCKBkxD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4EF7.tmp"
2⤵
- Creates scheduled task(s)
PID:3544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2920

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
3⤵
PID:4016

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" /sc minute /mo 1
3⤵
- Creates scheduled task(s)
PID:2408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
1⤵
PID:1244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
1⤵
PID:1944

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log
MD5
8c0458bb9ea02d50565175e38d577e35

SHA1
f0b50702cd6470f3c17d637908f83212fdbdb2f2

SHA256
c578e86db701b9afa3626e804cf434f9d32272ff59fb32fa9a51835e5a148b53

SHA512
804a47494d9a462ffa6f39759480700ecbe5a7f3a15ec3a6330176ed9c04695d2684bf6bf85ab86286d52e7b727436d0bb2e8da96e20d47740b5ce3f856b5d0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4EF7.tmp
MD5
160dd3ef22eea865284370aa9f731e0c

SHA1
fe8c03642c629184e641043f4a006ffeea0ead86

SHA256
ef19833bc8f1564e53a9276ff3b8da72f66d4a718e8c261b2e89ee91a74cf1ed

SHA512
6ca3350b5200230e9b33b50566285c56b48a9c782d7e9f7ad9832baff3208c92a65264da83d698d3ba28ff3f3a3f0eb2bc0e5a13cdfa2a6ad7d48475bf857fd9

Download Submit
memory/1244-130-0x0000000005450000-0x0000000005470000-memory.dmp

Filesize
128KB

Download
memory/1244-129-0x0000000005490000-0x00000000054CC000-memory.dmp

Filesize
240KB

Download
memory/1244-128-0x0000000000D10000-0x0000000000D1E000-memory.dmp

Filesize
56KB

Download
memory/2700-123-0x00000000068F0000-0x0000000006922000-memory.dmp

Filesize
200KB

Download
memory/2700-121-0x000000000B2A0000-0x000000000B5F0000-memory.dmp

Filesize
3.3MB

Download
memory/2700-122-0x000000000B820000-0x000000000B876000-memory.dmp

Filesize
344KB

Download
memory/2700-115-0x0000000000F90000-0x0000000001008000-memory.dmp

Filesize
480KB

Download
memory/2700-124-0x000000000F180000-0x000000000F21C000-memory.dmp

Filesize
624KB

Download
memory/2700-120-0x0000000003240000-0x000000000324C000-memory.dmp

Filesize
48KB

Download
memory/2700-119-0x0000000007DC0000-0x0000000007DCA000-memory.dmp

Filesize
40KB

Download
memory/2700-118-0x0000000007C70000-0x000000000816E000-memory.dmp

Filesize
5.0MB

Download
memory/2700-117-0x0000000007D10000-0x0000000007DA2000-memory.dmp

Filesize
584KB

Download
memory/2700-116-0x0000000008170000-0x000000000866E000-memory.dmp

Filesize
5.0MB

Download
memory/2920-126-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2920-127-0x0000000004F80000-0x000000000547E000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads