njrat | 0cddbc246dd35d0e7707910f12c968b7cebeb102afb61292aff19021d21fb487

General

Target

0cddbc246dd35d0e7707910f12c968b7cebeb102afb61292aff19021d21fb487.exe
Size

274KB
MD5

94c2a55970ad8b796e7610a8a8999a60
SHA1

9cfdb16851a0c9a5e698ac34cdc59d50dc8e8cf9
SHA256

0cddbc246dd35d0e7707910f12c968b7cebeb102afb61292aff19021d21fb487
SHA512

5bdcaa4d746f0b004392aee2b2d7103571d140ae23ee4ee3aa25f7ec6e50175610321fe2db5cc263ab9ae3bb8386b9f8a755ac119b519095836046ece64456f3

Score

10^/10

njrat notificación persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7.3

Botnet

NOTIFICACIÓN

C2

rewt6.duckdns.org:1990

Mutex

Client.exe

Attributes

reg_key
Client.exe
splitter
1990

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe\" .."	RegSvcs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe\" .."	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

0cddbc246dd35d0e7707910f12c968b7cebeb102afb61292aff19021d21fb487.exe

description	pid	process	target process
PID 1448 set thread context of 1112	1448	0cddbc246dd35d0e7707910f12c968b7cebeb102afb61292aff19021d21fb487.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

392 schtasks.exe
1780 schtasks.exe

pid	process
392	schtasks.exe
1780	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

0cddbc246dd35d0e7707910f12c968b7cebeb102afb61292aff19021d21fb487.exe

pid	process
1448	0cddbc246dd35d0e7707910f12c968b7cebeb102afb61292aff19021d21fb487.exe
1448	0cddbc246dd35d0e7707910f12c968b7cebeb102afb61292aff19021d21fb487.exe
1448	0cddbc246dd35d0e7707910f12c968b7cebeb102afb61292aff19021d21fb487.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

0cddbc246dd35d0e7707910f12c968b7cebeb102afb61292aff19021d21fb487.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1448	0cddbc246dd35d0e7707910f12c968b7cebeb102afb61292aff19021d21fb487.exe
Token: SeDebugPrivilege	1112	RegSvcs.exe
Token: 33	1112	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1112	RegSvcs.exe
Token: 33	1112	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1112	RegSvcs.exe
Token: 33	1112	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1112	RegSvcs.exe
Token: 33	1112	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1112	RegSvcs.exe
Token: 33	1112	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1112	RegSvcs.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

0cddbc246dd35d0e7707910f12c968b7cebeb102afb61292aff19021d21fb487.exeRegSvcs.exetaskeng.exe

description	pid	process	target process
PID 1448 wrote to memory of 392	1448	0cddbc246dd35d0e7707910f12c968b7cebeb102afb61292aff19021d21fb487.exe	schtasks.exe
PID 1448 wrote to memory of 392	1448	0cddbc246dd35d0e7707910f12c968b7cebeb102afb61292aff19021d21fb487.exe	schtasks.exe
PID 1448 wrote to memory of 392	1448	0cddbc246dd35d0e7707910f12c968b7cebeb102afb61292aff19021d21fb487.exe	schtasks.exe
PID 1448 wrote to memory of 392	1448	0cddbc246dd35d0e7707910f12c968b7cebeb102afb61292aff19021d21fb487.exe	schtasks.exe
PID 1448 wrote to memory of 1112	1448	0cddbc246dd35d0e7707910f12c968b7cebeb102afb61292aff19021d21fb487.exe	RegSvcs.exe
PID 1448 wrote to memory of 1112	1448	0cddbc246dd35d0e7707910f12c968b7cebeb102afb61292aff19021d21fb487.exe	RegSvcs.exe
PID 1448 wrote to memory of 1112	1448	0cddbc246dd35d0e7707910f12c968b7cebeb102afb61292aff19021d21fb487.exe	RegSvcs.exe
PID 1448 wrote to memory of 1112	1448	0cddbc246dd35d0e7707910f12c968b7cebeb102afb61292aff19021d21fb487.exe	RegSvcs.exe
PID 1448 wrote to memory of 1112	1448	0cddbc246dd35d0e7707910f12c968b7cebeb102afb61292aff19021d21fb487.exe	RegSvcs.exe
PID 1448 wrote to memory of 1112	1448	0cddbc246dd35d0e7707910f12c968b7cebeb102afb61292aff19021d21fb487.exe	RegSvcs.exe
PID 1448 wrote to memory of 1112	1448	0cddbc246dd35d0e7707910f12c968b7cebeb102afb61292aff19021d21fb487.exe	RegSvcs.exe
PID 1448 wrote to memory of 1112	1448	0cddbc246dd35d0e7707910f12c968b7cebeb102afb61292aff19021d21fb487.exe	RegSvcs.exe
PID 1448 wrote to memory of 1112	1448	0cddbc246dd35d0e7707910f12c968b7cebeb102afb61292aff19021d21fb487.exe	RegSvcs.exe
PID 1448 wrote to memory of 1112	1448	0cddbc246dd35d0e7707910f12c968b7cebeb102afb61292aff19021d21fb487.exe	RegSvcs.exe
PID 1448 wrote to memory of 1112	1448	0cddbc246dd35d0e7707910f12c968b7cebeb102afb61292aff19021d21fb487.exe	RegSvcs.exe
PID 1448 wrote to memory of 1112	1448	0cddbc246dd35d0e7707910f12c968b7cebeb102afb61292aff19021d21fb487.exe	RegSvcs.exe
PID 1112 wrote to memory of 1176	1112	RegSvcs.exe	schtasks.exe
PID 1112 wrote to memory of 1176	1112	RegSvcs.exe	schtasks.exe
PID 1112 wrote to memory of 1176	1112	RegSvcs.exe	schtasks.exe
PID 1112 wrote to memory of 1176	1112	RegSvcs.exe	schtasks.exe
PID 1112 wrote to memory of 1780	1112	RegSvcs.exe	schtasks.exe
PID 1112 wrote to memory of 1780	1112	RegSvcs.exe	schtasks.exe
PID 1112 wrote to memory of 1780	1112	RegSvcs.exe	schtasks.exe
PID 1112 wrote to memory of 1780	1112	RegSvcs.exe	schtasks.exe
PID 980 wrote to memory of 296	980	taskeng.exe	RegSvcs.exe
PID 980 wrote to memory of 296	980	taskeng.exe	RegSvcs.exe
PID 980 wrote to memory of 296	980	taskeng.exe	RegSvcs.exe
PID 980 wrote to memory of 296	980	taskeng.exe	RegSvcs.exe
PID 980 wrote to memory of 296	980	taskeng.exe	RegSvcs.exe
PID 980 wrote to memory of 296	980	taskeng.exe	RegSvcs.exe
PID 980 wrote to memory of 296	980	taskeng.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\0cddbc246dd35d0e7707910f12c968b7cebeb102afb61292aff19021d21fb487.exe
"C:\Users\Admin\AppData\Local\Temp\0cddbc246dd35d0e7707910f12c968b7cebeb102afb61292aff19021d21fb487.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BowPmeNnBRwNr" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6393.tmp"
2⤵
- Creates scheduled task(s)
PID:392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
3⤵
PID:1176

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" /sc minute /mo 1
3⤵
- Creates scheduled task(s)
PID:1780

C:\Windows\system32\taskeng.exe
taskeng.exe {05A7291F-29BB-4C4C-8E5C-877353DD770B} S-1-5-21-2329389628-4064185017-3901522362-1000:QSKGHMYQ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
2⤵
PID:296

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6393.tmp
MD5
feaee90c4135f7532ce20a6b8622997c

SHA1
a7f6bf353d69d36ac1dcd2fe03286d6af23753b9

SHA256
bb9273b4f46cb49e839a3893e049485fefadf010dcb789bb77eecd0ecce7240e

SHA512
bc76314d4f6a2a4985633faf85453b3390b16c2d3e84a1522d9d9af03d9f7021534830b4ecb6172f0958d939ddef62242801bf27a374f024a46af4432423010b

Download Submit
memory/296-69-0x0000000000390000-0x00000000003B0000-memory.dmp

Filesize
128KB

Download
memory/296-68-0x00000000001A0000-0x00000000001AE000-memory.dmp

Filesize
56KB

Download
memory/1112-67-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1112-62-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1112-63-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1112-64-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1112-65-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1112-66-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1112-71-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download
memory/1448-59-0x0000000002090000-0x00000000020CC000-memory.dmp

Filesize
240KB

Download
memory/1448-60-0x0000000001EA0000-0x0000000001EBA000-memory.dmp

Filesize
104KB

Download
memory/1448-58-0x0000000000470000-0x000000000047A000-memory.dmp

Filesize
40KB

Download
memory/1448-55-0x0000000000210000-0x000000000025A000-memory.dmp

Filesize
296KB

Download
memory/1448-57-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

Filesize
4KB

Download
memory/1448-56-0x00000000758A1000-0x00000000758A3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads