njrat | 9ba526eaa176389b20e270129a403934a9625fdee27f1ad36ed20289f178421c

General

Target

#461432638.exe
Size

979KB
MD5

29bf474d20e0b17a36577c6e903e8afb
SHA1

11cf027edff4d91c634b23972c612a9998b7173f
SHA256

9ba526eaa176389b20e270129a403934a9625fdee27f1ad36ed20289f178421c
SHA512

bab8419ec4c686e01f173ee23a21c4345c8e2f0cf1bd32d7302993b0cdc513b897563f7bb14b589b7920aedec4c027d74fa8924c72a11c83884ddc5b74484cb4

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

1.9

Botnet

HacKed

Mutex

Microsoft.Exe

Attributes

reg_key
Microsoft.Exe

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 2 IoCs

Processes:

#461432638.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.Exe	#461432638.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.Exe	#461432638.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

#461432638.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft.Exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\#461432638.exe\" .."	#461432638.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft.Exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\#461432638.exe\" .."	#461432638.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

#461432638.exe

description pid process target process

PID 2336 set thread context of 596 2336 #461432638.exe #461432638.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1164 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

#461432638.exe

pid process

2336 #461432638.exe

description	pid	process	target process
PID 2336 set thread context of 596	2336	#461432638.exe	#461432638.exe

pid	process
1164	schtasks.exe

pid	process
2336	#461432638.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

#461432638.exe#461432638.exe

description	pid	process
Token: SeDebugPrivilege	2336	#461432638.exe
Token: SeDebugPrivilege	596	#461432638.exe
Token: 33	596	#461432638.exe
Token: SeIncBasePriorityPrivilege	596	#461432638.exe
Token: 33	596	#461432638.exe
Token: SeIncBasePriorityPrivilege	596	#461432638.exe
Token: 33	596	#461432638.exe
Token: SeIncBasePriorityPrivilege	596	#461432638.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

#461432638.exe#461432638.exe

description	pid	process	target process
PID 2336 wrote to memory of 1164	2336	#461432638.exe	schtasks.exe
PID 2336 wrote to memory of 1164	2336	#461432638.exe	schtasks.exe
PID 2336 wrote to memory of 1164	2336	#461432638.exe	schtasks.exe
PID 2336 wrote to memory of 596	2336	#461432638.exe	#461432638.exe
PID 2336 wrote to memory of 596	2336	#461432638.exe	#461432638.exe
PID 2336 wrote to memory of 596	2336	#461432638.exe	#461432638.exe
PID 2336 wrote to memory of 596	2336	#461432638.exe	#461432638.exe
PID 2336 wrote to memory of 596	2336	#461432638.exe	#461432638.exe
PID 2336 wrote to memory of 596	2336	#461432638.exe	#461432638.exe
PID 2336 wrote to memory of 596	2336	#461432638.exe	#461432638.exe
PID 2336 wrote to memory of 596	2336	#461432638.exe	#461432638.exe
PID 596 wrote to memory of 1176	596	#461432638.exe	netsh.exe
PID 596 wrote to memory of 1176	596	#461432638.exe	netsh.exe
PID 596 wrote to memory of 1176	596	#461432638.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\#461432638.exe
"C:\Users\Admin\AppData\Local\Temp\#461432638.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2336

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NjGbuw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7D0C.tmp"
2⤵
- Creates scheduled task(s)
PID:1164

C:\Users\Admin\AppData\Local\Temp\#461432638.exe
"{path}"
2⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:596

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\#461432638.exe" "#461432638.exe" ENABLE
3⤵
PID:1176

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\#461432638.exe.log

MD5
90acfd72f14a512712b1a7380c0faf60

SHA1
40ba4accb8faa75887e84fb8e38d598dc8cf0f12

SHA256
20806822f0c130b340504132c1461b589261fbbc518e468f4f90733ab514cb86

SHA512
29dbf85e14e60868574cb4dc9bda83d3c229fb956733d8d2557f2475ee0e690ac9c2e72f31e02284996da6906ba2dbfa382a29b04c15a2406571d8ee19ad16b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7D0C.tmp

MD5
5e8ac5638777d70286cc5f95a91397dc

SHA1
40eeac66685cd6e8b4d59a95d7d6ccfa551a67b8

SHA256
1d488ae0d7666ef9d582115b0ff1caebb6769e81c90f506245232c6e5587aef8

SHA512
bf83e07126aa171bf02a4b8b78b4007f40f52395599825e32f517c35b254db2e196fe37ca1074aba2c6a16501d865053db425d97eb6e0321d6d24ef4a75aa335

Download Submit
memory/596-130-0x00000000064D0000-0x00000000064E8000-memory.dmp

Filesize
96KB

Download
memory/596-129-0x0000000005E40000-0x0000000005EA6000-memory.dmp

Filesize
408KB

Download
memory/596-128-0x0000000005270000-0x000000000530C000-memory.dmp

Filesize
624KB

Download
memory/596-126-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2336-119-0x0000000005580000-0x000000000558A000-memory.dmp

Filesize
40KB

Download
memory/2336-122-0x0000000005650000-0x000000000565A000-memory.dmp

Filesize
40KB

Download
memory/2336-123-0x00000000075D0000-0x0000000007636000-memory.dmp

Filesize
408KB

Download
memory/2336-124-0x0000000005770000-0x0000000005780000-memory.dmp

Filesize
64KB

Download
memory/2336-121-0x00000000054B0000-0x00000000059AE000-memory.dmp

Filesize
5.0MB

Download
memory/2336-120-0x0000000005670000-0x00000000056C6000-memory.dmp

Filesize
344KB

Download
memory/2336-115-0x0000000000A70000-0x0000000000B6A000-memory.dmp

Filesize
1000KB

Download
memory/2336-118-0x00000000054B0000-0x0000000005542000-memory.dmp

Filesize
584KB

Download
memory/2336-117-0x00000000059B0000-0x0000000005EAE000-memory.dmp

Filesize
5.0MB

Download
memory/2336-116-0x0000000005410000-0x00000000054AC000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads