njrat | 6ab420972ed80355eeb88e3f08d4e9124141012b6a25e4f2ed6c19235da10d21

General

Target

Ley N° (0080876540).exe
Size

670KB
MD5

c9bc2ade28395d0077523ecde62bf6ab
SHA1

aa815fa396dcc8549e5a1b39445b517c092acd72
SHA256

6ab420972ed80355eeb88e3f08d4e9124141012b6a25e4f2ed6c19235da10d21
SHA512

1aaca0dcc9974c14f2d724e3f507a86b4ccfe6b5932ceb9d0089774e32729f5ecb6e86f9742f803711f50aabf7e6f2d43c4ab2ce939abad2a553ac4699abac9e

Score

10^/10

njrat 24-ene evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7.3

Botnet

24-ene

C2

googlemaintenanceservice.duckdns.org:7856

Mutex

Client.exe

Attributes

reg_key
Client.exe
splitter
ultimate

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Ley N° (0080876540).exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Ley N° (0080876540).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Ley N° (0080876540).exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Ley N° (0080876540).exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	Ley N° (0080876540).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Ley N° (0080876540).exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Ley N° (0080876540).exe

description pid process target process

PID 1724 set thread context of 1128 1724 Ley N° (0080876540).exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1652 schtasks.exe

description	pid	process	target process
PID 1724 set thread context of 1128	1724	Ley N° (0080876540).exe	RegSvcs.exe

pid	process
1652	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

Ley N° (0080876540).exepowershell.exepowershell.exe

pid	process
1724	Ley N° (0080876540).exe
1724	Ley N° (0080876540).exe
1724	Ley N° (0080876540).exe
1724	Ley N° (0080876540).exe
1724	Ley N° (0080876540).exe
1724	Ley N° (0080876540).exe
1724	Ley N° (0080876540).exe
1724	Ley N° (0080876540).exe
1724	Ley N° (0080876540).exe
1724	Ley N° (0080876540).exe
1724	Ley N° (0080876540).exe
1724	Ley N° (0080876540).exe
1724	Ley N° (0080876540).exe
1724	Ley N° (0080876540).exe
1724	Ley N° (0080876540).exe
1724	Ley N° (0080876540).exe
1212	powershell.exe
1724	Ley N° (0080876540).exe
1620	powershell.exe
1724	Ley N° (0080876540).exe
1724	Ley N° (0080876540).exe
1724	Ley N° (0080876540).exe
1724	Ley N° (0080876540).exe
1724	Ley N° (0080876540).exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

Ley N° (0080876540).exepowershell.exepowershell.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1724	Ley N° (0080876540).exe
Token: SeDebugPrivilege	1212	powershell.exe
Token: SeDebugPrivilege	1620	powershell.exe
Token: SeDebugPrivilege	1128	RegSvcs.exe
Token: 33	1128	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1128	RegSvcs.exe
Token: 33	1128	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1128	RegSvcs.exe
Token: 33	1128	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1128	RegSvcs.exe
Token: 33	1128	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1128	RegSvcs.exe
Token: 33	1128	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1128	RegSvcs.exe
Token: 33	1128	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1128	RegSvcs.exe
Token: 33	1128	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1128	RegSvcs.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

Ley N° (0080876540).exe

description	pid	process	target process
PID 1724 wrote to memory of 1212	1724	Ley N° (0080876540).exe	powershell.exe
PID 1724 wrote to memory of 1212	1724	Ley N° (0080876540).exe	powershell.exe
PID 1724 wrote to memory of 1212	1724	Ley N° (0080876540).exe	powershell.exe
PID 1724 wrote to memory of 1212	1724	Ley N° (0080876540).exe	powershell.exe
PID 1724 wrote to memory of 1620	1724	Ley N° (0080876540).exe	powershell.exe
PID 1724 wrote to memory of 1620	1724	Ley N° (0080876540).exe	powershell.exe
PID 1724 wrote to memory of 1620	1724	Ley N° (0080876540).exe	powershell.exe
PID 1724 wrote to memory of 1620	1724	Ley N° (0080876540).exe	powershell.exe
PID 1724 wrote to memory of 1652	1724	Ley N° (0080876540).exe	schtasks.exe
PID 1724 wrote to memory of 1652	1724	Ley N° (0080876540).exe	schtasks.exe
PID 1724 wrote to memory of 1652	1724	Ley N° (0080876540).exe	schtasks.exe
PID 1724 wrote to memory of 1652	1724	Ley N° (0080876540).exe	schtasks.exe
PID 1724 wrote to memory of 832	1724	Ley N° (0080876540).exe	RegSvcs.exe
PID 1724 wrote to memory of 832	1724	Ley N° (0080876540).exe	RegSvcs.exe
PID 1724 wrote to memory of 832	1724	Ley N° (0080876540).exe	RegSvcs.exe
PID 1724 wrote to memory of 832	1724	Ley N° (0080876540).exe	RegSvcs.exe
PID 1724 wrote to memory of 832	1724	Ley N° (0080876540).exe	RegSvcs.exe
PID 1724 wrote to memory of 832	1724	Ley N° (0080876540).exe	RegSvcs.exe
PID 1724 wrote to memory of 832	1724	Ley N° (0080876540).exe	RegSvcs.exe
PID 1724 wrote to memory of 1128	1724	Ley N° (0080876540).exe	RegSvcs.exe
PID 1724 wrote to memory of 1128	1724	Ley N° (0080876540).exe	RegSvcs.exe
PID 1724 wrote to memory of 1128	1724	Ley N° (0080876540).exe	RegSvcs.exe
PID 1724 wrote to memory of 1128	1724	Ley N° (0080876540).exe	RegSvcs.exe
PID 1724 wrote to memory of 1128	1724	Ley N° (0080876540).exe	RegSvcs.exe
PID 1724 wrote to memory of 1128	1724	Ley N° (0080876540).exe	RegSvcs.exe
PID 1724 wrote to memory of 1128	1724	Ley N° (0080876540).exe	RegSvcs.exe
PID 1724 wrote to memory of 1128	1724	Ley N° (0080876540).exe	RegSvcs.exe
PID 1724 wrote to memory of 1128	1724	Ley N° (0080876540).exe	RegSvcs.exe
PID 1724 wrote to memory of 1128	1724	Ley N° (0080876540).exe	RegSvcs.exe
PID 1724 wrote to memory of 1128	1724	Ley N° (0080876540).exe	RegSvcs.exe
PID 1724 wrote to memory of 1128	1724	Ley N° (0080876540).exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\Ley N° (0080876540).exe
"C:\Users\Admin\AppData\Local\Temp\Ley N° (0080876540).exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Ley N° (0080876540).exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1212

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\qnnHkykD.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qnnHkykD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3A81.tmp"
2⤵
- Creates scheduled task(s)
PID:1652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1128

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3A81.tmp
MD5
d4fc4ee6798011555cead5b93ec6e8e1

SHA1
66e0bea33d6e399c61cb754cbb71f40ea8c959f0

SHA256
41ba7e862ba2b67b59146a15b8185d55057e48866a9d887c5e7fea07fb572ba9

SHA512
f9ecfbfbb209d895fd5d78fe52b83a47cb1ffdee1861b4ed6bba1da3bf5e74082accda50f90f6c8dfb888fc9bd83a5f975582463ce29b8c78f4e5aee379ac523

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
ca053097fc41448ce16225d8c912ebcd

SHA1
48ba79dcf1bab24a46c9651d78e2f4fb0c13782a

SHA256
e217059548f68b54b68930f1166bcb8ef9443a5ae708b175da159a4da54bda46

SHA512
338a8beaee534fd9f9b6666901da11a344158bd27632475222fe6e30fc59b5276e02c80ff0b7bea47c6ea4c36931617737b078056c86f827ad95817d35e86d91

Download Submit
memory/1128-73-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1128-80-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/1128-78-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1128-76-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1128-77-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1128-75-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1128-74-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1212-63-0x0000000002320000-0x00000000025B0000-memory.dmp

Filesize
2.6MB

Download
memory/1212-64-0x0000000002320000-0x00000000025B0000-memory.dmp

Filesize
2.6MB

Download
memory/1620-70-0x0000000002500000-0x000000000314A000-memory.dmp

Filesize
12.3MB

Download
memory/1620-72-0x0000000002500000-0x000000000314A000-memory.dmp

Filesize
12.3MB

Download
memory/1620-71-0x0000000002500000-0x000000000314A000-memory.dmp

Filesize
12.3MB

Download
memory/1724-54-0x0000000001020000-0x00000000010CE000-memory.dmp

Filesize
696KB

Download
memory/1724-59-0x0000000000CC0000-0x0000000000D02000-memory.dmp

Filesize
264KB

Download
memory/1724-58-0x0000000000430000-0x000000000043E000-memory.dmp

Filesize
56KB

Download
memory/1724-57-0x000000007EF40000-0x000000007EF41000-memory.dmp

Filesize
4KB

Download
memory/1724-56-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/1724-55-0x0000000076491000-0x0000000076493000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads