njrat | 6ab420972ed80355eeb88e3f08d4e9124141012b6a25e4f2ed6c19235da10d21

General

Target

c9bc2ade28395d0077523ecde62bf6ab.exe
Size

670KB
MD5

c9bc2ade28395d0077523ecde62bf6ab
SHA1

aa815fa396dcc8549e5a1b39445b517c092acd72
SHA256

6ab420972ed80355eeb88e3f08d4e9124141012b6a25e4f2ed6c19235da10d21
SHA512

1aaca0dcc9974c14f2d724e3f507a86b4ccfe6b5932ceb9d0089774e32729f5ecb6e86f9742f803711f50aabf7e6f2d43c4ab2ce939abad2a553ac4699abac9e

Score

10^/10

njrat 24-ene evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7.3

Botnet

24-ene

C2

googlemaintenanceservice.duckdns.org:7856

Mutex

Client.exe

Attributes

reg_key
Client.exe
splitter
ultimate

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c9bc2ade28395d0077523ecde62bf6ab.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c9bc2ade28395d0077523ecde62bf6ab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	c9bc2ade28395d0077523ecde62bf6ab.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

c9bc2ade28395d0077523ecde62bf6ab.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	c9bc2ade28395d0077523ecde62bf6ab.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	c9bc2ade28395d0077523ecde62bf6ab.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

c9bc2ade28395d0077523ecde62bf6ab.exe

description pid process target process

PID 1592 set thread context of 1960 1592 c9bc2ade28395d0077523ecde62bf6ab.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1448 schtasks.exe

description	pid	process	target process
PID 1592 set thread context of 1960	1592	c9bc2ade28395d0077523ecde62bf6ab.exe	RegSvcs.exe

pid	process
1448	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

c9bc2ade28395d0077523ecde62bf6ab.exepowershell.exepowershell.exe

pid	process
1592	c9bc2ade28395d0077523ecde62bf6ab.exe
1592	c9bc2ade28395d0077523ecde62bf6ab.exe
1592	c9bc2ade28395d0077523ecde62bf6ab.exe
1592	c9bc2ade28395d0077523ecde62bf6ab.exe
1592	c9bc2ade28395d0077523ecde62bf6ab.exe
1592	c9bc2ade28395d0077523ecde62bf6ab.exe
1592	c9bc2ade28395d0077523ecde62bf6ab.exe
1592	c9bc2ade28395d0077523ecde62bf6ab.exe
1592	c9bc2ade28395d0077523ecde62bf6ab.exe
1592	c9bc2ade28395d0077523ecde62bf6ab.exe
1592	c9bc2ade28395d0077523ecde62bf6ab.exe
1592	c9bc2ade28395d0077523ecde62bf6ab.exe
1592	c9bc2ade28395d0077523ecde62bf6ab.exe
1592	c9bc2ade28395d0077523ecde62bf6ab.exe
1592	c9bc2ade28395d0077523ecde62bf6ab.exe
1592	c9bc2ade28395d0077523ecde62bf6ab.exe
428	powershell.exe
1588	powershell.exe
1592	c9bc2ade28395d0077523ecde62bf6ab.exe
1592	c9bc2ade28395d0077523ecde62bf6ab.exe
1592	c9bc2ade28395d0077523ecde62bf6ab.exe
1592	c9bc2ade28395d0077523ecde62bf6ab.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

c9bc2ade28395d0077523ecde62bf6ab.exepowershell.exepowershell.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1592	c9bc2ade28395d0077523ecde62bf6ab.exe
Token: SeDebugPrivilege	428	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	1960	RegSvcs.exe
Token: 33	1960	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1960	RegSvcs.exe
Token: 33	1960	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1960	RegSvcs.exe
Token: 33	1960	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1960	RegSvcs.exe
Token: 33	1960	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1960	RegSvcs.exe
Token: 33	1960	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1960	RegSvcs.exe
Token: 33	1960	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1960	RegSvcs.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

c9bc2ade28395d0077523ecde62bf6ab.exe

description	pid	process	target process
PID 1592 wrote to memory of 428	1592	c9bc2ade28395d0077523ecde62bf6ab.exe	powershell.exe
PID 1592 wrote to memory of 428	1592	c9bc2ade28395d0077523ecde62bf6ab.exe	powershell.exe
PID 1592 wrote to memory of 428	1592	c9bc2ade28395d0077523ecde62bf6ab.exe	powershell.exe
PID 1592 wrote to memory of 428	1592	c9bc2ade28395d0077523ecde62bf6ab.exe	powershell.exe
PID 1592 wrote to memory of 1588	1592	c9bc2ade28395d0077523ecde62bf6ab.exe	powershell.exe
PID 1592 wrote to memory of 1588	1592	c9bc2ade28395d0077523ecde62bf6ab.exe	powershell.exe
PID 1592 wrote to memory of 1588	1592	c9bc2ade28395d0077523ecde62bf6ab.exe	powershell.exe
PID 1592 wrote to memory of 1588	1592	c9bc2ade28395d0077523ecde62bf6ab.exe	powershell.exe
PID 1592 wrote to memory of 1448	1592	c9bc2ade28395d0077523ecde62bf6ab.exe	schtasks.exe
PID 1592 wrote to memory of 1448	1592	c9bc2ade28395d0077523ecde62bf6ab.exe	schtasks.exe
PID 1592 wrote to memory of 1448	1592	c9bc2ade28395d0077523ecde62bf6ab.exe	schtasks.exe
PID 1592 wrote to memory of 1448	1592	c9bc2ade28395d0077523ecde62bf6ab.exe	schtasks.exe
PID 1592 wrote to memory of 1960	1592	c9bc2ade28395d0077523ecde62bf6ab.exe	RegSvcs.exe
PID 1592 wrote to memory of 1960	1592	c9bc2ade28395d0077523ecde62bf6ab.exe	RegSvcs.exe
PID 1592 wrote to memory of 1960	1592	c9bc2ade28395d0077523ecde62bf6ab.exe	RegSvcs.exe
PID 1592 wrote to memory of 1960	1592	c9bc2ade28395d0077523ecde62bf6ab.exe	RegSvcs.exe
PID 1592 wrote to memory of 1960	1592	c9bc2ade28395d0077523ecde62bf6ab.exe	RegSvcs.exe
PID 1592 wrote to memory of 1960	1592	c9bc2ade28395d0077523ecde62bf6ab.exe	RegSvcs.exe
PID 1592 wrote to memory of 1960	1592	c9bc2ade28395d0077523ecde62bf6ab.exe	RegSvcs.exe
PID 1592 wrote to memory of 1960	1592	c9bc2ade28395d0077523ecde62bf6ab.exe	RegSvcs.exe
PID 1592 wrote to memory of 1960	1592	c9bc2ade28395d0077523ecde62bf6ab.exe	RegSvcs.exe
PID 1592 wrote to memory of 1960	1592	c9bc2ade28395d0077523ecde62bf6ab.exe	RegSvcs.exe
PID 1592 wrote to memory of 1960	1592	c9bc2ade28395d0077523ecde62bf6ab.exe	RegSvcs.exe
PID 1592 wrote to memory of 1960	1592	c9bc2ade28395d0077523ecde62bf6ab.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\c9bc2ade28395d0077523ecde62bf6ab.exe
"C:\Users\Admin\AppData\Local\Temp\c9bc2ade28395d0077523ecde62bf6ab.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1592
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\c9bc2ade28395d0077523ecde62bf6ab.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:428
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\qnnHkykD.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1588
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qnnHkykD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2462.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2462.tmp

MD5
d4fc4ee6798011555cead5b93ec6e8e1

SHA1
66e0bea33d6e399c61cb754cbb71f40ea8c959f0

SHA256
41ba7e862ba2b67b59146a15b8185d55057e48866a9d887c5e7fea07fb572ba9

SHA512
f9ecfbfbb209d895fd5d78fe52b83a47cb1ffdee1861b4ed6bba1da3bf5e74082accda50f90f6c8dfb888fc9bd83a5f975582463ce29b8c78f4e5aee379ac523

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5
211900c7cd0612f4742e5f9c4428f465

SHA1
cadfe29203d6018af1bd4571c259648874a93931

SHA256
a071d112aabec0c2fa8adf1ceef99d34b58bfec3fb0c3d13bbf0d90c67421ce5

SHA512
4e23f24b4f6e13ecce566dcb289c777242899ad7d9d0fdc5d773c10617a17866cbf7b4885378c9f703f0787877b53a0053d2b4f611d3bb49248cf5261c6eff9b

Download Submit
memory/428-65-0x0000000002400000-0x000000000304A000-memory.dmp

Filesize
12.3MB

Download
memory/428-61-0x0000000002400000-0x000000000304A000-memory.dmp

Filesize
12.3MB

Download
memory/428-63-0x0000000002400000-0x000000000304A000-memory.dmp

Filesize
12.3MB

Download
memory/1588-68-0x00000000021D2000-0x00000000021D4000-memory.dmp

Filesize
8KB

Download
memory/1588-67-0x00000000021D1000-0x00000000021D2000-memory.dmp

Filesize
4KB

Download
memory/1588-66-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/1592-59-0x0000000004D80000-0x0000000004DC2000-memory.dmp

Filesize
264KB

Download
memory/1592-54-0x0000000000830000-0x00000000008DE000-memory.dmp

Filesize
696KB

Download
memory/1592-58-0x000000007EF40000-0x000000007EF41000-memory.dmp

Filesize
4KB

Download
memory/1592-57-0x0000000002000000-0x000000000200E000-memory.dmp

Filesize
56KB

Download
memory/1592-56-0x0000000004A40000-0x0000000004A41000-memory.dmp

Filesize
4KB

Download
memory/1592-55-0x0000000075471000-0x0000000075473000-memory.dmp

Filesize
8KB

Download
memory/1960-70-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1960-71-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1960-73-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1960-72-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1960-74-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1960-75-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1960-77-0x0000000004B60000-0x0000000004B61000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads