njrat | 6ab420972ed80355eeb88e3f08d4e9124141012b6a25e4f2ed6c19235da10d21

General

Target

c9bc2ade28395d0077523ecde62bf6ab.exe
Size

670KB
MD5

c9bc2ade28395d0077523ecde62bf6ab
SHA1

aa815fa396dcc8549e5a1b39445b517c092acd72
SHA256

6ab420972ed80355eeb88e3f08d4e9124141012b6a25e4f2ed6c19235da10d21
SHA512

1aaca0dcc9974c14f2d724e3f507a86b4ccfe6b5932ceb9d0089774e32729f5ecb6e86f9742f803711f50aabf7e6f2d43c4ab2ce939abad2a553ac4699abac9e

Score

10^/10

njrat 24-ene evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7.3

Botnet

24-ene

C2

googlemaintenanceservice.duckdns.org:7856

Mutex

Client.exe

Attributes

reg_key
Client.exe
splitter
ultimate

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c9bc2ade28395d0077523ecde62bf6ab.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c9bc2ade28395d0077523ecde62bf6ab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	c9bc2ade28395d0077523ecde62bf6ab.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

c9bc2ade28395d0077523ecde62bf6ab.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	c9bc2ade28395d0077523ecde62bf6ab.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	c9bc2ade28395d0077523ecde62bf6ab.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

c9bc2ade28395d0077523ecde62bf6ab.exe

description pid process target process

PID 2700 set thread context of 2124 2700 c9bc2ade28395d0077523ecde62bf6ab.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2320 schtasks.exe

description	pid	process	target process
PID 2700 set thread context of 2124	2700	c9bc2ade28395d0077523ecde62bf6ab.exe	RegSvcs.exe

pid	process
2320	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

c9bc2ade28395d0077523ecde62bf6ab.exepowershell.exepowershell.exe

pid	process
2700	c9bc2ade28395d0077523ecde62bf6ab.exe
2700	c9bc2ade28395d0077523ecde62bf6ab.exe
2700	c9bc2ade28395d0077523ecde62bf6ab.exe
2700	c9bc2ade28395d0077523ecde62bf6ab.exe
2700	c9bc2ade28395d0077523ecde62bf6ab.exe
2700	c9bc2ade28395d0077523ecde62bf6ab.exe
2700	c9bc2ade28395d0077523ecde62bf6ab.exe
2700	c9bc2ade28395d0077523ecde62bf6ab.exe
2700	c9bc2ade28395d0077523ecde62bf6ab.exe
2700	c9bc2ade28395d0077523ecde62bf6ab.exe
2700	c9bc2ade28395d0077523ecde62bf6ab.exe
2700	c9bc2ade28395d0077523ecde62bf6ab.exe
2700	c9bc2ade28395d0077523ecde62bf6ab.exe
2700	c9bc2ade28395d0077523ecde62bf6ab.exe
2700	c9bc2ade28395d0077523ecde62bf6ab.exe
2700	c9bc2ade28395d0077523ecde62bf6ab.exe
2700	c9bc2ade28395d0077523ecde62bf6ab.exe
1216	powershell.exe
2700	c9bc2ade28395d0077523ecde62bf6ab.exe
3428	powershell.exe
2700	c9bc2ade28395d0077523ecde62bf6ab.exe
1216	powershell.exe
3428	powershell.exe
1216	powershell.exe
3428	powershell.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

c9bc2ade28395d0077523ecde62bf6ab.exepowershell.exepowershell.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	2700	c9bc2ade28395d0077523ecde62bf6ab.exe
Token: SeDebugPrivilege	1216	powershell.exe
Token: SeDebugPrivilege	3428	powershell.exe
Token: SeDebugPrivilege	2124	RegSvcs.exe
Token: 33	2124	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2124	RegSvcs.exe
Token: 33	2124	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2124	RegSvcs.exe
Token: 33	2124	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2124	RegSvcs.exe
Token: 33	2124	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2124	RegSvcs.exe
Token: 33	2124	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2124	RegSvcs.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

c9bc2ade28395d0077523ecde62bf6ab.exe

description	pid	process	target process
PID 2700 wrote to memory of 1216	2700	c9bc2ade28395d0077523ecde62bf6ab.exe	powershell.exe
PID 2700 wrote to memory of 1216	2700	c9bc2ade28395d0077523ecde62bf6ab.exe	powershell.exe
PID 2700 wrote to memory of 1216	2700	c9bc2ade28395d0077523ecde62bf6ab.exe	powershell.exe
PID 2700 wrote to memory of 3428	2700	c9bc2ade28395d0077523ecde62bf6ab.exe	powershell.exe
PID 2700 wrote to memory of 3428	2700	c9bc2ade28395d0077523ecde62bf6ab.exe	powershell.exe
PID 2700 wrote to memory of 3428	2700	c9bc2ade28395d0077523ecde62bf6ab.exe	powershell.exe
PID 2700 wrote to memory of 2320	2700	c9bc2ade28395d0077523ecde62bf6ab.exe	schtasks.exe
PID 2700 wrote to memory of 2320	2700	c9bc2ade28395d0077523ecde62bf6ab.exe	schtasks.exe
PID 2700 wrote to memory of 2320	2700	c9bc2ade28395d0077523ecde62bf6ab.exe	schtasks.exe
PID 2700 wrote to memory of 2124	2700	c9bc2ade28395d0077523ecde62bf6ab.exe	RegSvcs.exe
PID 2700 wrote to memory of 2124	2700	c9bc2ade28395d0077523ecde62bf6ab.exe	RegSvcs.exe
PID 2700 wrote to memory of 2124	2700	c9bc2ade28395d0077523ecde62bf6ab.exe	RegSvcs.exe
PID 2700 wrote to memory of 2124	2700	c9bc2ade28395d0077523ecde62bf6ab.exe	RegSvcs.exe
PID 2700 wrote to memory of 2124	2700	c9bc2ade28395d0077523ecde62bf6ab.exe	RegSvcs.exe
PID 2700 wrote to memory of 2124	2700	c9bc2ade28395d0077523ecde62bf6ab.exe	RegSvcs.exe
PID 2700 wrote to memory of 2124	2700	c9bc2ade28395d0077523ecde62bf6ab.exe	RegSvcs.exe
PID 2700 wrote to memory of 2124	2700	c9bc2ade28395d0077523ecde62bf6ab.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\c9bc2ade28395d0077523ecde62bf6ab.exe
"C:\Users\Admin\AppData\Local\Temp\c9bc2ade28395d0077523ecde62bf6ab.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\c9bc2ade28395d0077523ecde62bf6ab.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1216
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\qnnHkykD.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3428
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qnnHkykD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1ECA.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
bcef88cd6dacb65b3fb6fb42c341b135

SHA1
ad66d06afec397797c2ca525776fec3d5cd6c65e

SHA256
b848b76de7eb782b33ae1c4175ba15704bf5df6dd10ae84dc56f552fbfbaa05d

SHA512
ebfd7ed4fe93d44178f9fcaae9f47f9edff0d3ce6b643fa07232e17211f5c34c1efb184b7e6ce5754abe888225beda62d150f93486b8f5bee7b03905757a64a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1ECA.tmp

MD5
a20e9d4805cdf592c93f819bc9c707b3

SHA1
4a75ee33097eb41a0671e917245ea318265c018e

SHA256
31a3809e03820495b5e3e3260e5a9f775c0415ced85f4a0afbd6af2e5f559f6a

SHA512
0086e3007d6e5e9cab191027ec8b4cefd99a1ff482b83521fa9464bc37ff70dfdef726a2ccfa9a79104bfa9633a7e3adeaf8b2eb2dc007211c31305a66623401

Download Submit
memory/1216-162-0x00000000098B0000-0x00000000098CE000-memory.dmp

Filesize
120KB

Download
memory/1216-129-0x0000000004EF0000-0x0000000004F26000-memory.dmp

Filesize
216KB

Download
memory/1216-174-0x0000000009DE0000-0x0000000009E74000-memory.dmp

Filesize
592KB

Download
memory/1216-173-0x000000007E8C0000-0x000000007E8C1000-memory.dmp

Filesize
4KB

Download
memory/1216-171-0x0000000009A10000-0x0000000009AB5000-memory.dmp

Filesize
660KB

Download
memory/1216-141-0x0000000008600000-0x000000000861C000-memory.dmp

Filesize
112KB

Download
memory/1216-143-0x0000000008A80000-0x0000000008AF6000-memory.dmp

Filesize
472KB

Download
memory/1216-188-0x0000000007463000-0x0000000007464000-memory.dmp

Filesize
4KB

Download
memory/1216-128-0x0000000007460000-0x0000000007461000-memory.dmp

Filesize
4KB

Download
memory/1216-130-0x0000000007AA0000-0x00000000080C8000-memory.dmp

Filesize
6.2MB

Download
memory/1216-131-0x0000000007960000-0x0000000007982000-memory.dmp

Filesize
136KB

Download
memory/1216-134-0x0000000007A00000-0x0000000007A66000-memory.dmp

Filesize
408KB

Download
memory/1216-561-0x0000000009CF0000-0x0000000009D0A000-memory.dmp

Filesize
104KB

Download
memory/1216-136-0x0000000007462000-0x0000000007463000-memory.dmp

Filesize
4KB

Download
memory/2124-157-0x00000000058C0000-0x0000000005DBE000-memory.dmp

Filesize
5.0MB

Download
memory/2124-140-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2700-125-0x0000000001260000-0x00000000012C6000-memory.dmp

Filesize
408KB

Download
memory/2700-120-0x0000000005430000-0x000000000543A000-memory.dmp

Filesize
40KB

Download
memory/2700-117-0x0000000005790000-0x0000000005C8E000-memory.dmp

Filesize
5.0MB

Download
memory/2700-118-0x0000000005380000-0x0000000005412000-memory.dmp

Filesize
584KB

Download
memory/2700-119-0x0000000005290000-0x000000000578E000-memory.dmp

Filesize
5.0MB

Download
memory/2700-116-0x0000000000AA0000-0x0000000000B4E000-memory.dmp

Filesize
696KB

Download
memory/2700-121-0x0000000007890000-0x000000000792C000-memory.dmp

Filesize
624KB

Download
memory/2700-124-0x0000000007C10000-0x0000000007C52000-memory.dmp

Filesize
264KB

Download
memory/2700-123-0x000000007EC70000-0x000000007EC71000-memory.dmp

Filesize
4KB

Download
memory/2700-122-0x0000000007940000-0x000000000794E000-memory.dmp

Filesize
56KB

Download
memory/3428-172-0x000000007E830000-0x000000007E831000-memory.dmp

Filesize
4KB

Download
memory/3428-161-0x0000000009730000-0x0000000009763000-memory.dmp

Filesize
204KB

Download
memory/3428-186-0x0000000007023000-0x0000000007024000-memory.dmp

Filesize
4KB

Download
memory/3428-139-0x0000000008050000-0x00000000083A0000-memory.dmp

Filesize
3.3MB

Download
memory/3428-137-0x0000000007020000-0x0000000007021000-memory.dmp

Filesize
4KB

Download
memory/3428-570-0x0000000009940000-0x0000000009948000-memory.dmp

Filesize
32KB

Download
memory/3428-142-0x00000000083A0000-0x00000000083EB000-memory.dmp

Filesize
300KB

Download
memory/3428-138-0x0000000007022000-0x0000000007023000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads