njrat | f9e1d6034641cb0a7499c761999a8ce0b94be591312114b20998b881df37e8fb

Analysis

max time kernel
159s
max time network
136s
platform
windows7_x64
resource
win7-en-20211208
submitted
28-01-2022 23:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9e1d6034641cb0a7499c761999a8ce0b94be591312114b20998b881df37e8fb.exe
Size

170KB
MD5

32bcb3e725089e57c3a507f87b2a8dc1
SHA1

a8116e41e7b551c4b8b619fee5a79ed39a8d2e8f
SHA256

f9e1d6034641cb0a7499c761999a8ce0b94be591312114b20998b881df37e8fb
SHA512

63f5079940b7205bebbc84914e8342d9018b830e27622cc3a70e1275acbb23c3c2fc81856955f932cbce812adc23ed38d665f57bb0287cbc47bca6e55e6a42da

Score

10^/10

njrat evasion persistence trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 4 IoCs

Processes:

trade hacker muaway.exesvshost.exe.exesvchost.exe

pid process

436 trade hacker muaway.exe
1492 svshost.exe
752 .exe
648 svchost.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
436	trade hacker muaway.exe
1492	svshost.exe
752	.exe
648	svchost.exe

Drops startup file 2 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a474c6d2b75d64b3ed1078b377b83c48.exe	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a474c6d2b75d64b3ed1078b377b83c48.exe	svchost.exe

Loads dropped DLL 4 IoCs

Processes:

f9e1d6034641cb0a7499c761999a8ce0b94be591312114b20998b881df37e8fb.exe.exe

pid	process
1276	f9e1d6034641cb0a7499c761999a8ce0b94be591312114b20998b881df37e8fb.exe
1276	f9e1d6034641cb0a7499c761999a8ce0b94be591312114b20998b881df37e8fb.exe
752	.exe
752	.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\a474c6d2b75d64b3ed1078b377b83c48 = "\"C:\\Windows\\svchost.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\a474c6d2b75d64b3ed1078b377b83c48 = "\"C:\\Windows\\svchost.exe\" .."	svchost.exe

Drops file in Windows directory 4 IoCs

Processes:

.exesvchost.exe

description	ioc	process
File created	C:\Windows\svchost.exe	.exe
File opened for modification	C:\Windows\svchost.exe	.exe
File created	C:\Windows\svchost.exe.tmp	svchost.exe
File opened for modification	C:\Windows\svchost.exe.tmp	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

svchost.exe

pid	process
648	svchost.exe
648	svchost.exe
648	svchost.exe
648	svchost.exe
648	svchost.exe
648	svchost.exe
648	svchost.exe
648	svchost.exe
648	svchost.exe
648	svchost.exe
648	svchost.exe
648	svchost.exe
648	svchost.exe
648	svchost.exe
648	svchost.exe
648	svchost.exe
648	svchost.exe
648	svchost.exe
648	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeDebugPrivilege 648 svchost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

f9e1d6034641cb0a7499c761999a8ce0b94be591312114b20998b881df37e8fb.exe

pid process

1276 f9e1d6034641cb0a7499c761999a8ce0b94be591312114b20998b881df37e8fb.exe

description	pid	process
Token: SeDebugPrivilege	648	svchost.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

f9e1d6034641cb0a7499c761999a8ce0b94be591312114b20998b881df37e8fb.exesvshost.exe.exesvchost.exe

description	pid	process	target process
PID 1276 wrote to memory of 436	1276	f9e1d6034641cb0a7499c761999a8ce0b94be591312114b20998b881df37e8fb.exe	trade hacker muaway.exe
PID 1276 wrote to memory of 436	1276	f9e1d6034641cb0a7499c761999a8ce0b94be591312114b20998b881df37e8fb.exe	trade hacker muaway.exe
PID 1276 wrote to memory of 436	1276	f9e1d6034641cb0a7499c761999a8ce0b94be591312114b20998b881df37e8fb.exe	trade hacker muaway.exe
PID 1276 wrote to memory of 436	1276	f9e1d6034641cb0a7499c761999a8ce0b94be591312114b20998b881df37e8fb.exe	trade hacker muaway.exe
PID 1276 wrote to memory of 1492	1276	f9e1d6034641cb0a7499c761999a8ce0b94be591312114b20998b881df37e8fb.exe	svshost.exe
PID 1276 wrote to memory of 1492	1276	f9e1d6034641cb0a7499c761999a8ce0b94be591312114b20998b881df37e8fb.exe	svshost.exe
PID 1276 wrote to memory of 1492	1276	f9e1d6034641cb0a7499c761999a8ce0b94be591312114b20998b881df37e8fb.exe	svshost.exe
PID 1276 wrote to memory of 1492	1276	f9e1d6034641cb0a7499c761999a8ce0b94be591312114b20998b881df37e8fb.exe	svshost.exe
PID 1492 wrote to memory of 752	1492	svshost.exe	.exe
PID 1492 wrote to memory of 752	1492	svshost.exe	.exe
PID 1492 wrote to memory of 752	1492	svshost.exe	.exe
PID 1492 wrote to memory of 752	1492	svshost.exe	.exe
PID 1492 wrote to memory of 752	1492	svshost.exe	.exe
PID 1492 wrote to memory of 752	1492	svshost.exe	.exe
PID 1492 wrote to memory of 752	1492	svshost.exe	.exe
PID 752 wrote to memory of 648	752	.exe	svchost.exe
PID 752 wrote to memory of 648	752	.exe	svchost.exe
PID 752 wrote to memory of 648	752	.exe	svchost.exe
PID 752 wrote to memory of 648	752	.exe	svchost.exe
PID 752 wrote to memory of 648	752	.exe	svchost.exe
PID 752 wrote to memory of 648	752	.exe	svchost.exe
PID 752 wrote to memory of 648	752	.exe	svchost.exe
PID 648 wrote to memory of 1312	648	svchost.exe	netsh.exe
PID 648 wrote to memory of 1312	648	svchost.exe	netsh.exe
PID 648 wrote to memory of 1312	648	svchost.exe	netsh.exe
PID 648 wrote to memory of 1312	648	svchost.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\f9e1d6034641cb0a7499c761999a8ce0b94be591312114b20998b881df37e8fb.exe
"C:\Users\Admin\AppData\Local\Temp\f9e1d6034641cb0a7499c761999a8ce0b94be591312114b20998b881df37e8fb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Users\Admin\AppData\Local\Temp\trade hacker muaway.exe
  "C:\Users\Admin\AppData\Local\Temp\trade hacker muaway.exe"
  2⤵
  - Executes dropped EXE
  PID:436
- C:\Users\Admin\AppData\Local\Temp\svshost.exe
  "C:\Users\Admin\AppData\Local\Temp\svshost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Users\Admin\AppData\Local\Temp\.exe
    "C:\Users\Admin\AppData\Local\Temp\.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:752
  - - C:\Windows\svchost.exe
      "C:\Windows\svchost.exe"
      4⤵
      Executes dropped EXE
      Drops startup file
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:648
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\svchost.exe" "svchost.exe" ENABLE
        5⤵
        
        PID:1312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.exe

MD5
dc1269779211c13f66093aebad1ad503

SHA1
60f2dd2a8e12fceb11106f2bde6a407c651fe015

SHA256
4ff0372c5e01ebe8ae489ff2ef049d46befdf4e14b321548ac8e210a4cb60e52

SHA512
8f7d84446e1214c863dcad17f232668a5300c6cbb8304c45192c806612de1da99367ea355a20caa31c258c408c550f12842dee855fac01d808922fe5ef3f52b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\.exe

MD5
dc1269779211c13f66093aebad1ad503

SHA1
60f2dd2a8e12fceb11106f2bde6a407c651fe015

SHA256
4ff0372c5e01ebe8ae489ff2ef049d46befdf4e14b321548ac8e210a4cb60e52

SHA512
8f7d84446e1214c863dcad17f232668a5300c6cbb8304c45192c806612de1da99367ea355a20caa31c258c408c550f12842dee855fac01d808922fe5ef3f52b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\svshost.exe

MD5
13942858263b74d0ee0ed9cc2342d420

SHA1
612b6afe600d0869105a601ca7c884538ace7798

SHA256
deb55200c5b7902be8d40457f3e16ad7ee66b3e331878d88c1ed20537b52e481

SHA512
3da7d861d634037b74856a1aad91f40c4bf4dd60945c72556d3be44d41086c47e0f7e3fd441c579faee3e44353dc8b3c96ba557838bcf76a71e6ea1f7870db22

Download Submit
C:\Users\Admin\AppData\Local\Temp\svshost.exe

MD5
13942858263b74d0ee0ed9cc2342d420

SHA1
612b6afe600d0869105a601ca7c884538ace7798

SHA256
deb55200c5b7902be8d40457f3e16ad7ee66b3e331878d88c1ed20537b52e481

SHA512
3da7d861d634037b74856a1aad91f40c4bf4dd60945c72556d3be44d41086c47e0f7e3fd441c579faee3e44353dc8b3c96ba557838bcf76a71e6ea1f7870db22

Download Submit
C:\Users\Admin\AppData\Local\Temp\trade hacker muaway.exe

MD5
b101315b3665c9bec849f17e0a56f1f0

SHA1
cded1dca5855fc0e86caf0e94f143f7a659c2f19

SHA256
1371ef9e20b0d71fbb7c1e11994d5324a9f522cd0b22cc780149c05248365be3

SHA512
c6643405b4ea14f01100be9dd57e6ab6f1d6c73fed0fc6f1e82f021c8afb05cab81cb42ec6267f00955e5744614e4094c8c529c9df8497eadc43a1fbb17c3680

Download Submit
C:\Users\Admin\AppData\Local\Temp\trade hacker muaway.exe

MD5
b101315b3665c9bec849f17e0a56f1f0

SHA1
cded1dca5855fc0e86caf0e94f143f7a659c2f19

SHA256
1371ef9e20b0d71fbb7c1e11994d5324a9f522cd0b22cc780149c05248365be3

SHA512
c6643405b4ea14f01100be9dd57e6ab6f1d6c73fed0fc6f1e82f021c8afb05cab81cb42ec6267f00955e5744614e4094c8c529c9df8497eadc43a1fbb17c3680

Download Submit
C:\Windows\svchost.exe

MD5
dc1269779211c13f66093aebad1ad503

SHA1
60f2dd2a8e12fceb11106f2bde6a407c651fe015

SHA256
4ff0372c5e01ebe8ae489ff2ef049d46befdf4e14b321548ac8e210a4cb60e52

SHA512
8f7d84446e1214c863dcad17f232668a5300c6cbb8304c45192c806612de1da99367ea355a20caa31c258c408c550f12842dee855fac01d808922fe5ef3f52b3

Download Submit
C:\Windows\svchost.exe

MD5
dc1269779211c13f66093aebad1ad503

SHA1
60f2dd2a8e12fceb11106f2bde6a407c651fe015

SHA256
4ff0372c5e01ebe8ae489ff2ef049d46befdf4e14b321548ac8e210a4cb60e52

SHA512
8f7d84446e1214c863dcad17f232668a5300c6cbb8304c45192c806612de1da99367ea355a20caa31c258c408c550f12842dee855fac01d808922fe5ef3f52b3

Download Submit
\Users\Admin\AppData\Local\Temp\.exe

MD5
dc1269779211c13f66093aebad1ad503

SHA1
60f2dd2a8e12fceb11106f2bde6a407c651fe015

SHA256
4ff0372c5e01ebe8ae489ff2ef049d46befdf4e14b321548ac8e210a4cb60e52

SHA512
8f7d84446e1214c863dcad17f232668a5300c6cbb8304c45192c806612de1da99367ea355a20caa31c258c408c550f12842dee855fac01d808922fe5ef3f52b3

Download Submit
\Users\Admin\AppData\Local\Temp\.exe

MD5
dc1269779211c13f66093aebad1ad503

SHA1
60f2dd2a8e12fceb11106f2bde6a407c651fe015

SHA256
4ff0372c5e01ebe8ae489ff2ef049d46befdf4e14b321548ac8e210a4cb60e52

SHA512
8f7d84446e1214c863dcad17f232668a5300c6cbb8304c45192c806612de1da99367ea355a20caa31c258c408c550f12842dee855fac01d808922fe5ef3f52b3

Download Submit
\Users\Admin\AppData\Local\Temp\svshost.exe

MD5
13942858263b74d0ee0ed9cc2342d420

SHA1
612b6afe600d0869105a601ca7c884538ace7798

SHA256
deb55200c5b7902be8d40457f3e16ad7ee66b3e331878d88c1ed20537b52e481

SHA512
3da7d861d634037b74856a1aad91f40c4bf4dd60945c72556d3be44d41086c47e0f7e3fd441c579faee3e44353dc8b3c96ba557838bcf76a71e6ea1f7870db22

Download Submit
\Users\Admin\AppData\Local\Temp\trade hacker muaway.exe

MD5
b101315b3665c9bec849f17e0a56f1f0

SHA1
cded1dca5855fc0e86caf0e94f143f7a659c2f19

SHA256
1371ef9e20b0d71fbb7c1e11994d5324a9f522cd0b22cc780149c05248365be3

SHA512
c6643405b4ea14f01100be9dd57e6ab6f1d6c73fed0fc6f1e82f021c8afb05cab81cb42ec6267f00955e5744614e4094c8c529c9df8497eadc43a1fbb17c3680

Download Submit
memory/436-73-0x0000000000B76000-0x0000000000B95000-memory.dmp

Filesize
124KB

Download
memory/436-64-0x000007FEF15B0000-0x000007FEF2646000-memory.dmp

Filesize
16.6MB

Download
memory/436-66-0x0000000000B70000-0x0000000000B72000-memory.dmp

Filesize
8KB

Download
memory/648-78-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/752-74-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/1276-55-0x00000000756C1000-0x00000000756C3000-memory.dmp

Filesize
8KB

Download
memory/1492-65-0x000007FEF15B0000-0x000007FEF2646000-memory.dmp

Filesize
16.6MB

Download
memory/1492-67-0x00000000006D0000-0x00000000006D2000-memory.dmp

Filesize
8KB

Download