njrat | a422e2aaa598e34bd1969b60850785fda811c121f670addc5d1384936aa452f5

Analysis

max time kernel
159s
max time network
132s
platform
windows7_x64
resource
win7-en-20211208
submitted
29-01-2022 03:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a422e2aaa598e34bd1969b60850785fda811c121f670addc5d1384936aa452f5.exe
Size

134KB
MD5

d2d8cd908010759c378de5d945090ac6
SHA1

1c36a8a904b3c1570f8616b0b55d849175e313f1
SHA256

a422e2aaa598e34bd1969b60850785fda811c121f670addc5d1384936aa452f5
SHA512

cf8ed7585b70a2619b4af5487869bb497df8e020afbed09340d60f51c76dd90105a6c608f1adca2093f5fa0111bbea13d740254e1a026d90564bc7c7ed5da48e

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

basbas.no-ip.biz:5552

Mutex

7f3b28763aa416cc47f3cf93980140c8

Attributes

reg_key
7f3b28763aa416cc47f3cf93980140c8
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 3 IoCs

Processes:

SkypeIcon.exesvshost.exeserver.exe

pid process

332 SkypeIcon.exe
884 svshost.exe
1948 server.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
332	SkypeIcon.exe
884	svshost.exe
1948	server.exe

Drops startup file 2 IoCs

Processes:

server.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7f3b28763aa416cc47f3cf93980140c8.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7f3b28763aa416cc47f3cf93980140c8.exe	server.exe

Loads dropped DLL 3 IoCs

Processes:

a422e2aaa598e34bd1969b60850785fda811c121f670addc5d1384936aa452f5.exe

pid	process
1592	a422e2aaa598e34bd1969b60850785fda811c121f670addc5d1384936aa452f5.exe
1592	a422e2aaa598e34bd1969b60850785fda811c121f670addc5d1384936aa452f5.exe
1592	a422e2aaa598e34bd1969b60850785fda811c121f670addc5d1384936aa452f5.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

server.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\7f3b28763aa416cc47f3cf93980140c8 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7f3b28763aa416cc47f3cf93980140c8 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

server.exe

description	pid	process
Token: SeDebugPrivilege	1948	server.exe
Token: 33	1948	server.exe
Token: SeIncBasePriorityPrivilege	1948	server.exe
Token: 33	1948	server.exe
Token: SeIncBasePriorityPrivilege	1948	server.exe
Token: 33	1948	server.exe
Token: SeIncBasePriorityPrivilege	1948	server.exe
Token: 33	1948	server.exe
Token: SeIncBasePriorityPrivilege	1948	server.exe
Token: 33	1948	server.exe
Token: SeIncBasePriorityPrivilege	1948	server.exe
Token: 33	1948	server.exe
Token: SeIncBasePriorityPrivilege	1948	server.exe
Token: 33	1948	server.exe
Token: SeIncBasePriorityPrivilege	1948	server.exe
Token: 33	1948	server.exe
Token: SeIncBasePriorityPrivilege	1948	server.exe
Token: 33	1948	server.exe
Token: SeIncBasePriorityPrivilege	1948	server.exe
Token: 33	1948	server.exe
Token: SeIncBasePriorityPrivilege	1948	server.exe
Token: 33	1948	server.exe
Token: SeIncBasePriorityPrivilege	1948	server.exe
Token: 33	1948	server.exe
Token: SeIncBasePriorityPrivilege	1948	server.exe
Token: 33	1948	server.exe
Token: SeIncBasePriorityPrivilege	1948	server.exe
Token: 33	1948	server.exe
Token: SeIncBasePriorityPrivilege	1948	server.exe
Token: 33	1948	server.exe
Token: SeIncBasePriorityPrivilege	1948	server.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

a422e2aaa598e34bd1969b60850785fda811c121f670addc5d1384936aa452f5.exesvshost.exeserver.exe

description	pid	process	target process
PID 1592 wrote to memory of 332	1592	a422e2aaa598e34bd1969b60850785fda811c121f670addc5d1384936aa452f5.exe	SkypeIcon.exe
PID 1592 wrote to memory of 332	1592	a422e2aaa598e34bd1969b60850785fda811c121f670addc5d1384936aa452f5.exe	SkypeIcon.exe
PID 1592 wrote to memory of 332	1592	a422e2aaa598e34bd1969b60850785fda811c121f670addc5d1384936aa452f5.exe	SkypeIcon.exe
PID 1592 wrote to memory of 332	1592	a422e2aaa598e34bd1969b60850785fda811c121f670addc5d1384936aa452f5.exe	SkypeIcon.exe
PID 1592 wrote to memory of 884	1592	a422e2aaa598e34bd1969b60850785fda811c121f670addc5d1384936aa452f5.exe	svshost.exe
PID 1592 wrote to memory of 884	1592	a422e2aaa598e34bd1969b60850785fda811c121f670addc5d1384936aa452f5.exe	svshost.exe
PID 1592 wrote to memory of 884	1592	a422e2aaa598e34bd1969b60850785fda811c121f670addc5d1384936aa452f5.exe	svshost.exe
PID 1592 wrote to memory of 884	1592	a422e2aaa598e34bd1969b60850785fda811c121f670addc5d1384936aa452f5.exe	svshost.exe
PID 884 wrote to memory of 1948	884	svshost.exe	server.exe
PID 884 wrote to memory of 1948	884	svshost.exe	server.exe
PID 884 wrote to memory of 1948	884	svshost.exe	server.exe
PID 1948 wrote to memory of 856	1948	server.exe	netsh.exe
PID 1948 wrote to memory of 856	1948	server.exe	netsh.exe
PID 1948 wrote to memory of 856	1948	server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\a422e2aaa598e34bd1969b60850785fda811c121f670addc5d1384936aa452f5.exe
"C:\Users\Admin\AppData\Local\Temp\a422e2aaa598e34bd1969b60850785fda811c121f670addc5d1384936aa452f5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1592

C:\Users\Admin\AppData\Local\Temp\SkypeIcon.exe
"C:\Users\Admin\AppData\Local\Temp\SkypeIcon.exe"
2⤵
- Executes dropped EXE
PID:332

C:\Users\Admin\AppData\Local\Temp\svshost.exe
"C:\Users\Admin\AppData\Local\Temp\svshost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:884

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\system32\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
4⤵
PID:856

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SkypeIcon.exe
MD5
00b0ace97eaa8a8f1cc1867e49b1fe74

SHA1
de074ce41fa91dffca582fd80ac402f874c533fc

SHA256
ef2f4949ad2dc34facf4aa602ffa7cacb0c381f687fc8276400442ccaa51ab53

SHA512
6e2b2e414ef46cad52bc90264135fd3b502b6a2aefef7bfbcf3af85f3918136924814952603c15d53ca0be40ed6bb4e7a5584fafdbbf59bb1ecd2730d1ad28c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkypeIcon.exe
MD5
00b0ace97eaa8a8f1cc1867e49b1fe74

SHA1
de074ce41fa91dffca582fd80ac402f874c533fc

SHA256
ef2f4949ad2dc34facf4aa602ffa7cacb0c381f687fc8276400442ccaa51ab53

SHA512
6e2b2e414ef46cad52bc90264135fd3b502b6a2aefef7bfbcf3af85f3918136924814952603c15d53ca0be40ed6bb4e7a5584fafdbbf59bb1ecd2730d1ad28c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe
MD5
acc84e35e4fcffa454639189fc4ae89d

SHA1
9b366eec0ee57722eb163c3375a726c12d3a2d80

SHA256
45b2f651641b068ac61e44423c3f0d62b36f12c939d3cc513bce3536f766a087

SHA512
3959ef037e14a8a94de4a8602b0c3a967bef73b2a71f79a771bb61b39d67c501f44fb6baf986fa1b30da7859fb4885a8b0c95f8876d69334a79a47d24a35f2c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe
MD5
acc84e35e4fcffa454639189fc4ae89d

SHA1
9b366eec0ee57722eb163c3375a726c12d3a2d80

SHA256
45b2f651641b068ac61e44423c3f0d62b36f12c939d3cc513bce3536f766a087

SHA512
3959ef037e14a8a94de4a8602b0c3a967bef73b2a71f79a771bb61b39d67c501f44fb6baf986fa1b30da7859fb4885a8b0c95f8876d69334a79a47d24a35f2c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\svshost.exe
MD5
acc84e35e4fcffa454639189fc4ae89d

SHA1
9b366eec0ee57722eb163c3375a726c12d3a2d80

SHA256
45b2f651641b068ac61e44423c3f0d62b36f12c939d3cc513bce3536f766a087

SHA512
3959ef037e14a8a94de4a8602b0c3a967bef73b2a71f79a771bb61b39d67c501f44fb6baf986fa1b30da7859fb4885a8b0c95f8876d69334a79a47d24a35f2c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\svshost.exe
MD5
acc84e35e4fcffa454639189fc4ae89d

SHA1
9b366eec0ee57722eb163c3375a726c12d3a2d80

SHA256
45b2f651641b068ac61e44423c3f0d62b36f12c939d3cc513bce3536f766a087

SHA512
3959ef037e14a8a94de4a8602b0c3a967bef73b2a71f79a771bb61b39d67c501f44fb6baf986fa1b30da7859fb4885a8b0c95f8876d69334a79a47d24a35f2c6

Download Submit
\Users\Admin\AppData\Local\Temp\SkypeIcon.exe
MD5
00b0ace97eaa8a8f1cc1867e49b1fe74

SHA1
de074ce41fa91dffca582fd80ac402f874c533fc

SHA256
ef2f4949ad2dc34facf4aa602ffa7cacb0c381f687fc8276400442ccaa51ab53

SHA512
6e2b2e414ef46cad52bc90264135fd3b502b6a2aefef7bfbcf3af85f3918136924814952603c15d53ca0be40ed6bb4e7a5584fafdbbf59bb1ecd2730d1ad28c4

Download Submit
\Users\Admin\AppData\Local\Temp\SkypeIcon.exe
MD5
00b0ace97eaa8a8f1cc1867e49b1fe74

SHA1
de074ce41fa91dffca582fd80ac402f874c533fc

SHA256
ef2f4949ad2dc34facf4aa602ffa7cacb0c381f687fc8276400442ccaa51ab53

SHA512
6e2b2e414ef46cad52bc90264135fd3b502b6a2aefef7bfbcf3af85f3918136924814952603c15d53ca0be40ed6bb4e7a5584fafdbbf59bb1ecd2730d1ad28c4

Download Submit
\Users\Admin\AppData\Local\Temp\svshost.exe
MD5
acc84e35e4fcffa454639189fc4ae89d

SHA1
9b366eec0ee57722eb163c3375a726c12d3a2d80

SHA256
45b2f651641b068ac61e44423c3f0d62b36f12c939d3cc513bce3536f766a087

SHA512
3959ef037e14a8a94de4a8602b0c3a967bef73b2a71f79a771bb61b39d67c501f44fb6baf986fa1b30da7859fb4885a8b0c95f8876d69334a79a47d24a35f2c6

Download Submit
memory/884-64-0x00000000002B0000-0x00000000002BE000-memory.dmp

Filesize
56KB

Download
memory/884-65-0x00000000002F0000-0x00000000002FC000-memory.dmp

Filesize
48KB

Download
memory/884-66-0x000007FEFC3C1000-0x000007FEFC3C3000-memory.dmp

Filesize
8KB

Download
memory/1592-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/1948-69-0x0000000001180000-0x000000000118E000-memory.dmp

Filesize
56KB

Download
memory/1948-71-0x0000000002590000-0x000000001AA00000-memory.dmp

Filesize
388.4MB

Download