njrat | c3009a51b416c6a22a6c044cbf0b7a9a9b863a7632da9a4e01efc08aec2bd37e

General

Target

c3009a51b416c6a22a6c044cbf0b7a9a9b863a7632da9a4e01efc08aec2bd37e.exe
Size

546KB
MD5

d297e0db6d63a952b08b6f0e3fe101e7
SHA1

52da80a4605dd658284a4a510861ed875bfb3dd4
SHA256

c3009a51b416c6a22a6c044cbf0b7a9a9b863a7632da9a4e01efc08aec2bd37e
SHA512

66224735ce06bb86a5d28e4c7d2afe0f06865a0e669ddfdbbac5bcf34e27c5955bede4562517b67cd63320b625b37928c6e5b8267c6dafd7bd37ce583fffc451

Score

10^/10

njrat evasion persistence trojan

Malware Config

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

cscript.exe

pid process

1304 cscript.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
1304	cscript.exe

Drops startup file 1 IoCs

Processes:

c3009a51b416c6a22a6c044cbf0b7a9a9b863a7632da9a4e01efc08aec2bd37e.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Mupdate.lnk	c3009a51b416c6a22a6c044cbf0b7a9a9b863a7632da9a4e01efc08aec2bd37e.exe

Loads dropped DLL 2 IoCs

Processes:

regsvr32.execscript.exe

pid process

2052 regsvr32.exe
1304 cscript.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

cscript.exe

description pid process target process

PID 1304 set thread context of 1048 1304 cscript.exe Svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2052	regsvr32.exe
1304	cscript.exe

description	pid	process	target process
PID 1304 set thread context of 1048	1304	cscript.exe	Svchost.exe

Modifies registry class 8 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\DynamicWrapperX	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\DynamicWrapperX\CLSID\ = "{89565275-A714-4a43-912E-978B935EDCCC}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\WOW6432Node	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\WOW6432Node\CLSID	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\injector.vbs.BIN"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\DynamicWrapperX\CLSID	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

Svchost.exe

description	pid	process
Token: SeDebugPrivilege	1048	Svchost.exe
Token: 33	1048	Svchost.exe
Token: SeIncBasePriorityPrivilege	1048	Svchost.exe
Token: 33	1048	Svchost.exe
Token: SeIncBasePriorityPrivilege	1048	Svchost.exe
Token: 33	1048	Svchost.exe
Token: SeIncBasePriorityPrivilege	1048	Svchost.exe
Token: 33	1048	Svchost.exe
Token: SeIncBasePriorityPrivilege	1048	Svchost.exe
Token: 33	1048	Svchost.exe
Token: SeIncBasePriorityPrivilege	1048	Svchost.exe
Token: 33	1048	Svchost.exe
Token: SeIncBasePriorityPrivilege	1048	Svchost.exe
Token: 33	1048	Svchost.exe
Token: SeIncBasePriorityPrivilege	1048	Svchost.exe
Token: 33	1048	Svchost.exe
Token: SeIncBasePriorityPrivilege	1048	Svchost.exe
Token: 33	1048	Svchost.exe
Token: SeIncBasePriorityPrivilege	1048	Svchost.exe
Token: 33	1048	Svchost.exe
Token: SeIncBasePriorityPrivilege	1048	Svchost.exe
Token: 33	1048	Svchost.exe
Token: SeIncBasePriorityPrivilege	1048	Svchost.exe
Token: 33	1048	Svchost.exe
Token: SeIncBasePriorityPrivilege	1048	Svchost.exe
Token: 33	1048	Svchost.exe
Token: SeIncBasePriorityPrivilege	1048	Svchost.exe
Token: 33	1048	Svchost.exe
Token: SeIncBasePriorityPrivilege	1048	Svchost.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

c3009a51b416c6a22a6c044cbf0b7a9a9b863a7632da9a4e01efc08aec2bd37e.exe

pid	process
3220	c3009a51b416c6a22a6c044cbf0b7a9a9b863a7632da9a4e01efc08aec2bd37e.exe
3220	c3009a51b416c6a22a6c044cbf0b7a9a9b863a7632da9a4e01efc08aec2bd37e.exe

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

c3009a51b416c6a22a6c044cbf0b7a9a9b863a7632da9a4e01efc08aec2bd37e.exe

pid	process
3220	c3009a51b416c6a22a6c044cbf0b7a9a9b863a7632da9a4e01efc08aec2bd37e.exe
3220	c3009a51b416c6a22a6c044cbf0b7a9a9b863a7632da9a4e01efc08aec2bd37e.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

c3009a51b416c6a22a6c044cbf0b7a9a9b863a7632da9a4e01efc08aec2bd37e.execscript.exeSvchost.exe

description	pid	process	target process
PID 3220 wrote to memory of 1304	3220	c3009a51b416c6a22a6c044cbf0b7a9a9b863a7632da9a4e01efc08aec2bd37e.exe	cscript.exe
PID 3220 wrote to memory of 1304	3220	c3009a51b416c6a22a6c044cbf0b7a9a9b863a7632da9a4e01efc08aec2bd37e.exe	cscript.exe
PID 3220 wrote to memory of 1304	3220	c3009a51b416c6a22a6c044cbf0b7a9a9b863a7632da9a4e01efc08aec2bd37e.exe	cscript.exe
PID 1304 wrote to memory of 3392	1304	cscript.exe	WSCRIPT.EXE
PID 1304 wrote to memory of 3392	1304	cscript.exe	WSCRIPT.EXE
PID 1304 wrote to memory of 3392	1304	cscript.exe	WSCRIPT.EXE
PID 1304 wrote to memory of 2052	1304	cscript.exe	regsvr32.exe
PID 1304 wrote to memory of 2052	1304	cscript.exe	regsvr32.exe
PID 1304 wrote to memory of 2052	1304	cscript.exe	regsvr32.exe
PID 1304 wrote to memory of 1048	1304	cscript.exe	Svchost.exe
PID 1304 wrote to memory of 1048	1304	cscript.exe	Svchost.exe
PID 1304 wrote to memory of 1048	1304	cscript.exe	Svchost.exe
PID 1304 wrote to memory of 1048	1304	cscript.exe	Svchost.exe
PID 1304 wrote to memory of 1048	1304	cscript.exe	Svchost.exe
PID 1048 wrote to memory of 2924	1048	Svchost.exe	netsh.exe
PID 1048 wrote to memory of 2924	1048	Svchost.exe	netsh.exe
PID 1048 wrote to memory of 2924	1048	Svchost.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\c3009a51b416c6a22a6c044cbf0b7a9a9b863a7632da9a4e01efc08aec2bd37e.exe
"C:\Users\Admin\AppData\Local\Temp\c3009a51b416c6a22a6c044cbf0b7a9a9b863a7632da9a4e01efc08aec2bd37e.exe"
1⤵
- Drops startup file
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3220
- C:\Users\Admin\AppData\Roaming\cscript.exe
  C:\Users\Admin\AppData\Roaming\cscript.exe C:\Users\Admin\AppData\Roaming\Aviras.jse
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1304
- - C:\Windows\SYSWOW64\WSCRIPT.EXE
    "C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Admin\AppData\Roaming\Aviras.jse"
    3⤵
    PID:3392
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\injector.vbs.BIN"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:2052
- - C:\Windows\SysWOW64\Svchost.exe
    "C:\Windows\system32\Svchost.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1048
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Windows\SysWOW64\Svchost.exe" "Svchost.exe" ENABLE
      4⤵
      PID:2924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\injector.vbs.BIN

MD5
e0b8dfd17b8e7de760b273d18e58b142

SHA1
801509fb6783c9e57edc67a72dde3c62080ffbaf

SHA256
4ef3a6703abc6b2b8e2cac3031c1e5b86fe8b377fde92737349ee52bd2604379

SHA512
443359da27b3c87e81ae4f4b9a2ab7e7bf6abfa93551fc62347a0b79b36d79635131abc14d4deddab3ace12fdf973496518f67e1be8dc4903b35fd465835556b

Download Submit
C:\Users\Admin\AppData\Roaming\Aviras.jse

MD5
4bfad154ee2e42e2e4a6ee2801dfd10d

SHA1
be58f5ef3dee2389431ceae13ef89f8555b6d5a8

SHA256
844c84c4f3cafa2d66e6eb2ddff9a3d9caebab9c373498ff9cbd5313d1fd99a5

SHA512
7136c7d16f58ed570d3a8b99f4a676b6a778966b22a52dc3193bcb95d7008b82454a82985d9a0767736673784d59bb5c4232d1ff894cda1260aa317359db79c8

Download Submit
C:\Users\Admin\AppData\Roaming\cscript.exe

MD5
d1ab72db2bedd2f255d35da3da0d4b16

SHA1
860265276b29b42b8c4b077e5c651def9c81b6e9

SHA256
047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0

SHA512
b46830742eebc85e731c14f7dc72cc6734fcc79aab46f6080c95589c438c4cca0a069027badc0a8a78e4deeb31cdf38df3d63db679b793212a32efdad7bb8185

Download Submit
C:\Users\Admin\AppData\Roaming\cscript.exe

MD5
d1ab72db2bedd2f255d35da3da0d4b16

SHA1
860265276b29b42b8c4b077e5c651def9c81b6e9

SHA256
047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0

SHA512
b46830742eebc85e731c14f7dc72cc6734fcc79aab46f6080c95589c438c4cca0a069027badc0a8a78e4deeb31cdf38df3d63db679b793212a32efdad7bb8185

Download Submit
\Users\Admin\AppData\Local\Temp\injector.vbs.BIN

MD5
e0b8dfd17b8e7de760b273d18e58b142

SHA1
801509fb6783c9e57edc67a72dde3c62080ffbaf

SHA256
4ef3a6703abc6b2b8e2cac3031c1e5b86fe8b377fde92737349ee52bd2604379

SHA512
443359da27b3c87e81ae4f4b9a2ab7e7bf6abfa93551fc62347a0b79b36d79635131abc14d4deddab3ace12fdf973496518f67e1be8dc4903b35fd465835556b

Download Submit
\Users\Admin\AppData\Local\Temp\injector.vbs.BIN

MD5
e0b8dfd17b8e7de760b273d18e58b142

SHA1
801509fb6783c9e57edc67a72dde3c62080ffbaf

SHA256
4ef3a6703abc6b2b8e2cac3031c1e5b86fe8b377fde92737349ee52bd2604379

SHA512
443359da27b3c87e81ae4f4b9a2ab7e7bf6abfa93551fc62347a0b79b36d79635131abc14d4deddab3ace12fdf973496518f67e1be8dc4903b35fd465835556b

Download Submit
memory/1048-124-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1048-144-0x0000000003400000-0x000000000340F000-memory.dmp

Filesize
60KB

Download
memory/1048-146-0x0000000003400000-0x000000000340F000-memory.dmp

Filesize
60KB

Download
memory/1048-148-0x0000000003400000-0x000000000340F000-memory.dmp

Filesize
60KB

Download
memory/1048-150-0x0000000003400000-0x000000000340F000-memory.dmp

Filesize
60KB

Download
memory/1048-152-0x0000000003400000-0x000000000340F000-memory.dmp

Filesize
60KB

Download
memory/1048-154-0x0000000003400000-0x000000000340F000-memory.dmp

Filesize
60KB

Download
memory/1048-177-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads