njrat | b1b661fec381628844d2e6ab3f5bf7d8d545b689500f083b3261095c55e37332

General

Target

b1b661fec381628844d2e6ab3f5bf7d8d545b689500f083b3261095c55e37332.exe
Size

78KB
MD5

26c37b7faa7e4be88b62a530a05766b6
SHA1

b93496235b92c66e0ef16d634ca21b9e276471d9
SHA256

b1b661fec381628844d2e6ab3f5bf7d8d545b689500f083b3261095c55e37332
SHA512

98587b1c1f61a0085092560411df3288f8bd594832c9314e38de7d3c9eb8479e94c18c51670566f827973bd6f93454e6ea057eeb3a1fb8c1259b32e62f38f65e

Score

10^/10

njrat system persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7.3

Botnet

system

C2

turk3i.ddns.net:1008

Mutex

system.exe

Attributes

reg_key
system.exe
splitter
123

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 3 IoCs

Processes:

system.exesystem.exesystem.exe

pid process

1740 system.exe
1480 system.exe
1768 system.exe

pid	process
1740	system.exe
1480	system.exe
1768	system.exe

Drops startup file 2 IoCs

Processes:

system.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.exe	system.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.exe	system.exe

Loads dropped DLL 1 IoCs

Processes:

b1b661fec381628844d2e6ab3f5bf7d8d545b689500f083b3261095c55e37332.exe

pid process

1580 b1b661fec381628844d2e6ab3f5bf7d8d545b689500f083b3261095c55e37332.exe

pid	process
1580	b1b661fec381628844d2e6ab3f5bf7d8d545b689500f083b3261095c55e37332.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

system.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\system.exe = "\"C:\\Users\\Admin\\system.exe\" .."	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\system.exe = "\"C:\\Users\\Admin\\system.exe\" .."	system.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1960 schtasks.exe
976 schtasks.exe
520 schtasks.exe
360 schtasks.exe

pid	process
1960	schtasks.exe
976	schtasks.exe
520	schtasks.exe
360	schtasks.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

system.exe

description	pid	process
Token: SeDebugPrivilege	1740	system.exe
Token: 33	1740	system.exe
Token: SeIncBasePriorityPrivilege	1740	system.exe
Token: 33	1740	system.exe
Token: SeIncBasePriorityPrivilege	1740	system.exe
Token: 33	1740	system.exe
Token: SeIncBasePriorityPrivilege	1740	system.exe
Token: 33	1740	system.exe
Token: SeIncBasePriorityPrivilege	1740	system.exe
Token: 33	1740	system.exe
Token: SeIncBasePriorityPrivilege	1740	system.exe
Token: 33	1740	system.exe
Token: SeIncBasePriorityPrivilege	1740	system.exe
Token: 33	1740	system.exe
Token: SeIncBasePriorityPrivilege	1740	system.exe
Token: 33	1740	system.exe
Token: SeIncBasePriorityPrivilege	1740	system.exe
Token: 33	1740	system.exe
Token: SeIncBasePriorityPrivilege	1740	system.exe
Token: 33	1740	system.exe
Token: SeIncBasePriorityPrivilege	1740	system.exe
Token: 33	1740	system.exe
Token: SeIncBasePriorityPrivilege	1740	system.exe
Token: 33	1740	system.exe
Token: SeIncBasePriorityPrivilege	1740	system.exe
Token: 33	1740	system.exe
Token: SeIncBasePriorityPrivilege	1740	system.exe
Token: 33	1740	system.exe
Token: SeIncBasePriorityPrivilege	1740	system.exe
Token: 33	1740	system.exe
Token: SeIncBasePriorityPrivilege	1740	system.exe
Token: 33	1740	system.exe
Token: SeIncBasePriorityPrivilege	1740	system.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

b1b661fec381628844d2e6ab3f5bf7d8d545b689500f083b3261095c55e37332.exesystem.exetaskeng.exesystem.exesystem.exe

description	pid	process	target process
PID 1580 wrote to memory of 1052	1580	b1b661fec381628844d2e6ab3f5bf7d8d545b689500f083b3261095c55e37332.exe	schtasks.exe
PID 1580 wrote to memory of 1052	1580	b1b661fec381628844d2e6ab3f5bf7d8d545b689500f083b3261095c55e37332.exe	schtasks.exe
PID 1580 wrote to memory of 1052	1580	b1b661fec381628844d2e6ab3f5bf7d8d545b689500f083b3261095c55e37332.exe	schtasks.exe
PID 1580 wrote to memory of 1052	1580	b1b661fec381628844d2e6ab3f5bf7d8d545b689500f083b3261095c55e37332.exe	schtasks.exe
PID 1580 wrote to memory of 520	1580	b1b661fec381628844d2e6ab3f5bf7d8d545b689500f083b3261095c55e37332.exe	schtasks.exe
PID 1580 wrote to memory of 520	1580	b1b661fec381628844d2e6ab3f5bf7d8d545b689500f083b3261095c55e37332.exe	schtasks.exe
PID 1580 wrote to memory of 520	1580	b1b661fec381628844d2e6ab3f5bf7d8d545b689500f083b3261095c55e37332.exe	schtasks.exe
PID 1580 wrote to memory of 520	1580	b1b661fec381628844d2e6ab3f5bf7d8d545b689500f083b3261095c55e37332.exe	schtasks.exe
PID 1580 wrote to memory of 1740	1580	b1b661fec381628844d2e6ab3f5bf7d8d545b689500f083b3261095c55e37332.exe	system.exe
PID 1580 wrote to memory of 1740	1580	b1b661fec381628844d2e6ab3f5bf7d8d545b689500f083b3261095c55e37332.exe	system.exe
PID 1580 wrote to memory of 1740	1580	b1b661fec381628844d2e6ab3f5bf7d8d545b689500f083b3261095c55e37332.exe	system.exe
PID 1580 wrote to memory of 1740	1580	b1b661fec381628844d2e6ab3f5bf7d8d545b689500f083b3261095c55e37332.exe	system.exe
PID 1740 wrote to memory of 1816	1740	system.exe	schtasks.exe
PID 1740 wrote to memory of 1816	1740	system.exe	schtasks.exe
PID 1740 wrote to memory of 1816	1740	system.exe	schtasks.exe
PID 1740 wrote to memory of 1816	1740	system.exe	schtasks.exe
PID 1740 wrote to memory of 360	1740	system.exe	schtasks.exe
PID 1740 wrote to memory of 360	1740	system.exe	schtasks.exe
PID 1740 wrote to memory of 360	1740	system.exe	schtasks.exe
PID 1740 wrote to memory of 360	1740	system.exe	schtasks.exe
PID 620 wrote to memory of 1480	620	taskeng.exe	system.exe
PID 620 wrote to memory of 1480	620	taskeng.exe	system.exe
PID 620 wrote to memory of 1480	620	taskeng.exe	system.exe
PID 620 wrote to memory of 1480	620	taskeng.exe	system.exe
PID 1480 wrote to memory of 1360	1480	system.exe	schtasks.exe
PID 1480 wrote to memory of 1360	1480	system.exe	schtasks.exe
PID 1480 wrote to memory of 1360	1480	system.exe	schtasks.exe
PID 1480 wrote to memory of 1360	1480	system.exe	schtasks.exe
PID 1480 wrote to memory of 1960	1480	system.exe	schtasks.exe
PID 1480 wrote to memory of 1960	1480	system.exe	schtasks.exe
PID 1480 wrote to memory of 1960	1480	system.exe	schtasks.exe
PID 1480 wrote to memory of 1960	1480	system.exe	schtasks.exe
PID 620 wrote to memory of 1768	620	taskeng.exe	system.exe
PID 620 wrote to memory of 1768	620	taskeng.exe	system.exe
PID 620 wrote to memory of 1768	620	taskeng.exe	system.exe
PID 620 wrote to memory of 1768	620	taskeng.exe	system.exe
PID 1768 wrote to memory of 1712	1768	system.exe	schtasks.exe
PID 1768 wrote to memory of 1712	1768	system.exe	schtasks.exe
PID 1768 wrote to memory of 1712	1768	system.exe	schtasks.exe
PID 1768 wrote to memory of 1712	1768	system.exe	schtasks.exe
PID 1768 wrote to memory of 976	1768	system.exe	schtasks.exe
PID 1768 wrote to memory of 976	1768	system.exe	schtasks.exe
PID 1768 wrote to memory of 976	1768	system.exe	schtasks.exe
PID 1768 wrote to memory of 976	1768	system.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\b1b661fec381628844d2e6ab3f5bf7d8d545b689500f083b3261095c55e37332.exe
"C:\Users\Admin\AppData\Local\Temp\b1b661fec381628844d2e6ab3f5bf7d8d545b689500f083b3261095c55e37332.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
2⤵
PID:1052

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\b1b661fec381628844d2e6ab3f5bf7d8d545b689500f083b3261095c55e37332.exe" /sc minute /mo 1
2⤵
- Creates scheduled task(s)
PID:520

C:\Users\Admin\system.exe
"C:\Users\Admin\system.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
3⤵
PID:1816

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\system.exe" /sc minute /mo 1
3⤵
- Creates scheduled task(s)
PID:360

C:\Windows\system32\taskeng.exe
taskeng.exe {179B25CB-D4EC-4AB2-B4B6-98B5A0FADFAE} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:620

C:\Users\Admin\system.exe
C:\Users\Admin\system.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
3⤵
PID:1360

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\system.exe" /sc minute /mo 1
3⤵
- Creates scheduled task(s)
PID:1960

C:\Users\Admin\system.exe
C:\Users\Admin\system.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
3⤵
PID:1712

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\system.exe" /sc minute /mo 1
3⤵
- Creates scheduled task(s)
PID:976

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\system.exe
MD5
26c37b7faa7e4be88b62a530a05766b6

SHA1
b93496235b92c66e0ef16d634ca21b9e276471d9

SHA256
b1b661fec381628844d2e6ab3f5bf7d8d545b689500f083b3261095c55e37332

SHA512
98587b1c1f61a0085092560411df3288f8bd594832c9314e38de7d3c9eb8479e94c18c51670566f827973bd6f93454e6ea057eeb3a1fb8c1259b32e62f38f65e

Download Submit
C:\Users\Admin\system.exe
MD5
26c37b7faa7e4be88b62a530a05766b6

SHA1
b93496235b92c66e0ef16d634ca21b9e276471d9

SHA256
b1b661fec381628844d2e6ab3f5bf7d8d545b689500f083b3261095c55e37332

SHA512
98587b1c1f61a0085092560411df3288f8bd594832c9314e38de7d3c9eb8479e94c18c51670566f827973bd6f93454e6ea057eeb3a1fb8c1259b32e62f38f65e

Download Submit
C:\Users\Admin\system.exe
MD5
26c37b7faa7e4be88b62a530a05766b6

SHA1
b93496235b92c66e0ef16d634ca21b9e276471d9

SHA256
b1b661fec381628844d2e6ab3f5bf7d8d545b689500f083b3261095c55e37332

SHA512
98587b1c1f61a0085092560411df3288f8bd594832c9314e38de7d3c9eb8479e94c18c51670566f827973bd6f93454e6ea057eeb3a1fb8c1259b32e62f38f65e

Download Submit
C:\Users\Admin\system.exe
MD5
26c37b7faa7e4be88b62a530a05766b6

SHA1
b93496235b92c66e0ef16d634ca21b9e276471d9

SHA256
b1b661fec381628844d2e6ab3f5bf7d8d545b689500f083b3261095c55e37332

SHA512
98587b1c1f61a0085092560411df3288f8bd594832c9314e38de7d3c9eb8479e94c18c51670566f827973bd6f93454e6ea057eeb3a1fb8c1259b32e62f38f65e

Download Submit
\Users\Admin\system.exe
MD5
26c37b7faa7e4be88b62a530a05766b6

SHA1
b93496235b92c66e0ef16d634ca21b9e276471d9

SHA256
b1b661fec381628844d2e6ab3f5bf7d8d545b689500f083b3261095c55e37332

SHA512
98587b1c1f61a0085092560411df3288f8bd594832c9314e38de7d3c9eb8479e94c18c51670566f827973bd6f93454e6ea057eeb3a1fb8c1259b32e62f38f65e

Download Submit
memory/1480-63-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/1580-54-0x00000000754B1000-0x00000000754B3000-memory.dmp

Filesize
8KB

Download
memory/1580-55-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/1740-60-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1768-66-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads