njrat | d9650f2c1f89253bc02c64204c65668e7ec01227a4b5b40d8793499c9c1ad2c8

Analysis

max time kernel
138s
max time network
153s
platform
windows7_x64
resource
win7-en-20211208
submitted
03-02-2022 15:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d9650f2c1f89253bc02c64204c65668e7ec01227a4b5b40d8793499c9c1ad2c8.exe
Size

406KB
MD5

27618e24c576d88396237132b13e0b7a
SHA1

5c7055878d8dd12a8bff678194f054ba74328a28
SHA256

d9650f2c1f89253bc02c64204c65668e7ec01227a4b5b40d8793499c9c1ad2c8
SHA512

37250461692acc1cd34a0f406d8eb1b3043c06afdb91b598cecf19dbdac95f909c9cb36246a730fdfd215aabcb8af21529e96431e70a2cb3a5c2487945010055

Score

10^/10

njrat hack trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

hack

medalwaely.no-ip.biz:1177

Mutex

09b4965ef3d07401b926a3a4b3383a3f

Attributes

reg_key
09b4965ef3d07401b926a3a4b3383a3f
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 3 IoCs

Processes:

asasasasas.Exeasasasasas.Exemed.exe

pid process

752 asasasasas.Exe
1472 asasasasas.Exe
1248 med.exe

pid	process
752	asasasasas.Exe
1472	asasasasas.Exe
1248	med.exe

Loads dropped DLL 8 IoCs

Processes:

d9650f2c1f89253bc02c64204c65668e7ec01227a4b5b40d8793499c9c1ad2c8.exeasasasasas.Exeasasasasas.Exemed.exe

pid	process
1572	d9650f2c1f89253bc02c64204c65668e7ec01227a4b5b40d8793499c9c1ad2c8.exe
1572	d9650f2c1f89253bc02c64204c65668e7ec01227a4b5b40d8793499c9c1ad2c8.exe
1572	d9650f2c1f89253bc02c64204c65668e7ec01227a4b5b40d8793499c9c1ad2c8.exe
1572	d9650f2c1f89253bc02c64204c65668e7ec01227a4b5b40d8793499c9c1ad2c8.exe
752	asasasasas.Exe
1472	asasasasas.Exe
1472	asasasasas.Exe
1248	med.exe

Drops file in System32 directory 5 IoCs

Processes:

d9650f2c1f89253bc02c64204c65668e7ec01227a4b5b40d8793499c9c1ad2c8.exe

description	ioc	process
File created	C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_191366	d9650f2c1f89253bc02c64204c65668e7ec01227a4b5b40d8793499c9c1ad2c8.exe
File created	C:\Windows\SysWOW64\asasasasas.Exe	d9650f2c1f89253bc02c64204c65668e7ec01227a4b5b40d8793499c9c1ad2c8.exe
File opened for modification	C:\Windows\SysWOW64\asasasasas.Exe	d9650f2c1f89253bc02c64204c65668e7ec01227a4b5b40d8793499c9c1ad2c8.exe
File created	C:\Windows\SysWOW64\1-natalie-portman-oscars-2011-254x169.jpg	d9650f2c1f89253bc02c64204c65668e7ec01227a4b5b40d8793499c9c1ad2c8.exe
File opened for modification	C:\Windows\SysWOW64\1-natalie-portman-oscars-2011-254x169.jpg	d9650f2c1f89253bc02c64204c65668e7ec01227a4b5b40d8793499c9c1ad2c8.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

asasasasas.Exe

description pid process target process

PID 752 set thread context of 1472 752 asasasasas.Exe asasasasas.Exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 752 set thread context of 1472	752	asasasasas.Exe	asasasasas.Exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

asasasasas.Exemed.exe

description	pid	process
Token: SeDebugPrivilege	752	asasasasas.Exe
Token: 33	752	asasasasas.Exe
Token: SeIncBasePriorityPrivilege	752	asasasasas.Exe
Token: SeDebugPrivilege	1248	med.exe
Token: 33	1248	med.exe
Token: SeIncBasePriorityPrivilege	1248	med.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

d9650f2c1f89253bc02c64204c65668e7ec01227a4b5b40d8793499c9c1ad2c8.exeasasasasas.Exeasasasasas.Exemed.exe

description	pid	process	target process
PID 1572 wrote to memory of 752	1572	d9650f2c1f89253bc02c64204c65668e7ec01227a4b5b40d8793499c9c1ad2c8.exe	asasasasas.Exe
PID 1572 wrote to memory of 752	1572	d9650f2c1f89253bc02c64204c65668e7ec01227a4b5b40d8793499c9c1ad2c8.exe	asasasasas.Exe
PID 1572 wrote to memory of 752	1572	d9650f2c1f89253bc02c64204c65668e7ec01227a4b5b40d8793499c9c1ad2c8.exe	asasasasas.Exe
PID 1572 wrote to memory of 752	1572	d9650f2c1f89253bc02c64204c65668e7ec01227a4b5b40d8793499c9c1ad2c8.exe	asasasasas.Exe
PID 1572 wrote to memory of 752	1572	d9650f2c1f89253bc02c64204c65668e7ec01227a4b5b40d8793499c9c1ad2c8.exe	asasasasas.Exe
PID 1572 wrote to memory of 752	1572	d9650f2c1f89253bc02c64204c65668e7ec01227a4b5b40d8793499c9c1ad2c8.exe	asasasasas.Exe
PID 1572 wrote to memory of 752	1572	d9650f2c1f89253bc02c64204c65668e7ec01227a4b5b40d8793499c9c1ad2c8.exe	asasasasas.Exe
PID 752 wrote to memory of 1472	752	asasasasas.Exe	asasasasas.Exe
PID 752 wrote to memory of 1472	752	asasasasas.Exe	asasasasas.Exe
PID 752 wrote to memory of 1472	752	asasasasas.Exe	asasasasas.Exe
PID 752 wrote to memory of 1472	752	asasasasas.Exe	asasasasas.Exe
PID 752 wrote to memory of 1472	752	asasasasas.Exe	asasasasas.Exe
PID 752 wrote to memory of 1472	752	asasasasas.Exe	asasasasas.Exe
PID 752 wrote to memory of 1472	752	asasasasas.Exe	asasasasas.Exe
PID 752 wrote to memory of 1472	752	asasasasas.Exe	asasasasas.Exe
PID 752 wrote to memory of 1472	752	asasasasas.Exe	asasasasas.Exe
PID 1472 wrote to memory of 1248	1472	asasasasas.Exe	med.exe
PID 1472 wrote to memory of 1248	1472	asasasasas.Exe	med.exe
PID 1472 wrote to memory of 1248	1472	asasasasas.Exe	med.exe
PID 1472 wrote to memory of 1248	1472	asasasasas.Exe	med.exe
PID 1472 wrote to memory of 1248	1472	asasasasas.Exe	med.exe
PID 1472 wrote to memory of 1248	1472	asasasasas.Exe	med.exe
PID 1472 wrote to memory of 1248	1472	asasasasas.Exe	med.exe
PID 1248 wrote to memory of 636	1248	med.exe	med.exe
PID 1248 wrote to memory of 636	1248	med.exe	med.exe
PID 1248 wrote to memory of 636	1248	med.exe	med.exe
PID 1248 wrote to memory of 636	1248	med.exe	med.exe
PID 1248 wrote to memory of 636	1248	med.exe	med.exe
PID 1248 wrote to memory of 636	1248	med.exe	med.exe
PID 1248 wrote to memory of 636	1248	med.exe	med.exe

C:\Users\Admin\AppData\Local\Temp\d9650f2c1f89253bc02c64204c65668e7ec01227a4b5b40d8793499c9c1ad2c8.exe
"C:\Users\Admin\AppData\Local\Temp\d9650f2c1f89253bc02c64204c65668e7ec01227a4b5b40d8793499c9c1ad2c8.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\SysWOW64\asasasasas.Exe
"C:\Windows\System32\asasasasas.Exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\SysWOW64\asasasasas.Exe
C:\Windows\SysWOW64\asasasasas.Exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1472

C:\Users\Admin\AppData\Local\Temp\med.exe
"C:\Users\Admin\AppData\Local\Temp\med.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1248

C:\Users\Admin\AppData\Local\Temp\med.exe
C:\Users\Admin\AppData\Local\Temp\med.exe
5⤵
PID:636

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\med.exe
MD5
21bb098ec4f345d81f4eb2843ad8e6bd

SHA1
6e217ca6f104fa09f1e5546f6bcb51cbe00f11c4

SHA256
842e674dc7524ea7a7810465a6b94f7c163e1828925e2532daca066ee1cb48a2

SHA512
fbcd795e54dd22a67ddf463c28f1d693d58aabb1b76268515e193ce2b6b347704974dc42ca54dd081510540b4ac05f52f343fbb7380fa0638f66a5e9d2adf682

Download Submit
C:\Users\Admin\AppData\Local\Temp\med.exe
MD5
21bb098ec4f345d81f4eb2843ad8e6bd

SHA1
6e217ca6f104fa09f1e5546f6bcb51cbe00f11c4

SHA256
842e674dc7524ea7a7810465a6b94f7c163e1828925e2532daca066ee1cb48a2

SHA512
fbcd795e54dd22a67ddf463c28f1d693d58aabb1b76268515e193ce2b6b347704974dc42ca54dd081510540b4ac05f52f343fbb7380fa0638f66a5e9d2adf682

Download Submit
C:\Windows\SysWOW64\asasasasas.Exe
MD5
21bb098ec4f345d81f4eb2843ad8e6bd

SHA1
6e217ca6f104fa09f1e5546f6bcb51cbe00f11c4

SHA256
842e674dc7524ea7a7810465a6b94f7c163e1828925e2532daca066ee1cb48a2

SHA512
fbcd795e54dd22a67ddf463c28f1d693d58aabb1b76268515e193ce2b6b347704974dc42ca54dd081510540b4ac05f52f343fbb7380fa0638f66a5e9d2adf682

Download Submit
C:\Windows\SysWOW64\asasasasas.Exe
MD5
21bb098ec4f345d81f4eb2843ad8e6bd

SHA1
6e217ca6f104fa09f1e5546f6bcb51cbe00f11c4

SHA256
842e674dc7524ea7a7810465a6b94f7c163e1828925e2532daca066ee1cb48a2

SHA512
fbcd795e54dd22a67ddf463c28f1d693d58aabb1b76268515e193ce2b6b347704974dc42ca54dd081510540b4ac05f52f343fbb7380fa0638f66a5e9d2adf682

Download Submit
C:\Windows\SysWOW64\asasasasas.Exe
MD5
21bb098ec4f345d81f4eb2843ad8e6bd

SHA1
6e217ca6f104fa09f1e5546f6bcb51cbe00f11c4

SHA256
842e674dc7524ea7a7810465a6b94f7c163e1828925e2532daca066ee1cb48a2

SHA512
fbcd795e54dd22a67ddf463c28f1d693d58aabb1b76268515e193ce2b6b347704974dc42ca54dd081510540b4ac05f52f343fbb7380fa0638f66a5e9d2adf682

Download Submit
\Users\Admin\AppData\Local\Temp\med.exe
MD5
21bb098ec4f345d81f4eb2843ad8e6bd

SHA1
6e217ca6f104fa09f1e5546f6bcb51cbe00f11c4

SHA256
842e674dc7524ea7a7810465a6b94f7c163e1828925e2532daca066ee1cb48a2

SHA512
fbcd795e54dd22a67ddf463c28f1d693d58aabb1b76268515e193ce2b6b347704974dc42ca54dd081510540b4ac05f52f343fbb7380fa0638f66a5e9d2adf682

Download Submit
\Users\Admin\AppData\Local\Temp\med.exe
MD5
21bb098ec4f345d81f4eb2843ad8e6bd

SHA1
6e217ca6f104fa09f1e5546f6bcb51cbe00f11c4

SHA256
842e674dc7524ea7a7810465a6b94f7c163e1828925e2532daca066ee1cb48a2

SHA512
fbcd795e54dd22a67ddf463c28f1d693d58aabb1b76268515e193ce2b6b347704974dc42ca54dd081510540b4ac05f52f343fbb7380fa0638f66a5e9d2adf682

Download Submit
\Users\Admin\AppData\Local\Temp\med.exe
MD5
21bb098ec4f345d81f4eb2843ad8e6bd

SHA1
6e217ca6f104fa09f1e5546f6bcb51cbe00f11c4

SHA256
842e674dc7524ea7a7810465a6b94f7c163e1828925e2532daca066ee1cb48a2

SHA512
fbcd795e54dd22a67ddf463c28f1d693d58aabb1b76268515e193ce2b6b347704974dc42ca54dd081510540b4ac05f52f343fbb7380fa0638f66a5e9d2adf682

Download Submit
\Windows\SysWOW64\asasasasas.Exe
MD5
21bb098ec4f345d81f4eb2843ad8e6bd

SHA1
6e217ca6f104fa09f1e5546f6bcb51cbe00f11c4

SHA256
842e674dc7524ea7a7810465a6b94f7c163e1828925e2532daca066ee1cb48a2

SHA512
fbcd795e54dd22a67ddf463c28f1d693d58aabb1b76268515e193ce2b6b347704974dc42ca54dd081510540b4ac05f52f343fbb7380fa0638f66a5e9d2adf682

Download Submit
\Windows\SysWOW64\asasasasas.Exe
MD5
21bb098ec4f345d81f4eb2843ad8e6bd

SHA1
6e217ca6f104fa09f1e5546f6bcb51cbe00f11c4

SHA256
842e674dc7524ea7a7810465a6b94f7c163e1828925e2532daca066ee1cb48a2

SHA512
fbcd795e54dd22a67ddf463c28f1d693d58aabb1b76268515e193ce2b6b347704974dc42ca54dd081510540b4ac05f52f343fbb7380fa0638f66a5e9d2adf682

Download Submit
\Windows\SysWOW64\asasasasas.Exe
MD5
21bb098ec4f345d81f4eb2843ad8e6bd

SHA1
6e217ca6f104fa09f1e5546f6bcb51cbe00f11c4

SHA256
842e674dc7524ea7a7810465a6b94f7c163e1828925e2532daca066ee1cb48a2

SHA512
fbcd795e54dd22a67ddf463c28f1d693d58aabb1b76268515e193ce2b6b347704974dc42ca54dd081510540b4ac05f52f343fbb7380fa0638f66a5e9d2adf682

Download Submit
\Windows\SysWOW64\asasasasas.Exe
MD5
21bb098ec4f345d81f4eb2843ad8e6bd

SHA1
6e217ca6f104fa09f1e5546f6bcb51cbe00f11c4

SHA256
842e674dc7524ea7a7810465a6b94f7c163e1828925e2532daca066ee1cb48a2

SHA512
fbcd795e54dd22a67ddf463c28f1d693d58aabb1b76268515e193ce2b6b347704974dc42ca54dd081510540b4ac05f52f343fbb7380fa0638f66a5e9d2adf682

Download Submit
\Windows\SysWOW64\asasasasas.Exe
MD5
21bb098ec4f345d81f4eb2843ad8e6bd

SHA1
6e217ca6f104fa09f1e5546f6bcb51cbe00f11c4

SHA256
842e674dc7524ea7a7810465a6b94f7c163e1828925e2532daca066ee1cb48a2

SHA512
fbcd795e54dd22a67ddf463c28f1d693d58aabb1b76268515e193ce2b6b347704974dc42ca54dd081510540b4ac05f52f343fbb7380fa0638f66a5e9d2adf682

Download Submit
memory/752-63-0x000000000039D000-0x000000000039F000-memory.dmp

Filesize
8KB

Download
memory/752-66-0x000000000039D000-0x000000000039F000-memory.dmp

Filesize
8KB

Download
memory/752-71-0x000000000039D000-0x000000000039F000-memory.dmp

Filesize
8KB

Download
memory/752-70-0x000000000039D000-0x000000000039F000-memory.dmp

Filesize
8KB

Download
memory/752-72-0x000000000039D000-0x000000000039F000-memory.dmp

Filesize
8KB

Download
memory/752-74-0x000000000039D000-0x000000000039F000-memory.dmp

Filesize
8KB

Download
memory/752-73-0x000000000039D000-0x000000000039F000-memory.dmp

Filesize
8KB

Download
memory/752-62-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/752-76-0x000000000039D000-0x000000000039F000-memory.dmp

Filesize
8KB

Download
memory/752-69-0x000000000039D000-0x000000000039F000-memory.dmp

Filesize
8KB

Download
memory/752-67-0x000000000039D000-0x000000000039F000-memory.dmp

Filesize
8KB

Download
memory/752-68-0x000000000039D000-0x000000000039F000-memory.dmp

Filesize
8KB

Download
memory/752-65-0x000000000039D000-0x000000000039F000-memory.dmp

Filesize
8KB

Download
memory/1248-85-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/1248-86-0x00000000003FD000-0x00000000003FF000-memory.dmp

Filesize
8KB

Download
memory/1248-88-0x00000000003FD000-0x00000000003FF000-memory.dmp

Filesize
8KB

Download
memory/1248-89-0x00000000003FD000-0x00000000003FF000-memory.dmp

Filesize
8KB

Download
memory/1248-90-0x00000000003FD000-0x00000000003FF000-memory.dmp

Filesize
8KB

Download
memory/1472-79-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1472-75-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1572-54-0x0000000076491000-0x0000000076493000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads