njrat | 8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f

Analysis

max time kernel
155s
max time network
149s
platform
windows7_x64
resource
win7-en-20211208
submitted
03-02-2022 15:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe
Size

332KB
MD5

349d353065a260a6cb340666ae9d5f06
SHA1

049c76e212e1e7368c368eb1b47bf18df84f2d61
SHA256

8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f
SHA512

ecd932d518ef32d2c6c25927c9f0298ab380651078df8b3c837ad7027875574b9bb2764f9ac22bc30d65f816313dbf77554b688bcbaec5a1519c0fa6f1fe5293

Score

10^/10

njrat victime evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Victime

kouji.ddns.net:1177

Mutex

3c8548e6ad9ecf00a0a44c81e84745f1

Attributes

reg_key
3c8548e6ad9ecf00a0a44c81e84745f1
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 3 IoCs

Processes:

Crack.exesuper.exewinlogon.exe

pid process

1156 Crack.exe
1944 super.exe
1964 winlogon.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
1156	Crack.exe
1944	super.exe
1964	winlogon.exe

Drops startup file 2 IoCs

Processes:

winlogon.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3c8548e6ad9ecf00a0a44c81e84745f1.exe	winlogon.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3c8548e6ad9ecf00a0a44c81e84745f1.exe	winlogon.exe

Loads dropped DLL 10 IoCs

Processes:

8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exesuper.exe

pid	process
1628	8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe
1628	8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe
1628	8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe
1628	8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe
1628	8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe
1628	8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe
1628	8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe
1628	8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe
1944	super.exe
1944	super.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

winlogon.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\3c8548e6ad9ecf00a0a44c81e84745f1 = "\"C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe\" .."	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\3c8548e6ad9ecf00a0a44c81e84745f1 = "\"C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe\" .."	winlogon.exe

Drops file in Program Files directory 6 IoCs

Processes:

8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\udat\Crack.exe	8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe
File created	C:\Program Files (x86)\udat\super.exe	8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe
File opened for modification	C:\Program Files (x86)\udat\super.exe	8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe
File opened for modification	C:\Program Files (x86)\udat	8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe
File created	C:\Program Files (x86)\udat\__tmp_rar_sfx_access_check_199478	8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe
File created	C:\Program Files (x86)\udat\Crack.exe	8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

Crack.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main Crack.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Crack.exe

pid process

1156 Crack.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main	Crack.exe

pid	process
1156	Crack.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

winlogon.exe

description	pid	process
Token: SeDebugPrivilege	1964	winlogon.exe
Token: 33	1964	winlogon.exe
Token: SeIncBasePriorityPrivilege	1964	winlogon.exe
Token: 33	1964	winlogon.exe
Token: SeIncBasePriorityPrivilege	1964	winlogon.exe
Token: 33	1964	winlogon.exe
Token: SeIncBasePriorityPrivilege	1964	winlogon.exe
Token: 33	1964	winlogon.exe
Token: SeIncBasePriorityPrivilege	1964	winlogon.exe
Token: 33	1964	winlogon.exe
Token: SeIncBasePriorityPrivilege	1964	winlogon.exe
Token: 33	1964	winlogon.exe
Token: SeIncBasePriorityPrivilege	1964	winlogon.exe
Token: 33	1964	winlogon.exe
Token: SeIncBasePriorityPrivilege	1964	winlogon.exe
Token: 33	1964	winlogon.exe
Token: SeIncBasePriorityPrivilege	1964	winlogon.exe
Token: 33	1964	winlogon.exe
Token: SeIncBasePriorityPrivilege	1964	winlogon.exe
Token: 33	1964	winlogon.exe
Token: SeIncBasePriorityPrivilege	1964	winlogon.exe
Token: 33	1964	winlogon.exe
Token: SeIncBasePriorityPrivilege	1964	winlogon.exe
Token: 33	1964	winlogon.exe
Token: SeIncBasePriorityPrivilege	1964	winlogon.exe
Token: 33	1964	winlogon.exe
Token: SeIncBasePriorityPrivilege	1964	winlogon.exe
Token: 33	1964	winlogon.exe
Token: SeIncBasePriorityPrivilege	1964	winlogon.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Crack.exe

pid process

1156 Crack.exe
1156 Crack.exe

pid	process
1156	Crack.exe
1156	Crack.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exesuper.exewinlogon.exe

description	pid	process	target process
PID 1628 wrote to memory of 1156	1628	8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe	Crack.exe
PID 1628 wrote to memory of 1156	1628	8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe	Crack.exe
PID 1628 wrote to memory of 1156	1628	8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe	Crack.exe
PID 1628 wrote to memory of 1156	1628	8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe	Crack.exe
PID 1628 wrote to memory of 1156	1628	8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe	Crack.exe
PID 1628 wrote to memory of 1156	1628	8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe	Crack.exe
PID 1628 wrote to memory of 1156	1628	8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe	Crack.exe
PID 1628 wrote to memory of 1944	1628	8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe	super.exe
PID 1628 wrote to memory of 1944	1628	8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe	super.exe
PID 1628 wrote to memory of 1944	1628	8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe	super.exe
PID 1628 wrote to memory of 1944	1628	8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe	super.exe
PID 1628 wrote to memory of 1944	1628	8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe	super.exe
PID 1628 wrote to memory of 1944	1628	8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe	super.exe
PID 1628 wrote to memory of 1944	1628	8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe	super.exe
PID 1944 wrote to memory of 1964	1944	super.exe	winlogon.exe
PID 1944 wrote to memory of 1964	1944	super.exe	winlogon.exe
PID 1944 wrote to memory of 1964	1944	super.exe	winlogon.exe
PID 1944 wrote to memory of 1964	1944	super.exe	winlogon.exe
PID 1944 wrote to memory of 1964	1944	super.exe	winlogon.exe
PID 1944 wrote to memory of 1964	1944	super.exe	winlogon.exe
PID 1944 wrote to memory of 1964	1944	super.exe	winlogon.exe
PID 1964 wrote to memory of 2012	1964	winlogon.exe	netsh.exe
PID 1964 wrote to memory of 2012	1964	winlogon.exe	netsh.exe
PID 1964 wrote to memory of 2012	1964	winlogon.exe	netsh.exe
PID 1964 wrote to memory of 2012	1964	winlogon.exe	netsh.exe
PID 1964 wrote to memory of 2012	1964	winlogon.exe	netsh.exe
PID 1964 wrote to memory of 2012	1964	winlogon.exe	netsh.exe
PID 1964 wrote to memory of 2012	1964	winlogon.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe
"C:\Users\Admin\AppData\Local\Temp\8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1628

C:\Program Files (x86)\udat\Crack.exe
"C:\Program Files (x86)\udat\Crack.exe"
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1156

C:\Program Files (x86)\udat\super.exe
"C:\Program Files (x86)\udat\super.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1944

C:\Users\Admin\AppData\Roaming\winlogon.exe
"C:\Users\Admin\AppData\Roaming\winlogon.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\winlogon.exe" "winlogon.exe" ENABLE
4⤵
PID:2012

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\udat\Crack.exe
MD5
1c626edcdad864d70de9befdf08bf9c1

SHA1
cb934d5bfeb4ace53c76b5c3e3f20b3d2266ee6e

SHA256
e567c91c039b624b4a4d0adceb6879edd9ab834ff6048484ac1c7db4d6cbdf4a

SHA512
b02e1c9d5d043f1393b3e1e1b431e87a8713618abd2cc9f8264132acc6c1f619f11cb40823aa3bc306073132d5b4b3141b6f21f418ea4bbd31bbd825c6305ab9

Download Submit
C:\Program Files (x86)\udat\Crack.exe
MD5
1c626edcdad864d70de9befdf08bf9c1

SHA1
cb934d5bfeb4ace53c76b5c3e3f20b3d2266ee6e

SHA256
e567c91c039b624b4a4d0adceb6879edd9ab834ff6048484ac1c7db4d6cbdf4a

SHA512
b02e1c9d5d043f1393b3e1e1b431e87a8713618abd2cc9f8264132acc6c1f619f11cb40823aa3bc306073132d5b4b3141b6f21f418ea4bbd31bbd825c6305ab9

Download Submit
C:\Program Files (x86)\udat\super.exe
MD5
a82bd9f52870c56eaf1c5b671675fde3

SHA1
497194d1414df0581ea12da2f38c3da71ef81b70

SHA256
99a7428f70a6f74c5711f052932f92fc0cc6b89f9d9d010df46b65bfef154df0

SHA512
eeae72ad2cf725a82f8fc5384de4e65e4175ff18069e07017ede5b615499cef4a7b123ff00e43b21c7c2860a92a36fe358d80965c37ada51cba0ace8ffe937c7

Download Submit
C:\Program Files (x86)\udat\super.exe
MD5
a82bd9f52870c56eaf1c5b671675fde3

SHA1
497194d1414df0581ea12da2f38c3da71ef81b70

SHA256
99a7428f70a6f74c5711f052932f92fc0cc6b89f9d9d010df46b65bfef154df0

SHA512
eeae72ad2cf725a82f8fc5384de4e65e4175ff18069e07017ede5b615499cef4a7b123ff00e43b21c7c2860a92a36fe358d80965c37ada51cba0ace8ffe937c7

Download Submit
C:\Users\Admin\AppData\Roaming\winlogon.exe
MD5
a82bd9f52870c56eaf1c5b671675fde3

SHA1
497194d1414df0581ea12da2f38c3da71ef81b70

SHA256
99a7428f70a6f74c5711f052932f92fc0cc6b89f9d9d010df46b65bfef154df0

SHA512
eeae72ad2cf725a82f8fc5384de4e65e4175ff18069e07017ede5b615499cef4a7b123ff00e43b21c7c2860a92a36fe358d80965c37ada51cba0ace8ffe937c7

Download Submit
C:\Users\Admin\AppData\Roaming\winlogon.exe
MD5
a82bd9f52870c56eaf1c5b671675fde3

SHA1
497194d1414df0581ea12da2f38c3da71ef81b70

SHA256
99a7428f70a6f74c5711f052932f92fc0cc6b89f9d9d010df46b65bfef154df0

SHA512
eeae72ad2cf725a82f8fc5384de4e65e4175ff18069e07017ede5b615499cef4a7b123ff00e43b21c7c2860a92a36fe358d80965c37ada51cba0ace8ffe937c7

Download Submit
\Program Files (x86)\udat\Crack.exe
MD5
1c626edcdad864d70de9befdf08bf9c1

SHA1
cb934d5bfeb4ace53c76b5c3e3f20b3d2266ee6e

SHA256
e567c91c039b624b4a4d0adceb6879edd9ab834ff6048484ac1c7db4d6cbdf4a

SHA512
b02e1c9d5d043f1393b3e1e1b431e87a8713618abd2cc9f8264132acc6c1f619f11cb40823aa3bc306073132d5b4b3141b6f21f418ea4bbd31bbd825c6305ab9

Download Submit
\Program Files (x86)\udat\Crack.exe
MD5
1c626edcdad864d70de9befdf08bf9c1

SHA1
cb934d5bfeb4ace53c76b5c3e3f20b3d2266ee6e

SHA256
e567c91c039b624b4a4d0adceb6879edd9ab834ff6048484ac1c7db4d6cbdf4a

SHA512
b02e1c9d5d043f1393b3e1e1b431e87a8713618abd2cc9f8264132acc6c1f619f11cb40823aa3bc306073132d5b4b3141b6f21f418ea4bbd31bbd825c6305ab9

Download Submit
\Program Files (x86)\udat\Crack.exe
MD5
1c626edcdad864d70de9befdf08bf9c1

SHA1
cb934d5bfeb4ace53c76b5c3e3f20b3d2266ee6e

SHA256
e567c91c039b624b4a4d0adceb6879edd9ab834ff6048484ac1c7db4d6cbdf4a

SHA512
b02e1c9d5d043f1393b3e1e1b431e87a8713618abd2cc9f8264132acc6c1f619f11cb40823aa3bc306073132d5b4b3141b6f21f418ea4bbd31bbd825c6305ab9

Download Submit
\Program Files (x86)\udat\Crack.exe
MD5
1c626edcdad864d70de9befdf08bf9c1

SHA1
cb934d5bfeb4ace53c76b5c3e3f20b3d2266ee6e

SHA256
e567c91c039b624b4a4d0adceb6879edd9ab834ff6048484ac1c7db4d6cbdf4a

SHA512
b02e1c9d5d043f1393b3e1e1b431e87a8713618abd2cc9f8264132acc6c1f619f11cb40823aa3bc306073132d5b4b3141b6f21f418ea4bbd31bbd825c6305ab9

Download Submit
\Program Files (x86)\udat\super.exe
MD5
a82bd9f52870c56eaf1c5b671675fde3

SHA1
497194d1414df0581ea12da2f38c3da71ef81b70

SHA256
99a7428f70a6f74c5711f052932f92fc0cc6b89f9d9d010df46b65bfef154df0

SHA512
eeae72ad2cf725a82f8fc5384de4e65e4175ff18069e07017ede5b615499cef4a7b123ff00e43b21c7c2860a92a36fe358d80965c37ada51cba0ace8ffe937c7

Download Submit
\Program Files (x86)\udat\super.exe
MD5
a82bd9f52870c56eaf1c5b671675fde3

SHA1
497194d1414df0581ea12da2f38c3da71ef81b70

SHA256
99a7428f70a6f74c5711f052932f92fc0cc6b89f9d9d010df46b65bfef154df0

SHA512
eeae72ad2cf725a82f8fc5384de4e65e4175ff18069e07017ede5b615499cef4a7b123ff00e43b21c7c2860a92a36fe358d80965c37ada51cba0ace8ffe937c7

Download Submit
\Program Files (x86)\udat\super.exe
MD5
a82bd9f52870c56eaf1c5b671675fde3

SHA1
497194d1414df0581ea12da2f38c3da71ef81b70

SHA256
99a7428f70a6f74c5711f052932f92fc0cc6b89f9d9d010df46b65bfef154df0

SHA512
eeae72ad2cf725a82f8fc5384de4e65e4175ff18069e07017ede5b615499cef4a7b123ff00e43b21c7c2860a92a36fe358d80965c37ada51cba0ace8ffe937c7

Download Submit
\Program Files (x86)\udat\super.exe
MD5
a82bd9f52870c56eaf1c5b671675fde3

SHA1
497194d1414df0581ea12da2f38c3da71ef81b70

SHA256
99a7428f70a6f74c5711f052932f92fc0cc6b89f9d9d010df46b65bfef154df0

SHA512
eeae72ad2cf725a82f8fc5384de4e65e4175ff18069e07017ede5b615499cef4a7b123ff00e43b21c7c2860a92a36fe358d80965c37ada51cba0ace8ffe937c7

Download Submit
\Users\Admin\AppData\Roaming\winlogon.exe
MD5
a82bd9f52870c56eaf1c5b671675fde3

SHA1
497194d1414df0581ea12da2f38c3da71ef81b70

SHA256
99a7428f70a6f74c5711f052932f92fc0cc6b89f9d9d010df46b65bfef154df0

SHA512
eeae72ad2cf725a82f8fc5384de4e65e4175ff18069e07017ede5b615499cef4a7b123ff00e43b21c7c2860a92a36fe358d80965c37ada51cba0ace8ffe937c7

Download Submit
\Users\Admin\AppData\Roaming\winlogon.exe
MD5
a82bd9f52870c56eaf1c5b671675fde3

SHA1
497194d1414df0581ea12da2f38c3da71ef81b70

SHA256
99a7428f70a6f74c5711f052932f92fc0cc6b89f9d9d010df46b65bfef154df0

SHA512
eeae72ad2cf725a82f8fc5384de4e65e4175ff18069e07017ede5b615499cef4a7b123ff00e43b21c7c2860a92a36fe358d80965c37ada51cba0ace8ffe937c7

Download Submit
memory/1628-54-0x0000000075431000-0x0000000075433000-memory.dmp

Filesize
8KB

Download
memory/1944-69-0x0000000000A00000-0x0000000000A3E000-memory.dmp

Filesize
248KB

Download
memory/1944-70-0x0000000000310000-0x000000000031C000-memory.dmp

Filesize
48KB

Download
memory/1944-71-0x0000000000640000-0x00000000007B3000-memory.dmp

Filesize
1.4MB

Download
memory/1964-86-0x0000000000940000-0x000000000097E000-memory.dmp

Filesize
248KB

Download
memory/1964-87-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download