njrat | 3fe6e95aaf5e6563084597ae6a03283dc6e8c2d6be2d73b0ffd148f20796baad

General

Target

3fe6e95aaf5e6563084597ae6a03283dc6e8c2d6be2d73b0ffd148f20796baad.exe
Size

8.7MB
MD5

e96b49168d8039c227de5c72bf41810b
SHA1

14944a4510d56864835eda74366dd93543de7e52
SHA256

3fe6e95aaf5e6563084597ae6a03283dc6e8c2d6be2d73b0ffd148f20796baad
SHA512

0c98e82b1e454d85edd505cdae47fbdcb19651bd9bc573722ecf69f6e10a606677d2d865b590a29a542e23cf554523392aeb8bd1c26bf3153368531a36d6a2c7

Score

10^/10

njrat hack gta v evasion themida trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HACK GTA V

C2

snowgato.duckdns.org:1177

Mutex

1eb07ee8c21d622a801f6a0fb9cad455

Attributes

reg_key
1eb07ee8c21d622a801f6a0fb9cad455
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Executes dropped EXE 2 IoCs

Processes:

Mjvefxboy.exeWswusezy.exe

pid process

4624 Mjvefxboy.exe
4528 Wswusezy.exe

pid	process
4624	Mjvefxboy.exe
4528	Wswusezy.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Wswusezy.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Wswusezy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Wswusezy.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3fe6e95aaf5e6563084597ae6a03283dc6e8c2d6be2d73b0ffd148f20796baad.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	3fe6e95aaf5e6563084597ae6a03283dc6e8c2d6be2d73b0ffd148f20796baad.exe

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Wswusezy.exe	themida
C:\Users\Admin\AppData\Local\Temp\Wswusezy.exe	themida
behavioral2/memory/4528-141-0x00007FF6CB360000-0x00007FF6CC938000-memory.dmp	themida
behavioral2/memory/4528-142-0x00007FF6CB360000-0x00007FF6CC938000-memory.dmp	themida
behavioral2/memory/4528-143-0x00007FF6CB360000-0x00007FF6CC938000-memory.dmp	themida
behavioral2/memory/4528-144-0x00007FF6CB360000-0x00007FF6CC938000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Wswusezy.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Wswusezy.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Wswusezy.exe

pid process

4528 Wswusezy.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Wswusezy.exe

pid	process
4528	Wswusezy.exe

Drops file in Windows directory 8 IoCs

Processes:

svchost.exeTiWorker.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Wswusezy.exe

pid process

4528 Wswusezy.exe
4528 Wswusezy.exe

pid	process
4528	Wswusezy.exe
4528	Wswusezy.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exeTiWorker.exe

description	pid	process
Token: SeShutdownPrivilege	4148	svchost.exe
Token: SeCreatePagefilePrivilege	4148	svchost.exe
Token: SeShutdownPrivilege	4148	svchost.exe
Token: SeCreatePagefilePrivilege	4148	svchost.exe
Token: SeShutdownPrivilege	4148	svchost.exe
Token: SeCreatePagefilePrivilege	4148	svchost.exe
Token: SeSecurityPrivilege	2188	TiWorker.exe
Token: SeRestorePrivilege	2188	TiWorker.exe
Token: SeBackupPrivilege	2188	TiWorker.exe
Token: SeBackupPrivilege	2188	TiWorker.exe
Token: SeRestorePrivilege	2188	TiWorker.exe
Token: SeSecurityPrivilege	2188	TiWorker.exe
Token: SeBackupPrivilege	2188	TiWorker.exe
Token: SeRestorePrivilege	2188	TiWorker.exe
Token: SeSecurityPrivilege	2188	TiWorker.exe
Token: SeBackupPrivilege	2188	TiWorker.exe
Token: SeRestorePrivilege	2188	TiWorker.exe
Token: SeSecurityPrivilege	2188	TiWorker.exe
Token: SeBackupPrivilege	2188	TiWorker.exe
Token: SeRestorePrivilege	2188	TiWorker.exe
Token: SeSecurityPrivilege	2188	TiWorker.exe
Token: SeBackupPrivilege	2188	TiWorker.exe
Token: SeRestorePrivilege	2188	TiWorker.exe
Token: SeSecurityPrivilege	2188	TiWorker.exe
Token: SeBackupPrivilege	2188	TiWorker.exe
Token: SeRestorePrivilege	2188	TiWorker.exe
Token: SeSecurityPrivilege	2188	TiWorker.exe
Token: SeBackupPrivilege	2188	TiWorker.exe
Token: SeRestorePrivilege	2188	TiWorker.exe
Token: SeSecurityPrivilege	2188	TiWorker.exe
Token: SeBackupPrivilege	2188	TiWorker.exe
Token: SeRestorePrivilege	2188	TiWorker.exe
Token: SeSecurityPrivilege	2188	TiWorker.exe
Token: SeBackupPrivilege	2188	TiWorker.exe
Token: SeRestorePrivilege	2188	TiWorker.exe
Token: SeSecurityPrivilege	2188	TiWorker.exe
Token: SeBackupPrivilege	2188	TiWorker.exe
Token: SeRestorePrivilege	2188	TiWorker.exe
Token: SeSecurityPrivilege	2188	TiWorker.exe
Token: SeBackupPrivilege	2188	TiWorker.exe
Token: SeRestorePrivilege	2188	TiWorker.exe
Token: SeSecurityPrivilege	2188	TiWorker.exe
Token: SeBackupPrivilege	2188	TiWorker.exe
Token: SeRestorePrivilege	2188	TiWorker.exe
Token: SeSecurityPrivilege	2188	TiWorker.exe
Token: SeBackupPrivilege	2188	TiWorker.exe
Token: SeRestorePrivilege	2188	TiWorker.exe
Token: SeSecurityPrivilege	2188	TiWorker.exe
Token: SeBackupPrivilege	2188	TiWorker.exe
Token: SeRestorePrivilege	2188	TiWorker.exe
Token: SeSecurityPrivilege	2188	TiWorker.exe
Token: SeBackupPrivilege	2188	TiWorker.exe
Token: SeRestorePrivilege	2188	TiWorker.exe
Token: SeSecurityPrivilege	2188	TiWorker.exe
Token: SeBackupPrivilege	2188	TiWorker.exe
Token: SeRestorePrivilege	2188	TiWorker.exe
Token: SeSecurityPrivilege	2188	TiWorker.exe
Token: SeBackupPrivilege	2188	TiWorker.exe
Token: SeRestorePrivilege	2188	TiWorker.exe
Token: SeSecurityPrivilege	2188	TiWorker.exe
Token: SeBackupPrivilege	2188	TiWorker.exe
Token: SeRestorePrivilege	2188	TiWorker.exe
Token: SeSecurityPrivilege	2188	TiWorker.exe
Token: SeBackupPrivilege	2188	TiWorker.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

3fe6e95aaf5e6563084597ae6a03283dc6e8c2d6be2d73b0ffd148f20796baad.exeMjvefxboy.exefondue.exe

description	pid	process	target process
PID 4200 wrote to memory of 4624	4200	3fe6e95aaf5e6563084597ae6a03283dc6e8c2d6be2d73b0ffd148f20796baad.exe	Mjvefxboy.exe
PID 4200 wrote to memory of 4624	4200	3fe6e95aaf5e6563084597ae6a03283dc6e8c2d6be2d73b0ffd148f20796baad.exe	Mjvefxboy.exe
PID 4200 wrote to memory of 4624	4200	3fe6e95aaf5e6563084597ae6a03283dc6e8c2d6be2d73b0ffd148f20796baad.exe	Mjvefxboy.exe
PID 4624 wrote to memory of 4548	4624	Mjvefxboy.exe	fondue.exe
PID 4624 wrote to memory of 4548	4624	Mjvefxboy.exe	fondue.exe
PID 4624 wrote to memory of 4548	4624	Mjvefxboy.exe	fondue.exe
PID 4548 wrote to memory of 4764	4548	fondue.exe	FonDUE.EXE
PID 4548 wrote to memory of 4764	4548	fondue.exe	FonDUE.EXE
PID 4200 wrote to memory of 4528	4200	3fe6e95aaf5e6563084597ae6a03283dc6e8c2d6be2d73b0ffd148f20796baad.exe	Wswusezy.exe
PID 4200 wrote to memory of 4528	4200	3fe6e95aaf5e6563084597ae6a03283dc6e8c2d6be2d73b0ffd148f20796baad.exe	Wswusezy.exe

C:\Users\Admin\AppData\Local\Temp\3fe6e95aaf5e6563084597ae6a03283dc6e8c2d6be2d73b0ffd148f20796baad.exe
"C:\Users\Admin\AppData\Local\Temp\3fe6e95aaf5e6563084597ae6a03283dc6e8c2d6be2d73b0ffd148f20796baad.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4200

C:\Users\Admin\AppData\Local\Temp\Mjvefxboy.exe
"C:\Users\Admin\AppData\Local\Temp\Mjvefxboy.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4624

C:\Windows\SysWOW64\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
3⤵
- Suspicious use of WriteProcessMemory
PID:4548

C:\Windows\system32\FonDUE.EXE
"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
4⤵
PID:4764

C:\Users\Admin\AppData\Local\Temp\Wswusezy.exe
"C:\Users\Admin\AppData\Local\Temp\Wswusezy.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4148

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2188

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Mjvefxboy.exe

MD5
dec36bf7639ccc492d17d817bb9743ee

SHA1
0a9d1d4f48c03d07cd43515b34281c16cac15c1c

SHA256
6165dd61ae8c210fa5264c8efae10e8c1414316d494dee1b50418876aeacae24

SHA512
1bf8e52d0e9dc3b02987397343a052699465e5d1a87b58a6b3746a8833af2946053f0440c15cb1343e0d89485ea79b474386b76fe350706d9185a15e57c3a2af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mjvefxboy.exe

MD5
dec36bf7639ccc492d17d817bb9743ee

SHA1
0a9d1d4f48c03d07cd43515b34281c16cac15c1c

SHA256
6165dd61ae8c210fa5264c8efae10e8c1414316d494dee1b50418876aeacae24

SHA512
1bf8e52d0e9dc3b02987397343a052699465e5d1a87b58a6b3746a8833af2946053f0440c15cb1343e0d89485ea79b474386b76fe350706d9185a15e57c3a2af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wswusezy.exe

MD5
f52a6ae71fc0404d0359dc2775bfd56b

SHA1
c3b16715c3e5bb43ab6f1c7ef27c4e9e8f896d28

SHA256
b76a79a90072e501c691fe8bde47b693f75be1ca254a034ec03fedf1862e6e10

SHA512
f1201b5dc4e735c912ff20b60601cd8c04df30a7f86dd87be4d704cf2575b033c88448d9ab7af84395bb1747889f5c8ace6576cd50c0722ae936d0fa01649781

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wswusezy.exe

MD5
f52a6ae71fc0404d0359dc2775bfd56b

SHA1
c3b16715c3e5bb43ab6f1c7ef27c4e9e8f896d28

SHA256
b76a79a90072e501c691fe8bde47b693f75be1ca254a034ec03fedf1862e6e10

SHA512
f1201b5dc4e735c912ff20b60601cd8c04df30a7f86dd87be4d704cf2575b033c88448d9ab7af84395bb1747889f5c8ace6576cd50c0722ae936d0fa01649781

Download Submit
memory/4148-147-0x00000261711C0000-0x00000261711C4000-memory.dmp

Filesize
16KB

Download
memory/4148-146-0x000002616EB20000-0x000002616EB30000-memory.dmp

Filesize
64KB

Download
memory/4148-145-0x000002616E560000-0x000002616E570000-memory.dmp

Filesize
64KB

Download
memory/4200-134-0x0000000002E90000-0x0000000002E9A000-memory.dmp

Filesize
40KB

Download
memory/4200-135-0x0000000005970000-0x0000000005971000-memory.dmp

Filesize
4KB

Download
memory/4200-130-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/4200-133-0x0000000074ACE000-0x0000000074ACF000-memory.dmp

Filesize
4KB

Download
memory/4200-132-0x0000000002C40000-0x0000000002CD2000-memory.dmp

Filesize
584KB

Download
memory/4200-131-0x0000000005280000-0x0000000005824000-memory.dmp

Filesize
5.6MB

Download
memory/4528-140-0x00007FF956F30000-0x00007FF956F32000-memory.dmp

Filesize
8KB

Download
memory/4528-141-0x00007FF6CB360000-0x00007FF6CC938000-memory.dmp

Filesize
21.8MB

Download
memory/4528-142-0x00007FF6CB360000-0x00007FF6CC938000-memory.dmp

Filesize
21.8MB

Download
memory/4528-143-0x00007FF6CB360000-0x00007FF6CC938000-memory.dmp

Filesize
21.8MB

Download
memory/4528-144-0x00007FF6CB360000-0x00007FF6CC938000-memory.dmp

Filesize
21.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads