njrat | a93ed17c2c3e33f492b26db316abb8a4d32923e03b2387b3076b2e00f7e7d732

Analysis

max time kernel
111s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
09-03-2022 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a93ed17c2c3e33f492b26db316abb8a4d32923e03b2387b3076b2e00f7e7d732.exe
Size

3.2MB
MD5

e33258409be6c2628cd2367ce1263386
SHA1

286a63a65463122c70eb82dadeb3ecca10aa68bc
SHA256

a93ed17c2c3e33f492b26db316abb8a4d32923e03b2387b3076b2e00f7e7d732
SHA512

0a10f5c4421af38785bd8fe672914574994525cfbc489e50c99c6242fead6c2720de4bc105e72db0793565f9b3ce667b28f69c890ae439dad68fab4ee161d5be

Score

10^/10

njrat hacker persistence trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

hacker

0.tcp.ngrok.io:18133

Mutex

707b4c9b457e788982fbb6845d3f32eb

Attributes

reg_key
707b4c9b457e788982fbb6845d3f32eb
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

CDS.execrypted.exe

pid process

3396 CDS.exe
3248 crypted.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

CDS.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation CDS.exe
Loads dropped DLL 1 IoCs

Processes:

CDS.exe

pid process

3396 CDS.exe

pid	process
3396	CDS.exe
3248	crypted.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	CDS.exe

pid	process
3396	CDS.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a93ed17c2c3e33f492b26db316abb8a4d32923e03b2387b3076b2e00f7e7d732.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a93ed17c2c3e33f492b26db316abb8a4d32923e03b2387b3076b2e00f7e7d732.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a93ed17c2c3e33f492b26db316abb8a4d32923e03b2387b3076b2e00f7e7d732.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

CDS.exe

pid process

3396 CDS.exe
3396 CDS.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 2028 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 2028 AUDIODG.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

CDS.exe

pid process

3396 CDS.exe
3396 CDS.exe

pid	process
3396	CDS.exe
3396	CDS.exe

description	pid	process
Token: 33	2028	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2028	AUDIODG.EXE

pid	process
3396	CDS.exe
3396	CDS.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

a93ed17c2c3e33f492b26db316abb8a4d32923e03b2387b3076b2e00f7e7d732.exeCDS.execrypted.exefondue.exe

description	pid	process	target process
PID 3152 wrote to memory of 3396	3152	a93ed17c2c3e33f492b26db316abb8a4d32923e03b2387b3076b2e00f7e7d732.exe	CDS.exe
PID 3152 wrote to memory of 3396	3152	a93ed17c2c3e33f492b26db316abb8a4d32923e03b2387b3076b2e00f7e7d732.exe	CDS.exe
PID 3152 wrote to memory of 3396	3152	a93ed17c2c3e33f492b26db316abb8a4d32923e03b2387b3076b2e00f7e7d732.exe	CDS.exe
PID 3396 wrote to memory of 3248	3396	CDS.exe	crypted.exe
PID 3396 wrote to memory of 3248	3396	CDS.exe	crypted.exe
PID 3396 wrote to memory of 3248	3396	CDS.exe	crypted.exe
PID 3248 wrote to memory of 3108	3248	crypted.exe	fondue.exe
PID 3248 wrote to memory of 3108	3248	crypted.exe	fondue.exe
PID 3248 wrote to memory of 3108	3248	crypted.exe	fondue.exe
PID 3108 wrote to memory of 2544	3108	fondue.exe	FonDUE.EXE
PID 3108 wrote to memory of 2544	3108	fondue.exe	FonDUE.EXE

C:\Users\Admin\AppData\Local\Temp\a93ed17c2c3e33f492b26db316abb8a4d32923e03b2387b3076b2e00f7e7d732.exe
"C:\Users\Admin\AppData\Local\Temp\a93ed17c2c3e33f492b26db316abb8a4d32923e03b2387b3076b2e00f7e7d732.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3152

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3396

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3248

C:\Windows\SysWOW64\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
4⤵
- Suspicious use of WriteProcessMemory
PID:3108

C:\Windows\system32\FonDUE.EXE
"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
5⤵
PID:2544

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4e0 0x500
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2028

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\630_10.png
MD5
340b294efc691d1b20c64175d565ebc7

SHA1
81cb9649bd1c9a62ae79e781818fc24d15c29ce7

SHA256
72566894059452101ea836bbff9ede5069141eeb52022ab55baa24e1666825c9

SHA512
1395a8e175c63a1a1ff459a9dac437156c74299272e020e7e078a087969251a8534f17244a529acbc1b6800a97d4c0abfa3c88f6fcb88423f56dfaae9b49fc3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.cdd
MD5
3e7ecaeb51c2812d13b07ec852d74aaf

SHA1
e9bdab93596ffb0f7f8c65243c579180939acb26

SHA256
e7e942993864e8b18780ef10a415f7b93924c6378248c52f0c96895735222b96

SHA512
635cd5173b595f1905af9eeea65037601cf8496d519c506b6d082662d438c26a1bfe653eaf6edcb117ccf8767975c37ab0238ca4c77574e2706f9b238a15ad4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
MD5
424bf196deaeb4ddcafb78e137fa560a

SHA1
007738e9486c904a3115daa6e8ba2ee692af58c8

SHA256
0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2

SHA512
a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
MD5
424bf196deaeb4ddcafb78e137fa560a

SHA1
007738e9486c904a3115daa6e8ba2ee692af58c8

SHA256
0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2

SHA512
a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c.dat
MD5
d7ab528ef810ec5fd2d679e09bbd20ba

SHA1
cd690dbe2bf409c709947626ed85ec87528e01e5

SHA256
0781188943a85229f4f8a692f43bdf556c65a8e47496647e9f9bc526c1c55e2d

SHA512
446890826462a064e52444819f5696a0d7226d82770c4c0f509e10cfe02f8a1d50bf8f1b79ca9a56e569d64f7222e1a1560d84c9f831698ddfdb19f7833914dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
MD5
f45f8f7c9061b9176b601b990136267d

SHA1
9f7d79e890b8a01e89afeebe600de7f8e75beb29

SHA256
c5d40a6a31477379f5376a70445c642d1a4f2902aa1e3270a93d959d07322019

SHA512
3d86953f67cb6609c9550e7ecd61355c04fd9bfe93e520395bed892f7aa75a742bfabc5a68a96269ff8b6835cd9405e683410a2ba53c9f58db2e03a858e82514

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
MD5
f45f8f7c9061b9176b601b990136267d

SHA1
9f7d79e890b8a01e89afeebe600de7f8e75beb29

SHA256
c5d40a6a31477379f5376a70445c642d1a4f2902aa1e3270a93d959d07322019

SHA512
3d86953f67cb6609c9550e7ecd61355c04fd9bfe93e520395bed892f7aa75a742bfabc5a68a96269ff8b6835cd9405e683410a2ba53c9f58db2e03a858e82514

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fs.settings
MD5
68934a3e9455fa72420237eb05902327

SHA1
7cb6efb98ba5972a9b5090dc2e517fe14d12cb04

SHA256
fcbcf165908dd18a9e49f7ff27810176db8e9f63b4352213741664245224f8aa

SHA512
719fa67eef49c4b2a2b83f0c62bddd88c106aaadb7e21ae057c8802b700e36f81fe3f144812d8b05d66dc663d908b25645e153262cf6d457aa34e684af9e328d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll
MD5
c3256800dce47c14acc83ccca4c3e2ac

SHA1
9d126818c66991dbc3813a65eddb88bbcf77f30a

SHA256
f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866

SHA512
6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll
MD5
c3256800dce47c14acc83ccca4c3e2ac

SHA1
9d126818c66991dbc3813a65eddb88bbcf77f30a

SHA256
f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866

SHA512
6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25

Download Submit