njrat | 3f16985a58d42af0b56b8cbcefbfea709d32b3041633c4037f4d46cddb6b16e6

Analysis

max time kernel
4294211s
max time network
130s
platform
windows7_x64
resource
win7-20220223-en
submitted
10-03-2022 23:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f16985a58d42af0b56b8cbcefbfea709d32b3041633c4037f4d46cddb6b16e6.exe
Size

2.1MB
MD5

c0d3b6f38e5253f59f2f15cdcf14edf0
SHA1

4442c0d76b86470ebd8d8cea91382107ff9ad96d
SHA256

3f16985a58d42af0b56b8cbcefbfea709d32b3041633c4037f4d46cddb6b16e6
SHA512

578d245a5e7444a741d946dd20b7e9506ac7436ed08132af7549d12f293b9e92d9c3c7174284c92a7a8802211799dc09847f3428c758da0632c471b3aa80e696

Score

10^/10

njrat hack evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacK

127.0.0.1:1234

Mutex

8a6179254fb2f1e73fe707c1a92f1876

Attributes

reg_key
8a6179254fb2f1e73fe707c1a92f1876
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Nirsoft 4 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Process Modules DLL.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\Process Modules DLL.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\Process Modules DLL.exe	Nirsoft
behavioral1/memory/864-62-0x0000000000F40000-0x000000000103C000-memory.dmp	Nirsoft

Executes dropped EXE 3 IoCs

Processes:

Server.exeProcess Modules DLL.exeserver.exe

pid process

1876 Server.exe
864 Process Modules DLL.exe
292 server.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
1876	Server.exe
864	Process Modules DLL.exe
292	server.exe

Drops startup file 2 IoCs

Processes:

server.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8a6179254fb2f1e73fe707c1a92f1876.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8a6179254fb2f1e73fe707c1a92f1876.exe	server.exe

Loads dropped DLL 3 IoCs

Processes:

3f16985a58d42af0b56b8cbcefbfea709d32b3041633c4037f4d46cddb6b16e6.exeServer.exe

pid	process
2040	3f16985a58d42af0b56b8cbcefbfea709d32b3041633c4037f4d46cddb6b16e6.exe
2040	3f16985a58d42af0b56b8cbcefbfea709d32b3041633c4037f4d46cddb6b16e6.exe
1876	Server.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

server.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\8a6179254fb2f1e73fe707c1a92f1876 = "\"C:\\Users\\Admin\\AppData\\Roaming\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\8a6179254fb2f1e73fe707c1a92f1876 = "\"C:\\Users\\Admin\\AppData\\Roaming\\server.exe\" .."	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Process Modules DLL.exe

pid process

864 Process Modules DLL.exe

pid	process
864	Process Modules DLL.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

server.exe

description	pid	process
Token: SeDebugPrivilege	292	server.exe
Token: 33	292	server.exe
Token: SeIncBasePriorityPrivilege	292	server.exe
Token: 33	292	server.exe
Token: SeIncBasePriorityPrivilege	292	server.exe
Token: 33	292	server.exe
Token: SeIncBasePriorityPrivilege	292	server.exe
Token: 33	292	server.exe
Token: SeIncBasePriorityPrivilege	292	server.exe
Token: 33	292	server.exe
Token: SeIncBasePriorityPrivilege	292	server.exe
Token: 33	292	server.exe
Token: SeIncBasePriorityPrivilege	292	server.exe
Token: 33	292	server.exe
Token: SeIncBasePriorityPrivilege	292	server.exe
Token: 33	292	server.exe
Token: SeIncBasePriorityPrivilege	292	server.exe
Token: 33	292	server.exe
Token: SeIncBasePriorityPrivilege	292	server.exe
Token: 33	292	server.exe
Token: SeIncBasePriorityPrivilege	292	server.exe
Token: 33	292	server.exe
Token: SeIncBasePriorityPrivilege	292	server.exe
Token: 33	292	server.exe
Token: SeIncBasePriorityPrivilege	292	server.exe
Token: 33	292	server.exe
Token: SeIncBasePriorityPrivilege	292	server.exe
Token: 33	292	server.exe
Token: SeIncBasePriorityPrivilege	292	server.exe
Token: 33	292	server.exe
Token: SeIncBasePriorityPrivilege	292	server.exe
Token: 33	292	server.exe
Token: SeIncBasePriorityPrivilege	292	server.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

3f16985a58d42af0b56b8cbcefbfea709d32b3041633c4037f4d46cddb6b16e6.exeServer.exeserver.exe

description	pid	process	target process
PID 2040 wrote to memory of 1876	2040	3f16985a58d42af0b56b8cbcefbfea709d32b3041633c4037f4d46cddb6b16e6.exe	Server.exe
PID 2040 wrote to memory of 1876	2040	3f16985a58d42af0b56b8cbcefbfea709d32b3041633c4037f4d46cddb6b16e6.exe	Server.exe
PID 2040 wrote to memory of 1876	2040	3f16985a58d42af0b56b8cbcefbfea709d32b3041633c4037f4d46cddb6b16e6.exe	Server.exe
PID 2040 wrote to memory of 1876	2040	3f16985a58d42af0b56b8cbcefbfea709d32b3041633c4037f4d46cddb6b16e6.exe	Server.exe
PID 2040 wrote to memory of 864	2040	3f16985a58d42af0b56b8cbcefbfea709d32b3041633c4037f4d46cddb6b16e6.exe	Process Modules DLL.exe
PID 2040 wrote to memory of 864	2040	3f16985a58d42af0b56b8cbcefbfea709d32b3041633c4037f4d46cddb6b16e6.exe	Process Modules DLL.exe
PID 2040 wrote to memory of 864	2040	3f16985a58d42af0b56b8cbcefbfea709d32b3041633c4037f4d46cddb6b16e6.exe	Process Modules DLL.exe
PID 2040 wrote to memory of 864	2040	3f16985a58d42af0b56b8cbcefbfea709d32b3041633c4037f4d46cddb6b16e6.exe	Process Modules DLL.exe
PID 1876 wrote to memory of 292	1876	Server.exe	server.exe
PID 1876 wrote to memory of 292	1876	Server.exe	server.exe
PID 1876 wrote to memory of 292	1876	Server.exe	server.exe
PID 1876 wrote to memory of 292	1876	Server.exe	server.exe
PID 292 wrote to memory of 1164	292	server.exe	netsh.exe
PID 292 wrote to memory of 1164	292	server.exe	netsh.exe
PID 292 wrote to memory of 1164	292	server.exe	netsh.exe
PID 292 wrote to memory of 1164	292	server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\3f16985a58d42af0b56b8cbcefbfea709d32b3041633c4037f4d46cddb6b16e6.exe
"C:\Users\Admin\AppData\Local\Temp\3f16985a58d42af0b56b8cbcefbfea709d32b3041633c4037f4d46cddb6b16e6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1876

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:292

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
4⤵
PID:1164

C:\Users\Admin\AppData\Local\Temp\Process Modules DLL.exe
"C:\Users\Admin\AppData\Local\Temp\Process Modules DLL.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:864

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Process Modules DLL.exe
MD5
d27ba7e620a8c3a36b62d3a983d3fe61

SHA1
ac86faf6c358002254a032d4f7a9bdbef093c573

SHA256
3d793d0f14382c8f28ba9efd2f35bfb18c2abaf5f4654d81726ddebe4310fa07

SHA512
e0ef5dac3c50fe6bf1e03116dd7239d89c85d0a47bf2254705c1f4527b1b4843cc5b04ed76d5f618a61f127c6b54587e2e02f7050525d819f6aa3b93ede91a00

Download Submit
C:\Users\Admin\AppData\Local\Temp\Process Modules DLL.exe
MD5
d27ba7e620a8c3a36b62d3a983d3fe61

SHA1
ac86faf6c358002254a032d4f7a9bdbef093c573

SHA256
3d793d0f14382c8f28ba9efd2f35bfb18c2abaf5f4654d81726ddebe4310fa07

SHA512
e0ef5dac3c50fe6bf1e03116dd7239d89c85d0a47bf2254705c1f4527b1b4843cc5b04ed76d5f618a61f127c6b54587e2e02f7050525d819f6aa3b93ede91a00

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
MD5
cd756c506aedc1507c79b7c81d51dfe0

SHA1
0428b30df265076b61499266050ecbb461b1ae95

SHA256
3a06815118520f21257729a0ef3a86159f927a9b0f598f442fc2b699b9a8adff

SHA512
9fde72774fd3deba541c69e37343a10e600f6bf4c5111b670397d4740d4d5405c7ba4b0436d12fc796c3662381ec62b226e6801685f5eff75cc7df069bd1f062

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
MD5
cd756c506aedc1507c79b7c81d51dfe0

SHA1
0428b30df265076b61499266050ecbb461b1ae95

SHA256
3a06815118520f21257729a0ef3a86159f927a9b0f598f442fc2b699b9a8adff

SHA512
9fde72774fd3deba541c69e37343a10e600f6bf4c5111b670397d4740d4d5405c7ba4b0436d12fc796c3662381ec62b226e6801685f5eff75cc7df069bd1f062

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe
MD5
cd756c506aedc1507c79b7c81d51dfe0

SHA1
0428b30df265076b61499266050ecbb461b1ae95

SHA256
3a06815118520f21257729a0ef3a86159f927a9b0f598f442fc2b699b9a8adff

SHA512
9fde72774fd3deba541c69e37343a10e600f6bf4c5111b670397d4740d4d5405c7ba4b0436d12fc796c3662381ec62b226e6801685f5eff75cc7df069bd1f062

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe
MD5
cd756c506aedc1507c79b7c81d51dfe0

SHA1
0428b30df265076b61499266050ecbb461b1ae95

SHA256
3a06815118520f21257729a0ef3a86159f927a9b0f598f442fc2b699b9a8adff

SHA512
9fde72774fd3deba541c69e37343a10e600f6bf4c5111b670397d4740d4d5405c7ba4b0436d12fc796c3662381ec62b226e6801685f5eff75cc7df069bd1f062

Download Submit
\Users\Admin\AppData\Local\Temp\Process Modules DLL.exe
MD5
d27ba7e620a8c3a36b62d3a983d3fe61

SHA1
ac86faf6c358002254a032d4f7a9bdbef093c573

SHA256
3d793d0f14382c8f28ba9efd2f35bfb18c2abaf5f4654d81726ddebe4310fa07

SHA512
e0ef5dac3c50fe6bf1e03116dd7239d89c85d0a47bf2254705c1f4527b1b4843cc5b04ed76d5f618a61f127c6b54587e2e02f7050525d819f6aa3b93ede91a00

Download Submit
\Users\Admin\AppData\Local\Temp\Server.exe
MD5
cd756c506aedc1507c79b7c81d51dfe0

SHA1
0428b30df265076b61499266050ecbb461b1ae95

SHA256
3a06815118520f21257729a0ef3a86159f927a9b0f598f442fc2b699b9a8adff

SHA512
9fde72774fd3deba541c69e37343a10e600f6bf4c5111b670397d4740d4d5405c7ba4b0436d12fc796c3662381ec62b226e6801685f5eff75cc7df069bd1f062

Download Submit
\Users\Admin\AppData\Roaming\server.exe
MD5
cd756c506aedc1507c79b7c81d51dfe0

SHA1
0428b30df265076b61499266050ecbb461b1ae95

SHA256
3a06815118520f21257729a0ef3a86159f927a9b0f598f442fc2b699b9a8adff

SHA512
9fde72774fd3deba541c69e37343a10e600f6bf4c5111b670397d4740d4d5405c7ba4b0436d12fc796c3662381ec62b226e6801685f5eff75cc7df069bd1f062

Download Submit
memory/292-72-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download
memory/292-73-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/864-67-0x000000001B450000-0x000000001B452000-memory.dmp

Filesize
8KB

Download
memory/864-64-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp

Filesize
9.9MB

Download
memory/864-62-0x0000000000F40000-0x000000000103C000-memory.dmp

Filesize
1008KB

Download
memory/864-75-0x000000001B452000-0x000000001B453000-memory.dmp

Filesize
4KB

Download
memory/864-76-0x000000001B457000-0x000000001B476000-memory.dmp

Filesize
124KB

Download
memory/1876-66-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download
memory/1876-65-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/1876-63-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download
memory/2040-54-0x0000000075751000-0x0000000075753000-memory.dmp

Filesize
8KB

Download