njrat | ed2483ea2768ee40839a832f2e2771ea56c476a3622687e7b476aabb59f65d20

General

Target

ed2483ea2768ee40839a832f2e2771ea56c476a3622687e7b476aabb59f65d20.exe
Size

229KB
MD5

7d276dfb51b873aa1fa8d512a961b8e7
SHA1

0070198c1e94602fdc435a5933990861e9d7836c
SHA256

ed2483ea2768ee40839a832f2e2771ea56c476a3622687e7b476aabb59f65d20
SHA512

11f360bbe72a90c9364fb4f9d8d8659bb82d18745077cb85b08b158bbdabc05735f0b38a4710c42759d2bca23cbbebd0e77159228f8754ac7553ef1ccc05327e

Score

10^/10

njrat system persistence trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

system

C2

urbanhuman123.duckdns.org:3131

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

Tempwinlogon.exesystemupdate.exe

pid process

1724 Tempwinlogon.exe
840 systemupdate.exe

pid	process
1724	Tempwinlogon.exe
840	systemupdate.exe

Drops startup file 2 IoCs

Processes:

systemupdate.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Update.exe	systemupdate.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Update.exe	systemupdate.exe

Loads dropped DLL 1 IoCs

Processes:

Tempwinlogon.exe

pid process

1724 Tempwinlogon.exe

pid	process
1724	Tempwinlogon.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

systemupdate.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\systemupdate.exe\" .."	systemupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\systemupdate.exe\" .."	systemupdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

Tempwinlogon.exesystemupdate.exe

pid process

1724 Tempwinlogon.exe
840 systemupdate.exe

pid	process
1724	Tempwinlogon.exe
840	systemupdate.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

systemupdate.exe

description	pid	process
Token: SeDebugPrivilege	840	systemupdate.exe
Token: 33	840	systemupdate.exe
Token: SeIncBasePriorityPrivilege	840	systemupdate.exe
Token: 33	840	systemupdate.exe
Token: SeIncBasePriorityPrivilege	840	systemupdate.exe
Token: 33	840	systemupdate.exe
Token: SeIncBasePriorityPrivilege	840	systemupdate.exe
Token: 33	840	systemupdate.exe
Token: SeIncBasePriorityPrivilege	840	systemupdate.exe
Token: 33	840	systemupdate.exe
Token: SeIncBasePriorityPrivilege	840	systemupdate.exe
Token: 33	840	systemupdate.exe
Token: SeIncBasePriorityPrivilege	840	systemupdate.exe
Token: 33	840	systemupdate.exe
Token: SeIncBasePriorityPrivilege	840	systemupdate.exe
Token: 33	840	systemupdate.exe
Token: SeIncBasePriorityPrivilege	840	systemupdate.exe
Token: 33	840	systemupdate.exe
Token: SeIncBasePriorityPrivilege	840	systemupdate.exe
Token: 33	840	systemupdate.exe
Token: SeIncBasePriorityPrivilege	840	systemupdate.exe
Token: 33	840	systemupdate.exe
Token: SeIncBasePriorityPrivilege	840	systemupdate.exe
Token: 33	840	systemupdate.exe
Token: SeIncBasePriorityPrivilege	840	systemupdate.exe
Token: 33	840	systemupdate.exe
Token: SeIncBasePriorityPrivilege	840	systemupdate.exe
Token: 33	840	systemupdate.exe
Token: SeIncBasePriorityPrivilege	840	systemupdate.exe
Token: 33	840	systemupdate.exe
Token: SeIncBasePriorityPrivilege	840	systemupdate.exe
Token: 33	840	systemupdate.exe
Token: SeIncBasePriorityPrivilege	840	systemupdate.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

ed2483ea2768ee40839a832f2e2771ea56c476a3622687e7b476aabb59f65d20.exewscript.exeTempwinlogon.exe

description	pid	process	target process
PID 2000 wrote to memory of 1624	2000	ed2483ea2768ee40839a832f2e2771ea56c476a3622687e7b476aabb59f65d20.exe	wscript.exe
PID 2000 wrote to memory of 1624	2000	ed2483ea2768ee40839a832f2e2771ea56c476a3622687e7b476aabb59f65d20.exe	wscript.exe
PID 2000 wrote to memory of 1624	2000	ed2483ea2768ee40839a832f2e2771ea56c476a3622687e7b476aabb59f65d20.exe	wscript.exe
PID 1624 wrote to memory of 1724	1624	wscript.exe	Tempwinlogon.exe
PID 1624 wrote to memory of 1724	1624	wscript.exe	Tempwinlogon.exe
PID 1624 wrote to memory of 1724	1624	wscript.exe	Tempwinlogon.exe
PID 1624 wrote to memory of 1724	1624	wscript.exe	Tempwinlogon.exe
PID 1724 wrote to memory of 840	1724	Tempwinlogon.exe	systemupdate.exe
PID 1724 wrote to memory of 840	1724	Tempwinlogon.exe	systemupdate.exe
PID 1724 wrote to memory of 840	1724	Tempwinlogon.exe	systemupdate.exe
PID 1724 wrote to memory of 840	1724	Tempwinlogon.exe	systemupdate.exe
PID 1724 wrote to memory of 840	1724	Tempwinlogon.exe	systemupdate.exe
PID 1724 wrote to memory of 840	1724	Tempwinlogon.exe	systemupdate.exe
PID 1724 wrote to memory of 840	1724	Tempwinlogon.exe	systemupdate.exe

C:\Users\Admin\AppData\Local\Temp\ed2483ea2768ee40839a832f2e2771ea56c476a3622687e7b476aabb59f65d20.exe
"C:\Users\Admin\AppData\Local\Temp\ed2483ea2768ee40839a832f2e2771ea56c476a3622687e7b476aabb59f65d20.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\system32\wscript.exe
"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\36C9.tmp\36CA.tmp\36CB.vbs //Nologo
2⤵
- Suspicious use of WriteProcessMemory
PID:1624

C:\Users\Admin\AppData\Local\Tempwinlogon.exe
"C:\Users\Admin\AppData\Local\Tempwinlogon.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1724

C:\Users\Admin\AppData\Local\Temp\systemupdate.exe
"C:\Users\Admin\AppData\Local\Temp\systemupdate.exe"
4⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:840

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\36C9.tmp\36CA.tmp\36CB.vbs
Filesize
175KB

MD5
f9a5ce69bedccc0300a55805c53d5298

SHA1
667b32641419b4d11deb03601fd6ac460fa61b70

SHA256
e3dff2b35df20d4cc148d246bd9cef6848e37e768f55156de4e5eb40f82a9cab

SHA512
530c86fee6cba3f4e3b390c8bed345dd11f2c1f10c5d51ed7de16bc90f90d85f887f99c8a6623ffd9e0c78fca38052994e7bbe2b068422c846228888ffbcd78b

Download Submit
C:\Users\Admin\AppData\Local\Temp\systemupdate.exe
Filesize
43KB

MD5
01cd1273407dc0ac4979fcb85fd7c1b2

SHA1
2c6e2a2ffbe0c98cf378396f41059fb8f40afbed

SHA256
80e24cd9cc94e7d896e564373a3145ea1dbb3252d5249b89a8d17470776edadc

SHA512
b39e83caddb954a9f05cb14ecb5d813336fd5cb477aab91194f8fd631f6af274c3c17705d5fb38e4cf2c7c9096868661a294b46b3557292de4d92ece6251d640

Download Submit
C:\Users\Admin\AppData\Local\Temp\systemupdate.exe
Filesize
43KB

MD5
01cd1273407dc0ac4979fcb85fd7c1b2

SHA1
2c6e2a2ffbe0c98cf378396f41059fb8f40afbed

SHA256
80e24cd9cc94e7d896e564373a3145ea1dbb3252d5249b89a8d17470776edadc

SHA512
b39e83caddb954a9f05cb14ecb5d813336fd5cb477aab91194f8fd631f6af274c3c17705d5fb38e4cf2c7c9096868661a294b46b3557292de4d92ece6251d640

Download Submit
C:\Users\Admin\AppData\Local\Tempwinlogon.exe
Filesize
43KB

MD5
01cd1273407dc0ac4979fcb85fd7c1b2

SHA1
2c6e2a2ffbe0c98cf378396f41059fb8f40afbed

SHA256
80e24cd9cc94e7d896e564373a3145ea1dbb3252d5249b89a8d17470776edadc

SHA512
b39e83caddb954a9f05cb14ecb5d813336fd5cb477aab91194f8fd631f6af274c3c17705d5fb38e4cf2c7c9096868661a294b46b3557292de4d92ece6251d640

Download Submit
C:\Users\Admin\AppData\Local\Tempwinlogon.exe
Filesize
43KB

MD5
01cd1273407dc0ac4979fcb85fd7c1b2

SHA1
2c6e2a2ffbe0c98cf378396f41059fb8f40afbed

SHA256
80e24cd9cc94e7d896e564373a3145ea1dbb3252d5249b89a8d17470776edadc

SHA512
b39e83caddb954a9f05cb14ecb5d813336fd5cb477aab91194f8fd631f6af274c3c17705d5fb38e4cf2c7c9096868661a294b46b3557292de4d92ece6251d640

Download Submit
\Users\Admin\AppData\Local\Temp\systemupdate.exe
Filesize
43KB

MD5
01cd1273407dc0ac4979fcb85fd7c1b2

SHA1
2c6e2a2ffbe0c98cf378396f41059fb8f40afbed

SHA256
80e24cd9cc94e7d896e564373a3145ea1dbb3252d5249b89a8d17470776edadc

SHA512
b39e83caddb954a9f05cb14ecb5d813336fd5cb477aab91194f8fd631f6af274c3c17705d5fb38e4cf2c7c9096868661a294b46b3557292de4d92ece6251d640

Download Submit
memory/840-64-0x0000000000000000-mapping.dmp

Download
memory/840-68-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/1624-55-0x0000000000000000-mapping.dmp

Download
memory/1724-58-0x0000000000000000-mapping.dmp

Download
memory/1724-62-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/1724-61-0x0000000074C61000-0x0000000074C63000-memory.dmp

Filesize
8KB

Download
memory/2000-54-0x000007FEFB6D1000-0x000007FEFB6D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads