njrat | e6e87151daaf725992dd568559325789058b681d9a615ab40ad28f23ea2a63ad

Analysis

max time kernel
4294211s
max time network
128s
platform
windows7_x64
resource
win7-20220311-en
submitted
28-03-2022 16:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6e87151daaf725992dd568559325789058b681d9a615ab40ad28f23ea2a63ad.exe
Size

3.2MB
MD5

1f4471d1fb4cf66f97b4fefb6ce5f489
SHA1

f26121f7400b3284a5ba231678b8ca82f77cb0e1
SHA256

e6e87151daaf725992dd568559325789058b681d9a615ab40ad28f23ea2a63ad
SHA512

f57289013e805d84d78e978adfbc663d050c92bff57c53b554977892ac355bf75caf9795ffcddb09b44c16f47b10cc10a293b1cb11178b37289c14bba4db670a

Score

10^/10

njrat zombie evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

Haf4me

Botnet

zombie

getrattedlol.inner574.kro.kr:666

Mutex

1553eeb1b07c73f12f12cb58bb315e07

Attributes

reg_key
1553eeb1b07c73f12f12cb58bb315e07
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

CDS.execrypted.exe

pid process

804 CDS.exe
740 crypted.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
804	CDS.exe
740	crypted.exe

Drops startup file 2 IoCs

Processes:

crypted.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1553eeb1b07c73f12f12cb58bb315e07.exe	crypted.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1553eeb1b07c73f12f12cb58bb315e07.exe	crypted.exe

Loads dropped DLL 8 IoCs

Processes:

e6e87151daaf725992dd568559325789058b681d9a615ab40ad28f23ea2a63ad.exeCDS.execrypted.exe

pid	process
1764	e6e87151daaf725992dd568559325789058b681d9a615ab40ad28f23ea2a63ad.exe
804	CDS.exe
804	CDS.exe
804	CDS.exe
804	CDS.exe
804	CDS.exe
804	CDS.exe
740	crypted.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e6e87151daaf725992dd568559325789058b681d9a615ab40ad28f23ea2a63ad.execrypted.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e6e87151daaf725992dd568559325789058b681d9a615ab40ad28f23ea2a63ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e6e87151daaf725992dd568559325789058b681d9a615ab40ad28f23ea2a63ad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\1553eeb1b07c73f12f12cb58bb315e07 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\crypted.exe\" .."	crypted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\1553eeb1b07c73f12f12cb58bb315e07 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\crypted.exe\" .."	crypted.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

CDS.exe

pid process

804 CDS.exe
804 CDS.exe

pid	process
804	CDS.exe
804	CDS.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

crypted.exe

description	pid	process
Token: SeDebugPrivilege	740	crypted.exe
Token: 33	740	crypted.exe
Token: SeIncBasePriorityPrivilege	740	crypted.exe
Token: 33	740	crypted.exe
Token: SeIncBasePriorityPrivilege	740	crypted.exe
Token: 33	740	crypted.exe
Token: SeIncBasePriorityPrivilege	740	crypted.exe
Token: 33	740	crypted.exe
Token: SeIncBasePriorityPrivilege	740	crypted.exe
Token: 33	740	crypted.exe
Token: SeIncBasePriorityPrivilege	740	crypted.exe
Token: 33	740	crypted.exe
Token: SeIncBasePriorityPrivilege	740	crypted.exe
Token: 33	740	crypted.exe
Token: SeIncBasePriorityPrivilege	740	crypted.exe
Token: 33	740	crypted.exe
Token: SeIncBasePriorityPrivilege	740	crypted.exe
Token: 33	740	crypted.exe
Token: SeIncBasePriorityPrivilege	740	crypted.exe
Token: 33	740	crypted.exe
Token: SeIncBasePriorityPrivilege	740	crypted.exe
Token: 33	740	crypted.exe
Token: SeIncBasePriorityPrivilege	740	crypted.exe
Token: 33	740	crypted.exe
Token: SeIncBasePriorityPrivilege	740	crypted.exe
Token: 33	740	crypted.exe
Token: SeIncBasePriorityPrivilege	740	crypted.exe
Token: 33	740	crypted.exe
Token: SeIncBasePriorityPrivilege	740	crypted.exe
Token: 33	740	crypted.exe
Token: SeIncBasePriorityPrivilege	740	crypted.exe
Token: 33	740	crypted.exe
Token: SeIncBasePriorityPrivilege	740	crypted.exe
Token: 33	740	crypted.exe
Token: SeIncBasePriorityPrivilege	740	crypted.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

CDS.exe

pid process

804 CDS.exe
804 CDS.exe

pid	process
804	CDS.exe
804	CDS.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

e6e87151daaf725992dd568559325789058b681d9a615ab40ad28f23ea2a63ad.exeCDS.execrypted.exe

description	pid	process	target process
PID 1764 wrote to memory of 804	1764	e6e87151daaf725992dd568559325789058b681d9a615ab40ad28f23ea2a63ad.exe	CDS.exe
PID 1764 wrote to memory of 804	1764	e6e87151daaf725992dd568559325789058b681d9a615ab40ad28f23ea2a63ad.exe	CDS.exe
PID 1764 wrote to memory of 804	1764	e6e87151daaf725992dd568559325789058b681d9a615ab40ad28f23ea2a63ad.exe	CDS.exe
PID 1764 wrote to memory of 804	1764	e6e87151daaf725992dd568559325789058b681d9a615ab40ad28f23ea2a63ad.exe	CDS.exe
PID 1764 wrote to memory of 804	1764	e6e87151daaf725992dd568559325789058b681d9a615ab40ad28f23ea2a63ad.exe	CDS.exe
PID 1764 wrote to memory of 804	1764	e6e87151daaf725992dd568559325789058b681d9a615ab40ad28f23ea2a63ad.exe	CDS.exe
PID 1764 wrote to memory of 804	1764	e6e87151daaf725992dd568559325789058b681d9a615ab40ad28f23ea2a63ad.exe	CDS.exe
PID 804 wrote to memory of 740	804	CDS.exe	crypted.exe
PID 804 wrote to memory of 740	804	CDS.exe	crypted.exe
PID 804 wrote to memory of 740	804	CDS.exe	crypted.exe
PID 804 wrote to memory of 740	804	CDS.exe	crypted.exe
PID 804 wrote to memory of 740	804	CDS.exe	crypted.exe
PID 804 wrote to memory of 740	804	CDS.exe	crypted.exe
PID 804 wrote to memory of 740	804	CDS.exe	crypted.exe
PID 740 wrote to memory of 1048	740	crypted.exe	netsh.exe
PID 740 wrote to memory of 1048	740	crypted.exe	netsh.exe
PID 740 wrote to memory of 1048	740	crypted.exe	netsh.exe
PID 740 wrote to memory of 1048	740	crypted.exe	netsh.exe
PID 740 wrote to memory of 1048	740	crypted.exe	netsh.exe
PID 740 wrote to memory of 1048	740	crypted.exe	netsh.exe
PID 740 wrote to memory of 1048	740	crypted.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\e6e87151daaf725992dd568559325789058b681d9a615ab40ad28f23ea2a63ad.exe
"C:\Users\Admin\AppData\Local\Temp\e6e87151daaf725992dd568559325789058b681d9a615ab40ad28f23ea2a63ad.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1764

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:804

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:740

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe" "crypted.exe" ENABLE
4⤵
PID:1048

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\630_10.png
Filesize
2KB

MD5
340b294efc691d1b20c64175d565ebc7

SHA1
81cb9649bd1c9a62ae79e781818fc24d15c29ce7

SHA256
72566894059452101ea836bbff9ede5069141eeb52022ab55baa24e1666825c9

SHA512
1395a8e175c63a1a1ff459a9dac437156c74299272e020e7e078a087969251a8534f17244a529acbc1b6800a97d4c0abfa3c88f6fcb88423f56dfaae9b49fc3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.cdd
Filesize
13KB

MD5
3e7ecaeb51c2812d13b07ec852d74aaf

SHA1
e9bdab93596ffb0f7f8c65243c579180939acb26

SHA256
e7e942993864e8b18780ef10a415f7b93924c6378248c52f0c96895735222b96

SHA512
635cd5173b595f1905af9eeea65037601cf8496d519c506b6d082662d438c26a1bfe653eaf6edcb117ccf8767975c37ab0238ca4c77574e2706f9b238a15ad4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
Filesize
6.1MB

MD5
424bf196deaeb4ddcafb78e137fa560a

SHA1
007738e9486c904a3115daa6e8ba2ee692af58c8

SHA256
0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2

SHA512
a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
Filesize
6.1MB

MD5
424bf196deaeb4ddcafb78e137fa560a

SHA1
007738e9486c904a3115daa6e8ba2ee692af58c8

SHA256
0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2

SHA512
a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c.dat
Filesize
23KB

MD5
5b492b84c9ea7a306eb200d978849ff2

SHA1
0b5f5673318e44d61026abf70b6b19006ba4a176

SHA256
5fd8a3204931d21166802abc791bf6a7508778e674c2529d0521767d657926cc

SHA512
94be06a8f4b904c40f0adc8bdd6508cfb0dae9b2f08681f11002ecb9a1eb31aa9fc182b0a73fdd3342926da1d8c008e984d70de4f4f5d284bf1d1228b3d0643f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
Filesize
23KB

MD5
7ddf4766f38f2afff31e9ba389e16356

SHA1
ebbf590eee2c682ca37ba7f5929920ceb0367e86

SHA256
690f7f4eaece0c198796dc8ab45d3920ec066667b1ade56c07254fbfd6e079a1

SHA512
09e59bc227faa516529f808b76604a205d0821ace41bca9cb393ca7afe1d106ebd98608b4a97858ddd48b2dce0cc348bf2e733a28ad779e9a688175ab7483af5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
Filesize
23KB

MD5
7ddf4766f38f2afff31e9ba389e16356

SHA1
ebbf590eee2c682ca37ba7f5929920ceb0367e86

SHA256
690f7f4eaece0c198796dc8ab45d3920ec066667b1ade56c07254fbfd6e079a1

SHA512
09e59bc227faa516529f808b76604a205d0821ace41bca9cb393ca7afe1d106ebd98608b4a97858ddd48b2dce0cc348bf2e733a28ad779e9a688175ab7483af5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fs.settings
Filesize
4B

MD5
b326b5062b2f0e69046810717534cb09

SHA1
5ffe533b830f08a0326348a9160afafc8ada44db

SHA256
b5bea41b6c623f7c09f1bf24dcae58ebab3c0cdd90ad966bc43a45b44867e12b

SHA512
9120cd5faef07a08e971ff024a3fcbea1e3a6b44142a6d82ca28c6c42e4f852595bcf53d81d776f10541045abdb7c37950629415d0dc66c8d86c64a5606d32de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll
Filesize
322KB

MD5
c3256800dce47c14acc83ccca4c3e2ac

SHA1
9d126818c66991dbc3813a65eddb88bbcf77f30a

SHA256
f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866

SHA512
6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
Filesize
6.1MB

MD5
424bf196deaeb4ddcafb78e137fa560a

SHA1
007738e9486c904a3115daa6e8ba2ee692af58c8

SHA256
0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2

SHA512
a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
Filesize
6.1MB

MD5
424bf196deaeb4ddcafb78e137fa560a

SHA1
007738e9486c904a3115daa6e8ba2ee692af58c8

SHA256
0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2

SHA512
a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
Filesize
6.1MB

MD5
424bf196deaeb4ddcafb78e137fa560a

SHA1
007738e9486c904a3115daa6e8ba2ee692af58c8

SHA256
0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2

SHA512
a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
Filesize
23KB

MD5
7ddf4766f38f2afff31e9ba389e16356

SHA1
ebbf590eee2c682ca37ba7f5929920ceb0367e86

SHA256
690f7f4eaece0c198796dc8ab45d3920ec066667b1ade56c07254fbfd6e079a1

SHA512
09e59bc227faa516529f808b76604a205d0821ace41bca9cb393ca7afe1d106ebd98608b4a97858ddd48b2dce0cc348bf2e733a28ad779e9a688175ab7483af5

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
Filesize
23KB

MD5
7ddf4766f38f2afff31e9ba389e16356

SHA1
ebbf590eee2c682ca37ba7f5929920ceb0367e86

SHA256
690f7f4eaece0c198796dc8ab45d3920ec066667b1ade56c07254fbfd6e079a1

SHA512
09e59bc227faa516529f808b76604a205d0821ace41bca9cb393ca7afe1d106ebd98608b4a97858ddd48b2dce0cc348bf2e733a28ad779e9a688175ab7483af5

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
Filesize
23KB

MD5
7ddf4766f38f2afff31e9ba389e16356

SHA1
ebbf590eee2c682ca37ba7f5929920ceb0367e86

SHA256
690f7f4eaece0c198796dc8ab45d3920ec066667b1ade56c07254fbfd6e079a1

SHA512
09e59bc227faa516529f808b76604a205d0821ace41bca9cb393ca7afe1d106ebd98608b4a97858ddd48b2dce0cc348bf2e733a28ad779e9a688175ab7483af5

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
Filesize
23KB

MD5
7ddf4766f38f2afff31e9ba389e16356

SHA1
ebbf590eee2c682ca37ba7f5929920ceb0367e86

SHA256
690f7f4eaece0c198796dc8ab45d3920ec066667b1ade56c07254fbfd6e079a1

SHA512
09e59bc227faa516529f808b76604a205d0821ace41bca9cb393ca7afe1d106ebd98608b4a97858ddd48b2dce0cc348bf2e733a28ad779e9a688175ab7483af5

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll
Filesize
322KB

MD5
c3256800dce47c14acc83ccca4c3e2ac

SHA1
9d126818c66991dbc3813a65eddb88bbcf77f30a

SHA256
f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866

SHA512
6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25

Download Submit
memory/740-71-0x0000000000000000-mapping.dmp

Download
memory/740-76-0x0000000072FF0000-0x000000007359B000-memory.dmp

Filesize
5.7MB

Download
memory/804-56-0x0000000000000000-mapping.dmp

Download
memory/1048-77-0x0000000000000000-mapping.dmp

Download
memory/1764-54-0x0000000074C91000-0x0000000074C93000-memory.dmp

Filesize
8KB

Download