Behavioral Report

General

Target

211be1147cc8c04fa90c052f43d408463d193821e7fad1f225efc0fb6fad73d7.exe
Size

612KB
MD5

f414c142f690168170dc839b538fae62
SHA1

f1695b6b8b52c13148d2bca87269b9d11479f2c5
SHA256

211be1147cc8c04fa90c052f43d408463d193821e7fad1f225efc0fb6fad73d7
SHA512

e7eb28451c72366c9d05421902ecccbc296c7173f2481b5c2a654fe967ffb6661ff23246cbe67698f788e9646a3880b3d29c1c7ed39ee7dc456c202f2e454e7c

Score

10^/10

njrat 1 trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

1

C2

127.0.0.1:6666

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

Server.sfx.exeServer.exe

pid process

4580 Server.sfx.exe
4840 Server.exe

pid	process
4580	Server.sfx.exe
4840	Server.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

211be1147cc8c04fa90c052f43d408463d193821e7fad1f225efc0fb6fad73d7.exeServer.sfx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Control Panel\International\Geo\Nation	211be1147cc8c04fa90c052f43d408463d193821e7fad1f225efc0fb6fad73d7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Control Panel\International\Geo\Nation	Server.sfx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Server.exe

pid process

4840 Server.exe

pid	process
4840	Server.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

Server.exe

description	pid	process
Token: SeDebugPrivilege	4840	Server.exe
Token: 33	4840	Server.exe
Token: SeIncBasePriorityPrivilege	4840	Server.exe
Token: 33	4840	Server.exe
Token: SeIncBasePriorityPrivilege	4840	Server.exe
Token: 33	4840	Server.exe
Token: SeIncBasePriorityPrivilege	4840	Server.exe
Token: 33	4840	Server.exe
Token: SeIncBasePriorityPrivilege	4840	Server.exe
Token: 33	4840	Server.exe
Token: SeIncBasePriorityPrivilege	4840	Server.exe
Token: 33	4840	Server.exe
Token: SeIncBasePriorityPrivilege	4840	Server.exe
Token: 33	4840	Server.exe
Token: SeIncBasePriorityPrivilege	4840	Server.exe
Token: 33	4840	Server.exe
Token: SeIncBasePriorityPrivilege	4840	Server.exe
Token: 33	4840	Server.exe
Token: SeIncBasePriorityPrivilege	4840	Server.exe
Token: 33	4840	Server.exe
Token: SeIncBasePriorityPrivilege	4840	Server.exe
Token: 33	4840	Server.exe
Token: SeIncBasePriorityPrivilege	4840	Server.exe
Token: 33	4840	Server.exe
Token: SeIncBasePriorityPrivilege	4840	Server.exe
Token: 33	4840	Server.exe
Token: SeIncBasePriorityPrivilege	4840	Server.exe
Token: 33	4840	Server.exe
Token: SeIncBasePriorityPrivilege	4840	Server.exe
Token: 33	4840	Server.exe
Token: SeIncBasePriorityPrivilege	4840	Server.exe
Token: 33	4840	Server.exe
Token: SeIncBasePriorityPrivilege	4840	Server.exe
Token: 33	4840	Server.exe
Token: SeIncBasePriorityPrivilege	4840	Server.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

211be1147cc8c04fa90c052f43d408463d193821e7fad1f225efc0fb6fad73d7.execmd.exeServer.sfx.exe

description	pid	process	target process
PID 2560 wrote to memory of 1380	2560	211be1147cc8c04fa90c052f43d408463d193821e7fad1f225efc0fb6fad73d7.exe	cmd.exe
PID 2560 wrote to memory of 1380	2560	211be1147cc8c04fa90c052f43d408463d193821e7fad1f225efc0fb6fad73d7.exe	cmd.exe
PID 2560 wrote to memory of 1380	2560	211be1147cc8c04fa90c052f43d408463d193821e7fad1f225efc0fb6fad73d7.exe	cmd.exe
PID 1380 wrote to memory of 4580	1380	cmd.exe	Server.sfx.exe
PID 1380 wrote to memory of 4580	1380	cmd.exe	Server.sfx.exe
PID 1380 wrote to memory of 4580	1380	cmd.exe	Server.sfx.exe
PID 4580 wrote to memory of 4840	4580	Server.sfx.exe	Server.exe
PID 4580 wrote to memory of 4840	4580	Server.sfx.exe	Server.exe
PID 4580 wrote to memory of 4840	4580	Server.sfx.exe	Server.exe

C:\Users\Admin\AppData\Local\Temp\211be1147cc8c04fa90c052f43d408463d193821e7fad1f225efc0fb6fad73d7.exe
"C:\Users\Admin\AppData\Local\Temp\211be1147cc8c04fa90c052f43d408463d193821e7fad1f225efc0fb6fad73d7.exe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\start.bat" "
- Suspicious use of WriteProcessMemory
PID:1380

C:\Server.sfx.exe
Server.sfx -pSALkljltjlalljjljltylj745464yklsalskaLDKSALDLKa -dc:\
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4580

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.exe"
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4840

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

00:00 00:00

Downloads

C:\Server.sfx.exe
Filesize
311KB

MD5
5603d3a3fc564364bc50f3e8c8ee0871

SHA1
48abcc70a6658890561cc408ca07f6503bc0307b

SHA256
da5fb964922d3ac61001835ec547b4d9ccbbd53cdaceccfe1d90a7cae9425943

SHA512
359140f49616c982d595f44408f8fed69e60a56a2d9054a9111498a596d9ccc94de952f2db015d7c6ba3df78d0b6d07ba6279e8948f33fa25a9651de74a81d3b

Download Submit
C:\Server.sfx.exe
Filesize
311KB

MD5
5603d3a3fc564364bc50f3e8c8ee0871

SHA1
48abcc70a6658890561cc408ca07f6503bc0307b

SHA256
da5fb964922d3ac61001835ec547b4d9ccbbd53cdaceccfe1d90a7cae9425943

SHA512
359140f49616c982d595f44408f8fed69e60a56a2d9054a9111498a596d9ccc94de952f2db015d7c6ba3df78d0b6d07ba6279e8948f33fa25a9651de74a81d3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.exe
Filesize
43KB

MD5
accc929bf090d9f48afb7d4a2d3ff189

SHA1
4038c4542c1a80c1502df1ed733409c85a340325

SHA256
014ebb55b87556b9401a0ed07d1ddec7e14fd8e2d2b7a1392e1b8f4088599c64

SHA512
2e4b24f433fc6ae85735286921efe30c03440edca3ba53ec6dd3b251b072ff23bf0d6d783b104cafe09a61810215fbbb6c8ae636db6d910c6ee0084436cd10d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.exe
Filesize
43KB

MD5
accc929bf090d9f48afb7d4a2d3ff189

SHA1
4038c4542c1a80c1502df1ed733409c85a340325

SHA256
014ebb55b87556b9401a0ed07d1ddec7e14fd8e2d2b7a1392e1b8f4088599c64

SHA512
2e4b24f433fc6ae85735286921efe30c03440edca3ba53ec6dd3b251b072ff23bf0d6d783b104cafe09a61810215fbbb6c8ae636db6d910c6ee0084436cd10d0

Download Submit
C:\start.bat
Filesize
79B

MD5
02b93d7386a2aab2ebad3ab046ad135c

SHA1
5b9d035881267a963f5ea51c22f94ac508251e1c

SHA256
eed18e4fdbedd043805b3ceea7e4e07a86ee6ad4b31fc9ef58baa187a3d5b991

SHA512
fe803a41d9ef51c2cf2b3fbaef8e8fff48120ce09e92003690dfbb5bbd215aff39af5d4875d6637852a8344c244de9b29b51ce5487e4122a44636c560113bfa2

Download Submit
memory/1380-124-0x0000000000000000-mapping.dmp

Download
memory/4580-126-0x0000000000000000-mapping.dmp

Download
memory/4840-129-0x0000000000000000-mapping.dmp

Download
memory/4840-132-0x0000000000F20000-0x0000000000F32000-memory.dmp

Filesize
72KB

Download
memory/4840-133-0x0000000005890000-0x000000000592C000-memory.dmp

Filesize
624KB

Download
memory/4840-134-0x00000000061D0000-0x0000000006774000-memory.dmp

Filesize
5MB

Download
memory/4840-135-0x0000000005CC0000-0x0000000005D52000-memory.dmp

Filesize
584KB

Download
memory/4840-136-0x0000000005CA0000-0x0000000005CAA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Downloads