njrat | a836f921462e6240150cd6c26d59a8e57f2a2f5c4f520568622e3fe4e2828ceb

Analysis

max time kernel
90s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
15-04-2022 02:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a836f921462e6240150cd6c26d59a8e57f2a2f5c4f520568622e3fe4e2828ceb.exe
Size

3.2MB
MD5

763831ebb67edc0547d2caf7c7b999b8
SHA1

c7af5d05e46416cc2a0c33c8b09eb872c7b70a91
SHA256

a836f921462e6240150cd6c26d59a8e57f2a2f5c4f520568622e3fe4e2828ceb
SHA512

25004abb59bd61d8991d435d0428269f40b9afb21c9da1e658b83eb79c34f9e246fa2ef45573d05997839f37a15d470ff8e177e9bcc1166562310ced7199495a

Score

10^/10

njrat q persistence trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

ratchomli.hopto.org:3632

Mutex

631447834c0607d77dbc354603149bca

Attributes

reg_key
631447834c0607d77dbc354603149bca
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

CDS.execrypted.exe

pid process

3672 CDS.exe
3148 crypted.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

CDS.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation CDS.exe
Loads dropped DLL 1 IoCs

Processes:

CDS.exe

pid process

3672 CDS.exe

pid	process
3672	CDS.exe
3148	crypted.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	CDS.exe

pid	process
3672	CDS.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a836f921462e6240150cd6c26d59a8e57f2a2f5c4f520568622e3fe4e2828ceb.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a836f921462e6240150cd6c26d59a8e57f2a2f5c4f520568622e3fe4e2828ceb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a836f921462e6240150cd6c26d59a8e57f2a2f5c4f520568622e3fe4e2828ceb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

CDS.exe

pid process

3672 CDS.exe
3672 CDS.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 4180 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 4180 AUDIODG.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

CDS.exe

pid process

3672 CDS.exe
3672 CDS.exe

pid	process
3672	CDS.exe
3672	CDS.exe

description	pid	process
Token: 33	4180	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4180	AUDIODG.EXE

pid	process
3672	CDS.exe
3672	CDS.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

a836f921462e6240150cd6c26d59a8e57f2a2f5c4f520568622e3fe4e2828ceb.exeCDS.execrypted.exefondue.exe

description	pid	process	target process
PID 4424 wrote to memory of 3672	4424	a836f921462e6240150cd6c26d59a8e57f2a2f5c4f520568622e3fe4e2828ceb.exe	CDS.exe
PID 4424 wrote to memory of 3672	4424	a836f921462e6240150cd6c26d59a8e57f2a2f5c4f520568622e3fe4e2828ceb.exe	CDS.exe
PID 4424 wrote to memory of 3672	4424	a836f921462e6240150cd6c26d59a8e57f2a2f5c4f520568622e3fe4e2828ceb.exe	CDS.exe
PID 3672 wrote to memory of 3148	3672	CDS.exe	crypted.exe
PID 3672 wrote to memory of 3148	3672	CDS.exe	crypted.exe
PID 3672 wrote to memory of 3148	3672	CDS.exe	crypted.exe
PID 3148 wrote to memory of 1412	3148	crypted.exe	fondue.exe
PID 3148 wrote to memory of 1412	3148	crypted.exe	fondue.exe
PID 3148 wrote to memory of 1412	3148	crypted.exe	fondue.exe
PID 1412 wrote to memory of 1808	1412	fondue.exe	FonDUE.EXE
PID 1412 wrote to memory of 1808	1412	fondue.exe	FonDUE.EXE

C:\Users\Admin\AppData\Local\Temp\a836f921462e6240150cd6c26d59a8e57f2a2f5c4f520568622e3fe4e2828ceb.exe
"C:\Users\Admin\AppData\Local\Temp\a836f921462e6240150cd6c26d59a8e57f2a2f5c4f520568622e3fe4e2828ceb.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4424

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3672

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3148

C:\Windows\SysWOW64\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
4⤵
- Suspicious use of WriteProcessMemory
PID:1412

C:\Windows\system32\FonDUE.EXE
"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
5⤵
PID:1808

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2c4 0x40c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4180

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\630_10.png
Filesize
2KB

MD5
340b294efc691d1b20c64175d565ebc7

SHA1
81cb9649bd1c9a62ae79e781818fc24d15c29ce7

SHA256
72566894059452101ea836bbff9ede5069141eeb52022ab55baa24e1666825c9

SHA512
1395a8e175c63a1a1ff459a9dac437156c74299272e020e7e078a087969251a8534f17244a529acbc1b6800a97d4c0abfa3c88f6fcb88423f56dfaae9b49fc3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.cdd
Filesize
13KB

MD5
3e7ecaeb51c2812d13b07ec852d74aaf

SHA1
e9bdab93596ffb0f7f8c65243c579180939acb26

SHA256
e7e942993864e8b18780ef10a415f7b93924c6378248c52f0c96895735222b96

SHA512
635cd5173b595f1905af9eeea65037601cf8496d519c506b6d082662d438c26a1bfe653eaf6edcb117ccf8767975c37ab0238ca4c77574e2706f9b238a15ad4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
Filesize
6.1MB

MD5
424bf196deaeb4ddcafb78e137fa560a

SHA1
007738e9486c904a3115daa6e8ba2ee692af58c8

SHA256
0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2

SHA512
a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
Filesize
6.1MB

MD5
424bf196deaeb4ddcafb78e137fa560a

SHA1
007738e9486c904a3115daa6e8ba2ee692af58c8

SHA256
0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2

SHA512
a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c.dat
Filesize
103KB

MD5
ec19695b37f684b23026fe14877480b7

SHA1
a1d47b2549d6b4dd0b0916f9e5d3a59fd1e840c0

SHA256
c17ff2eb8d083b4301023a4b9daf3277a60572a2b704de21203e2e66ea729f1c

SHA512
ec565ff65149c9c7d2143b329d3993ff73bb03302160d31472e178516528fb3e60c9165197c53dbbfa5e05d17266be4774f606397838b07718f05097b64573fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
Filesize
103KB

MD5
2d4c6ed25a730ff2bcafa5be70f5b125

SHA1
aa6bee72499f3b82cd119ad28347932e331cb713

SHA256
b4973c0f8c47b08dc82de8f13cdb920e1f535433c3d0e1f87a0f3bc47e9f30d1

SHA512
f4c6d25c827f13955cc86890bc791d2ec0f3ae29590c04954f7dd89556143bd6399b02aae0a4b5f225d4022920d568fd73329ee2087afbf081716b4abecb1d7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
Filesize
103KB

MD5
2d4c6ed25a730ff2bcafa5be70f5b125

SHA1
aa6bee72499f3b82cd119ad28347932e331cb713

SHA256
b4973c0f8c47b08dc82de8f13cdb920e1f535433c3d0e1f87a0f3bc47e9f30d1

SHA512
f4c6d25c827f13955cc86890bc791d2ec0f3ae29590c04954f7dd89556143bd6399b02aae0a4b5f225d4022920d568fd73329ee2087afbf081716b4abecb1d7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fs.settings
Filesize
5B

MD5
68934a3e9455fa72420237eb05902327

SHA1
7cb6efb98ba5972a9b5090dc2e517fe14d12cb04

SHA256
fcbcf165908dd18a9e49f7ff27810176db8e9f63b4352213741664245224f8aa

SHA512
719fa67eef49c4b2a2b83f0c62bddd88c106aaadb7e21ae057c8802b700e36f81fe3f144812d8b05d66dc663d908b25645e153262cf6d457aa34e684af9e328d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll
Filesize
322KB

MD5
c3256800dce47c14acc83ccca4c3e2ac

SHA1
9d126818c66991dbc3813a65eddb88bbcf77f30a

SHA256
f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866

SHA512
6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll
Filesize
322KB

MD5
c3256800dce47c14acc83ccca4c3e2ac

SHA1
9d126818c66991dbc3813a65eddb88bbcf77f30a

SHA256
f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866

SHA512
6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25

Download Submit
memory/1412-142-0x0000000000000000-mapping.dmp

Download
memory/1808-143-0x0000000000000000-mapping.dmp

Download
memory/3148-139-0x0000000000000000-mapping.dmp

Download
memory/3672-130-0x0000000000000000-mapping.dmp

Download