njrat | 4a2acbd77245e50f0348b7efcb0009903c55d4585b00f49f832beaf285b4b54d

General

Target

4a2acbd77245e50f0348b7efcb0009903c55d4585b00f49f832beaf285b4b54d.exe
Size

76KB
MD5

6ba4110a57c59dcbb40834a764696180
SHA1

8df62aafd0105f9bdf0b57caa4548ca8e9576b5b
SHA256

4a2acbd77245e50f0348b7efcb0009903c55d4585b00f49f832beaf285b4b54d
SHA512

d17035cfab6572e61a3ebb1b2938ee025ae9302d1943efd72d437db8f56cfb28ebcb8e53e283a311da6d959f1b57daf94e8314bc742b3d53890effca8ddfe95e

Score

10^/10

njrat youtube evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Youtube

C2

194.33.45.46:4785

Mutex

7cd689923ff88e7744796cbd311fd268

Attributes

reg_key
7cd689923ff88e7744796cbd311fd268
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

2188 svchost.exe
216 svchost.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
2188	svchost.exe
216	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4a2acbd77245e50f0348b7efcb0009903c55d4585b00f49f832beaf285b4b54d.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	4a2acbd77245e50f0348b7efcb0009903c55d4585b00f49f832beaf285b4b54d.exe

Drops startup file 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7cd689923ff88e7744796cbd311fd268.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7cd689923ff88e7744796cbd311fd268.exe	svchost.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4a2acbd77245e50f0348b7efcb0009903c55d4585b00f49f832beaf285b4b54d.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\FiNYJrWaQB = "C:\\Users\\Admin\\AppData\\Roaming\\kYJMXmSfCe\\SiGzAXPnTd.exe"	4a2acbd77245e50f0348b7efcb0009903c55d4585b00f49f832beaf285b4b54d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7cd689923ff88e7744796cbd311fd268 = "\"C:\\ProgramData\\svchost.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\7cd689923ff88e7744796cbd311fd268 = "\"C:\\ProgramData\\svchost.exe\" .."	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

4a2acbd77245e50f0348b7efcb0009903c55d4585b00f49f832beaf285b4b54d.exesvchost.exe

description	pid	process	target process
PID 4596 set thread context of 4392	4596	4a2acbd77245e50f0348b7efcb0009903c55d4585b00f49f832beaf285b4b54d.exe	4a2acbd77245e50f0348b7efcb0009903c55d4585b00f49f832beaf285b4b54d.exe
PID 2188 set thread context of 216	2188	svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeDebugPrivilege	216	svchost.exe
Token: 33	216	svchost.exe
Token: SeIncBasePriorityPrivilege	216	svchost.exe
Token: 33	216	svchost.exe
Token: SeIncBasePriorityPrivilege	216	svchost.exe
Token: 33	216	svchost.exe
Token: SeIncBasePriorityPrivilege	216	svchost.exe
Token: 33	216	svchost.exe
Token: SeIncBasePriorityPrivilege	216	svchost.exe
Token: 33	216	svchost.exe
Token: SeIncBasePriorityPrivilege	216	svchost.exe
Token: 33	216	svchost.exe
Token: SeIncBasePriorityPrivilege	216	svchost.exe
Token: 33	216	svchost.exe
Token: SeIncBasePriorityPrivilege	216	svchost.exe
Token: 33	216	svchost.exe
Token: SeIncBasePriorityPrivilege	216	svchost.exe
Token: 33	216	svchost.exe
Token: SeIncBasePriorityPrivilege	216	svchost.exe
Token: 33	216	svchost.exe
Token: SeIncBasePriorityPrivilege	216	svchost.exe
Token: 33	216	svchost.exe
Token: SeIncBasePriorityPrivilege	216	svchost.exe
Token: 33	216	svchost.exe
Token: SeIncBasePriorityPrivilege	216	svchost.exe
Token: 33	216	svchost.exe
Token: SeIncBasePriorityPrivilege	216	svchost.exe
Token: 33	216	svchost.exe
Token: SeIncBasePriorityPrivilege	216	svchost.exe
Token: 33	216	svchost.exe
Token: SeIncBasePriorityPrivilege	216	svchost.exe
Token: 33	216	svchost.exe
Token: SeIncBasePriorityPrivilege	216	svchost.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

4a2acbd77245e50f0348b7efcb0009903c55d4585b00f49f832beaf285b4b54d.exe4a2acbd77245e50f0348b7efcb0009903c55d4585b00f49f832beaf285b4b54d.exesvchost.exesvchost.exe

description	pid	process	target process
PID 4596 wrote to memory of 4392	4596	4a2acbd77245e50f0348b7efcb0009903c55d4585b00f49f832beaf285b4b54d.exe	4a2acbd77245e50f0348b7efcb0009903c55d4585b00f49f832beaf285b4b54d.exe
PID 4596 wrote to memory of 4392	4596	4a2acbd77245e50f0348b7efcb0009903c55d4585b00f49f832beaf285b4b54d.exe	4a2acbd77245e50f0348b7efcb0009903c55d4585b00f49f832beaf285b4b54d.exe
PID 4596 wrote to memory of 4392	4596	4a2acbd77245e50f0348b7efcb0009903c55d4585b00f49f832beaf285b4b54d.exe	4a2acbd77245e50f0348b7efcb0009903c55d4585b00f49f832beaf285b4b54d.exe
PID 4596 wrote to memory of 4392	4596	4a2acbd77245e50f0348b7efcb0009903c55d4585b00f49f832beaf285b4b54d.exe	4a2acbd77245e50f0348b7efcb0009903c55d4585b00f49f832beaf285b4b54d.exe
PID 4596 wrote to memory of 4392	4596	4a2acbd77245e50f0348b7efcb0009903c55d4585b00f49f832beaf285b4b54d.exe	4a2acbd77245e50f0348b7efcb0009903c55d4585b00f49f832beaf285b4b54d.exe
PID 4596 wrote to memory of 4392	4596	4a2acbd77245e50f0348b7efcb0009903c55d4585b00f49f832beaf285b4b54d.exe	4a2acbd77245e50f0348b7efcb0009903c55d4585b00f49f832beaf285b4b54d.exe
PID 4596 wrote to memory of 4392	4596	4a2acbd77245e50f0348b7efcb0009903c55d4585b00f49f832beaf285b4b54d.exe	4a2acbd77245e50f0348b7efcb0009903c55d4585b00f49f832beaf285b4b54d.exe
PID 4596 wrote to memory of 4392	4596	4a2acbd77245e50f0348b7efcb0009903c55d4585b00f49f832beaf285b4b54d.exe	4a2acbd77245e50f0348b7efcb0009903c55d4585b00f49f832beaf285b4b54d.exe
PID 4392 wrote to memory of 2188	4392	4a2acbd77245e50f0348b7efcb0009903c55d4585b00f49f832beaf285b4b54d.exe	svchost.exe
PID 4392 wrote to memory of 2188	4392	4a2acbd77245e50f0348b7efcb0009903c55d4585b00f49f832beaf285b4b54d.exe	svchost.exe
PID 4392 wrote to memory of 2188	4392	4a2acbd77245e50f0348b7efcb0009903c55d4585b00f49f832beaf285b4b54d.exe	svchost.exe
PID 2188 wrote to memory of 216	2188	svchost.exe	svchost.exe
PID 2188 wrote to memory of 216	2188	svchost.exe	svchost.exe
PID 2188 wrote to memory of 216	2188	svchost.exe	svchost.exe
PID 2188 wrote to memory of 216	2188	svchost.exe	svchost.exe
PID 2188 wrote to memory of 216	2188	svchost.exe	svchost.exe
PID 2188 wrote to memory of 216	2188	svchost.exe	svchost.exe
PID 2188 wrote to memory of 216	2188	svchost.exe	svchost.exe
PID 2188 wrote to memory of 216	2188	svchost.exe	svchost.exe
PID 216 wrote to memory of 1244	216	svchost.exe	netsh.exe
PID 216 wrote to memory of 1244	216	svchost.exe	netsh.exe
PID 216 wrote to memory of 1244	216	svchost.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\4a2acbd77245e50f0348b7efcb0009903c55d4585b00f49f832beaf285b4b54d.exe
"C:\Users\Admin\AppData\Local\Temp\4a2acbd77245e50f0348b7efcb0009903c55d4585b00f49f832beaf285b4b54d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4596

C:\Users\Admin\AppData\Local\Temp\4a2acbd77245e50f0348b7efcb0009903c55d4585b00f49f832beaf285b4b54d.exe
"C:\Users\Admin\AppData\Local\Temp\4a2acbd77245e50f0348b7efcb0009903c55d4585b00f49f832beaf285b4b54d.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4392

C:\ProgramData\svchost.exe
"C:\ProgramData\svchost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2188

C:\ProgramData\svchost.exe
"C:\ProgramData\svchost.exe"
4⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:216

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\ProgramData\svchost.exe" "svchost.exe" ENABLE
5⤵
PID:1244

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\svchost.exe
Filesize
76KB

MD5
6ba4110a57c59dcbb40834a764696180

SHA1
8df62aafd0105f9bdf0b57caa4548ca8e9576b5b

SHA256
4a2acbd77245e50f0348b7efcb0009903c55d4585b00f49f832beaf285b4b54d

SHA512
d17035cfab6572e61a3ebb1b2938ee025ae9302d1943efd72d437db8f56cfb28ebcb8e53e283a311da6d959f1b57daf94e8314bc742b3d53890effca8ddfe95e

Download Submit
C:\ProgramData\svchost.exe
Filesize
76KB

MD5
6ba4110a57c59dcbb40834a764696180

SHA1
8df62aafd0105f9bdf0b57caa4548ca8e9576b5b

SHA256
4a2acbd77245e50f0348b7efcb0009903c55d4585b00f49f832beaf285b4b54d

SHA512
d17035cfab6572e61a3ebb1b2938ee025ae9302d1943efd72d437db8f56cfb28ebcb8e53e283a311da6d959f1b57daf94e8314bc742b3d53890effca8ddfe95e

Download Submit
C:\ProgramData\svchost.exe
Filesize
76KB

MD5
6ba4110a57c59dcbb40834a764696180

SHA1
8df62aafd0105f9bdf0b57caa4548ca8e9576b5b

SHA256
4a2acbd77245e50f0348b7efcb0009903c55d4585b00f49f832beaf285b4b54d

SHA512
d17035cfab6572e61a3ebb1b2938ee025ae9302d1943efd72d437db8f56cfb28ebcb8e53e283a311da6d959f1b57daf94e8314bc742b3d53890effca8ddfe95e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\4a2acbd77245e50f0348b7efcb0009903c55d4585b00f49f832beaf285b4b54d.exe.log
Filesize
418B

MD5
89c8a5340eb284f551067d44e27ae8dd

SHA1
d2431ae25a1ab67762a5125574f046f4c951d297

SHA256
73ca1f27b1c153e3405856ebe8b3c6cdd23424d2ab09c0fe1eb0e2075513057b

SHA512
b101ac2e008bd3cc6f97fedb97b8253fb07fed1c334629ecbebe0f4942ccc1070491cddc4daea521164543b6f97ba9b99d2be1c50cc5a013f04e697fea9dbdac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log
Filesize
418B

MD5
89c8a5340eb284f551067d44e27ae8dd

SHA1
d2431ae25a1ab67762a5125574f046f4c951d297

SHA256
73ca1f27b1c153e3405856ebe8b3c6cdd23424d2ab09c0fe1eb0e2075513057b

SHA512
b101ac2e008bd3cc6f97fedb97b8253fb07fed1c334629ecbebe0f4942ccc1070491cddc4daea521164543b6f97ba9b99d2be1c50cc5a013f04e697fea9dbdac

Download Submit
memory/216-139-0x0000000000000000-mapping.dmp

Download
memory/216-145-0x0000000005E50000-0x0000000005E5A000-memory.dmp

Filesize
40KB

Download
memory/216-144-0x0000000005EB0000-0x0000000005F42000-memory.dmp

Filesize
584KB

Download
memory/1244-143-0x0000000000000000-mapping.dmp

Download
memory/2188-136-0x0000000000000000-mapping.dmp

Download
memory/4392-134-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4392-133-0x0000000000000000-mapping.dmp

Download
memory/4596-130-0x00000000003E0000-0x00000000003F8000-memory.dmp

Filesize
96KB

Download
memory/4596-132-0x00000000053B0000-0x0000000005954000-memory.dmp

Filesize
5.6MB

Download
memory/4596-131-0x0000000004D30000-0x0000000004DCC000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads