njrat | 60750c9f862c0e8d042d8d7be60e1701c57b2a5da6ff58dca31e54a7a0785549

General

Target

60750c9f862c0e8d042d8d7be60e1701c57b2a5da6ff58dca31e54a7a0785549.exe
Size

113KB
MD5

804ab4cb9903d259120e591ac565e5c0
SHA1

11955010086627d54c94c1172455c71417f0a31d
SHA256

60750c9f862c0e8d042d8d7be60e1701c57b2a5da6ff58dca31e54a7a0785549
SHA512

180b4eaf31a94ab689e5c4214f521f88e3fa7c6ca273e2e3ae86f65fa9140d743e8a2a996c441d06df39731b2235d73e59c34dc0cd195214475911f1f73ab528

Score

10^/10

njrat hack trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

hack

C2

thec0de-22249.portmap.io:22249

Mutex

ac92d1ea6bee0411dba544616f4313da

Attributes

reg_key
ac92d1ea6bee0411dba544616f4313da
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

server.exe

pid process

228 server.exe

pid	process
228	server.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

60750c9f862c0e8d042d8d7be60e1701c57b2a5da6ff58dca31e54a7a0785549.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	60750c9f862c0e8d042d8d7be60e1701c57b2a5da6ff58dca31e54a7a0785549.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

60750c9f862c0e8d042d8d7be60e1701c57b2a5da6ff58dca31e54a7a0785549.exe

description	pid	process	target process
PID 1768 set thread context of 4092	1768	60750c9f862c0e8d042d8d7be60e1701c57b2a5da6ff58dca31e54a7a0785549.exe	60750c9f862c0e8d042d8d7be60e1701c57b2a5da6ff58dca31e54a7a0785549.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

776 228 WerFault.exe server.exe

pid	pid_target	process	target process
776	228	WerFault.exe	server.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

60750c9f862c0e8d042d8d7be60e1701c57b2a5da6ff58dca31e54a7a0785549.exeserver.exe

pid	process
1768	60750c9f862c0e8d042d8d7be60e1701c57b2a5da6ff58dca31e54a7a0785549.exe
1768	60750c9f862c0e8d042d8d7be60e1701c57b2a5da6ff58dca31e54a7a0785549.exe
1768	60750c9f862c0e8d042d8d7be60e1701c57b2a5da6ff58dca31e54a7a0785549.exe
228	server.exe
228	server.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

60750c9f862c0e8d042d8d7be60e1701c57b2a5da6ff58dca31e54a7a0785549.exeserver.exe

description	pid	process
Token: SeDebugPrivilege	1768	60750c9f862c0e8d042d8d7be60e1701c57b2a5da6ff58dca31e54a7a0785549.exe
Token: SeDebugPrivilege	228	server.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

60750c9f862c0e8d042d8d7be60e1701c57b2a5da6ff58dca31e54a7a0785549.exe60750c9f862c0e8d042d8d7be60e1701c57b2a5da6ff58dca31e54a7a0785549.exe

description	pid	process	target process
PID 1768 wrote to memory of 4092	1768	60750c9f862c0e8d042d8d7be60e1701c57b2a5da6ff58dca31e54a7a0785549.exe	60750c9f862c0e8d042d8d7be60e1701c57b2a5da6ff58dca31e54a7a0785549.exe
PID 1768 wrote to memory of 4092	1768	60750c9f862c0e8d042d8d7be60e1701c57b2a5da6ff58dca31e54a7a0785549.exe	60750c9f862c0e8d042d8d7be60e1701c57b2a5da6ff58dca31e54a7a0785549.exe
PID 1768 wrote to memory of 4092	1768	60750c9f862c0e8d042d8d7be60e1701c57b2a5da6ff58dca31e54a7a0785549.exe	60750c9f862c0e8d042d8d7be60e1701c57b2a5da6ff58dca31e54a7a0785549.exe
PID 1768 wrote to memory of 4092	1768	60750c9f862c0e8d042d8d7be60e1701c57b2a5da6ff58dca31e54a7a0785549.exe	60750c9f862c0e8d042d8d7be60e1701c57b2a5da6ff58dca31e54a7a0785549.exe
PID 1768 wrote to memory of 4092	1768	60750c9f862c0e8d042d8d7be60e1701c57b2a5da6ff58dca31e54a7a0785549.exe	60750c9f862c0e8d042d8d7be60e1701c57b2a5da6ff58dca31e54a7a0785549.exe
PID 1768 wrote to memory of 4092	1768	60750c9f862c0e8d042d8d7be60e1701c57b2a5da6ff58dca31e54a7a0785549.exe	60750c9f862c0e8d042d8d7be60e1701c57b2a5da6ff58dca31e54a7a0785549.exe
PID 1768 wrote to memory of 4092	1768	60750c9f862c0e8d042d8d7be60e1701c57b2a5da6ff58dca31e54a7a0785549.exe	60750c9f862c0e8d042d8d7be60e1701c57b2a5da6ff58dca31e54a7a0785549.exe
PID 1768 wrote to memory of 4092	1768	60750c9f862c0e8d042d8d7be60e1701c57b2a5da6ff58dca31e54a7a0785549.exe	60750c9f862c0e8d042d8d7be60e1701c57b2a5da6ff58dca31e54a7a0785549.exe
PID 4092 wrote to memory of 228	4092	60750c9f862c0e8d042d8d7be60e1701c57b2a5da6ff58dca31e54a7a0785549.exe	server.exe
PID 4092 wrote to memory of 228	4092	60750c9f862c0e8d042d8d7be60e1701c57b2a5da6ff58dca31e54a7a0785549.exe	server.exe
PID 4092 wrote to memory of 228	4092	60750c9f862c0e8d042d8d7be60e1701c57b2a5da6ff58dca31e54a7a0785549.exe	server.exe

C:\Users\Admin\AppData\Local\Temp\60750c9f862c0e8d042d8d7be60e1701c57b2a5da6ff58dca31e54a7a0785549.exe
"C:\Users\Admin\AppData\Local\Temp\60750c9f862c0e8d042d8d7be60e1701c57b2a5da6ff58dca31e54a7a0785549.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1768

C:\Users\Admin\AppData\Local\Temp\60750c9f862c0e8d042d8d7be60e1701c57b2a5da6ff58dca31e54a7a0785549.exe
"C:\Users\Admin\AppData\Local\Temp\60750c9f862c0e8d042d8d7be60e1701c57b2a5da6ff58dca31e54a7a0785549.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4092

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 18912
4⤵
- Program crash
PID:776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 228 -ip 228
1⤵
PID:3020

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\60750c9f862c0e8d042d8d7be60e1701c57b2a5da6ff58dca31e54a7a0785549.exe.log
Filesize
410B

MD5
24cfd42a8de70b38ed70e1f8cf4eda1c

SHA1
e447168fd38da9175084b36a06c3e9bbde99064c

SHA256
93b740416114e346878801c73e8a8670ff1390d3fa009424b88fafe614a3c5cd

SHA512
5c2daf5328ba99d750e9d0362e84f3a79b7fc8395aa8aa2bc1a01b266583fe1f8352bf0619f985aa72223412d14afa054537739b4941610a1d0f96e7fee2a875

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
113KB

MD5
804ab4cb9903d259120e591ac565e5c0

SHA1
11955010086627d54c94c1172455c71417f0a31d

SHA256
60750c9f862c0e8d042d8d7be60e1701c57b2a5da6ff58dca31e54a7a0785549

SHA512
180b4eaf31a94ab689e5c4214f521f88e3fa7c6ca273e2e3ae86f65fa9140d743e8a2a996c441d06df39731b2235d73e59c34dc0cd195214475911f1f73ab528

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
113KB

MD5
804ab4cb9903d259120e591ac565e5c0

SHA1
11955010086627d54c94c1172455c71417f0a31d

SHA256
60750c9f862c0e8d042d8d7be60e1701c57b2a5da6ff58dca31e54a7a0785549

SHA512
180b4eaf31a94ab689e5c4214f521f88e3fa7c6ca273e2e3ae86f65fa9140d743e8a2a996c441d06df39731b2235d73e59c34dc0cd195214475911f1f73ab528

Download Submit
memory/228-136-0x0000000000000000-mapping.dmp

Download
memory/1768-130-0x0000000000280000-0x00000000002A4000-memory.dmp

Filesize
144KB

Download
memory/1768-131-0x00000000053B0000-0x0000000005954000-memory.dmp

Filesize
5.6MB

Download
memory/1768-132-0x0000000004FE0000-0x0000000005072000-memory.dmp

Filesize
584KB

Download
memory/4092-133-0x0000000000000000-mapping.dmp

Download
memory/4092-134-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4092-135-0x0000000005010000-0x00000000050AC000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads