njrat | dbc7c72ec05fae8f586a80826e6929cb26ec2fab3623620bb3edaea0139385a3

General

Target

5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
Size

396KB
MD5

5b0e04c4f91d5aaac3ee3ce0eb2a1c6f
SHA1

dd539b2dae5964501c364bf932ce8e9f9dc500af
SHA256

dbc7c72ec05fae8f586a80826e6929cb26ec2fab3623620bb3edaea0139385a3
SHA512

1ee3527a2ad3c7b6f393097ad60742ba3dfb14758feaf01188662a091c91f914390761fdb5751e1cbdb201d21cc1a086d09a7326d140a58d196266c458a2ea18

Score

10^/10

njrat hacked persistence suricata trojan

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

HacKed

C2

104.243.35.208:4004

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
Executes dropped EXE 2 IoCs

Processes:

Payload.exePayload.exe

pid process

664 Payload.exe
1536 Payload.exe

pid	process
664	Payload.exe
1536	Payload.exe

Drops startup file 2 IoCs

Processes:

5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exePayload.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	Payload.exe

Loads dropped DLL 1 IoCs

Processes:

5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe

pid process

2040 5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe

pid	process
2040	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Payload.exe"	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exePayload.exe

description	pid	process	target process
PID 1556 set thread context of 2040	1556	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
PID 664 set thread context of 1536	664	Payload.exe	Payload.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Payload.exe

description pid process

Token: SeDebugPrivilege 1536 Payload.exe
Token: 33 1536 Payload.exe
Token: SeIncBasePriorityPrivilege 1536 Payload.exe

description	pid	process
Token: SeDebugPrivilege	1536	Payload.exe
Token: 33	1536	Payload.exe
Token: SeIncBasePriorityPrivilege	1536	Payload.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exePayload.exe

description	pid	process	target process
PID 1556 wrote to memory of 2040	1556	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
PID 1556 wrote to memory of 2040	1556	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
PID 1556 wrote to memory of 2040	1556	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
PID 1556 wrote to memory of 2040	1556	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
PID 1556 wrote to memory of 2040	1556	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
PID 1556 wrote to memory of 2040	1556	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
PID 1556 wrote to memory of 2040	1556	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
PID 1556 wrote to memory of 2040	1556	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
PID 1556 wrote to memory of 2040	1556	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
PID 2040 wrote to memory of 664	2040	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	Payload.exe
PID 2040 wrote to memory of 664	2040	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	Payload.exe
PID 2040 wrote to memory of 664	2040	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	Payload.exe
PID 2040 wrote to memory of 664	2040	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	Payload.exe
PID 2040 wrote to memory of 1384	2040	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	attrib.exe
PID 2040 wrote to memory of 1384	2040	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	attrib.exe
PID 2040 wrote to memory of 1384	2040	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	attrib.exe
PID 2040 wrote to memory of 1384	2040	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	attrib.exe
PID 664 wrote to memory of 1536	664	Payload.exe	Payload.exe
PID 664 wrote to memory of 1536	664	Payload.exe	Payload.exe
PID 664 wrote to memory of 1536	664	Payload.exe	Payload.exe
PID 664 wrote to memory of 1536	664	Payload.exe	Payload.exe
PID 664 wrote to memory of 1536	664	Payload.exe	Payload.exe
PID 664 wrote to memory of 1536	664	Payload.exe	Payload.exe
PID 664 wrote to memory of 1536	664	Payload.exe	Payload.exe
PID 664 wrote to memory of 1536	664	Payload.exe	Payload.exe
PID 664 wrote to memory of 1536	664	Payload.exe	Payload.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1384 attrib.exe

pid	process
1384	attrib.exe

C:\Users\Admin\AppData\Local\Temp\5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
"C:\Users\Admin\AppData\Local\Temp\5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1556

C:\Users\Admin\AppData\Local\Temp\5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
"C:\Users\Admin\AppData\Local\Temp\5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe"
2⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\AppData\Roaming\Payload.exe
"C:\Users\Admin\AppData\Roaming\Payload.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:664

C:\Users\Admin\AppData\Roaming\Payload.exe
"C:\Users\Admin\AppData\Roaming\Payload.exe"
4⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:1536

C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Payload.exe"
3⤵
- Views/modifies file attributes
PID:1384

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Hidden Files and Directories

1

T1158

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
Filesize
1KB

MD5
4305dec533b213e47666151f27321a03

SHA1
ad5e32c58bd165c64128ce02116e76b844eb0495

SHA256
b670339430811cf32cc7053cb8e9b80c8cde43998c9d22b2357d3a370149cf12

SHA512
1500f7db67762ced40e34b5a7b9d74f37fa766c725e5a44e43802535904c8537ecb80b75c9c80761ca0849f0090d153c5b92ca105c137b5f671f30262624b817

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
Filesize
1022B

MD5
6f2368d28f741910c6f122556254a657

SHA1
b962374626a1f96c6aa20865dddd32a390df293e

SHA256
b9c461577043f5f142417f5446f27a6b3e5b457a4fda5149e7417ed15f6b8e6d

SHA512
6f9abb9e717bb4bda7a0f142405783c390d2d0c403c37b956818c8e9c5ac4021a3079b3fa5c497188e7610338d93719e61bd09ed25f149171013c8fe801788f5

Download Submit
C:\Users\Admin\AppData\Roaming\Payload.exe
Filesize
396KB

MD5
5b0e04c4f91d5aaac3ee3ce0eb2a1c6f

SHA1
dd539b2dae5964501c364bf932ce8e9f9dc500af

SHA256
dbc7c72ec05fae8f586a80826e6929cb26ec2fab3623620bb3edaea0139385a3

SHA512
1ee3527a2ad3c7b6f393097ad60742ba3dfb14758feaf01188662a091c91f914390761fdb5751e1cbdb201d21cc1a086d09a7326d140a58d196266c458a2ea18

Download Submit
C:\Users\Admin\AppData\Roaming\Payload.exe
Filesize
396KB

MD5
5b0e04c4f91d5aaac3ee3ce0eb2a1c6f

SHA1
dd539b2dae5964501c364bf932ce8e9f9dc500af

SHA256
dbc7c72ec05fae8f586a80826e6929cb26ec2fab3623620bb3edaea0139385a3

SHA512
1ee3527a2ad3c7b6f393097ad60742ba3dfb14758feaf01188662a091c91f914390761fdb5751e1cbdb201d21cc1a086d09a7326d140a58d196266c458a2ea18

Download Submit
C:\Users\Admin\AppData\Roaming\Payload.exe
Filesize
396KB

MD5
5b0e04c4f91d5aaac3ee3ce0eb2a1c6f

SHA1
dd539b2dae5964501c364bf932ce8e9f9dc500af

SHA256
dbc7c72ec05fae8f586a80826e6929cb26ec2fab3623620bb3edaea0139385a3

SHA512
1ee3527a2ad3c7b6f393097ad60742ba3dfb14758feaf01188662a091c91f914390761fdb5751e1cbdb201d21cc1a086d09a7326d140a58d196266c458a2ea18

Download Submit
\Users\Admin\AppData\Roaming\Payload.exe
Filesize
396KB

MD5
5b0e04c4f91d5aaac3ee3ce0eb2a1c6f

SHA1
dd539b2dae5964501c364bf932ce8e9f9dc500af

SHA256
dbc7c72ec05fae8f586a80826e6929cb26ec2fab3623620bb3edaea0139385a3

SHA512
1ee3527a2ad3c7b6f393097ad60742ba3dfb14758feaf01188662a091c91f914390761fdb5751e1cbdb201d21cc1a086d09a7326d140a58d196266c458a2ea18

Download Submit
memory/664-79-0x0000000004CB0000-0x0000000004D02000-memory.dmp

Filesize
328KB

Download
memory/664-73-0x0000000000000000-mapping.dmp

Download
memory/664-77-0x0000000001290000-0x00000000012F8000-memory.dmp

Filesize
416KB

Download
memory/1384-76-0x0000000000000000-mapping.dmp

Download
memory/1536-86-0x000000000040837E-mapping.dmp

Download
memory/1556-58-0x0000000001FA0000-0x0000000001FA6000-memory.dmp

Filesize
24KB

Download
memory/1556-56-0x0000000000580000-0x000000000058E000-memory.dmp

Filesize
56KB

Download
memory/1556-57-0x0000000004E40000-0x0000000004E92000-memory.dmp

Filesize
328KB

Download
memory/1556-54-0x0000000000310000-0x0000000000378000-memory.dmp

Filesize
416KB

Download
memory/1556-59-0x0000000001FB0000-0x0000000001FBE000-memory.dmp

Filesize
56KB

Download
memory/1556-55-0x0000000075541000-0x0000000075543000-memory.dmp

Filesize
8KB

Download
memory/2040-60-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2040-70-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2040-68-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2040-66-0x000000000040837E-mapping.dmp

Download
memory/2040-65-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2040-64-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2040-63-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2040-61-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads