njrat | c8c743dbb1eae089af4724f547b6a0b0c38e7b25fbc5699e5218dad4cfe1e317

General

Target

c8c743dbb1eae089af4724f547b6a0b0c38e7b25fbc5699e5218dad4cfe1e317.exe
Size

37KB
MD5

fe539f5b615a9dbb6c67e91499888daf
SHA1

267e7b00433be2c8ac5d1c8a4ee1d90065d8094b
SHA256

c8c743dbb1eae089af4724f547b6a0b0c38e7b25fbc5699e5218dad4cfe1e317
SHA512

cdf6a70381022504e3dd967626c4b560d8cadf3357055ceacd615f05f18315caab0b591d0bcb242bb9e3d524d6124eb054826b21c5873035fb72f28e57b0784a

Score

10^/10

njrat karochedauni evasion trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

karochedauni

C2

194.34.132.152:7576

Mutex

e4cef66ebf3fdf7f22614d89de91686c

Attributes

reg_key
e4cef66ebf3fdf7f22614d89de91686c
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

extrimhack_private.exe

pid process

956 extrimhack_private.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
956	extrimhack_private.exe

Drops startup file 2 IoCs

Processes:

extrimhack_private.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e4cef66ebf3fdf7f22614d89de91686c.exe	extrimhack_private.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e4cef66ebf3fdf7f22614d89de91686c.exe	extrimhack_private.exe

Loads dropped DLL 1 IoCs

Processes:

c8c743dbb1eae089af4724f547b6a0b0c38e7b25fbc5699e5218dad4cfe1e317.exe

pid process

1280 c8c743dbb1eae089af4724f547b6a0b0c38e7b25fbc5699e5218dad4cfe1e317.exe
Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

624 taskkill.exe

pid	process
1280	c8c743dbb1eae089af4724f547b6a0b0c38e7b25fbc5699e5218dad4cfe1e317.exe

pid	process
624	taskkill.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

taskkill.exeextrimhack_private.exe

description	pid	process
Token: SeDebugPrivilege	624	taskkill.exe
Token: SeDebugPrivilege	956	extrimhack_private.exe
Token: 33	956	extrimhack_private.exe
Token: SeIncBasePriorityPrivilege	956	extrimhack_private.exe
Token: 33	956	extrimhack_private.exe
Token: SeIncBasePriorityPrivilege	956	extrimhack_private.exe
Token: 33	956	extrimhack_private.exe
Token: SeIncBasePriorityPrivilege	956	extrimhack_private.exe
Token: 33	956	extrimhack_private.exe
Token: SeIncBasePriorityPrivilege	956	extrimhack_private.exe
Token: 33	956	extrimhack_private.exe
Token: SeIncBasePriorityPrivilege	956	extrimhack_private.exe
Token: 33	956	extrimhack_private.exe
Token: SeIncBasePriorityPrivilege	956	extrimhack_private.exe
Token: 33	956	extrimhack_private.exe
Token: SeIncBasePriorityPrivilege	956	extrimhack_private.exe
Token: 33	956	extrimhack_private.exe
Token: SeIncBasePriorityPrivilege	956	extrimhack_private.exe
Token: 33	956	extrimhack_private.exe
Token: SeIncBasePriorityPrivilege	956	extrimhack_private.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

c8c743dbb1eae089af4724f547b6a0b0c38e7b25fbc5699e5218dad4cfe1e317.exeextrimhack_private.exe

description	pid	process	target process
PID 1280 wrote to memory of 956	1280	c8c743dbb1eae089af4724f547b6a0b0c38e7b25fbc5699e5218dad4cfe1e317.exe	extrimhack_private.exe
PID 1280 wrote to memory of 956	1280	c8c743dbb1eae089af4724f547b6a0b0c38e7b25fbc5699e5218dad4cfe1e317.exe	extrimhack_private.exe
PID 1280 wrote to memory of 956	1280	c8c743dbb1eae089af4724f547b6a0b0c38e7b25fbc5699e5218dad4cfe1e317.exe	extrimhack_private.exe
PID 1280 wrote to memory of 956	1280	c8c743dbb1eae089af4724f547b6a0b0c38e7b25fbc5699e5218dad4cfe1e317.exe	extrimhack_private.exe
PID 956 wrote to memory of 1208	956	extrimhack_private.exe	netsh.exe
PID 956 wrote to memory of 1208	956	extrimhack_private.exe	netsh.exe
PID 956 wrote to memory of 1208	956	extrimhack_private.exe	netsh.exe
PID 956 wrote to memory of 1208	956	extrimhack_private.exe	netsh.exe
PID 956 wrote to memory of 624	956	extrimhack_private.exe	taskkill.exe
PID 956 wrote to memory of 624	956	extrimhack_private.exe	taskkill.exe
PID 956 wrote to memory of 624	956	extrimhack_private.exe	taskkill.exe
PID 956 wrote to memory of 624	956	extrimhack_private.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\c8c743dbb1eae089af4724f547b6a0b0c38e7b25fbc5699e5218dad4cfe1e317.exe
"C:\Users\Admin\AppData\Local\Temp\c8c743dbb1eae089af4724f547b6a0b0c38e7b25fbc5699e5218dad4cfe1e317.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1280

C:\Users\Admin\AppData\Local\Temp\extrimhack_private.exe
"C:\Users\Admin\AppData\Local\Temp\extrimhack_private.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\extrimhack_private.exe" "extrimhack_private.exe" ENABLE
3⤵
PID:1208

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM Taskmgr.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:624

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\extrimhack_private.exe
Filesize
37KB

MD5
fe539f5b615a9dbb6c67e91499888daf

SHA1
267e7b00433be2c8ac5d1c8a4ee1d90065d8094b

SHA256
c8c743dbb1eae089af4724f547b6a0b0c38e7b25fbc5699e5218dad4cfe1e317

SHA512
cdf6a70381022504e3dd967626c4b560d8cadf3357055ceacd615f05f18315caab0b591d0bcb242bb9e3d524d6124eb054826b21c5873035fb72f28e57b0784a

Download Submit
C:\Users\Admin\AppData\Local\Temp\extrimhack_private.exe
Filesize
37KB

MD5
fe539f5b615a9dbb6c67e91499888daf

SHA1
267e7b00433be2c8ac5d1c8a4ee1d90065d8094b

SHA256
c8c743dbb1eae089af4724f547b6a0b0c38e7b25fbc5699e5218dad4cfe1e317

SHA512
cdf6a70381022504e3dd967626c4b560d8cadf3357055ceacd615f05f18315caab0b591d0bcb242bb9e3d524d6124eb054826b21c5873035fb72f28e57b0784a

Download Submit
\Users\Admin\AppData\Local\Temp\extrimhack_private.exe
Filesize
37KB

MD5
fe539f5b615a9dbb6c67e91499888daf

SHA1
267e7b00433be2c8ac5d1c8a4ee1d90065d8094b

SHA256
c8c743dbb1eae089af4724f547b6a0b0c38e7b25fbc5699e5218dad4cfe1e317

SHA512
cdf6a70381022504e3dd967626c4b560d8cadf3357055ceacd615f05f18315caab0b591d0bcb242bb9e3d524d6124eb054826b21c5873035fb72f28e57b0784a

Download Submit
memory/624-63-0x0000000000000000-mapping.dmp

Download
memory/956-57-0x0000000000000000-mapping.dmp

Download
memory/956-61-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download
memory/1208-62-0x0000000000000000-mapping.dmp

Download
memory/1280-54-0x00000000756E1000-0x00000000756E3000-memory.dmp

Filesize
8KB

Download
memory/1280-55-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads