njrat | c8c743dbb1eae089af4724f547b6a0b0c38e7b25fbc5699e5218dad4cfe1e317

General

Target

c8c743dbb1eae089af4724f547b6a0b0c38e7b25fbc5699e5218dad4cfe1e317.exe
Size

37KB
MD5

fe539f5b615a9dbb6c67e91499888daf
SHA1

267e7b00433be2c8ac5d1c8a4ee1d90065d8094b
SHA256

c8c743dbb1eae089af4724f547b6a0b0c38e7b25fbc5699e5218dad4cfe1e317
SHA512

cdf6a70381022504e3dd967626c4b560d8cadf3357055ceacd615f05f18315caab0b591d0bcb242bb9e3d524d6124eb054826b21c5873035fb72f28e57b0784a

Score

10^/10

njrat karochedauni evasion trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

karochedauni

C2

194.34.132.152:7576

Mutex

e4cef66ebf3fdf7f22614d89de91686c

Attributes

reg_key
e4cef66ebf3fdf7f22614d89de91686c
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

extrimhack_private.exe

pid process

2688 extrimhack_private.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
2688	extrimhack_private.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c8c743dbb1eae089af4724f547b6a0b0c38e7b25fbc5699e5218dad4cfe1e317.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	c8c743dbb1eae089af4724f547b6a0b0c38e7b25fbc5699e5218dad4cfe1e317.exe

Drops startup file 2 IoCs

Processes:

extrimhack_private.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e4cef66ebf3fdf7f22614d89de91686c.exe	extrimhack_private.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e4cef66ebf3fdf7f22614d89de91686c.exe	extrimhack_private.exe

Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3984 taskkill.exe

pid	process
3984	taskkill.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

Processes:

taskkill.exeextrimhack_private.exe

description	pid	process
Token: SeDebugPrivilege	3984	taskkill.exe
Token: SeDebugPrivilege	2688	extrimhack_private.exe
Token: 33	2688	extrimhack_private.exe
Token: SeIncBasePriorityPrivilege	2688	extrimhack_private.exe
Token: 33	2688	extrimhack_private.exe
Token: SeIncBasePriorityPrivilege	2688	extrimhack_private.exe
Token: 33	2688	extrimhack_private.exe
Token: SeIncBasePriorityPrivilege	2688	extrimhack_private.exe
Token: 33	2688	extrimhack_private.exe
Token: SeIncBasePriorityPrivilege	2688	extrimhack_private.exe
Token: 33	2688	extrimhack_private.exe
Token: SeIncBasePriorityPrivilege	2688	extrimhack_private.exe
Token: 33	2688	extrimhack_private.exe
Token: SeIncBasePriorityPrivilege	2688	extrimhack_private.exe
Token: 33	2688	extrimhack_private.exe
Token: SeIncBasePriorityPrivilege	2688	extrimhack_private.exe
Token: 33	2688	extrimhack_private.exe
Token: SeIncBasePriorityPrivilege	2688	extrimhack_private.exe
Token: 33	2688	extrimhack_private.exe
Token: SeIncBasePriorityPrivilege	2688	extrimhack_private.exe
Token: 33	2688	extrimhack_private.exe
Token: SeIncBasePriorityPrivilege	2688	extrimhack_private.exe
Token: 33	2688	extrimhack_private.exe
Token: SeIncBasePriorityPrivilege	2688	extrimhack_private.exe
Token: 33	2688	extrimhack_private.exe
Token: SeIncBasePriorityPrivilege	2688	extrimhack_private.exe
Token: 33	2688	extrimhack_private.exe
Token: SeIncBasePriorityPrivilege	2688	extrimhack_private.exe
Token: 33	2688	extrimhack_private.exe
Token: SeIncBasePriorityPrivilege	2688	extrimhack_private.exe
Token: 33	2688	extrimhack_private.exe
Token: SeIncBasePriorityPrivilege	2688	extrimhack_private.exe
Token: 33	2688	extrimhack_private.exe
Token: SeIncBasePriorityPrivilege	2688	extrimhack_private.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

c8c743dbb1eae089af4724f547b6a0b0c38e7b25fbc5699e5218dad4cfe1e317.exeextrimhack_private.exe

description	pid	process	target process
PID 3248 wrote to memory of 2688	3248	c8c743dbb1eae089af4724f547b6a0b0c38e7b25fbc5699e5218dad4cfe1e317.exe	extrimhack_private.exe
PID 3248 wrote to memory of 2688	3248	c8c743dbb1eae089af4724f547b6a0b0c38e7b25fbc5699e5218dad4cfe1e317.exe	extrimhack_private.exe
PID 3248 wrote to memory of 2688	3248	c8c743dbb1eae089af4724f547b6a0b0c38e7b25fbc5699e5218dad4cfe1e317.exe	extrimhack_private.exe
PID 2688 wrote to memory of 4216	2688	extrimhack_private.exe	netsh.exe
PID 2688 wrote to memory of 4216	2688	extrimhack_private.exe	netsh.exe
PID 2688 wrote to memory of 4216	2688	extrimhack_private.exe	netsh.exe
PID 2688 wrote to memory of 3984	2688	extrimhack_private.exe	taskkill.exe
PID 2688 wrote to memory of 3984	2688	extrimhack_private.exe	taskkill.exe
PID 2688 wrote to memory of 3984	2688	extrimhack_private.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\c8c743dbb1eae089af4724f547b6a0b0c38e7b25fbc5699e5218dad4cfe1e317.exe
"C:\Users\Admin\AppData\Local\Temp\c8c743dbb1eae089af4724f547b6a0b0c38e7b25fbc5699e5218dad4cfe1e317.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3248

C:\Users\Admin\AppData\Local\Temp\extrimhack_private.exe
"C:\Users\Admin\AppData\Local\Temp\extrimhack_private.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2688

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\extrimhack_private.exe" "extrimhack_private.exe" ENABLE
3⤵
PID:4216

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM Taskmgr.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3984

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\extrimhack_private.exe
Filesize
37KB

MD5
fe539f5b615a9dbb6c67e91499888daf

SHA1
267e7b00433be2c8ac5d1c8a4ee1d90065d8094b

SHA256
c8c743dbb1eae089af4724f547b6a0b0c38e7b25fbc5699e5218dad4cfe1e317

SHA512
cdf6a70381022504e3dd967626c4b560d8cadf3357055ceacd615f05f18315caab0b591d0bcb242bb9e3d524d6124eb054826b21c5873035fb72f28e57b0784a

Download Submit
C:\Users\Admin\AppData\Local\Temp\extrimhack_private.exe
Filesize
37KB

MD5
fe539f5b615a9dbb6c67e91499888daf

SHA1
267e7b00433be2c8ac5d1c8a4ee1d90065d8094b

SHA256
c8c743dbb1eae089af4724f547b6a0b0c38e7b25fbc5699e5218dad4cfe1e317

SHA512
cdf6a70381022504e3dd967626c4b560d8cadf3357055ceacd615f05f18315caab0b591d0bcb242bb9e3d524d6124eb054826b21c5873035fb72f28e57b0784a

Download Submit
memory/2688-131-0x0000000000000000-mapping.dmp

Download
memory/2688-134-0x0000000075300000-0x00000000758B1000-memory.dmp

Filesize
5.7MB

Download
memory/3248-130-0x0000000075300000-0x00000000758B1000-memory.dmp

Filesize
5.7MB

Download
memory/3984-136-0x0000000000000000-mapping.dmp

Download
memory/4216-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads