njrat | c900116f26c56d2773337522219e4aaaa73a0473be6fcf6739d8e964488c3543

Analysis

max time kernel
151s
max time network
154s
platform
windows7_x64
resource
win7-20220414-en
submitted
21-05-2022 00:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c900116f26c56d2773337522219e4aaaa73a0473be6fcf6739d8e964488c3543.exe
Size

203KB
MD5

7f58142ad487ca166fb71be971d97bc9
SHA1

6c1bca26d7ea9e6f2ded29d84759aade2cc844bb
SHA256

c900116f26c56d2773337522219e4aaaa73a0473be6fcf6739d8e964488c3543
SHA512

2848e3af53cc32f5dcdbcf9be400b9defbce9642bc60863ada3cde301edf785b0795fd50782c586314beb95cc3293b75b69f4500817de6890dcdb484fab7c621

Score

10^/10

njrat mybot evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

MyBot

85.140.114.45:7777

Mutex

061de4c451a1c1cb6f111696c953d5d6

Attributes

reg_key
061de4c451a1c1cb6f111696c953d5d6
splitter
Y262SUCZ4UJJ

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

Client.exeWindowsServices.exe

pid process

928 Client.exe
1752 WindowsServices.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 2 IoCs

Processes:

WindowsServices.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\061de4c451a1c1cb6f111696c953d5d6.exe	WindowsServices.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\061de4c451a1c1cb6f111696c953d5d6.exe	WindowsServices.exe

Loads dropped DLL 4 IoCs

Processes:

c900116f26c56d2773337522219e4aaaa73a0473be6fcf6739d8e964488c3543.exeClient.exe

pid	process
1260	c900116f26c56d2773337522219e4aaaa73a0473be6fcf6739d8e964488c3543.exe
1260	c900116f26c56d2773337522219e4aaaa73a0473be6fcf6739d8e964488c3543.exe
1260	c900116f26c56d2773337522219e4aaaa73a0473be6fcf6739d8e964488c3543.exe
928	Client.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WindowsServices.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\061de4c451a1c1cb6f111696c953d5d6 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WindowsServices.exe\" .."	WindowsServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\061de4c451a1c1cb6f111696c953d5d6 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WindowsServices.exe\" .."	WindowsServices.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 10 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\eps_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\.eps	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\eps_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\eps_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\eps_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\eps_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\eps_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\.eps\ = "eps_auto_file"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Client.exe

pid	process
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe
928	Client.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

Client.exeWindowsServices.exe

description	pid	process
Token: SeDebugPrivilege	928	Client.exe
Token: SeDebugPrivilege	1752	WindowsServices.exe
Token: 33	1752	WindowsServices.exe
Token: SeIncBasePriorityPrivilege	1752	WindowsServices.exe
Token: 33	1752	WindowsServices.exe
Token: SeIncBasePriorityPrivilege	1752	WindowsServices.exe
Token: 33	1752	WindowsServices.exe
Token: SeIncBasePriorityPrivilege	1752	WindowsServices.exe
Token: 33	1752	WindowsServices.exe
Token: SeIncBasePriorityPrivilege	1752	WindowsServices.exe
Token: 33	1752	WindowsServices.exe
Token: SeIncBasePriorityPrivilege	1752	WindowsServices.exe
Token: 33	1752	WindowsServices.exe
Token: SeIncBasePriorityPrivilege	1752	WindowsServices.exe
Token: 33	1752	WindowsServices.exe
Token: SeIncBasePriorityPrivilege	1752	WindowsServices.exe
Token: 33	1752	WindowsServices.exe
Token: SeIncBasePriorityPrivilege	1752	WindowsServices.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

AcroRd32.exe

pid process

1964 AcroRd32.exe
1964 AcroRd32.exe
1964 AcroRd32.exe

pid	process
1964	AcroRd32.exe
1964	AcroRd32.exe
1964	AcroRd32.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

c900116f26c56d2773337522219e4aaaa73a0473be6fcf6739d8e964488c3543.exerundll32.exeClient.exeWindowsServices.exe

description	pid	process	target process
PID 1260 wrote to memory of 976	1260	c900116f26c56d2773337522219e4aaaa73a0473be6fcf6739d8e964488c3543.exe	rundll32.exe
PID 1260 wrote to memory of 976	1260	c900116f26c56d2773337522219e4aaaa73a0473be6fcf6739d8e964488c3543.exe	rundll32.exe
PID 1260 wrote to memory of 976	1260	c900116f26c56d2773337522219e4aaaa73a0473be6fcf6739d8e964488c3543.exe	rundll32.exe
PID 1260 wrote to memory of 976	1260	c900116f26c56d2773337522219e4aaaa73a0473be6fcf6739d8e964488c3543.exe	rundll32.exe
PID 1260 wrote to memory of 976	1260	c900116f26c56d2773337522219e4aaaa73a0473be6fcf6739d8e964488c3543.exe	rundll32.exe
PID 1260 wrote to memory of 976	1260	c900116f26c56d2773337522219e4aaaa73a0473be6fcf6739d8e964488c3543.exe	rundll32.exe
PID 1260 wrote to memory of 976	1260	c900116f26c56d2773337522219e4aaaa73a0473be6fcf6739d8e964488c3543.exe	rundll32.exe
PID 1260 wrote to memory of 928	1260	c900116f26c56d2773337522219e4aaaa73a0473be6fcf6739d8e964488c3543.exe	Client.exe
PID 1260 wrote to memory of 928	1260	c900116f26c56d2773337522219e4aaaa73a0473be6fcf6739d8e964488c3543.exe	Client.exe
PID 1260 wrote to memory of 928	1260	c900116f26c56d2773337522219e4aaaa73a0473be6fcf6739d8e964488c3543.exe	Client.exe
PID 1260 wrote to memory of 928	1260	c900116f26c56d2773337522219e4aaaa73a0473be6fcf6739d8e964488c3543.exe	Client.exe
PID 1260 wrote to memory of 928	1260	c900116f26c56d2773337522219e4aaaa73a0473be6fcf6739d8e964488c3543.exe	Client.exe
PID 1260 wrote to memory of 928	1260	c900116f26c56d2773337522219e4aaaa73a0473be6fcf6739d8e964488c3543.exe	Client.exe
PID 1260 wrote to memory of 928	1260	c900116f26c56d2773337522219e4aaaa73a0473be6fcf6739d8e964488c3543.exe	Client.exe
PID 976 wrote to memory of 1964	976	rundll32.exe	AcroRd32.exe
PID 976 wrote to memory of 1964	976	rundll32.exe	AcroRd32.exe
PID 976 wrote to memory of 1964	976	rundll32.exe	AcroRd32.exe
PID 976 wrote to memory of 1964	976	rundll32.exe	AcroRd32.exe
PID 976 wrote to memory of 1964	976	rundll32.exe	AcroRd32.exe
PID 976 wrote to memory of 1964	976	rundll32.exe	AcroRd32.exe
PID 976 wrote to memory of 1964	976	rundll32.exe	AcroRd32.exe
PID 928 wrote to memory of 1752	928	Client.exe	WindowsServices.exe
PID 928 wrote to memory of 1752	928	Client.exe	WindowsServices.exe
PID 928 wrote to memory of 1752	928	Client.exe	WindowsServices.exe
PID 928 wrote to memory of 1752	928	Client.exe	WindowsServices.exe
PID 928 wrote to memory of 1752	928	Client.exe	WindowsServices.exe
PID 928 wrote to memory of 1752	928	Client.exe	WindowsServices.exe
PID 928 wrote to memory of 1752	928	Client.exe	WindowsServices.exe
PID 1752 wrote to memory of 1300	1752	WindowsServices.exe	netsh.exe
PID 1752 wrote to memory of 1300	1752	WindowsServices.exe	netsh.exe
PID 1752 wrote to memory of 1300	1752	WindowsServices.exe	netsh.exe
PID 1752 wrote to memory of 1300	1752	WindowsServices.exe	netsh.exe
PID 1752 wrote to memory of 1300	1752	WindowsServices.exe	netsh.exe
PID 1752 wrote to memory of 1300	1752	WindowsServices.exe	netsh.exe
PID 1752 wrote to memory of 1300	1752	WindowsServices.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\c900116f26c56d2773337522219e4aaaa73a0473be6fcf6739d8e964488c3543.exe
"C:\Users\Admin\AppData\Local\Temp\c900116f26c56d2773337522219e4aaaa73a0473be6fcf6739d8e964488c3543.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1260

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Лекало для флага ПАРУС 3600.eps
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:976

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Лекало для флага ПАРУС 3600.eps"
3⤵
- Suspicious use of SetWindowsHookEx
PID:1964

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:928

C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe
"C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe" "WindowsServices.exe" ENABLE
4⤵
PID:1300

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Client.exe
Filesize
31KB

MD5
3822f9a5bcd0c2e95cd043de39854a90

SHA1
e5e90f53baf50001f8ca0442f0773b10a90ec809

SHA256
b8d04fc3c0b254c89e1c0c7465d38ea5a6eac3ed6b20c1e8a7217da2f2d545cc

SHA512
f5804b6b1ddd4bd2dd2255f683fbca9ef56244728120d9977ca1ab15674c59fa03e04852bb05c50b9df1dfa2454fac22fd4f52bec6f752431305c429dc54d01e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client.exe
Filesize
31KB

MD5
3822f9a5bcd0c2e95cd043de39854a90

SHA1
e5e90f53baf50001f8ca0442f0773b10a90ec809

SHA256
b8d04fc3c0b254c89e1c0c7465d38ea5a6eac3ed6b20c1e8a7217da2f2d545cc

SHA512
f5804b6b1ddd4bd2dd2255f683fbca9ef56244728120d9977ca1ab15674c59fa03e04852bb05c50b9df1dfa2454fac22fd4f52bec6f752431305c429dc54d01e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe
Filesize
31KB

MD5
3822f9a5bcd0c2e95cd043de39854a90

SHA1
e5e90f53baf50001f8ca0442f0773b10a90ec809

SHA256
b8d04fc3c0b254c89e1c0c7465d38ea5a6eac3ed6b20c1e8a7217da2f2d545cc

SHA512
f5804b6b1ddd4bd2dd2255f683fbca9ef56244728120d9977ca1ab15674c59fa03e04852bb05c50b9df1dfa2454fac22fd4f52bec6f752431305c429dc54d01e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe
Filesize
31KB

MD5
3822f9a5bcd0c2e95cd043de39854a90

SHA1
e5e90f53baf50001f8ca0442f0773b10a90ec809

SHA256
b8d04fc3c0b254c89e1c0c7465d38ea5a6eac3ed6b20c1e8a7217da2f2d545cc

SHA512
f5804b6b1ddd4bd2dd2255f683fbca9ef56244728120d9977ca1ab15674c59fa03e04852bb05c50b9df1dfa2454fac22fd4f52bec6f752431305c429dc54d01e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Лекало для флага ПАРУС 3600.eps
Filesize
1.0MB

MD5
d9d1b1ca63cf488280e2bce1832e7d42

SHA1
897c40f394599cd7c06ab95e8db5fada18badc7a

SHA256
6aaeb09b3aadb5597f5b1b9e1cb845244d51345324c8ef2ddbe64e909a3d9209

SHA512
0a73a15c0e670b382b8485b9b6afd8db78bb04b3e9f1dfb203437fec35db24334452b73b19f19b02587da6e2e9b956a190746280429d634882927d9540383d21

Download Submit
\Users\Admin\AppData\Local\Temp\Client.exe
Filesize
31KB

MD5
3822f9a5bcd0c2e95cd043de39854a90

SHA1
e5e90f53baf50001f8ca0442f0773b10a90ec809

SHA256
b8d04fc3c0b254c89e1c0c7465d38ea5a6eac3ed6b20c1e8a7217da2f2d545cc

SHA512
f5804b6b1ddd4bd2dd2255f683fbca9ef56244728120d9977ca1ab15674c59fa03e04852bb05c50b9df1dfa2454fac22fd4f52bec6f752431305c429dc54d01e

Download Submit
\Users\Admin\AppData\Local\Temp\Client.exe
Filesize
31KB

MD5
3822f9a5bcd0c2e95cd043de39854a90

SHA1
e5e90f53baf50001f8ca0442f0773b10a90ec809

SHA256
b8d04fc3c0b254c89e1c0c7465d38ea5a6eac3ed6b20c1e8a7217da2f2d545cc

SHA512
f5804b6b1ddd4bd2dd2255f683fbca9ef56244728120d9977ca1ab15674c59fa03e04852bb05c50b9df1dfa2454fac22fd4f52bec6f752431305c429dc54d01e

Download Submit
\Users\Admin\AppData\Local\Temp\Client.exe
Filesize
31KB

MD5
3822f9a5bcd0c2e95cd043de39854a90

SHA1
e5e90f53baf50001f8ca0442f0773b10a90ec809

SHA256
b8d04fc3c0b254c89e1c0c7465d38ea5a6eac3ed6b20c1e8a7217da2f2d545cc

SHA512
f5804b6b1ddd4bd2dd2255f683fbca9ef56244728120d9977ca1ab15674c59fa03e04852bb05c50b9df1dfa2454fac22fd4f52bec6f752431305c429dc54d01e

Download Submit
\Users\Admin\AppData\Local\Temp\WindowsServices.exe
Filesize
31KB

MD5
3822f9a5bcd0c2e95cd043de39854a90

SHA1
e5e90f53baf50001f8ca0442f0773b10a90ec809

SHA256
b8d04fc3c0b254c89e1c0c7465d38ea5a6eac3ed6b20c1e8a7217da2f2d545cc

SHA512
f5804b6b1ddd4bd2dd2255f683fbca9ef56244728120d9977ca1ab15674c59fa03e04852bb05c50b9df1dfa2454fac22fd4f52bec6f752431305c429dc54d01e

Download Submit
memory/928-64-0x0000000074090000-0x000000007463B000-memory.dmp

Filesize
5.7MB

Download
memory/928-60-0x0000000000000000-mapping.dmp

Download
memory/976-55-0x0000000000000000-mapping.dmp

Download
memory/1260-54-0x0000000075CE1000-0x0000000075CE3000-memory.dmp

Filesize
8KB

Download
memory/1300-74-0x0000000000000000-mapping.dmp

Download
memory/1752-69-0x0000000000000000-mapping.dmp

Download
memory/1752-73-0x0000000074090000-0x000000007463B000-memory.dmp

Filesize
5.7MB

Download
memory/1964-65-0x0000000000000000-mapping.dmp

Download