njrat | c900116f26c56d2773337522219e4aaaa73a0473be6fcf6739d8e964488c3543

General

Target

c900116f26c56d2773337522219e4aaaa73a0473be6fcf6739d8e964488c3543.exe
Size

203KB
MD5

7f58142ad487ca166fb71be971d97bc9
SHA1

6c1bca26d7ea9e6f2ded29d84759aade2cc844bb
SHA256

c900116f26c56d2773337522219e4aaaa73a0473be6fcf6739d8e964488c3543
SHA512

2848e3af53cc32f5dcdbcf9be400b9defbce9642bc60863ada3cde301edf785b0795fd50782c586314beb95cc3293b75b69f4500817de6890dcdb484fab7c621

Score

10^/10

njrat mybot evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

MyBot

C2

85.140.114.45:7777

Mutex

061de4c451a1c1cb6f111696c953d5d6

Attributes

reg_key
061de4c451a1c1cb6f111696c953d5d6
splitter
Y262SUCZ4UJJ

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

Client.exeWindowsServices.exe

pid process

3316 Client.exe
3492 WindowsServices.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c900116f26c56d2773337522219e4aaaa73a0473be6fcf6739d8e964488c3543.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	c900116f26c56d2773337522219e4aaaa73a0473be6fcf6739d8e964488c3543.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Client.exe

Drops startup file 2 IoCs

Processes:

WindowsServices.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\061de4c451a1c1cb6f111696c953d5d6.exe	WindowsServices.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\061de4c451a1c1cb6f111696c953d5d6.exe	WindowsServices.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WindowsServices.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\061de4c451a1c1cb6f111696c953d5d6 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WindowsServices.exe\" .."	WindowsServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\061de4c451a1c1cb6f111696c953d5d6 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WindowsServices.exe\" .."	WindowsServices.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

c900116f26c56d2773337522219e4aaaa73a0473be6fcf6739d8e964488c3543.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	c900116f26c56d2773337522219e4aaaa73a0473be6fcf6739d8e964488c3543.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Client.exe

pid	process
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe
3316	Client.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

Client.exeWindowsServices.exe

description	pid	process
Token: SeDebugPrivilege	3316	Client.exe
Token: SeDebugPrivilege	3492	WindowsServices.exe
Token: 33	3492	WindowsServices.exe
Token: SeIncBasePriorityPrivilege	3492	WindowsServices.exe
Token: 33	3492	WindowsServices.exe
Token: SeIncBasePriorityPrivilege	3492	WindowsServices.exe
Token: 33	3492	WindowsServices.exe
Token: SeIncBasePriorityPrivilege	3492	WindowsServices.exe
Token: 33	3492	WindowsServices.exe
Token: SeIncBasePriorityPrivilege	3492	WindowsServices.exe
Token: 33	3492	WindowsServices.exe
Token: SeIncBasePriorityPrivilege	3492	WindowsServices.exe
Token: 33	3492	WindowsServices.exe
Token: SeIncBasePriorityPrivilege	3492	WindowsServices.exe
Token: 33	3492	WindowsServices.exe
Token: SeIncBasePriorityPrivilege	3492	WindowsServices.exe
Token: 33	3492	WindowsServices.exe
Token: SeIncBasePriorityPrivilege	3492	WindowsServices.exe
Token: 33	3492	WindowsServices.exe
Token: SeIncBasePriorityPrivilege	3492	WindowsServices.exe
Token: 33	3492	WindowsServices.exe
Token: SeIncBasePriorityPrivilege	3492	WindowsServices.exe
Token: 33	3492	WindowsServices.exe
Token: SeIncBasePriorityPrivilege	3492	WindowsServices.exe
Token: 33	3492	WindowsServices.exe
Token: SeIncBasePriorityPrivilege	3492	WindowsServices.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

4800 OpenWith.exe

pid	process
4800	OpenWith.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

c900116f26c56d2773337522219e4aaaa73a0473be6fcf6739d8e964488c3543.exeClient.exeWindowsServices.exe

description	pid	process	target process
PID 3688 wrote to memory of 3316	3688	c900116f26c56d2773337522219e4aaaa73a0473be6fcf6739d8e964488c3543.exe	Client.exe
PID 3688 wrote to memory of 3316	3688	c900116f26c56d2773337522219e4aaaa73a0473be6fcf6739d8e964488c3543.exe	Client.exe
PID 3688 wrote to memory of 3316	3688	c900116f26c56d2773337522219e4aaaa73a0473be6fcf6739d8e964488c3543.exe	Client.exe
PID 3316 wrote to memory of 3492	3316	Client.exe	WindowsServices.exe
PID 3316 wrote to memory of 3492	3316	Client.exe	WindowsServices.exe
PID 3316 wrote to memory of 3492	3316	Client.exe	WindowsServices.exe
PID 3492 wrote to memory of 3596	3492	WindowsServices.exe	netsh.exe
PID 3492 wrote to memory of 3596	3492	WindowsServices.exe	netsh.exe
PID 3492 wrote to memory of 3596	3492	WindowsServices.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\c900116f26c56d2773337522219e4aaaa73a0473be6fcf6739d8e964488c3543.exe
"C:\Users\Admin\AppData\Local\Temp\c900116f26c56d2773337522219e4aaaa73a0473be6fcf6739d8e964488c3543.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3688

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3316

C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe
"C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3492

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe" "WindowsServices.exe" ENABLE
4⤵
PID:3596

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
31KB

MD5
3822f9a5bcd0c2e95cd043de39854a90

SHA1
e5e90f53baf50001f8ca0442f0773b10a90ec809

SHA256
b8d04fc3c0b254c89e1c0c7465d38ea5a6eac3ed6b20c1e8a7217da2f2d545cc

SHA512
f5804b6b1ddd4bd2dd2255f683fbca9ef56244728120d9977ca1ab15674c59fa03e04852bb05c50b9df1dfa2454fac22fd4f52bec6f752431305c429dc54d01e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
31KB

MD5
3822f9a5bcd0c2e95cd043de39854a90

SHA1
e5e90f53baf50001f8ca0442f0773b10a90ec809

SHA256
b8d04fc3c0b254c89e1c0c7465d38ea5a6eac3ed6b20c1e8a7217da2f2d545cc

SHA512
f5804b6b1ddd4bd2dd2255f683fbca9ef56244728120d9977ca1ab15674c59fa03e04852bb05c50b9df1dfa2454fac22fd4f52bec6f752431305c429dc54d01e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe

Filesize
31KB

MD5
3822f9a5bcd0c2e95cd043de39854a90

SHA1
e5e90f53baf50001f8ca0442f0773b10a90ec809

SHA256
b8d04fc3c0b254c89e1c0c7465d38ea5a6eac3ed6b20c1e8a7217da2f2d545cc

SHA512
f5804b6b1ddd4bd2dd2255f683fbca9ef56244728120d9977ca1ab15674c59fa03e04852bb05c50b9df1dfa2454fac22fd4f52bec6f752431305c429dc54d01e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe

Filesize
31KB

MD5
3822f9a5bcd0c2e95cd043de39854a90

SHA1
e5e90f53baf50001f8ca0442f0773b10a90ec809

SHA256
b8d04fc3c0b254c89e1c0c7465d38ea5a6eac3ed6b20c1e8a7217da2f2d545cc

SHA512
f5804b6b1ddd4bd2dd2255f683fbca9ef56244728120d9977ca1ab15674c59fa03e04852bb05c50b9df1dfa2454fac22fd4f52bec6f752431305c429dc54d01e

Download Submit
memory/3316-130-0x0000000000000000-mapping.dmp

Download
memory/3316-133-0x00000000736C0000-0x0000000073C71000-memory.dmp

Filesize
5.7MB

Download
memory/3492-134-0x0000000000000000-mapping.dmp

Download
memory/3492-137-0x00000000736C0000-0x0000000073C71000-memory.dmp

Filesize
5.7MB

Download
memory/3596-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads