njrat | 02e1fec4856b8cc2795a36e5d33a16faf6ac9a235c7c7317c2420254d1b2838d

Analysis

max time kernel
150s
max time network
45s
platform
windows7_x64
resource
win7-20220414-en
submitted
28-05-2022 02:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02e1fec4856b8cc2795a36e5d33a16faf6ac9a235c7c7317c2420254d1b2838d.exe
Size

69KB
MD5

d88a7f3413515322025b9ebedeb64d9a
SHA1

2595386c3623224afe8ebfa37bae04cbe7a94e3d
SHA256

02e1fec4856b8cc2795a36e5d33a16faf6ac9a235c7c7317c2420254d1b2838d
SHA512

84983aa1fcd8befe05a924adc3d812602520929155fd4ec6ea3471b73dafafe78df0c72cad4e982889e1d280d2075fac5fd02d35ebea4ab8e5347616df692bdc

Score

10^/10

njrat bot trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Bot

socketw1.duckdns.org:8108

Mutex

e031c5a7cf5b88cb0b44a56f08e29a21

Attributes

reg_key
e031c5a7cf5b88cb0b44a56f08e29a21
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 4 IoCs

Processes:

02e1fec4856b8cc2795a36e5d33a16faf6ac9a235c7c7317c2420254d1b2838d.exesocket1.exesocket1.exesocket1.exe

pid process

1264 02e1fec4856b8cc2795a36e5d33a16faf6ac9a235c7c7317c2420254d1b2838d.exe
1384 socket1.exe
688 socket1.exe
1976 socket1.exe

pid	process
1264	02e1fec4856b8cc2795a36e5d33a16faf6ac9a235c7c7317c2420254d1b2838d.exe
1384	socket1.exe
688	socket1.exe
1976	socket1.exe

Drops startup file 2 IoCs

Processes:

02e1fec4856b8cc2795a36e5d33a16faf6ac9a235c7c7317c2420254d1b2838d.exesocket1.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Maxtor.js	02e1fec4856b8cc2795a36e5d33a16faf6ac9a235c7c7317c2420254d1b2838d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Maxtor.js	socket1.exe

Loads dropped DLL 4 IoCs

Processes:

02e1fec4856b8cc2795a36e5d33a16faf6ac9a235c7c7317c2420254d1b2838d.exe02e1fec4856b8cc2795a36e5d33a16faf6ac9a235c7c7317c2420254d1b2838d.exesocket1.exesocket1.exe

pid	process
1996	02e1fec4856b8cc2795a36e5d33a16faf6ac9a235c7c7317c2420254d1b2838d.exe
1264	02e1fec4856b8cc2795a36e5d33a16faf6ac9a235c7c7317c2420254d1b2838d.exe
1384	socket1.exe
688	socket1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

02e1fec4856b8cc2795a36e5d33a16faf6ac9a235c7c7317c2420254d1b2838d.exesocket1.exe

description	pid	process
Token: SeDebugPrivilege	1996	02e1fec4856b8cc2795a36e5d33a16faf6ac9a235c7c7317c2420254d1b2838d.exe
Token: SeDebugPrivilege	1384	socket1.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

02e1fec4856b8cc2795a36e5d33a16faf6ac9a235c7c7317c2420254d1b2838d.exe02e1fec4856b8cc2795a36e5d33a16faf6ac9a235c7c7317c2420254d1b2838d.exesocket1.exesocket1.exe

description	pid	process	target process
PID 1996 wrote to memory of 1264	1996	02e1fec4856b8cc2795a36e5d33a16faf6ac9a235c7c7317c2420254d1b2838d.exe	02e1fec4856b8cc2795a36e5d33a16faf6ac9a235c7c7317c2420254d1b2838d.exe
PID 1996 wrote to memory of 1264	1996	02e1fec4856b8cc2795a36e5d33a16faf6ac9a235c7c7317c2420254d1b2838d.exe	02e1fec4856b8cc2795a36e5d33a16faf6ac9a235c7c7317c2420254d1b2838d.exe
PID 1996 wrote to memory of 1264	1996	02e1fec4856b8cc2795a36e5d33a16faf6ac9a235c7c7317c2420254d1b2838d.exe	02e1fec4856b8cc2795a36e5d33a16faf6ac9a235c7c7317c2420254d1b2838d.exe
PID 1996 wrote to memory of 1264	1996	02e1fec4856b8cc2795a36e5d33a16faf6ac9a235c7c7317c2420254d1b2838d.exe	02e1fec4856b8cc2795a36e5d33a16faf6ac9a235c7c7317c2420254d1b2838d.exe
PID 1264 wrote to memory of 1384	1264	02e1fec4856b8cc2795a36e5d33a16faf6ac9a235c7c7317c2420254d1b2838d.exe	socket1.exe
PID 1264 wrote to memory of 1384	1264	02e1fec4856b8cc2795a36e5d33a16faf6ac9a235c7c7317c2420254d1b2838d.exe	socket1.exe
PID 1264 wrote to memory of 1384	1264	02e1fec4856b8cc2795a36e5d33a16faf6ac9a235c7c7317c2420254d1b2838d.exe	socket1.exe
PID 1264 wrote to memory of 1384	1264	02e1fec4856b8cc2795a36e5d33a16faf6ac9a235c7c7317c2420254d1b2838d.exe	socket1.exe
PID 1384 wrote to memory of 688	1384	socket1.exe	socket1.exe
PID 1384 wrote to memory of 688	1384	socket1.exe	socket1.exe
PID 1384 wrote to memory of 688	1384	socket1.exe	socket1.exe
PID 1384 wrote to memory of 688	1384	socket1.exe	socket1.exe
PID 688 wrote to memory of 1976	688	socket1.exe	socket1.exe
PID 688 wrote to memory of 1976	688	socket1.exe	socket1.exe
PID 688 wrote to memory of 1976	688	socket1.exe	socket1.exe
PID 688 wrote to memory of 1976	688	socket1.exe	socket1.exe

C:\Users\Admin\AppData\Local\Temp\02e1fec4856b8cc2795a36e5d33a16faf6ac9a235c7c7317c2420254d1b2838d.exe
"C:\Users\Admin\AppData\Local\Temp\02e1fec4856b8cc2795a36e5d33a16faf6ac9a235c7c7317c2420254d1b2838d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996

C:\Users\Admin\AppData\Roaming\02e1fec4856b8cc2795a36e5d33a16faf6ac9a235c7c7317c2420254d1b2838d.exe
"C:\Users\Admin\AppData\Roaming\02e1fec4856b8cc2795a36e5d33a16faf6ac9a235c7c7317c2420254d1b2838d.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1264

C:\Users\Admin\AppData\Local\Temp\socket1.exe
"C:\Users\Admin\AppData\Local\Temp\socket1.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1384

C:\Users\Admin\AppData\Roaming\socket1.exe
"C:\Users\Admin\AppData\Roaming\socket1.exe"
4⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:688

C:\Users\Admin\AppData\Local\Temp\socket1.exe
"C:\Users\Admin\AppData\Local\Temp\socket1.exe"
5⤵
- Executes dropped EXE
PID:1976

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\socket1.exe
Filesize
69KB

MD5
d88a7f3413515322025b9ebedeb64d9a

SHA1
2595386c3623224afe8ebfa37bae04cbe7a94e3d

SHA256
02e1fec4856b8cc2795a36e5d33a16faf6ac9a235c7c7317c2420254d1b2838d

SHA512
84983aa1fcd8befe05a924adc3d812602520929155fd4ec6ea3471b73dafafe78df0c72cad4e982889e1d280d2075fac5fd02d35ebea4ab8e5347616df692bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\socket1.exe
Filesize
69KB

MD5
d88a7f3413515322025b9ebedeb64d9a

SHA1
2595386c3623224afe8ebfa37bae04cbe7a94e3d

SHA256
02e1fec4856b8cc2795a36e5d33a16faf6ac9a235c7c7317c2420254d1b2838d

SHA512
84983aa1fcd8befe05a924adc3d812602520929155fd4ec6ea3471b73dafafe78df0c72cad4e982889e1d280d2075fac5fd02d35ebea4ab8e5347616df692bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\socket1.exe
Filesize
69KB

MD5
d88a7f3413515322025b9ebedeb64d9a

SHA1
2595386c3623224afe8ebfa37bae04cbe7a94e3d

SHA256
02e1fec4856b8cc2795a36e5d33a16faf6ac9a235c7c7317c2420254d1b2838d

SHA512
84983aa1fcd8befe05a924adc3d812602520929155fd4ec6ea3471b73dafafe78df0c72cad4e982889e1d280d2075fac5fd02d35ebea4ab8e5347616df692bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\socket1.exe
Filesize
69KB

MD5
d88a7f3413515322025b9ebedeb64d9a

SHA1
2595386c3623224afe8ebfa37bae04cbe7a94e3d

SHA256
02e1fec4856b8cc2795a36e5d33a16faf6ac9a235c7c7317c2420254d1b2838d

SHA512
84983aa1fcd8befe05a924adc3d812602520929155fd4ec6ea3471b73dafafe78df0c72cad4e982889e1d280d2075fac5fd02d35ebea4ab8e5347616df692bdc

Download Submit
C:\Users\Admin\AppData\Roaming\02e1fec4856b8cc2795a36e5d33a16faf6ac9a235c7c7317c2420254d1b2838d.exe
Filesize
69KB

MD5
d88a7f3413515322025b9ebedeb64d9a

SHA1
2595386c3623224afe8ebfa37bae04cbe7a94e3d

SHA256
02e1fec4856b8cc2795a36e5d33a16faf6ac9a235c7c7317c2420254d1b2838d

SHA512
84983aa1fcd8befe05a924adc3d812602520929155fd4ec6ea3471b73dafafe78df0c72cad4e982889e1d280d2075fac5fd02d35ebea4ab8e5347616df692bdc

Download Submit
C:\Users\Admin\AppData\Roaming\02e1fec4856b8cc2795a36e5d33a16faf6ac9a235c7c7317c2420254d1b2838d.exe
Filesize
69KB

MD5
d88a7f3413515322025b9ebedeb64d9a

SHA1
2595386c3623224afe8ebfa37bae04cbe7a94e3d

SHA256
02e1fec4856b8cc2795a36e5d33a16faf6ac9a235c7c7317c2420254d1b2838d

SHA512
84983aa1fcd8befe05a924adc3d812602520929155fd4ec6ea3471b73dafafe78df0c72cad4e982889e1d280d2075fac5fd02d35ebea4ab8e5347616df692bdc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Maxtor.js
Filesize
148B

MD5
a4ceb62063ad72e7d8606295d37acb7a

SHA1
d127b0f789a5b6625b60005e0c314021dbd44a39

SHA256
79c221e1a5dd2cf441f3ac26d1b4c749d1210c00f3bf1c3cf649b1266536183a

SHA512
57faa7e562401e518b062bc4b84a7d21abe8dfb7ac840f9047e56b842c0784bad43b9cb934d7085155c08dc0a61955263927c8d8de04efc970ec8221dd1584b4

Download Submit
C:\Users\Admin\AppData\Roaming\socket1.exe
Filesize
69KB

MD5
d88a7f3413515322025b9ebedeb64d9a

SHA1
2595386c3623224afe8ebfa37bae04cbe7a94e3d

SHA256
02e1fec4856b8cc2795a36e5d33a16faf6ac9a235c7c7317c2420254d1b2838d

SHA512
84983aa1fcd8befe05a924adc3d812602520929155fd4ec6ea3471b73dafafe78df0c72cad4e982889e1d280d2075fac5fd02d35ebea4ab8e5347616df692bdc

Download Submit
C:\Users\Admin\AppData\Roaming\socket1.exe
Filesize
69KB

MD5
d88a7f3413515322025b9ebedeb64d9a

SHA1
2595386c3623224afe8ebfa37bae04cbe7a94e3d

SHA256
02e1fec4856b8cc2795a36e5d33a16faf6ac9a235c7c7317c2420254d1b2838d

SHA512
84983aa1fcd8befe05a924adc3d812602520929155fd4ec6ea3471b73dafafe78df0c72cad4e982889e1d280d2075fac5fd02d35ebea4ab8e5347616df692bdc

Download Submit
\Users\Admin\AppData\Local\Temp\socket1.exe
Filesize
69KB

MD5
d88a7f3413515322025b9ebedeb64d9a

SHA1
2595386c3623224afe8ebfa37bae04cbe7a94e3d

SHA256
02e1fec4856b8cc2795a36e5d33a16faf6ac9a235c7c7317c2420254d1b2838d

SHA512
84983aa1fcd8befe05a924adc3d812602520929155fd4ec6ea3471b73dafafe78df0c72cad4e982889e1d280d2075fac5fd02d35ebea4ab8e5347616df692bdc

Download Submit
\Users\Admin\AppData\Local\Temp\socket1.exe
Filesize
69KB

MD5
d88a7f3413515322025b9ebedeb64d9a

SHA1
2595386c3623224afe8ebfa37bae04cbe7a94e3d

SHA256
02e1fec4856b8cc2795a36e5d33a16faf6ac9a235c7c7317c2420254d1b2838d

SHA512
84983aa1fcd8befe05a924adc3d812602520929155fd4ec6ea3471b73dafafe78df0c72cad4e982889e1d280d2075fac5fd02d35ebea4ab8e5347616df692bdc

Download Submit
\Users\Admin\AppData\Roaming\02e1fec4856b8cc2795a36e5d33a16faf6ac9a235c7c7317c2420254d1b2838d.exe
Filesize
69KB

MD5
d88a7f3413515322025b9ebedeb64d9a

SHA1
2595386c3623224afe8ebfa37bae04cbe7a94e3d

SHA256
02e1fec4856b8cc2795a36e5d33a16faf6ac9a235c7c7317c2420254d1b2838d

SHA512
84983aa1fcd8befe05a924adc3d812602520929155fd4ec6ea3471b73dafafe78df0c72cad4e982889e1d280d2075fac5fd02d35ebea4ab8e5347616df692bdc

Download Submit
\Users\Admin\AppData\Roaming\socket1.exe
Filesize
69KB

MD5
d88a7f3413515322025b9ebedeb64d9a

SHA1
2595386c3623224afe8ebfa37bae04cbe7a94e3d

SHA256
02e1fec4856b8cc2795a36e5d33a16faf6ac9a235c7c7317c2420254d1b2838d

SHA512
84983aa1fcd8befe05a924adc3d812602520929155fd4ec6ea3471b73dafafe78df0c72cad4e982889e1d280d2075fac5fd02d35ebea4ab8e5347616df692bdc

Download Submit
memory/688-111-0x0000000074260000-0x00000000743F4000-memory.dmp

Filesize
1.6MB

Download
memory/688-110-0x0000000074400000-0x00000000745D1000-memory.dmp

Filesize
1.8MB

Download
memory/688-109-0x0000000071620000-0x0000000071E00000-memory.dmp

Filesize
7.9MB

Download
memory/688-108-0x0000000071E00000-0x0000000072810000-memory.dmp

Filesize
10.1MB

Download
memory/688-107-0x0000000072810000-0x0000000073B9F000-memory.dmp

Filesize
19.6MB

Download
memory/688-98-0x0000000000000000-mapping.dmp

Download
memory/688-112-0x0000000070900000-0x000000007161D000-memory.dmp

Filesize
13.1MB

Download
memory/688-120-0x0000000072810000-0x0000000073B9F000-memory.dmp

Filesize
19.6MB

Download
memory/688-101-0x00000000012C0000-0x00000000012D4000-memory.dmp

Filesize
80KB

Download
memory/688-121-0x0000000071E00000-0x0000000072810000-memory.dmp

Filesize
10.1MB

Download
memory/688-123-0x0000000074400000-0x00000000745D1000-memory.dmp

Filesize
1.8MB

Download
memory/688-126-0x0000000070900000-0x000000007161D000-memory.dmp

Filesize
13.1MB

Download
memory/1264-93-0x0000000074400000-0x00000000745D1000-memory.dmp

Filesize
1.8MB

Download
memory/1264-96-0x0000000070900000-0x000000007161D000-memory.dmp

Filesize
13.1MB

Download
memory/1264-79-0x0000000072810000-0x0000000073B9F000-memory.dmp

Filesize
19.6MB

Download
memory/1264-64-0x0000000000000000-mapping.dmp

Download
memory/1264-78-0x0000000071E00000-0x0000000072810000-memory.dmp

Filesize
10.1MB

Download
memory/1264-67-0x00000000001B0000-0x00000000001C4000-memory.dmp

Filesize
80KB

Download
memory/1264-87-0x0000000071E00000-0x0000000072810000-memory.dmp

Filesize
10.1MB

Download
memory/1264-80-0x0000000000410000-0x000000000041C000-memory.dmp

Filesize
48KB

Download
memory/1264-89-0x0000000072810000-0x0000000073B9F000-memory.dmp

Filesize
19.6MB

Download
memory/1264-74-0x0000000071620000-0x0000000071E00000-memory.dmp

Filesize
7.9MB

Download
memory/1264-73-0x0000000072810000-0x0000000073B9F000-memory.dmp

Filesize
19.6MB

Download
memory/1264-76-0x0000000074260000-0x00000000743F4000-memory.dmp

Filesize
1.6MB

Download
memory/1264-75-0x0000000074400000-0x00000000745D1000-memory.dmp

Filesize
1.8MB

Download
memory/1264-77-0x0000000070900000-0x000000007161D000-memory.dmp

Filesize
13.1MB

Download
memory/1384-105-0x0000000074400000-0x00000000745D1000-memory.dmp

Filesize
1.8MB

Download
memory/1384-85-0x0000000000870000-0x0000000000884000-memory.dmp

Filesize
80KB

Download
memory/1384-91-0x0000000071620000-0x0000000071E00000-memory.dmp

Filesize
7.9MB

Download
memory/1384-92-0x0000000074400000-0x00000000745D1000-memory.dmp

Filesize
1.8MB

Download
memory/1384-94-0x0000000074260000-0x00000000743F4000-memory.dmp

Filesize
1.6MB

Download
memory/1384-82-0x0000000000000000-mapping.dmp

Download
memory/1384-90-0x0000000072810000-0x0000000073B9F000-memory.dmp

Filesize
19.6MB

Download
memory/1384-103-0x0000000071E00000-0x0000000072810000-memory.dmp

Filesize
10.1MB

Download
memory/1384-104-0x0000000072810000-0x0000000073B9F000-memory.dmp

Filesize
19.6MB

Download
memory/1384-88-0x0000000071E00000-0x0000000072810000-memory.dmp

Filesize
10.1MB

Download
memory/1384-106-0x0000000070900000-0x000000007161D000-memory.dmp

Filesize
13.1MB

Download
memory/1384-95-0x0000000070900000-0x000000007161D000-memory.dmp

Filesize
13.1MB

Download
memory/1976-115-0x0000000000000000-mapping.dmp

Download
memory/1976-127-0x0000000074400000-0x00000000745D1000-memory.dmp

Filesize
1.8MB

Download
memory/1976-128-0x0000000074260000-0x00000000743F4000-memory.dmp

Filesize
1.6MB

Download
memory/1976-125-0x0000000071620000-0x0000000071E00000-memory.dmp

Filesize
7.9MB

Download
memory/1976-124-0x0000000071E00000-0x0000000072810000-memory.dmp

Filesize
10.1MB

Download
memory/1976-122-0x0000000072810000-0x0000000073B9F000-memory.dmp

Filesize
19.6MB

Download
memory/1976-118-0x0000000000220000-0x0000000000234000-memory.dmp

Filesize
80KB

Download
memory/1996-62-0x0000000070900000-0x000000007161D000-memory.dmp

Filesize
13.1MB

Download
memory/1996-60-0x0000000074400000-0x00000000745D1000-memory.dmp

Filesize
1.8MB

Download
memory/1996-61-0x0000000074260000-0x00000000743F4000-memory.dmp

Filesize
1.6MB

Download
memory/1996-59-0x0000000071620000-0x0000000071E00000-memory.dmp

Filesize
7.9MB

Download
memory/1996-58-0x0000000071E00000-0x0000000072810000-memory.dmp

Filesize
10.1MB

Download
memory/1996-57-0x0000000072810000-0x0000000073B9F000-memory.dmp

Filesize
19.6MB

Download
memory/1996-71-0x0000000074400000-0x00000000745D1000-memory.dmp

Filesize
1.8MB

Download
memory/1996-56-0x0000000000340000-0x000000000034C000-memory.dmp

Filesize
48KB

Download
memory/1996-54-0x0000000000360000-0x0000000000374000-memory.dmp

Filesize
80KB

Download
memory/1996-72-0x0000000070900000-0x000000007161D000-memory.dmp

Filesize
13.1MB

Download
memory/1996-69-0x0000000072810000-0x0000000073B9F000-memory.dmp

Filesize
19.6MB

Download
memory/1996-70-0x0000000071E00000-0x0000000072810000-memory.dmp

Filesize
10.1MB

Download
memory/1996-55-0x0000000075841000-0x0000000075843000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads