Analysis
- max time kernel: 151s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 07-06-2022 15:10
Behavioral task: behavioral1
- Sample: 1c77c5ee1ca58fcc263739ebb1912fd5ef3f234960123132695646f793e9c202.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: 1c77c5ee1ca58fcc263739ebb1912fd5ef3f234960123132695646f793e9c202.exe
- Resource: win10v2004-20220414-en
General
- Target: 1c77c5ee1ca58fcc263739ebb1912fd5ef3f234960123132695646f793e9c202.exe
- Size: 132KB
- MD5: 7a5141d5681b79d64e8b0c7a19785881
- SHA1: c85ee9fd78fce19b5418bd1a65b5697ccf0d0217
- SHA256: 1c77c5ee1ca58fcc263739ebb1912fd5ef3f234960123132695646f793e9c202
- SHA512: 2ae457093a18d3427804f36b21377e5f2fc5529a4e00e74b97ef106fae4783247c7b97b02808b089baeb5bda6252fca4cdf72ef66141f6269ceb97b1cbf6a321
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: Public
- C2: ddns81.airdns.org:18681
- Mutex: a319f91b31a91d1c47b040e22bd78fcd
- reg_key: a319f91b31a91d1c47b040e22bd78fcd
- splitter: |'|'|
Signatures

Executes dropped EXE (1 IoC)
Processes:
  pid 3376  NJRAT.exe
Modifies Windows Firewall (1 TTP, 1 IoC)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
  by 1c77c5ee1ca58fcc263739ebb1912fd5ef3f234960123132695646f793e9c202.exe
Drops startup file (2 IoCs)
Processes:
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a319f91b31a91d1c47b040e22bd78fcd.exe  by NJRAT.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a319f91b31a91d1c47b040e22bd78fcd.exe  by NJRAT.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  Set value (str): \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a319f91b31a91d1c47b040e22bd78fcd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\NJRAT.exe\" .."  by NJRAT.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\a319f91b31a91d1c47b040e22bd78fcd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\NJRAT.exe\" .."  by NJRAT.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (33 IoCs)
Processes (every entry is pid 3376, NJRAT.exe):
  Token: SeDebugPrivilege
  Token: 33, then Token: SeIncBasePriorityPrivilege; this pair repeats 16 times (32 entries)
Suspicious use of WriteProcessMemory (6 IoCs)
Processes (pid, process, target process):
  PID 2824 wrote to memory of 3376  1c77c5ee1ca58fcc263739ebb1912fd5ef3f234960123132695646f793e9c202.exe -> NJRAT.exe
  PID 2824 wrote to memory of 3376  1c77c5ee1ca58fcc263739ebb1912fd5ef3f234960123132695646f793e9c202.exe -> NJRAT.exe
  PID 2824 wrote to memory of 3376  1c77c5ee1ca58fcc263739ebb1912fd5ef3f234960123132695646f793e9c202.exe -> NJRAT.exe
  PID 3376 wrote to memory of 3172  NJRAT.exe -> netsh.exe
  PID 3376 wrote to memory of 3172  NJRAT.exe -> netsh.exe
  PID 3376 wrote to memory of 3172  NJRAT.exe -> netsh.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\1c77c5ee1ca58fcc263739ebb1912fd5ef3f234960123132695646f793e9c202.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1c77c5ee1ca58fcc263739ebb1912fd5ef3f234960123132695646f793e9c202.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\NJRAT.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\NJRAT.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\NJRAT.exe" "NJRAT.exe" ENABLE
         - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix (ATT&CK v6)

Downloads
- C:\Users\Admin\AppData\Local\Temp\NJRAT.exe
  Filesize: 132KB
  MD5: 7a5141d5681b79d64e8b0c7a19785881
  SHA1: c85ee9fd78fce19b5418bd1a65b5697ccf0d0217
  SHA256: 1c77c5ee1ca58fcc263739ebb1912fd5ef3f234960123132695646f793e9c202
  SHA512: 2ae457093a18d3427804f36b21377e5f2fc5529a4e00e74b97ef106fae4783247c7b97b02808b089baeb5bda6252fca4cdf72ef66141f6269ceb97b1cbf6a321
- memory/2824-130-0x0000000075520000-0x0000000075AD1000-memory.dmp
  Filesize: 5.7MB
- memory/2824-134-0x0000000075520000-0x0000000075AD1000-memory.dmp
  Filesize: 5.7MB
- memory/3172-136-0x0000000000000000-mapping.dmp
- memory/3376-131-0x0000000000000000-mapping.dmp
- memory/3376-135-0x0000000075520000-0x0000000075AD1000-memory.dmp
  Filesize: 5.7MB
- memory/3376-137-0x0000000075520000-0x0000000075AD1000-memory.dmp
  Filesize: 5.7MB