njrat | 3834a5a4cbe48252ed7019596b4dd910c5c3d30b527b94c34798dbe8db95ee3d

Analysis

max time kernel
151s
max time network
50s
platform
windows7_x64
resource
win7-20220414-en
submitted
25-06-2022 20:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3834a5a4cbe48252ed7019596b4dd910c5c3d30b527b94c34798dbe8db95ee3d.exe
Size

3.8MB
MD5

4252f2ca6c16c3406294894a496714bb
SHA1

549d7f01ab15ba44b77bcb4601929b19efe21619
SHA256

3834a5a4cbe48252ed7019596b4dd910c5c3d30b527b94c34798dbe8db95ee3d
SHA512

8db3820e025871a8e410ab5ccde92526fc31c1095e06757e9efd697aa0289e4199a9384b4006fe5f4026a02222a34c43cb893e3e030ab1e6cdf757f1a9c4760d

Score

10^/10

njrat sentry evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Sentry

connertyler58.ddns.net:5537

Mutex

bee015c03df24a72bb52e5f747515b7e

Attributes

reg_key
bee015c03df24a72bb52e5f747515b7e
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 4 IoCs

Processes:

Sentry Mba.exeSentry_MBA.exeServe.exeSentry.exe

pid process

980 Sentry Mba.exe
1600 Sentry_MBA.exe
1684 Serve.exe
1664 Sentry.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

968 netsh.exe

pid	process
980	Sentry Mba.exe
1600	Sentry_MBA.exe
1684	Serve.exe
1664	Sentry.exe

pid	process
968	netsh.exe

Drops startup file 4 IoCs

Processes:

Sentry.exeSentry Mba.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bee015c03df24a72bb52e5f747515b7e.exe	Sentry.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Serve.exe	Sentry Mba.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Serve.exe	Sentry Mba.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bee015c03df24a72bb52e5f747515b7e.exe	Sentry.exe

Loads dropped DLL 8 IoCs

Processes:

3834a5a4cbe48252ed7019596b4dd910c5c3d30b527b94c34798dbe8db95ee3d.exeSentry Mba.exeServe.exe

pid	process
1280	3834a5a4cbe48252ed7019596b4dd910c5c3d30b527b94c34798dbe8db95ee3d.exe
1280	3834a5a4cbe48252ed7019596b4dd910c5c3d30b527b94c34798dbe8db95ee3d.exe
1280	3834a5a4cbe48252ed7019596b4dd910c5c3d30b527b94c34798dbe8db95ee3d.exe
1280	3834a5a4cbe48252ed7019596b4dd910c5c3d30b527b94c34798dbe8db95ee3d.exe
980	Sentry Mba.exe
980	Sentry Mba.exe
980	Sentry Mba.exe
1684	Serve.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Sentry.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\bee015c03df24a72bb52e5f747515b7e = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Sentry.exe\" .."	Sentry.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bee015c03df24a72bb52e5f747515b7e = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Sentry.exe\" .."	Sentry.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 checkip.dyndns.org

flow	ioc
1	checkip.dyndns.org

AutoIT Executable 6 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Sentry Mba.exe	autoit_exe
\Users\Admin\AppData\Local\Temp\Sentry Mba.exe	autoit_exe
\Users\Admin\AppData\Local\Temp\Sentry Mba.exe	autoit_exe
\Users\Admin\AppData\Local\Temp\Sentry Mba.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\Sentry Mba.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\Sentry Mba.exe	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

Sentry_MBA.exeSentry.exe

description	pid	process
Token: 33	1600	Sentry_MBA.exe
Token: SeIncBasePriorityPrivilege	1600	Sentry_MBA.exe
Token: SeDebugPrivilege	1664	Sentry.exe
Token: 33	1664	Sentry.exe
Token: SeIncBasePriorityPrivilege	1664	Sentry.exe
Token: 33	1664	Sentry.exe
Token: SeIncBasePriorityPrivilege	1664	Sentry.exe
Token: 33	1664	Sentry.exe
Token: SeIncBasePriorityPrivilege	1664	Sentry.exe
Token: 33	1664	Sentry.exe
Token: SeIncBasePriorityPrivilege	1664	Sentry.exe
Token: 33	1664	Sentry.exe
Token: SeIncBasePriorityPrivilege	1664	Sentry.exe
Token: 33	1664	Sentry.exe
Token: SeIncBasePriorityPrivilege	1664	Sentry.exe
Token: 33	1664	Sentry.exe
Token: SeIncBasePriorityPrivilege	1664	Sentry.exe
Token: 33	1664	Sentry.exe
Token: SeIncBasePriorityPrivilege	1664	Sentry.exe
Token: 33	1664	Sentry.exe
Token: SeIncBasePriorityPrivilege	1664	Sentry.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

3834a5a4cbe48252ed7019596b4dd910c5c3d30b527b94c34798dbe8db95ee3d.exeSentry Mba.exeServe.exeSentry.exe

description	pid	process	target process
PID 1280 wrote to memory of 980	1280	3834a5a4cbe48252ed7019596b4dd910c5c3d30b527b94c34798dbe8db95ee3d.exe	Sentry Mba.exe
PID 1280 wrote to memory of 980	1280	3834a5a4cbe48252ed7019596b4dd910c5c3d30b527b94c34798dbe8db95ee3d.exe	Sentry Mba.exe
PID 1280 wrote to memory of 980	1280	3834a5a4cbe48252ed7019596b4dd910c5c3d30b527b94c34798dbe8db95ee3d.exe	Sentry Mba.exe
PID 1280 wrote to memory of 980	1280	3834a5a4cbe48252ed7019596b4dd910c5c3d30b527b94c34798dbe8db95ee3d.exe	Sentry Mba.exe
PID 980 wrote to memory of 1600	980	Sentry Mba.exe	Sentry_MBA.exe
PID 980 wrote to memory of 1600	980	Sentry Mba.exe	Sentry_MBA.exe
PID 980 wrote to memory of 1600	980	Sentry Mba.exe	Sentry_MBA.exe
PID 980 wrote to memory of 1600	980	Sentry Mba.exe	Sentry_MBA.exe
PID 980 wrote to memory of 1684	980	Sentry Mba.exe	Serve.exe
PID 980 wrote to memory of 1684	980	Sentry Mba.exe	Serve.exe
PID 980 wrote to memory of 1684	980	Sentry Mba.exe	Serve.exe
PID 980 wrote to memory of 1684	980	Sentry Mba.exe	Serve.exe
PID 1684 wrote to memory of 1664	1684	Serve.exe	Sentry.exe
PID 1684 wrote to memory of 1664	1684	Serve.exe	Sentry.exe
PID 1684 wrote to memory of 1664	1684	Serve.exe	Sentry.exe
PID 1684 wrote to memory of 1664	1684	Serve.exe	Sentry.exe
PID 1664 wrote to memory of 968	1664	Sentry.exe	netsh.exe
PID 1664 wrote to memory of 968	1664	Sentry.exe	netsh.exe
PID 1664 wrote to memory of 968	1664	Sentry.exe	netsh.exe
PID 1664 wrote to memory of 968	1664	Sentry.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\3834a5a4cbe48252ed7019596b4dd910c5c3d30b527b94c34798dbe8db95ee3d.exe
"C:\Users\Admin\AppData\Local\Temp\3834a5a4cbe48252ed7019596b4dd910c5c3d30b527b94c34798dbe8db95ee3d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1280

C:\Users\Admin\AppData\Local\Temp\Sentry Mba.exe
"C:\Users\Admin\AppData\Local\Temp\Sentry Mba.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:980

C:\Users\Admin\AppData\Local\Temp\Sentry_MBA.exe
C:\Users\Admin\AppData\Local\Temp/Sentry_MBA.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Users\Admin\AppData\Local\Temp\Serve.exe
C:\Users\Admin\AppData\Local\Temp/Serve.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1684

C:\Users\Admin\AppData\Local\Temp\Sentry.exe
"C:\Users\Admin\AppData\Local\Temp\Sentry.exe"
4⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Sentry.exe" "Sentry.exe" ENABLE
5⤵
- Modifies Windows Firewall
PID:968

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Sentry Mba.exe
Filesize
4.0MB

MD5
1f2b981bfc803ac08b55f59528c3ce4e

SHA1
df106e0905f71f801e56947142c52d85e83b06e5

SHA256
208e272faf3bdc617e21ddb65401cdb39b3fbafa20cfe27fd5a76286ab21469a

SHA512
e727df9dcc5cbfb0ceb282d52d0e6f9424d9fba2cfb1f383a86777c0fc3c728a21e0323ee4429da4ee73854f8dfd24d8feab9abb9107ec56a0a4bf8dfd88fc81

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sentry Mba.exe
Filesize
4.0MB

MD5
1f2b981bfc803ac08b55f59528c3ce4e

SHA1
df106e0905f71f801e56947142c52d85e83b06e5

SHA256
208e272faf3bdc617e21ddb65401cdb39b3fbafa20cfe27fd5a76286ab21469a

SHA512
e727df9dcc5cbfb0ceb282d52d0e6f9424d9fba2cfb1f383a86777c0fc3c728a21e0323ee4429da4ee73854f8dfd24d8feab9abb9107ec56a0a4bf8dfd88fc81

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sentry.exe
Filesize
23KB

MD5
1f0e83e8c080cba527f0681efcc85d59

SHA1
250a4f504db39447d76b3e86e8c29fdca51e5aaa

SHA256
12519b4c97068cd26911e4fb4b81f7f1f6693beb6c22e0257d3593c197c4c2c2

SHA512
3fcae50558aefd7064e1ba82442b4d9baeb718827349e9ab3ddf3c2e4e4686152ac957ea1e6c6feb9d699d7ffaeb507f97e95feec9fe2bdf658019d4fa166ea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sentry.exe
Filesize
23KB

MD5
1f0e83e8c080cba527f0681efcc85d59

SHA1
250a4f504db39447d76b3e86e8c29fdca51e5aaa

SHA256
12519b4c97068cd26911e4fb4b81f7f1f6693beb6c22e0257d3593c197c4c2c2

SHA512
3fcae50558aefd7064e1ba82442b4d9baeb718827349e9ab3ddf3c2e4e4686152ac957ea1e6c6feb9d699d7ffaeb507f97e95feec9fe2bdf658019d4fa166ea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sentry_MBA.exe
Filesize
5.3MB

MD5
8c1d28b620a6c5e5a9978a871dcfd04f

SHA1
274f59cf34efda4013a98147f2d3d8bcd198b467

SHA256
9a9a7ceffa44d417947d80b9ac68eb7cdf80d875e400be7ba7b3115714fa37fb

SHA512
4718208002ea1e084da167f123b59ef874355fd07e50f987ca3f547701a839d95d66f9be81f4839bfe7eaf32af87b6cb33d8f98d5151c10c2ef84bd3c5b6e48f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Serve.exe
Filesize
23KB

MD5
1f0e83e8c080cba527f0681efcc85d59

SHA1
250a4f504db39447d76b3e86e8c29fdca51e5aaa

SHA256
12519b4c97068cd26911e4fb4b81f7f1f6693beb6c22e0257d3593c197c4c2c2

SHA512
3fcae50558aefd7064e1ba82442b4d9baeb718827349e9ab3ddf3c2e4e4686152ac957ea1e6c6feb9d699d7ffaeb507f97e95feec9fe2bdf658019d4fa166ea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Serve.exe
Filesize
23KB

MD5
1f0e83e8c080cba527f0681efcc85d59

SHA1
250a4f504db39447d76b3e86e8c29fdca51e5aaa

SHA256
12519b4c97068cd26911e4fb4b81f7f1f6693beb6c22e0257d3593c197c4c2c2

SHA512
3fcae50558aefd7064e1ba82442b4d9baeb718827349e9ab3ddf3c2e4e4686152ac957ea1e6c6feb9d699d7ffaeb507f97e95feec9fe2bdf658019d4fa166ea5

Download Submit
\Users\Admin\AppData\Local\Temp\Sentry Mba.exe
Filesize
4.0MB

MD5
1f2b981bfc803ac08b55f59528c3ce4e

SHA1
df106e0905f71f801e56947142c52d85e83b06e5

SHA256
208e272faf3bdc617e21ddb65401cdb39b3fbafa20cfe27fd5a76286ab21469a

SHA512
e727df9dcc5cbfb0ceb282d52d0e6f9424d9fba2cfb1f383a86777c0fc3c728a21e0323ee4429da4ee73854f8dfd24d8feab9abb9107ec56a0a4bf8dfd88fc81

Download Submit
\Users\Admin\AppData\Local\Temp\Sentry Mba.exe
Filesize
4.0MB

MD5
1f2b981bfc803ac08b55f59528c3ce4e

SHA1
df106e0905f71f801e56947142c52d85e83b06e5

SHA256
208e272faf3bdc617e21ddb65401cdb39b3fbafa20cfe27fd5a76286ab21469a

SHA512
e727df9dcc5cbfb0ceb282d52d0e6f9424d9fba2cfb1f383a86777c0fc3c728a21e0323ee4429da4ee73854f8dfd24d8feab9abb9107ec56a0a4bf8dfd88fc81

Download Submit
\Users\Admin\AppData\Local\Temp\Sentry Mba.exe
Filesize
4.0MB

MD5
1f2b981bfc803ac08b55f59528c3ce4e

SHA1
df106e0905f71f801e56947142c52d85e83b06e5

SHA256
208e272faf3bdc617e21ddb65401cdb39b3fbafa20cfe27fd5a76286ab21469a

SHA512
e727df9dcc5cbfb0ceb282d52d0e6f9424d9fba2cfb1f383a86777c0fc3c728a21e0323ee4429da4ee73854f8dfd24d8feab9abb9107ec56a0a4bf8dfd88fc81

Download Submit
\Users\Admin\AppData\Local\Temp\Sentry Mba.exe
Filesize
4.0MB

MD5
1f2b981bfc803ac08b55f59528c3ce4e

SHA1
df106e0905f71f801e56947142c52d85e83b06e5

SHA256
208e272faf3bdc617e21ddb65401cdb39b3fbafa20cfe27fd5a76286ab21469a

SHA512
e727df9dcc5cbfb0ceb282d52d0e6f9424d9fba2cfb1f383a86777c0fc3c728a21e0323ee4429da4ee73854f8dfd24d8feab9abb9107ec56a0a4bf8dfd88fc81

Download Submit
\Users\Admin\AppData\Local\Temp\Sentry.exe
Filesize
23KB

MD5
1f0e83e8c080cba527f0681efcc85d59

SHA1
250a4f504db39447d76b3e86e8c29fdca51e5aaa

SHA256
12519b4c97068cd26911e4fb4b81f7f1f6693beb6c22e0257d3593c197c4c2c2

SHA512
3fcae50558aefd7064e1ba82442b4d9baeb718827349e9ab3ddf3c2e4e4686152ac957ea1e6c6feb9d699d7ffaeb507f97e95feec9fe2bdf658019d4fa166ea5

Download Submit
\Users\Admin\AppData\Local\Temp\Sentry_MBA.exe
Filesize
5.3MB

MD5
8c1d28b620a6c5e5a9978a871dcfd04f

SHA1
274f59cf34efda4013a98147f2d3d8bcd198b467

SHA256
9a9a7ceffa44d417947d80b9ac68eb7cdf80d875e400be7ba7b3115714fa37fb

SHA512
4718208002ea1e084da167f123b59ef874355fd07e50f987ca3f547701a839d95d66f9be81f4839bfe7eaf32af87b6cb33d8f98d5151c10c2ef84bd3c5b6e48f

Download Submit
\Users\Admin\AppData\Local\Temp\Sentry_MBA.exe
Filesize
5.3MB

MD5
8c1d28b620a6c5e5a9978a871dcfd04f

SHA1
274f59cf34efda4013a98147f2d3d8bcd198b467

SHA256
9a9a7ceffa44d417947d80b9ac68eb7cdf80d875e400be7ba7b3115714fa37fb

SHA512
4718208002ea1e084da167f123b59ef874355fd07e50f987ca3f547701a839d95d66f9be81f4839bfe7eaf32af87b6cb33d8f98d5151c10c2ef84bd3c5b6e48f

Download Submit
\Users\Admin\AppData\Local\Temp\Serve.exe
Filesize
23KB

MD5
1f0e83e8c080cba527f0681efcc85d59

SHA1
250a4f504db39447d76b3e86e8c29fdca51e5aaa

SHA256
12519b4c97068cd26911e4fb4b81f7f1f6693beb6c22e0257d3593c197c4c2c2

SHA512
3fcae50558aefd7064e1ba82442b4d9baeb718827349e9ab3ddf3c2e4e4686152ac957ea1e6c6feb9d699d7ffaeb507f97e95feec9fe2bdf658019d4fa166ea5

Download Submit
memory/968-81-0x0000000000000000-mapping.dmp

Download
memory/980-59-0x0000000000000000-mapping.dmp

Download
memory/1280-54-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download
memory/1600-65-0x0000000000000000-mapping.dmp

Download
memory/1664-75-0x0000000000000000-mapping.dmp

Download
memory/1664-80-0x0000000074810000-0x0000000074DBB000-memory.dmp

Filesize
5.7MB

Download
memory/1664-83-0x0000000074810000-0x0000000074DBB000-memory.dmp

Filesize
5.7MB

Download
memory/1684-69-0x0000000000000000-mapping.dmp

Download
memory/1684-73-0x0000000074810000-0x0000000074DBB000-memory.dmp

Filesize
5.7MB

Download
memory/1684-79-0x0000000074810000-0x0000000074DBB000-memory.dmp

Filesize
5.7MB

Download