njrat | 92ec9a0eaccf10c69c6ecb89398669105ec4fa4c8b7172579381ba586746ec20

General

Target

92ec9a0eaccf10c69c6ecb89398669105ec4fa4c8b7172579381ba586746ec20.exe
Size

2.0MB
MD5

cbd089fed817ad11f6ad3d2f9731e872
SHA1

138eeed3bbce9d86353e125f0022903ea419fe1a
SHA256

92ec9a0eaccf10c69c6ecb89398669105ec4fa4c8b7172579381ba586746ec20
SHA512

c979db0c2332c6c5e9474cc658194fe5a0726a6b310541bb053c72af32882e2acfa44c5609633b5e8008cef51a8a48ea69cf25570e2fb850f6602319dfed5b50

Score

10^/10

njrat evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

92ec9a0eaccf10c69c6ecb89398669105ec4fa4c8b7172579381ba586746ec20.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\92ec9a0eaccf10c69c6ecb89398669105ec4fa4c8b7172579381ba586746ec20.exe\""	92ec9a0eaccf10c69c6ecb89398669105ec4fa4c8b7172579381ba586746ec20.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

92ec9a0eaccf10c69c6ecb89398669105ec4fa4c8b7172579381ba586746ec20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions	92ec9a0eaccf10c69c6ecb89398669105ec4fa4c8b7172579381ba586746ec20.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

92ec9a0eaccf10c69c6ecb89398669105ec4fa4c8b7172579381ba586746ec20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	92ec9a0eaccf10c69c6ecb89398669105ec4fa4c8b7172579381ba586746ec20.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

92ec9a0eaccf10c69c6ecb89398669105ec4fa4c8b7172579381ba586746ec20.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	92ec9a0eaccf10c69c6ecb89398669105ec4fa4c8b7172579381ba586746ec20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	92ec9a0eaccf10c69c6ecb89398669105ec4fa4c8b7172579381ba586746ec20.exe

Drops startup file 2 IoCs

Processes:

92ec9a0eaccf10c69c6ecb89398669105ec4fa4c8b7172579381ba586746ec20.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\92ec9a0eaccf10c69c6ecb89398669105ec4fa4c8b7172579381ba586746ec20.exe	92ec9a0eaccf10c69c6ecb89398669105ec4fa4c8b7172579381ba586746ec20.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\92ec9a0eaccf10c69c6ecb89398669105ec4fa4c8b7172579381ba586746ec20.exe	92ec9a0eaccf10c69c6ecb89398669105ec4fa4c8b7172579381ba586746ec20.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

92ec9a0eaccf10c69c6ecb89398669105ec4fa4c8b7172579381ba586746ec20.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\92ec9a0eaccf10c69c6ecb89398669105ec4fa4c8b7172579381ba586746ec20.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\92ec9a0eaccf10c69c6ecb89398669105ec4fa4c8b7172579381ba586746ec20.exe"	92ec9a0eaccf10c69c6ecb89398669105ec4fa4c8b7172579381ba586746ec20.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\92ec9a0eaccf10c69c6ecb89398669105ec4fa4c8b7172579381ba586746ec20.exe"	92ec9a0eaccf10c69c6ecb89398669105ec4fa4c8b7172579381ba586746ec20.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

92ec9a0eaccf10c69c6ecb89398669105ec4fa4c8b7172579381ba586746ec20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	92ec9a0eaccf10c69c6ecb89398669105ec4fa4c8b7172579381ba586746ec20.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	92ec9a0eaccf10c69c6ecb89398669105ec4fa4c8b7172579381ba586746ec20.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

92ec9a0eaccf10c69c6ecb89398669105ec4fa4c8b7172579381ba586746ec20.exe

description	pid	process	target process
PID 4480 set thread context of 3964	4480	92ec9a0eaccf10c69c6ecb89398669105ec4fa4c8b7172579381ba586746ec20.exe	92ec9a0eaccf10c69c6ecb89398669105ec4fa4c8b7172579381ba586746ec20.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

92ec9a0eaccf10c69c6ecb89398669105ec4fa4c8b7172579381ba586746ec20.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	92ec9a0eaccf10c69c6ecb89398669105ec4fa4c8b7172579381ba586746ec20.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

2576 OpenWith.exe

pid	process
2576	OpenWith.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

92ec9a0eaccf10c69c6ecb89398669105ec4fa4c8b7172579381ba586746ec20.exe

description	pid	process	target process
PID 4480 wrote to memory of 3964	4480	92ec9a0eaccf10c69c6ecb89398669105ec4fa4c8b7172579381ba586746ec20.exe	92ec9a0eaccf10c69c6ecb89398669105ec4fa4c8b7172579381ba586746ec20.exe
PID 4480 wrote to memory of 3964	4480	92ec9a0eaccf10c69c6ecb89398669105ec4fa4c8b7172579381ba586746ec20.exe	92ec9a0eaccf10c69c6ecb89398669105ec4fa4c8b7172579381ba586746ec20.exe
PID 4480 wrote to memory of 3964	4480	92ec9a0eaccf10c69c6ecb89398669105ec4fa4c8b7172579381ba586746ec20.exe	92ec9a0eaccf10c69c6ecb89398669105ec4fa4c8b7172579381ba586746ec20.exe
PID 4480 wrote to memory of 3964	4480	92ec9a0eaccf10c69c6ecb89398669105ec4fa4c8b7172579381ba586746ec20.exe	92ec9a0eaccf10c69c6ecb89398669105ec4fa4c8b7172579381ba586746ec20.exe
PID 4480 wrote to memory of 3964	4480	92ec9a0eaccf10c69c6ecb89398669105ec4fa4c8b7172579381ba586746ec20.exe	92ec9a0eaccf10c69c6ecb89398669105ec4fa4c8b7172579381ba586746ec20.exe
PID 4480 wrote to memory of 3964	4480	92ec9a0eaccf10c69c6ecb89398669105ec4fa4c8b7172579381ba586746ec20.exe	92ec9a0eaccf10c69c6ecb89398669105ec4fa4c8b7172579381ba586746ec20.exe
PID 4480 wrote to memory of 3964	4480	92ec9a0eaccf10c69c6ecb89398669105ec4fa4c8b7172579381ba586746ec20.exe	92ec9a0eaccf10c69c6ecb89398669105ec4fa4c8b7172579381ba586746ec20.exe
PID 4480 wrote to memory of 3964	4480	92ec9a0eaccf10c69c6ecb89398669105ec4fa4c8b7172579381ba586746ec20.exe	92ec9a0eaccf10c69c6ecb89398669105ec4fa4c8b7172579381ba586746ec20.exe
PID 4480 wrote to memory of 3964	4480	92ec9a0eaccf10c69c6ecb89398669105ec4fa4c8b7172579381ba586746ec20.exe	92ec9a0eaccf10c69c6ecb89398669105ec4fa4c8b7172579381ba586746ec20.exe

C:\Users\Admin\AppData\Local\Temp\92ec9a0eaccf10c69c6ecb89398669105ec4fa4c8b7172579381ba586746ec20.exe
"C:\Users\Admin\AppData\Local\Temp\92ec9a0eaccf10c69c6ecb89398669105ec4fa4c8b7172579381ba586746ec20.exe"
1⤵
- Modifies WinLogon for persistence
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Drops startup file
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4480

C:\Users\Admin\AppData\Local\Temp\92ec9a0eaccf10c69c6ecb89398669105ec4fa4c8b7172579381ba586746ec20.exe
"C:\Users\Admin\AppData\Local\Temp\92ec9a0eaccf10c69c6ecb89398669105ec4fa4c8b7172579381ba586746ec20.exe"
2⤵
- Modifies registry class
PID:3964

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2576

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\92ec9a0eaccf10c69c6ecb89398669105ec4fa4c8b7172579381ba586746ec20.exe.log
Filesize
1KB

MD5
78de7805f6690cabfbd1de459db6d114

SHA1
e2065ffecf5377d717440fd592c3d1d8320b1d4d

SHA256
f008a1bbc9a8ab34149baf444cb8bf55875459f51cb7fe48dc525c232ffca22f

SHA512
8e70d184275521518c61e293d1b71ab298c193aad9e4e486846e202b8f0cd54879f3c3252da11119fc60e5b3069906c6f446af662a3918cbd6d602f9aed759a2

Download Submit
memory/3964-161-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3964-414-0x0000000005280000-0x0000000005312000-memory.dmp

Filesize
584KB

Download
memory/3964-165-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3964-134-0x0000000000000000-mapping.dmp

Download
memory/3964-135-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3964-137-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3964-139-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3964-141-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3964-163-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3964-145-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3964-147-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3964-149-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3964-151-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3964-153-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3964-155-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3964-157-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3964-159-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3964-197-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3964-143-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3964-195-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3964-177-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3964-169-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3964-171-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3964-173-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3964-175-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3964-167-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3964-179-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3964-181-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3964-183-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3964-185-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3964-187-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3964-189-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3964-191-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3964-193-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4480-132-0x0000000005E30000-0x00000000063D4000-memory.dmp

Filesize
5.6MB

Download
memory/4480-130-0x0000000000C70000-0x0000000000E70000-memory.dmp

Filesize
2.0MB

Download
memory/4480-133-0x00000000058F0000-0x0000000005956000-memory.dmp

Filesize
408KB

Download
memory/4480-131-0x0000000005680000-0x000000000571C000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads