njrat | 9bb347dce075e62a7df2121b6f413769b564e0b58d4302a2372bedeac6a2880b

Analysis

max time kernel
151s
max time network
153s
platform
windows7_x64
resource
win7-20220414-en
submitted
04-07-2022 12:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9BB347DCE075E62A7DF2121B6F413769B564E0B58D430.exe
Size

13.2MB
MD5

c00c09e7fa52bc19bd425d71e78ff4cb
SHA1

2cd1a7130a03d4056454733b62e4667a08451262
SHA256

9bb347dce075e62a7df2121b6f413769b564e0b58d4302a2372bedeac6a2880b
SHA512

8d18238fe7c906ddd155b8af3a0d32604aeafaf352ab1947a07f273168740c5971083b157c7e21b74125a7e42d8684db5daba2cb3bc4971ca92f20949828a9d5

Score

10^/10

njrat system persistence suricata trojan

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

System

2.tcp.ngrok.io:13817

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
Executes dropped EXE 3 IoCs

Processes:

paylod.exeremcos.exeSystem.exe

pid process

828 paylod.exe
1724 remcos.exe
960 System.exe

pid	process
828	paylod.exe
1724	remcos.exe
960	System.exe

Drops startup file 2 IoCs

Processes:

paylod.exeSystem.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	paylod.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	System.exe

Loads dropped DLL 5 IoCs

Processes:

9BB347DCE075E62A7DF2121B6F413769B564E0B58D430.exepaylod.exe

pid	process
1860	9BB347DCE075E62A7DF2121B6F413769B564E0B58D430.exe
1860	9BB347DCE075E62A7DF2121B6F413769B564E0B58D430.exe
1860	9BB347DCE075E62A7DF2121B6F413769B564E0B58D430.exe
828	paylod.exe
828	paylod.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

System.exepaylod.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	System.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\ProgramData\\System.exe"	paylod.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	System.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	System.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	System.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

remcos.exe

pid process

1724 remcos.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

remcos.exe

pid process

1724 remcos.exe
1724 remcos.exe

pid	process
1724	remcos.exe

pid	process
1724	remcos.exe
1724	remcos.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

System.exe

description	pid	process
Token: SeDebugPrivilege	960	System.exe
Token: 33	960	System.exe
Token: SeIncBasePriorityPrivilege	960	System.exe
Token: 33	960	System.exe
Token: SeIncBasePriorityPrivilege	960	System.exe
Token: 33	960	System.exe
Token: SeIncBasePriorityPrivilege	960	System.exe
Token: 33	960	System.exe
Token: SeIncBasePriorityPrivilege	960	System.exe
Token: 33	960	System.exe
Token: SeIncBasePriorityPrivilege	960	System.exe
Token: 33	960	System.exe
Token: SeIncBasePriorityPrivilege	960	System.exe
Token: 33	960	System.exe
Token: SeIncBasePriorityPrivilege	960	System.exe
Token: 33	960	System.exe
Token: SeIncBasePriorityPrivilege	960	System.exe
Token: 33	960	System.exe
Token: SeIncBasePriorityPrivilege	960	System.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

remcos.exe

pid process

1724 remcos.exe

pid	process
1724	remcos.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

9BB347DCE075E62A7DF2121B6F413769B564E0B58D430.exepaylod.exe

description	pid	process	target process
PID 1860 wrote to memory of 828	1860	9BB347DCE075E62A7DF2121B6F413769B564E0B58D430.exe	paylod.exe
PID 1860 wrote to memory of 828	1860	9BB347DCE075E62A7DF2121B6F413769B564E0B58D430.exe	paylod.exe
PID 1860 wrote to memory of 828	1860	9BB347DCE075E62A7DF2121B6F413769B564E0B58D430.exe	paylod.exe
PID 1860 wrote to memory of 828	1860	9BB347DCE075E62A7DF2121B6F413769B564E0B58D430.exe	paylod.exe
PID 1860 wrote to memory of 1724	1860	9BB347DCE075E62A7DF2121B6F413769B564E0B58D430.exe	remcos.exe
PID 1860 wrote to memory of 1724	1860	9BB347DCE075E62A7DF2121B6F413769B564E0B58D430.exe	remcos.exe
PID 1860 wrote to memory of 1724	1860	9BB347DCE075E62A7DF2121B6F413769B564E0B58D430.exe	remcos.exe
PID 1860 wrote to memory of 1724	1860	9BB347DCE075E62A7DF2121B6F413769B564E0B58D430.exe	remcos.exe
PID 828 wrote to memory of 960	828	paylod.exe	System.exe
PID 828 wrote to memory of 960	828	paylod.exe	System.exe
PID 828 wrote to memory of 960	828	paylod.exe	System.exe
PID 828 wrote to memory of 960	828	paylod.exe	System.exe
PID 828 wrote to memory of 1756	828	paylod.exe	attrib.exe
PID 828 wrote to memory of 1756	828	paylod.exe	attrib.exe
PID 828 wrote to memory of 1756	828	paylod.exe	attrib.exe
PID 828 wrote to memory of 1756	828	paylod.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1756 attrib.exe

pid	process
1756	attrib.exe

C:\Users\Admin\AppData\Local\Temp\9BB347DCE075E62A7DF2121B6F413769B564E0B58D430.exe
"C:\Users\Admin\AppData\Local\Temp\9BB347DCE075E62A7DF2121B6F413769B564E0B58D430.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1860

C:\Users\Admin\AppData\Local\Temp\paylod.exe
"C:\Users\Admin\AppData\Local\Temp\paylod.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:828

C:\ProgramData\System.exe
"C:\ProgramData\System.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:960

C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\ProgramData\System.exe"
3⤵
- Views/modifies file attributes
PID:1756

C:\Users\Admin\AppData\Local\Temp\remcos.exe
"C:\Users\Admin\AppData\Local\Temp\remcos.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1724

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\System.exe
Filesize
26KB

MD5
24bf1ae1d62be5e1283fc4ddc9110dd9

SHA1
7b60b080982e77eb4565dce877236297280fcf36

SHA256
55cc06f563e305e118f8d9d6307e88de5f802cd36f6bdf394e17b95bf852bd69

SHA512
b0b1228c90ac6f795c3ee641c94045023cfc8fea0dba82c37c382cc91376c3b03ca0900c82881d9c8d99363a4fdeca4e8bc758c47730444195d0c52703bef391

Download Submit
C:\ProgramData\System.exe
Filesize
26KB

MD5
24bf1ae1d62be5e1283fc4ddc9110dd9

SHA1
7b60b080982e77eb4565dce877236297280fcf36

SHA256
55cc06f563e305e118f8d9d6307e88de5f802cd36f6bdf394e17b95bf852bd69

SHA512
b0b1228c90ac6f795c3ee641c94045023cfc8fea0dba82c37c382cc91376c3b03ca0900c82881d9c8d99363a4fdeca4e8bc758c47730444195d0c52703bef391

Download Submit
C:\Users\Admin\AppData\Local\Temp\paylod.exe
Filesize
26KB

MD5
24bf1ae1d62be5e1283fc4ddc9110dd9

SHA1
7b60b080982e77eb4565dce877236297280fcf36

SHA256
55cc06f563e305e118f8d9d6307e88de5f802cd36f6bdf394e17b95bf852bd69

SHA512
b0b1228c90ac6f795c3ee641c94045023cfc8fea0dba82c37c382cc91376c3b03ca0900c82881d9c8d99363a4fdeca4e8bc758c47730444195d0c52703bef391

Download Submit
C:\Users\Admin\AppData\Local\Temp\paylod.exe
Filesize
26KB

MD5
24bf1ae1d62be5e1283fc4ddc9110dd9

SHA1
7b60b080982e77eb4565dce877236297280fcf36

SHA256
55cc06f563e305e118f8d9d6307e88de5f802cd36f6bdf394e17b95bf852bd69

SHA512
b0b1228c90ac6f795c3ee641c94045023cfc8fea0dba82c37c382cc91376c3b03ca0900c82881d9c8d99363a4fdeca4e8bc758c47730444195d0c52703bef391

Download Submit
C:\Users\Admin\AppData\Local\Temp\remcos.exe
Filesize
9.9MB

MD5
ed1e424ea6f625968a334377e8ac629f

SHA1
ad00cc58a59a3d5b78d6603a1d09378e5dbd1647

SHA256
1e5375b400f68c422804703390489b2cf3968c2a8bccb0b5b3c55fe1d2e3c991

SHA512
5119b6ac8c1becda5b59a4802fc96828d338ba2d2767e5521bc226bf04b6637c1925b0cc1b0cf560540b1399730f695c55de23665e59d0683eb07d32939b8094

Download Submit
C:\Users\Admin\AppData\Local\Temp\remcos.exe
Filesize
9.9MB

MD5
ed1e424ea6f625968a334377e8ac629f

SHA1
ad00cc58a59a3d5b78d6603a1d09378e5dbd1647

SHA256
1e5375b400f68c422804703390489b2cf3968c2a8bccb0b5b3c55fe1d2e3c991

SHA512
5119b6ac8c1becda5b59a4802fc96828d338ba2d2767e5521bc226bf04b6637c1925b0cc1b0cf560540b1399730f695c55de23665e59d0683eb07d32939b8094

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
Filesize
1KB

MD5
55d448ccd249a3192ba1c5b8639a60d4

SHA1
7161b3bf3e8dd3fa8eee9d20ecaef52765527574

SHA256
21a49777f17cb7ccc9b66dee08de46822d122f5b6e9fe1c37484b3b0b2959357

SHA512
712d0cc57bb5ae3af3b7b85a94beb6c5e89c39df293b9b7a6c5b3123f834724806a31b5c4ab3c70ad0bb276247aaead491af3fcf5b51fa6e795fa3587ea57b33

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
Filesize
1018B

MD5
398c1a0398faf422bcb039f638ab4758

SHA1
18e57f6c4644b8089cdac84cae7d88c18c572a11

SHA256
c9979bf6a52fdd7bb18c680f730037bdbe59ab2db0a9d2f588e2aecf748854f4

SHA512
98c9438c75f6e48a22beafb595241e65930a9555cebf50be79389a77c197e303e9a6c1ed6b48b579555fc9826c6b689a0b340bf967e333af7976650e9ff5e4af

Download Submit
\ProgramData\System.exe
Filesize
26KB

MD5
24bf1ae1d62be5e1283fc4ddc9110dd9

SHA1
7b60b080982e77eb4565dce877236297280fcf36

SHA256
55cc06f563e305e118f8d9d6307e88de5f802cd36f6bdf394e17b95bf852bd69

SHA512
b0b1228c90ac6f795c3ee641c94045023cfc8fea0dba82c37c382cc91376c3b03ca0900c82881d9c8d99363a4fdeca4e8bc758c47730444195d0c52703bef391

Download Submit
\ProgramData\System.exe
Filesize
26KB

MD5
24bf1ae1d62be5e1283fc4ddc9110dd9

SHA1
7b60b080982e77eb4565dce877236297280fcf36

SHA256
55cc06f563e305e118f8d9d6307e88de5f802cd36f6bdf394e17b95bf852bd69

SHA512
b0b1228c90ac6f795c3ee641c94045023cfc8fea0dba82c37c382cc91376c3b03ca0900c82881d9c8d99363a4fdeca4e8bc758c47730444195d0c52703bef391

Download Submit
\Users\Admin\AppData\Local\Temp\paylod.exe
Filesize
26KB

MD5
24bf1ae1d62be5e1283fc4ddc9110dd9

SHA1
7b60b080982e77eb4565dce877236297280fcf36

SHA256
55cc06f563e305e118f8d9d6307e88de5f802cd36f6bdf394e17b95bf852bd69

SHA512
b0b1228c90ac6f795c3ee641c94045023cfc8fea0dba82c37c382cc91376c3b03ca0900c82881d9c8d99363a4fdeca4e8bc758c47730444195d0c52703bef391

Download Submit
\Users\Admin\AppData\Local\Temp\paylod.exe
Filesize
26KB

MD5
24bf1ae1d62be5e1283fc4ddc9110dd9

SHA1
7b60b080982e77eb4565dce877236297280fcf36

SHA256
55cc06f563e305e118f8d9d6307e88de5f802cd36f6bdf394e17b95bf852bd69

SHA512
b0b1228c90ac6f795c3ee641c94045023cfc8fea0dba82c37c382cc91376c3b03ca0900c82881d9c8d99363a4fdeca4e8bc758c47730444195d0c52703bef391

Download Submit
\Users\Admin\AppData\Local\Temp\remcos.exe
Filesize
9.9MB

MD5
ed1e424ea6f625968a334377e8ac629f

SHA1
ad00cc58a59a3d5b78d6603a1d09378e5dbd1647

SHA256
1e5375b400f68c422804703390489b2cf3968c2a8bccb0b5b3c55fe1d2e3c991

SHA512
5119b6ac8c1becda5b59a4802fc96828d338ba2d2767e5521bc226bf04b6637c1925b0cc1b0cf560540b1399730f695c55de23665e59d0683eb07d32939b8094

Download Submit
memory/828-58-0x0000000000000000-mapping.dmp

Download
memory/828-80-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/828-65-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/960-83-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/960-75-0x0000000000000000-mapping.dmp

Download
memory/960-85-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/1724-71-0x0000000000400000-0x0000000001ABE000-memory.dmp

Filesize
22.7MB

Download
memory/1724-72-0x0000000000400000-0x0000000001ABE000-memory.dmp

Filesize
22.7MB

Download
memory/1724-69-0x0000000000400000-0x0000000001ABE000-memory.dmp

Filesize
22.7MB

Download
memory/1724-63-0x0000000000000000-mapping.dmp

Download
memory/1724-84-0x0000000000400000-0x0000000001ABE000-memory.dmp

Filesize
22.7MB

Download
memory/1756-79-0x0000000000000000-mapping.dmp

Download
memory/1860-54-0x0000000075E41000-0x0000000075E43000-memory.dmp

Filesize
8KB

Download
memory/1860-67-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/1860-55-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download