njrat | 5207c90533759690decf146053496e4a652cac1e232e777d20988c9b378bb692

General

Target

5207c90533759690decf146053496e4a652cac1e232e777d20988c9b378bb692.exe
Size

23KB
MD5

0e634348ed64f9f053d9271926975f99
SHA1

162c7587da2f4f04ec68dfada490c23df9efff64
SHA256

5207c90533759690decf146053496e4a652cac1e232e777d20988c9b378bb692
SHA512

50ab9bd7e16f5997dca00210bc4043a6587c34d73539a8ccb7d5ad9eb06f727557e32190904c7be16c4cb1a34feff176a169ea549895dd9da8e8c50c03e03a7e

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

ttufuck.ddns.net:5552

Mutex

4a026f3b3fefea60c2d615d18f3e8f79

Attributes

reg_key
4a026f3b3fefea60c2d615d18f3e8f79
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

microsoft center.exe

pid process

1404 microsoft center.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

812 netsh.exe

pid	process
1404	microsoft center.exe

pid	process
812	netsh.exe

Drops startup file 2 IoCs

Processes:

microsoft center.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4a026f3b3fefea60c2d615d18f3e8f79.exe	microsoft center.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4a026f3b3fefea60c2d615d18f3e8f79.exe	microsoft center.exe

Loads dropped DLL 1 IoCs

Processes:

5207c90533759690decf146053496e4a652cac1e232e777d20988c9b378bb692.exe

pid process

888 5207c90533759690decf146053496e4a652cac1e232e777d20988c9b378bb692.exe

pid	process
888	5207c90533759690decf146053496e4a652cac1e232e777d20988c9b378bb692.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

microsoft center.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\4a026f3b3fefea60c2d615d18f3e8f79 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\microsoft center.exe\" .."	microsoft center.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\4a026f3b3fefea60c2d615d18f3e8f79 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\microsoft center.exe\" .."	microsoft center.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

microsoft center.exe

description	pid	process
Token: SeDebugPrivilege	1404	microsoft center.exe
Token: 33	1404	microsoft center.exe
Token: SeIncBasePriorityPrivilege	1404	microsoft center.exe
Token: 33	1404	microsoft center.exe
Token: SeIncBasePriorityPrivilege	1404	microsoft center.exe
Token: 33	1404	microsoft center.exe
Token: SeIncBasePriorityPrivilege	1404	microsoft center.exe
Token: 33	1404	microsoft center.exe
Token: SeIncBasePriorityPrivilege	1404	microsoft center.exe
Token: 33	1404	microsoft center.exe
Token: SeIncBasePriorityPrivilege	1404	microsoft center.exe
Token: 33	1404	microsoft center.exe
Token: SeIncBasePriorityPrivilege	1404	microsoft center.exe
Token: 33	1404	microsoft center.exe
Token: SeIncBasePriorityPrivilege	1404	microsoft center.exe
Token: 33	1404	microsoft center.exe
Token: SeIncBasePriorityPrivilege	1404	microsoft center.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

5207c90533759690decf146053496e4a652cac1e232e777d20988c9b378bb692.exemicrosoft center.exe

description	pid	process	target process
PID 888 wrote to memory of 1404	888	5207c90533759690decf146053496e4a652cac1e232e777d20988c9b378bb692.exe	microsoft center.exe
PID 888 wrote to memory of 1404	888	5207c90533759690decf146053496e4a652cac1e232e777d20988c9b378bb692.exe	microsoft center.exe
PID 888 wrote to memory of 1404	888	5207c90533759690decf146053496e4a652cac1e232e777d20988c9b378bb692.exe	microsoft center.exe
PID 888 wrote to memory of 1404	888	5207c90533759690decf146053496e4a652cac1e232e777d20988c9b378bb692.exe	microsoft center.exe
PID 1404 wrote to memory of 812	1404	microsoft center.exe	netsh.exe
PID 1404 wrote to memory of 812	1404	microsoft center.exe	netsh.exe
PID 1404 wrote to memory of 812	1404	microsoft center.exe	netsh.exe
PID 1404 wrote to memory of 812	1404	microsoft center.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\5207c90533759690decf146053496e4a652cac1e232e777d20988c9b378bb692.exe
"C:\Users\Admin\AppData\Local\Temp\5207c90533759690decf146053496e4a652cac1e232e777d20988c9b378bb692.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:888
- C:\Users\Admin\AppData\Local\Temp\microsoft center.exe
  "C:\Users\Admin\AppData\Local\Temp\microsoft center.exe"
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\microsoft center.exe" "microsoft center.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\microsoft center.exe

Filesize
23KB

MD5
0e634348ed64f9f053d9271926975f99

SHA1
162c7587da2f4f04ec68dfada490c23df9efff64

SHA256
5207c90533759690decf146053496e4a652cac1e232e777d20988c9b378bb692

SHA512
50ab9bd7e16f5997dca00210bc4043a6587c34d73539a8ccb7d5ad9eb06f727557e32190904c7be16c4cb1a34feff176a169ea549895dd9da8e8c50c03e03a7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\microsoft center.exe

Filesize
23KB

MD5
0e634348ed64f9f053d9271926975f99

SHA1
162c7587da2f4f04ec68dfada490c23df9efff64

SHA256
5207c90533759690decf146053496e4a652cac1e232e777d20988c9b378bb692

SHA512
50ab9bd7e16f5997dca00210bc4043a6587c34d73539a8ccb7d5ad9eb06f727557e32190904c7be16c4cb1a34feff176a169ea549895dd9da8e8c50c03e03a7e

Download Submit
\Users\Admin\AppData\Local\Temp\microsoft center.exe

Filesize
23KB

MD5
0e634348ed64f9f053d9271926975f99

SHA1
162c7587da2f4f04ec68dfada490c23df9efff64

SHA256
5207c90533759690decf146053496e4a652cac1e232e777d20988c9b378bb692

SHA512
50ab9bd7e16f5997dca00210bc4043a6587c34d73539a8ccb7d5ad9eb06f727557e32190904c7be16c4cb1a34feff176a169ea549895dd9da8e8c50c03e03a7e

Download Submit
memory/812-64-0x0000000000000000-mapping.dmp

Download
memory/888-54-0x0000000075D21000-0x0000000075D23000-memory.dmp

Filesize
8KB

Download
memory/888-55-0x00000000742D0000-0x000000007487B000-memory.dmp

Filesize
5.7MB

Download
memory/888-56-0x00000000742D0000-0x000000007487B000-memory.dmp

Filesize
5.7MB

Download
memory/888-62-0x00000000742D0000-0x000000007487B000-memory.dmp

Filesize
5.7MB

Download
memory/1404-58-0x0000000000000000-mapping.dmp

Download
memory/1404-63-0x00000000742D0000-0x000000007487B000-memory.dmp

Filesize
5.7MB

Download
memory/1404-66-0x00000000742D0000-0x000000007487B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads