njrat | 61d73267fc1c8be1fca9846fcff4ed7ffa4cb6271fa6a1060265f37eeeda188d

General

Target

61d73267fc1c8be1fca9846fcff4ed7ffa4cb6271fa6a1060265f37eeeda188d.exe
Size

23KB
MD5

20790f1a5c5557ef801926d7ce1e4498
SHA1

936eae636323d512932d84a45a930626a684b2a9
SHA256

61d73267fc1c8be1fca9846fcff4ed7ffa4cb6271fa6a1060265f37eeeda188d
SHA512

9d97b1a246aa6bfd0d86185c88d0095391361e902b9a18a5b63045832597283ca865a86dc70f841bb6e608aed6c29f845f594926005f297cb3d36863c027338b

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

na33waaf.no-ip.biz:2485

Mutex

efb8374654449498f987b4a0e64f2f90

Attributes

reg_key
efb8374654449498f987b4a0e64f2f90
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

updaate.exe

pid process

1916 updaate.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

900 netsh.exe

pid	process
1916	updaate.exe

pid	process
900	netsh.exe

Drops startup file 2 IoCs

Processes:

updaate.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\efb8374654449498f987b4a0e64f2f90.exe	updaate.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\efb8374654449498f987b4a0e64f2f90.exe	updaate.exe

Loads dropped DLL 1 IoCs

Processes:

61d73267fc1c8be1fca9846fcff4ed7ffa4cb6271fa6a1060265f37eeeda188d.exe

pid process

1732 61d73267fc1c8be1fca9846fcff4ed7ffa4cb6271fa6a1060265f37eeeda188d.exe

pid	process
1732	61d73267fc1c8be1fca9846fcff4ed7ffa4cb6271fa6a1060265f37eeeda188d.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

updaate.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run\efb8374654449498f987b4a0e64f2f90 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\updaate.exe\" .."	updaate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\efb8374654449498f987b4a0e64f2f90 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\updaate.exe\" .."	updaate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

updaate.exe

description	pid	process
Token: SeDebugPrivilege	1916	updaate.exe
Token: 33	1916	updaate.exe
Token: SeIncBasePriorityPrivilege	1916	updaate.exe
Token: 33	1916	updaate.exe
Token: SeIncBasePriorityPrivilege	1916	updaate.exe
Token: 33	1916	updaate.exe
Token: SeIncBasePriorityPrivilege	1916	updaate.exe
Token: 33	1916	updaate.exe
Token: SeIncBasePriorityPrivilege	1916	updaate.exe
Token: 33	1916	updaate.exe
Token: SeIncBasePriorityPrivilege	1916	updaate.exe
Token: 33	1916	updaate.exe
Token: SeIncBasePriorityPrivilege	1916	updaate.exe
Token: 33	1916	updaate.exe
Token: SeIncBasePriorityPrivilege	1916	updaate.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

61d73267fc1c8be1fca9846fcff4ed7ffa4cb6271fa6a1060265f37eeeda188d.exeupdaate.exe

description	pid	process	target process
PID 1732 wrote to memory of 1916	1732	61d73267fc1c8be1fca9846fcff4ed7ffa4cb6271fa6a1060265f37eeeda188d.exe	updaate.exe
PID 1732 wrote to memory of 1916	1732	61d73267fc1c8be1fca9846fcff4ed7ffa4cb6271fa6a1060265f37eeeda188d.exe	updaate.exe
PID 1732 wrote to memory of 1916	1732	61d73267fc1c8be1fca9846fcff4ed7ffa4cb6271fa6a1060265f37eeeda188d.exe	updaate.exe
PID 1732 wrote to memory of 1916	1732	61d73267fc1c8be1fca9846fcff4ed7ffa4cb6271fa6a1060265f37eeeda188d.exe	updaate.exe
PID 1916 wrote to memory of 900	1916	updaate.exe	netsh.exe
PID 1916 wrote to memory of 900	1916	updaate.exe	netsh.exe
PID 1916 wrote to memory of 900	1916	updaate.exe	netsh.exe
PID 1916 wrote to memory of 900	1916	updaate.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\61d73267fc1c8be1fca9846fcff4ed7ffa4cb6271fa6a1060265f37eeeda188d.exe
"C:\Users\Admin\AppData\Local\Temp\61d73267fc1c8be1fca9846fcff4ed7ffa4cb6271fa6a1060265f37eeeda188d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1732

C:\Users\Admin\AppData\Local\Temp\updaate.exe
"C:\Users\Admin\AppData\Local\Temp\updaate.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\updaate.exe" "updaate.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:900

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\updaate.exe
Filesize
23KB

MD5
20790f1a5c5557ef801926d7ce1e4498

SHA1
936eae636323d512932d84a45a930626a684b2a9

SHA256
61d73267fc1c8be1fca9846fcff4ed7ffa4cb6271fa6a1060265f37eeeda188d

SHA512
9d97b1a246aa6bfd0d86185c88d0095391361e902b9a18a5b63045832597283ca865a86dc70f841bb6e608aed6c29f845f594926005f297cb3d36863c027338b

Download Submit
C:\Users\Admin\AppData\Local\Temp\updaate.exe
Filesize
23KB

MD5
20790f1a5c5557ef801926d7ce1e4498

SHA1
936eae636323d512932d84a45a930626a684b2a9

SHA256
61d73267fc1c8be1fca9846fcff4ed7ffa4cb6271fa6a1060265f37eeeda188d

SHA512
9d97b1a246aa6bfd0d86185c88d0095391361e902b9a18a5b63045832597283ca865a86dc70f841bb6e608aed6c29f845f594926005f297cb3d36863c027338b

Download Submit
\Users\Admin\AppData\Local\Temp\updaate.exe
Filesize
23KB

MD5
20790f1a5c5557ef801926d7ce1e4498

SHA1
936eae636323d512932d84a45a930626a684b2a9

SHA256
61d73267fc1c8be1fca9846fcff4ed7ffa4cb6271fa6a1060265f37eeeda188d

SHA512
9d97b1a246aa6bfd0d86185c88d0095391361e902b9a18a5b63045832597283ca865a86dc70f841bb6e608aed6c29f845f594926005f297cb3d36863c027338b

Download Submit
memory/900-64-0x0000000000000000-mapping.dmp

Download
memory/1732-54-0x0000000075271000-0x0000000075273000-memory.dmp

Filesize
8KB

Download
memory/1732-55-0x0000000074460000-0x0000000074A0B000-memory.dmp

Filesize
5.7MB

Download
memory/1732-56-0x0000000074460000-0x0000000074A0B000-memory.dmp

Filesize
5.7MB

Download
memory/1732-62-0x0000000074460000-0x0000000074A0B000-memory.dmp

Filesize
5.7MB

Download
memory/1916-58-0x0000000000000000-mapping.dmp

Download
memory/1916-63-0x0000000074460000-0x0000000074A0B000-memory.dmp

Filesize
5.7MB

Download
memory/1916-66-0x0000000074460000-0x0000000074A0B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads