njrat | 82e3a01167feaeda8f7257e9bf875ab05a5bf4a26c31fcb2bb34e204ac6734df

General

Target

Server.ps1
Size

612KB
MD5

97c12ecc7e95b2e262e91bf5aa591887
SHA1

007fcf42f768b48d568716f8fd816ed632fda354
SHA256

a4431f4c7fdfe445129cce301c59e05d5cc4b1b33aad3341d18308c46efb1024
SHA512

8329cb6798514fb010bcb20934b87fc7cda9b5342749a1de7b9be4d894db4ecba46e600847e7c4dadb9d1a61a1ee501da177b06b39533dbfe7d6671181bae5b0

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

1.9

Botnet

HacKed

Mutex

Microsoft.Exe

Attributes

reg_key
Microsoft.Exe

Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

POWERSHELL.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 972 1496 POWERSHELL.exe
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

4548 netsh.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	1496	POWERSHELL.exe

pid	process
4548	netsh.exe

Registers COM server for autorun 1 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\IDontExist.dll"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32	reg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1576 set thread context of 4408 1576 powershell.exe aspnet_compiler.exe

description	pid	process	target process
PID 1576 set thread context of 4408	1576	powershell.exe	aspnet_compiler.exe

Modifies registry class 4 IoCs

Processes:

reg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\IDontExist.dll"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}	reg.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

1908 reg.exe
2056 reg.exe

pid	process
1908	reg.exe
2056	reg.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

powershell.exepowershell.exePOWERSHELL.exepowershell.exe

pid	process
1532	powershell.exe
1532	powershell.exe
2836	powershell.exe
2836	powershell.exe
972	POWERSHELL.exe
972	POWERSHELL.exe
1576	powershell.exe
1576	powershell.exe
1576	powershell.exe
1576	powershell.exe
1576	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exePOWERSHELL.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	972	POWERSHELL.exe
Token: SeIncreaseQuotaPrivilege	2836	powershell.exe
Token: SeSecurityPrivilege	2836	powershell.exe
Token: SeTakeOwnershipPrivilege	2836	powershell.exe
Token: SeLoadDriverPrivilege	2836	powershell.exe
Token: SeSystemProfilePrivilege	2836	powershell.exe
Token: SeSystemtimePrivilege	2836	powershell.exe
Token: SeProfSingleProcessPrivilege	2836	powershell.exe
Token: SeIncBasePriorityPrivilege	2836	powershell.exe
Token: SeCreatePagefilePrivilege	2836	powershell.exe
Token: SeBackupPrivilege	2836	powershell.exe
Token: SeRestorePrivilege	2836	powershell.exe
Token: SeShutdownPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeSystemEnvironmentPrivilege	2836	powershell.exe
Token: SeRemoteShutdownPrivilege	2836	powershell.exe
Token: SeUndockPrivilege	2836	powershell.exe
Token: SeManageVolumePrivilege	2836	powershell.exe
Token: 33	2836	powershell.exe
Token: 34	2836	powershell.exe
Token: 35	2836	powershell.exe
Token: 36	2836	powershell.exe
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeIncreaseQuotaPrivilege	2836	powershell.exe
Token: SeSecurityPrivilege	2836	powershell.exe
Token: SeTakeOwnershipPrivilege	2836	powershell.exe
Token: SeLoadDriverPrivilege	2836	powershell.exe
Token: SeSystemProfilePrivilege	2836	powershell.exe
Token: SeSystemtimePrivilege	2836	powershell.exe
Token: SeProfSingleProcessPrivilege	2836	powershell.exe
Token: SeIncBasePriorityPrivilege	2836	powershell.exe
Token: SeCreatePagefilePrivilege	2836	powershell.exe
Token: SeBackupPrivilege	2836	powershell.exe
Token: SeRestorePrivilege	2836	powershell.exe
Token: SeShutdownPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeSystemEnvironmentPrivilege	2836	powershell.exe
Token: SeRemoteShutdownPrivilege	2836	powershell.exe
Token: SeUndockPrivilege	2836	powershell.exe
Token: SeManageVolumePrivilege	2836	powershell.exe
Token: 33	2836	powershell.exe
Token: 34	2836	powershell.exe
Token: 35	2836	powershell.exe
Token: 36	2836	powershell.exe
Token: SeIncreaseQuotaPrivilege	2836	powershell.exe
Token: SeSecurityPrivilege	2836	powershell.exe
Token: SeTakeOwnershipPrivilege	2836	powershell.exe
Token: SeLoadDriverPrivilege	2836	powershell.exe
Token: SeSystemProfilePrivilege	2836	powershell.exe
Token: SeSystemtimePrivilege	2836	powershell.exe
Token: SeProfSingleProcessPrivilege	2836	powershell.exe
Token: SeIncBasePriorityPrivilege	2836	powershell.exe
Token: SeCreatePagefilePrivilege	2836	powershell.exe
Token: SeBackupPrivilege	2836	powershell.exe
Token: SeRestorePrivilege	2836	powershell.exe
Token: SeShutdownPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeSystemEnvironmentPrivilege	2836	powershell.exe
Token: SeRemoteShutdownPrivilege	2836	powershell.exe
Token: SeUndockPrivilege	2836	powershell.exe
Token: SeManageVolumePrivilege	2836	powershell.exe
Token: 33	2836	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

powershell.exepowershell.exePOWERSHELL.execmd.execmd.exepowershell.exeaspnet_compiler.exe

description	pid	process	target process
PID 1532 wrote to memory of 2836	1532	powershell.exe	powershell.exe
PID 1532 wrote to memory of 2836	1532	powershell.exe	powershell.exe
PID 2836 wrote to memory of 3840	2836	powershell.exe	WScript.exe
PID 2836 wrote to memory of 3840	2836	powershell.exe	WScript.exe
PID 972 wrote to memory of 2980	972	POWERSHELL.exe	cmd.exe
PID 972 wrote to memory of 2980	972	POWERSHELL.exe	cmd.exe
PID 2980 wrote to memory of 1908	2980	cmd.exe	reg.exe
PID 2980 wrote to memory of 1908	2980	cmd.exe	reg.exe
PID 2980 wrote to memory of 2056	2980	cmd.exe	reg.exe
PID 2980 wrote to memory of 2056	2980	cmd.exe	reg.exe
PID 2980 wrote to memory of 1796	2980	cmd.exe	cmd.exe
PID 2980 wrote to memory of 1796	2980	cmd.exe	cmd.exe
PID 1796 wrote to memory of 1576	1796	cmd.exe	powershell.exe
PID 1796 wrote to memory of 1576	1796	cmd.exe	powershell.exe
PID 1576 wrote to memory of 4400	1576	powershell.exe	aspnet_compiler.exe
PID 1576 wrote to memory of 4400	1576	powershell.exe	aspnet_compiler.exe
PID 1576 wrote to memory of 4400	1576	powershell.exe	aspnet_compiler.exe
PID 1576 wrote to memory of 4408	1576	powershell.exe	aspnet_compiler.exe
PID 1576 wrote to memory of 4408	1576	powershell.exe	aspnet_compiler.exe
PID 1576 wrote to memory of 4408	1576	powershell.exe	aspnet_compiler.exe
PID 1576 wrote to memory of 4408	1576	powershell.exe	aspnet_compiler.exe
PID 1576 wrote to memory of 4408	1576	powershell.exe	aspnet_compiler.exe
PID 1576 wrote to memory of 4408	1576	powershell.exe	aspnet_compiler.exe
PID 1576 wrote to memory of 4408	1576	powershell.exe	aspnet_compiler.exe
PID 1576 wrote to memory of 4408	1576	powershell.exe	aspnet_compiler.exe
PID 4408 wrote to memory of 4548	4408	aspnet_compiler.exe	netsh.exe
PID 4408 wrote to memory of 4548	4408	aspnet_compiler.exe	netsh.exe
PID 4408 wrote to memory of 4548	4408	aspnet_compiler.exe	netsh.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Server.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\QKACGFYHYHFGPQVDAPBHQB.ps1'"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2836

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\QKACGFYHYHFGPQVDAPBHQB.vbs"
3⤵
PID:3840

C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exe
POWERSHELL -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\QKACGFYHYHFGPQVDAPBHQB.bat
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\QKACGFYHYHFGPQVDAPBHQB.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:2980

C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f
3⤵
- Modifies registry class
- Modifies registry key
PID:1908

C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f
3⤵
- Registers COM server for autorun
- Modifies registry class
- Modifies registry key
PID:2056

C:\Windows\system32\cmd.exe
cMd.E"x"e /c =PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\EKJFLROHTOEAZBDFUOCZXX.ps1'"
3⤵
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\EKJFLROHTOEAZBDFUOCZXX.ps1'"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
5⤵
PID:4400

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:4408

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" "aspnet_compiler.exe" ENABLE
6⤵
- Modifies Windows Firewall
PID:4548

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\EKJFLROHTOEAZBDFUOCZXX.ps1
Filesize
604KB

MD5
ab1fce3ab2f6f211da8f8dc30c2b3060

SHA1
ae0dff660b20f9209a66029d44b048a63cc80336

SHA256
7cb280def1092d641ad3449dd05713c155788034c6e1649d423039c867b562ca

SHA512
ed741014733c2bf70bb82e539324a3a8ebca5b56a427675c9ce7ffdbb28d4f113c2d20e6a083ba8580d891e2586190842d6cea1b7cfb5450af02a694b14b5b85

Download Submit
C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\QKACGFYHYHFGPQVDAPBHQB.bat
Filesize
706B

MD5
1a7a326391b638c03d76369946fc0052

SHA1
7ae0ffd77ec76b94d735265efad35ddd072cdf36

SHA256
0223739ebea16b1f70bf88f3eb43afd01c315c1e7142a72bf8931bb6be9ea09f

SHA512
449ce3c15d2d36e42c00c9f9b1df759aa830de931532ee17d16ff6b50a8fe3d180ae474e2e8aca66e9af47df434293f3d96367dedaa91ad1ce60383fe23f9495

Download Submit
C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\QKACGFYHYHFGPQVDAPBHQB.ps1
Filesize
3KB

MD5
89879c7e1b80b9171b57ec7290c50cf8

SHA1
4d2761deb7c46b99f5c8ebc4329f0ccd5b3aace3

SHA256
dc8f58abd89fed28b00f23da6657188e40dde2da65c254c12a38c4ed1984c6b2

SHA512
d8f579f01ddba32beb1cc578fd798b6e8790073261fdd71c4b5b0a277766a68833ca5834b006e9e9c3582f2476fa77b8019e98f744dafdf56f9e0239afe1dd3b

Download Submit
C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\QKACGFYHYHFGPQVDAPBHQB.vbs
Filesize
1KB

MD5
77d9ab54d90a588d38b4a402d7cf25bb

SHA1
f72cf4ad3106815b8f3dc9ab804ae285b6bad1e6

SHA256
25f09c56e34e4a61e8e57e453c2a3ed05ff33b6e10f1d78af94301ddf312a9f4

SHA512
c2054a0e6df593a318fd310b82ed43cb8cf8f89b58bd784acd3ec5ca2a7b039f7fc2848a7641cc43215c0656ea71d3a09ed800d0164c293e5b54bbd27ffe21e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
00e7da020005370a518c26d5deb40691

SHA1
389b34fdb01997f1de74a5a2be0ff656280c0432

SHA256
a529468d442b807290b41565130e4c52760af9abec37613114db3857f11ad4fe

SHA512
9a02bacc6fb922d6202548e80e345c6cdec346b79ef7ac7a56f89fd342ff128de004065b9d010d015b54d4ca72f665ca658c7ffcd8eb906e14bfa5b48b43f2cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
d4ff23c124ae23955d34ae2a7306099a

SHA1
b814e3331a09a27acfcd114d0c8fcb07957940a3

SHA256
1de6cfd5e02c052e3475d33793b6a150b2dd6eebbf0aa3e4c8e4e2394a240a87

SHA512
f447a6042714ae99571014af14bca9d87ede59af68a0fa1d880019e9f1aa41af8cbf9c08b0fea2ccb7caa48165a75825187996ea6939ee8370afa33c9f809e79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
f87b0558f50792e4684d92fb3d271c24

SHA1
e745842dfeec7403c04a660ad6a2f2231ba605bb

SHA256
61d84320415c97ff5d41de5030ba8b8b77c04295d2137f95de9e947a954a8192

SHA512
56275978bc50ff36bd9ace519adc25d204955983ba0394ced54f9a70d063c4445e591df6e697b536a1abce8cd4795b80e572f17ae31063c97926cff4553d51a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
memory/972-156-0x00007FF842D30000-0x00007FF8437F1000-memory.dmp

Filesize
10.8MB

Download
memory/972-145-0x00007FF842D30000-0x00007FF8437F1000-memory.dmp

Filesize
10.8MB

Download
memory/1532-132-0x00007FF842D30000-0x00007FF8437F1000-memory.dmp

Filesize
10.8MB

Download
memory/1532-130-0x00000297B2B80000-0x00000297B2BA2000-memory.dmp

Filesize
136KB

Download
memory/1532-131-0x00007FF842D30000-0x00007FF8437F1000-memory.dmp

Filesize
10.8MB

Download
memory/1532-150-0x00007FF842D30000-0x00007FF8437F1000-memory.dmp

Filesize
10.8MB

Download
memory/1576-154-0x00007FF842D30000-0x00007FF8437F1000-memory.dmp

Filesize
10.8MB

Download
memory/1576-143-0x0000000000000000-mapping.dmp

Download
memory/1576-146-0x00007FF842D30000-0x00007FF8437F1000-memory.dmp

Filesize
10.8MB

Download
memory/1796-142-0x0000000000000000-mapping.dmp

Download
memory/1908-140-0x0000000000000000-mapping.dmp

Download
memory/2056-141-0x0000000000000000-mapping.dmp

Download
memory/2836-147-0x00007FF842D30000-0x00007FF8437F1000-memory.dmp

Filesize
10.8MB

Download
memory/2836-133-0x0000000000000000-mapping.dmp

Download
memory/2836-137-0x00007FF842D30000-0x00007FF8437F1000-memory.dmp

Filesize
10.8MB

Download
memory/2980-138-0x0000000000000000-mapping.dmp

Download
memory/3840-135-0x0000000000000000-mapping.dmp

Download
memory/4408-152-0x000000000040BBBE-mapping.dmp

Download
memory/4408-151-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4408-157-0x0000000005340000-0x00000000053DC000-memory.dmp

Filesize
624KB

Download
memory/4408-158-0x0000000005990000-0x0000000005F34000-memory.dmp

Filesize
5.6MB

Download
memory/4408-159-0x00000000053E0000-0x0000000005472000-memory.dmp

Filesize
584KB

Download
memory/4408-161-0x00000000058C0000-0x00000000058CA000-memory.dmp

Filesize
40KB

Download
memory/4408-162-0x0000000006170000-0x00000000061D6000-memory.dmp

Filesize
408KB

Download
memory/4548-160-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads