njrat | ab848665d099cb50c939e27c37c04c009f66e21af789a15d2b96765dca832502

General

Target

Server2.ps1
Size

612KB
MD5

6bc00b50a62e3f2160b9edf1cb1cce8e
SHA1

1381fac090dcc9a5635e3e0ae4c6693f726c4dd5
SHA256

4ca62a1c904c5a12aac80ea69f09c4ba439a0eb786d23d384f76f42c32f0063c
SHA512

571b564613e8c6f72a951cbcafa5e5caf9043cb7fffa97f474c80e2bb50f9db281cdd4608c0bcb1a64ce15723f82af78290e76fb9bd50eb36fce7126fe9d1479

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

1.9

Botnet

HacKed

Mutex

Microsoft.Exe

Attributes

reg_key
Microsoft.Exe

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

POWERSHELL.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3752	3484	POWERSHELL.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1188 netsh.exe

pid	process
1188	netsh.exe

Registers COM server for autorun 1 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\IDontExist.dll"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1528 set thread context of 1348 1528 powershell.exe aspnet_compiler.exe

description	pid	process	target process
PID 1528 set thread context of 1348	1528	powershell.exe	aspnet_compiler.exe

Modifies registry class 4 IoCs

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\IDontExist.dll"	reg.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

848 reg.exe
4072 reg.exe

pid	process
848	reg.exe
4072	reg.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exePOWERSHELL.exepowershell.exe

pid	process
4180	powershell.exe
4180	powershell.exe
3984	powershell.exe
3984	powershell.exe
3752	POWERSHELL.exe
3752	POWERSHELL.exe
1528	powershell.exe
1528	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exePOWERSHELL.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4180	powershell.exe
Token: SeDebugPrivilege	3984	powershell.exe
Token: SeDebugPrivilege	3752	POWERSHELL.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeIncreaseQuotaPrivilege	3984	powershell.exe
Token: SeSecurityPrivilege	3984	powershell.exe
Token: SeTakeOwnershipPrivilege	3984	powershell.exe
Token: SeLoadDriverPrivilege	3984	powershell.exe
Token: SeSystemProfilePrivilege	3984	powershell.exe
Token: SeSystemtimePrivilege	3984	powershell.exe
Token: SeProfSingleProcessPrivilege	3984	powershell.exe
Token: SeIncBasePriorityPrivilege	3984	powershell.exe
Token: SeCreatePagefilePrivilege	3984	powershell.exe
Token: SeBackupPrivilege	3984	powershell.exe
Token: SeRestorePrivilege	3984	powershell.exe
Token: SeShutdownPrivilege	3984	powershell.exe
Token: SeDebugPrivilege	3984	powershell.exe
Token: SeSystemEnvironmentPrivilege	3984	powershell.exe
Token: SeRemoteShutdownPrivilege	3984	powershell.exe
Token: SeUndockPrivilege	3984	powershell.exe
Token: SeManageVolumePrivilege	3984	powershell.exe
Token: 33	3984	powershell.exe
Token: 34	3984	powershell.exe
Token: 35	3984	powershell.exe
Token: 36	3984	powershell.exe
Token: SeIncreaseQuotaPrivilege	3984	powershell.exe
Token: SeSecurityPrivilege	3984	powershell.exe
Token: SeTakeOwnershipPrivilege	3984	powershell.exe
Token: SeLoadDriverPrivilege	3984	powershell.exe
Token: SeSystemProfilePrivilege	3984	powershell.exe
Token: SeSystemtimePrivilege	3984	powershell.exe
Token: SeProfSingleProcessPrivilege	3984	powershell.exe
Token: SeIncBasePriorityPrivilege	3984	powershell.exe
Token: SeCreatePagefilePrivilege	3984	powershell.exe
Token: SeBackupPrivilege	3984	powershell.exe
Token: SeRestorePrivilege	3984	powershell.exe
Token: SeShutdownPrivilege	3984	powershell.exe
Token: SeDebugPrivilege	3984	powershell.exe
Token: SeSystemEnvironmentPrivilege	3984	powershell.exe
Token: SeRemoteShutdownPrivilege	3984	powershell.exe
Token: SeUndockPrivilege	3984	powershell.exe
Token: SeManageVolumePrivilege	3984	powershell.exe
Token: 33	3984	powershell.exe
Token: 34	3984	powershell.exe
Token: 35	3984	powershell.exe
Token: 36	3984	powershell.exe
Token: SeIncreaseQuotaPrivilege	3984	powershell.exe
Token: SeSecurityPrivilege	3984	powershell.exe
Token: SeTakeOwnershipPrivilege	3984	powershell.exe
Token: SeLoadDriverPrivilege	3984	powershell.exe
Token: SeSystemProfilePrivilege	3984	powershell.exe
Token: SeSystemtimePrivilege	3984	powershell.exe
Token: SeProfSingleProcessPrivilege	3984	powershell.exe
Token: SeIncBasePriorityPrivilege	3984	powershell.exe
Token: SeCreatePagefilePrivilege	3984	powershell.exe
Token: SeBackupPrivilege	3984	powershell.exe
Token: SeRestorePrivilege	3984	powershell.exe
Token: SeShutdownPrivilege	3984	powershell.exe
Token: SeDebugPrivilege	3984	powershell.exe
Token: SeSystemEnvironmentPrivilege	3984	powershell.exe
Token: SeRemoteShutdownPrivilege	3984	powershell.exe
Token: SeUndockPrivilege	3984	powershell.exe
Token: SeManageVolumePrivilege	3984	powershell.exe
Token: 33	3984	powershell.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

powershell.exepowershell.exePOWERSHELL.execmd.execmd.exepowershell.exeaspnet_compiler.exe

description	pid	process	target process
PID 4180 wrote to memory of 3984	4180	powershell.exe	powershell.exe
PID 4180 wrote to memory of 3984	4180	powershell.exe	powershell.exe
PID 3984 wrote to memory of 1364	3984	powershell.exe	WScript.exe
PID 3984 wrote to memory of 1364	3984	powershell.exe	WScript.exe
PID 3752 wrote to memory of 4300	3752	POWERSHELL.exe	cmd.exe
PID 3752 wrote to memory of 4300	3752	POWERSHELL.exe	cmd.exe
PID 4300 wrote to memory of 848	4300	cmd.exe	reg.exe
PID 4300 wrote to memory of 848	4300	cmd.exe	reg.exe
PID 4300 wrote to memory of 4072	4300	cmd.exe	reg.exe
PID 4300 wrote to memory of 4072	4300	cmd.exe	reg.exe
PID 4300 wrote to memory of 2280	4300	cmd.exe	cmd.exe
PID 4300 wrote to memory of 2280	4300	cmd.exe	cmd.exe
PID 2280 wrote to memory of 1528	2280	cmd.exe	powershell.exe
PID 2280 wrote to memory of 1528	2280	cmd.exe	powershell.exe
PID 1528 wrote to memory of 1348	1528	powershell.exe	aspnet_compiler.exe
PID 1528 wrote to memory of 1348	1528	powershell.exe	aspnet_compiler.exe
PID 1528 wrote to memory of 1348	1528	powershell.exe	aspnet_compiler.exe
PID 1528 wrote to memory of 1348	1528	powershell.exe	aspnet_compiler.exe
PID 1528 wrote to memory of 1348	1528	powershell.exe	aspnet_compiler.exe
PID 1528 wrote to memory of 1348	1528	powershell.exe	aspnet_compiler.exe
PID 1528 wrote to memory of 1348	1528	powershell.exe	aspnet_compiler.exe
PID 1528 wrote to memory of 1348	1528	powershell.exe	aspnet_compiler.exe
PID 1348 wrote to memory of 1188	1348	aspnet_compiler.exe	netsh.exe
PID 1348 wrote to memory of 1188	1348	aspnet_compiler.exe	netsh.exe
PID 1348 wrote to memory of 1188	1348	aspnet_compiler.exe	netsh.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Server2.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4180

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\EOHXBXCWKDDRNGPNFSIAOH.ps1'"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3984

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\EOHXBXCWKDDRNGPNFSIAOH.vbs"
3⤵
PID:1364

C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exe
POWERSHELL -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\EOHXBXCWKDDRNGPNFSIAOH.bat
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\EOHXBXCWKDDRNGPNFSIAOH.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:4300

C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f
3⤵
- Modifies registry class
- Modifies registry key
PID:848

C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f
3⤵
- Registers COM server for autorun
- Modifies registry class
- Modifies registry key
PID:4072

C:\Windows\system32\cmd.exe
cMd.E"x"e /c =PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\JQEIQFWPUTYRZYJCTCTPUB.ps1'"
3⤵
- Suspicious use of WriteProcessMemory
PID:2280

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\JQEIQFWPUTYRZYJCTCTPUB.ps1'"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" "aspnet_compiler.exe" ENABLE
6⤵
- Modifies Windows Firewall
PID:1188

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\EOHXBXCWKDDRNGPNFSIAOH.bat
Filesize
706B

MD5
6a90128893777a59d404d46d3e967104

SHA1
e2b70c13764f2f61aa8503999670542237046bc4

SHA256
b986b6412802dadf97cc3684372614c084a723c25ad5db606c59a7445914b319

SHA512
5e8ed2c486b6e0832fb1516d27a63e531355c61155259438f5d2ab220e0545786a76f3633499d721b94d5857e2d0ce2c04b6ae8918bc316ed639b926fdfa794c

Download Submit
C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\EOHXBXCWKDDRNGPNFSIAOH.ps1
Filesize
3KB

MD5
43864d67842266f76a91dc4aee7338c7

SHA1
022259ecb6970f6790c329e36b94402ba815b5e0

SHA256
c9aee12c943156b698c5f5413fb0a6bbca87d0dec227d972e59dc974ac39decf

SHA512
32bb0b67d9ec8064b13a2db93940ed41ce8bc352364a0222dcef7fc6bef98b7c3a579f608fb3cb5d6b81db49a58b736600831f5c40651e058a635f7502d55980

Download Submit
C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\EOHXBXCWKDDRNGPNFSIAOH.vbs
Filesize
1KB

MD5
d6a5f499f7164e0d61a5b8a0b4900fba

SHA1
054352e97c7aa7cf0eb3b0cf2ded905fc22a70b9

SHA256
5b5e07e5a147d23983fe0adb7fed1c95f76ffe9443bd1394d4a8248a80ad2e44

SHA512
2129eb026a406fc52057f1efb9c81e1e8696971ff738093671e1c794c4cb77022bcb8b980c4fc7b1705451e9b86d2cdec87ad35b198d002035cf95dc904ebec2

Download Submit
C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\JQEIQFWPUTYRZYJCTCTPUB.ps1
Filesize
604KB

MD5
ab1fce3ab2f6f211da8f8dc30c2b3060

SHA1
ae0dff660b20f9209a66029d44b048a63cc80336

SHA256
7cb280def1092d641ad3449dd05713c155788034c6e1649d423039c867b562ca

SHA512
ed741014733c2bf70bb82e539324a3a8ebca5b56a427675c9ce7ffdbb28d4f113c2d20e6a083ba8580d891e2586190842d6cea1b7cfb5450af02a694b14b5b85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
00e7da020005370a518c26d5deb40691

SHA1
389b34fdb01997f1de74a5a2be0ff656280c0432

SHA256
a529468d442b807290b41565130e4c52760af9abec37613114db3857f11ad4fe

SHA512
9a02bacc6fb922d6202548e80e345c6cdec346b79ef7ac7a56f89fd342ff128de004065b9d010d015b54d4ca72f665ca658c7ffcd8eb906e14bfa5b48b43f2cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
2247453c28acd1eb75cfe181540458a8

SHA1
851fc5a9950d422d76163fdc6a453d6859d56660

SHA256
358b8df2d92a70274c5ec8e50bf6353c37a7fe1855fd9659f610f8a96eac19bd

SHA512
42475e640ee70ab4bd7350dbd970c5862f1597918b6a5e3ee038a10a5c5b883ac61038ecec51a7bfe7cb615798d832fae4a3ead9571f35825a644dee1f2dd7d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
f87b0558f50792e4684d92fb3d271c24

SHA1
e745842dfeec7403c04a660ad6a2f2231ba605bb

SHA256
61d84320415c97ff5d41de5030ba8b8b77c04295d2137f95de9e947a954a8192

SHA512
56275978bc50ff36bd9ace519adc25d204955983ba0394ced54f9a70d063c4445e591df6e697b536a1abce8cd4795b80e572f17ae31063c97926cff4553d51a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
memory/848-140-0x0000000000000000-mapping.dmp

Download
memory/1188-160-0x0000000000000000-mapping.dmp

Download
memory/1348-159-0x0000000004F80000-0x0000000005012000-memory.dmp

Filesize
584KB

Download
memory/1348-157-0x0000000004E40000-0x0000000004EDC000-memory.dmp

Filesize
624KB

Download
memory/1348-158-0x0000000005490000-0x0000000005A34000-memory.dmp

Filesize
5.6MB

Download
memory/1348-161-0x0000000005AB0000-0x0000000005B16000-memory.dmp

Filesize
408KB

Download
memory/1348-151-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1348-152-0x000000000040BBBE-mapping.dmp

Download
memory/1348-162-0x0000000005CA0000-0x0000000005CAA000-memory.dmp

Filesize
40KB

Download
memory/1364-136-0x0000000000000000-mapping.dmp

Download
memory/1528-154-0x00007FFDE8060000-0x00007FFDE8B21000-memory.dmp

Filesize
10.8MB

Download
memory/1528-143-0x0000000000000000-mapping.dmp

Download
memory/1528-146-0x00007FFDE8060000-0x00007FFDE8B21000-memory.dmp

Filesize
10.8MB

Download
memory/2280-142-0x0000000000000000-mapping.dmp

Download
memory/3752-145-0x00007FFDE8060000-0x00007FFDE8B21000-memory.dmp

Filesize
10.8MB

Download
memory/3752-156-0x00007FFDE8060000-0x00007FFDE8B21000-memory.dmp

Filesize
10.8MB

Download
memory/3984-147-0x00007FFDE8060000-0x00007FFDE8B21000-memory.dmp

Filesize
10.8MB

Download
memory/3984-134-0x00007FFDE8060000-0x00007FFDE8B21000-memory.dmp

Filesize
10.8MB

Download
memory/3984-133-0x0000000000000000-mapping.dmp

Download
memory/4072-141-0x0000000000000000-mapping.dmp

Download
memory/4180-130-0x000001C5AE6F0000-0x000001C5AE712000-memory.dmp

Filesize
136KB

Download
memory/4180-150-0x00007FFDE8060000-0x00007FFDE8B21000-memory.dmp

Filesize
10.8MB

Download
memory/4180-132-0x00007FFDE8060000-0x00007FFDE8B21000-memory.dmp

Filesize
10.8MB

Download
memory/4180-131-0x00007FFDE8060000-0x00007FFDE8B21000-memory.dmp

Filesize
10.8MB

Download
memory/4300-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads