njrat | 6cd445a30c853960af9d9ce87a23bf57b22cb494a5c9fe216b2afb296f0654d6

General

Target

VXUHEUR-Trojan.MSIL.Crypt.gen-6cd445a30c85396.exe
Size

111KB
MD5

88e469aebd9529524d4420e3bf7d4964
SHA1

d8e22b9746702e583b5307b1ed1ac2a0f250f31b
SHA256

6cd445a30c853960af9d9ce87a23bf57b22cb494a5c9fe216b2afb296f0654d6
SHA512

5977c2755f82ab31375bd0ca99a8ef29d2eabc0a52b62dea40eacc80834250a626293fe017ea3adc5703157760438c5f535475a61b2bfe27a7d4576dfb6ed434

Score

10^/10

njrat victime persistence trojan

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

Victime

C2

algiriano.ddns.net:6000

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

WindowsUpdater.bat

pid process

1760 WindowsUpdater.bat

pid	process
1760	WindowsUpdater.bat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

VXUHEUR-Trojan.MSIL.Crypt.gen-6cd445a30c85396.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	VXUHEUR-Trojan.MSIL.Crypt.gen-6cd445a30c85396.exe

Drops startup file 2 IoCs

Processes:

VXUHEUR-Trojan.MSIL.Crypt.gen-6cd445a30c85396.exeWindowsUpdater.bat

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	VXUHEUR-Trojan.MSIL.Crypt.gen-6cd445a30c85396.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	WindowsUpdater.bat

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

VXUHEUR-Trojan.MSIL.Crypt.gen-6cd445a30c85396.exeWindowsUpdater.bat

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WindowsUpdater.bat"	VXUHEUR-Trojan.MSIL.Crypt.gen-6cd445a30c85396.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	WindowsUpdater.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	WindowsUpdater.bat
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	WindowsUpdater.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	WindowsUpdater.bat

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

WindowsUpdater.bat

description	pid	process
Token: SeDebugPrivilege	1760	WindowsUpdater.bat
Token: 33	1760	WindowsUpdater.bat
Token: SeIncBasePriorityPrivilege	1760	WindowsUpdater.bat
Token: 33	1760	WindowsUpdater.bat
Token: SeIncBasePriorityPrivilege	1760	WindowsUpdater.bat
Token: 33	1760	WindowsUpdater.bat
Token: SeIncBasePriorityPrivilege	1760	WindowsUpdater.bat
Token: 33	1760	WindowsUpdater.bat
Token: SeIncBasePriorityPrivilege	1760	WindowsUpdater.bat
Token: 33	1760	WindowsUpdater.bat
Token: SeIncBasePriorityPrivilege	1760	WindowsUpdater.bat
Token: 33	1760	WindowsUpdater.bat
Token: SeIncBasePriorityPrivilege	1760	WindowsUpdater.bat
Token: 33	1760	WindowsUpdater.bat
Token: SeIncBasePriorityPrivilege	1760	WindowsUpdater.bat
Token: 33	1760	WindowsUpdater.bat
Token: SeIncBasePriorityPrivilege	1760	WindowsUpdater.bat
Token: 33	1760	WindowsUpdater.bat
Token: SeIncBasePriorityPrivilege	1760	WindowsUpdater.bat
Token: 33	1760	WindowsUpdater.bat
Token: SeIncBasePriorityPrivilege	1760	WindowsUpdater.bat
Token: 33	1760	WindowsUpdater.bat
Token: SeIncBasePriorityPrivilege	1760	WindowsUpdater.bat
Token: 33	1760	WindowsUpdater.bat
Token: SeIncBasePriorityPrivilege	1760	WindowsUpdater.bat
Token: 33	1760	WindowsUpdater.bat
Token: SeIncBasePriorityPrivilege	1760	WindowsUpdater.bat
Token: 33	1760	WindowsUpdater.bat
Token: SeIncBasePriorityPrivilege	1760	WindowsUpdater.bat
Token: 33	1760	WindowsUpdater.bat
Token: SeIncBasePriorityPrivilege	1760	WindowsUpdater.bat
Token: 33	1760	WindowsUpdater.bat
Token: SeIncBasePriorityPrivilege	1760	WindowsUpdater.bat

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

VXUHEUR-Trojan.MSIL.Crypt.gen-6cd445a30c85396.exeWindowsUpdater.bat

description	pid	process	target process
PID 1480 wrote to memory of 1760	1480	VXUHEUR-Trojan.MSIL.Crypt.gen-6cd445a30c85396.exe	WindowsUpdater.bat
PID 1480 wrote to memory of 1760	1480	VXUHEUR-Trojan.MSIL.Crypt.gen-6cd445a30c85396.exe	WindowsUpdater.bat
PID 1480 wrote to memory of 1760	1480	VXUHEUR-Trojan.MSIL.Crypt.gen-6cd445a30c85396.exe	WindowsUpdater.bat
PID 1480 wrote to memory of 4352	1480	VXUHEUR-Trojan.MSIL.Crypt.gen-6cd445a30c85396.exe	attrib.exe
PID 1480 wrote to memory of 4352	1480	VXUHEUR-Trojan.MSIL.Crypt.gen-6cd445a30c85396.exe	attrib.exe
PID 1480 wrote to memory of 4352	1480	VXUHEUR-Trojan.MSIL.Crypt.gen-6cd445a30c85396.exe	attrib.exe
PID 1760 wrote to memory of 3616	1760	WindowsUpdater.bat	attrib.exe
PID 1760 wrote to memory of 3616	1760	WindowsUpdater.bat	attrib.exe
PID 1760 wrote to memory of 3616	1760	WindowsUpdater.bat	attrib.exe
PID 1760 wrote to memory of 3592	1760	WindowsUpdater.bat	attrib.exe
PID 1760 wrote to memory of 3592	1760	WindowsUpdater.bat	attrib.exe
PID 1760 wrote to memory of 3592	1760	WindowsUpdater.bat	attrib.exe

Views/modifies file attributes 1 TTPs 3 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exe

pid process

4352 attrib.exe
3616 attrib.exe
3592 attrib.exe

pid	process
4352	attrib.exe
3616	attrib.exe
3592	attrib.exe

C:\Users\Admin\AppData\Local\Temp\VXUHEUR-Trojan.MSIL.Crypt.gen-6cd445a30c85396.exe
"C:\Users\Admin\AppData\Local\Temp\VXUHEUR-Trojan.MSIL.Crypt.gen-6cd445a30c85396.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1480

C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.bat
"C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.bat"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
3⤵
- Views/modifies file attributes
PID:3616

C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"
3⤵
- Views/modifies file attributes
PID:3592

C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.bat"
2⤵
- Views/modifies file attributes
PID:4352

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Hidden Files and Directories

1

T1158

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.bat
Filesize
111KB

MD5
88e469aebd9529524d4420e3bf7d4964

SHA1
d8e22b9746702e583b5307b1ed1ac2a0f250f31b

SHA256
6cd445a30c853960af9d9ce87a23bf57b22cb494a5c9fe216b2afb296f0654d6

SHA512
5977c2755f82ab31375bd0ca99a8ef29d2eabc0a52b62dea40eacc80834250a626293fe017ea3adc5703157760438c5f535475a61b2bfe27a7d4576dfb6ed434

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.bat
Filesize
111KB

MD5
88e469aebd9529524d4420e3bf7d4964

SHA1
d8e22b9746702e583b5307b1ed1ac2a0f250f31b

SHA256
6cd445a30c853960af9d9ce87a23bf57b22cb494a5c9fe216b2afb296f0654d6

SHA512
5977c2755f82ab31375bd0ca99a8ef29d2eabc0a52b62dea40eacc80834250a626293fe017ea3adc5703157760438c5f535475a61b2bfe27a7d4576dfb6ed434

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
Filesize
1KB

MD5
c87a0c01932e2b874bc3b392253a663a

SHA1
51422af62636aaaedfccbe8e4f49ffc027a90989

SHA256
8a2b0b8a4e2bd3a1d8bad6ccd1dd2b92561b9abb7156b6701a6190458507795c

SHA512
ffd135cebd6e00bb32e0fba5361554e617af27556022ab3cb04c43eae8121ebd17d3868bef382061d7cbc993e805e1501bd580bdcead8f77b44f8889ac14c0a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
Filesize
1KB

MD5
586210e5f1de944d08dd141fcadd408a

SHA1
0b539a283bfe6c23839a5c44f668af3ae205288d

SHA256
90a7d4cf6b4f075b45da710cf2f1fdfa71d0a654beb240fb74ff968ead06f742

SHA512
4a2ffa2d32f1bbcbfb1d0d76509717b9088ccb99557e47b03b03277524d4f1c6bc419dd91537ffd7e8fee7e427c017de3bec88c80c21c326388efe45c3dccca6

Download Submit
memory/1480-132-0x0000000074A20000-0x0000000074FD1000-memory.dmp

Filesize
5.7MB

Download
memory/1480-138-0x0000000074A20000-0x0000000074FD1000-memory.dmp

Filesize
5.7MB

Download
memory/1760-133-0x0000000000000000-mapping.dmp

Download
memory/1760-140-0x0000000074A20000-0x0000000074FD1000-memory.dmp

Filesize
5.7MB

Download
memory/1760-143-0x0000000074A20000-0x0000000074FD1000-memory.dmp

Filesize
5.7MB

Download
memory/3592-142-0x0000000000000000-mapping.dmp

Download
memory/3616-141-0x0000000000000000-mapping.dmp

Download
memory/4352-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads