njrat | 76de9acdc679b628b2982e417d9b9d3329841439f9ccfb70e4e11e162ec1eb68

Analysis

max time kernel
146s
max time network
142s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-08-2022 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2944260deaa025272074f9a2ac84ffd7.exe
Size

347KB
MD5

2944260deaa025272074f9a2ac84ffd7
SHA1

18aa80fcd4efade56a68ce67a38f8e148d38e863
SHA256

76de9acdc679b628b2982e417d9b9d3329841439f9ccfb70e4e11e162ec1eb68
SHA512

84e15d0cef4d0a34fecb7238aa3e02c2ecd19e0e5beb1474d6c8cb74b40eaae3e097455b2e2a71a6ae02113192a67f52149231313a9e992a9c13c4da22366653
SSDEEP

6144:SiDdgU7fEMhpd2cBcr39lIKdK8RKzd+jAYLToFYAah+eCH5+Hn0Su34KB:1fEWpdPKrNlIKdK8RKwOXo+J4H0SQ

Score

10^/10

njrat hacked evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

FRANSESCOC50Y3AuZXUubmdyb2suaW8Strik:MTU4OTA=

Mutex

0ec537396f8c89c665c6c857f7fa4b8a

Attributes

reg_key
0ec537396f8c89c665c6c857f7fa4b8a
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

Server.exeserver.exe

pid process

856 Server.exe
1492 server.exe
Modifies Windows Firewall 1 TTPs 3 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exenetsh.exe

pid process

320 netsh.exe
1948 netsh.exe
1108 netsh.exe
Loads dropped DLL 4 IoCs

Processes:

2944260deaa025272074f9a2ac84ffd7.exeServer.exe

pid process

976 2944260deaa025272074f9a2ac84ffd7.exe
976 2944260deaa025272074f9a2ac84ffd7.exe
856 Server.exe
856 Server.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

server.exe

pid process

1492 server.exe

pid	process
856	Server.exe
1492	server.exe

pid	process
320	netsh.exe
1948	netsh.exe
1108	netsh.exe

pid	process
976	2944260deaa025272074f9a2ac84ffd7.exe
976	2944260deaa025272074f9a2ac84ffd7.exe
856	Server.exe
856	Server.exe

pid	process
1492	server.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

server.exe

description	pid	process
Token: SeDebugPrivilege	1492	server.exe
Token: 33	1492	server.exe
Token: SeIncBasePriorityPrivilege	1492	server.exe
Token: 33	1492	server.exe
Token: SeIncBasePriorityPrivilege	1492	server.exe
Token: 33	1492	server.exe
Token: SeIncBasePriorityPrivilege	1492	server.exe
Token: 33	1492	server.exe
Token: SeIncBasePriorityPrivilege	1492	server.exe
Token: 33	1492	server.exe
Token: SeIncBasePriorityPrivilege	1492	server.exe
Token: 33	1492	server.exe
Token: SeIncBasePriorityPrivilege	1492	server.exe
Token: 33	1492	server.exe
Token: SeIncBasePriorityPrivilege	1492	server.exe
Token: 33	1492	server.exe
Token: SeIncBasePriorityPrivilege	1492	server.exe
Token: 33	1492	server.exe
Token: SeIncBasePriorityPrivilege	1492	server.exe
Token: 33	1492	server.exe
Token: SeIncBasePriorityPrivilege	1492	server.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

2944260deaa025272074f9a2ac84ffd7.exeServer.exeserver.exe

description	pid	process	target process
PID 976 wrote to memory of 856	976	2944260deaa025272074f9a2ac84ffd7.exe	Server.exe
PID 976 wrote to memory of 856	976	2944260deaa025272074f9a2ac84ffd7.exe	Server.exe
PID 976 wrote to memory of 856	976	2944260deaa025272074f9a2ac84ffd7.exe	Server.exe
PID 976 wrote to memory of 856	976	2944260deaa025272074f9a2ac84ffd7.exe	Server.exe
PID 856 wrote to memory of 1492	856	Server.exe	server.exe
PID 856 wrote to memory of 1492	856	Server.exe	server.exe
PID 856 wrote to memory of 1492	856	Server.exe	server.exe
PID 856 wrote to memory of 1492	856	Server.exe	server.exe
PID 1492 wrote to memory of 320	1492	server.exe	netsh.exe
PID 1492 wrote to memory of 320	1492	server.exe	netsh.exe
PID 1492 wrote to memory of 320	1492	server.exe	netsh.exe
PID 1492 wrote to memory of 320	1492	server.exe	netsh.exe
PID 1492 wrote to memory of 1948	1492	server.exe	netsh.exe
PID 1492 wrote to memory of 1948	1492	server.exe	netsh.exe
PID 1492 wrote to memory of 1948	1492	server.exe	netsh.exe
PID 1492 wrote to memory of 1948	1492	server.exe	netsh.exe
PID 1492 wrote to memory of 1108	1492	server.exe	netsh.exe
PID 1492 wrote to memory of 1108	1492	server.exe	netsh.exe
PID 1492 wrote to memory of 1108	1492	server.exe	netsh.exe
PID 1492 wrote to memory of 1108	1492	server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\2944260deaa025272074f9a2ac84ffd7.exe
"C:\Users\Admin\AppData\Local\Temp\2944260deaa025272074f9a2ac84ffd7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:976

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Server.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Server.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:856

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:320

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
4⤵
- Modifies Windows Firewall
PID:1948

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:1108

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
93KB

MD5
6633e4a02ef0a596391274133458fe08

SHA1
194b28b1494dd31941e2404094034a55062fdc86

SHA256
af57cecf462d2f8321a842aca1566a9629d2315958a7a0252ca8c8e7e0e993d7

SHA512
449e6ae83ce6d82be9b9e90c3fd07ac358c4cb8f3d8fc273057de7caa59cf51bbdb55b03cf063c5651cf8d23354cd3d178830ad580301c2764bec7c0b21842ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
93KB

MD5
6633e4a02ef0a596391274133458fe08

SHA1
194b28b1494dd31941e2404094034a55062fdc86

SHA256
af57cecf462d2f8321a842aca1566a9629d2315958a7a0252ca8c8e7e0e993d7

SHA512
449e6ae83ce6d82be9b9e90c3fd07ac358c4cb8f3d8fc273057de7caa59cf51bbdb55b03cf063c5651cf8d23354cd3d178830ad580301c2764bec7c0b21842ba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Server.exe
Filesize
93KB

MD5
6633e4a02ef0a596391274133458fe08

SHA1
194b28b1494dd31941e2404094034a55062fdc86

SHA256
af57cecf462d2f8321a842aca1566a9629d2315958a7a0252ca8c8e7e0e993d7

SHA512
449e6ae83ce6d82be9b9e90c3fd07ac358c4cb8f3d8fc273057de7caa59cf51bbdb55b03cf063c5651cf8d23354cd3d178830ad580301c2764bec7c0b21842ba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Server.exe
Filesize
93KB

MD5
6633e4a02ef0a596391274133458fe08

SHA1
194b28b1494dd31941e2404094034a55062fdc86

SHA256
af57cecf462d2f8321a842aca1566a9629d2315958a7a0252ca8c8e7e0e993d7

SHA512
449e6ae83ce6d82be9b9e90c3fd07ac358c4cb8f3d8fc273057de7caa59cf51bbdb55b03cf063c5651cf8d23354cd3d178830ad580301c2764bec7c0b21842ba

Download Submit
C:\Users\Admin\AppData\Roaming\app
Filesize
5B

MD5
b66e20886f9675fe4dbf430ea2d0bf8d

SHA1
2e676da72201e6e4482e00b300511900c6aee5a0

SHA256
899a421c56c18058cbdd16dd7fb313a57d36c1189ca0f442070ed01d17241414

SHA512
f431616522f775de27ccde420f0de6f8b3477fbe97cfd8001864b8289a570916a6dd32c84fcf8af6083d8c1b47c61aa5c73ed1e7cc75213d3f24bd94a93cb870

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe
Filesize
93KB

MD5
6633e4a02ef0a596391274133458fe08

SHA1
194b28b1494dd31941e2404094034a55062fdc86

SHA256
af57cecf462d2f8321a842aca1566a9629d2315958a7a0252ca8c8e7e0e993d7

SHA512
449e6ae83ce6d82be9b9e90c3fd07ac358c4cb8f3d8fc273057de7caa59cf51bbdb55b03cf063c5651cf8d23354cd3d178830ad580301c2764bec7c0b21842ba

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe
Filesize
93KB

MD5
6633e4a02ef0a596391274133458fe08

SHA1
194b28b1494dd31941e2404094034a55062fdc86

SHA256
af57cecf462d2f8321a842aca1566a9629d2315958a7a0252ca8c8e7e0e993d7

SHA512
449e6ae83ce6d82be9b9e90c3fd07ac358c4cb8f3d8fc273057de7caa59cf51bbdb55b03cf063c5651cf8d23354cd3d178830ad580301c2764bec7c0b21842ba

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Server.exe
Filesize
93KB

MD5
6633e4a02ef0a596391274133458fe08

SHA1
194b28b1494dd31941e2404094034a55062fdc86

SHA256
af57cecf462d2f8321a842aca1566a9629d2315958a7a0252ca8c8e7e0e993d7

SHA512
449e6ae83ce6d82be9b9e90c3fd07ac358c4cb8f3d8fc273057de7caa59cf51bbdb55b03cf063c5651cf8d23354cd3d178830ad580301c2764bec7c0b21842ba

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Server.exe
Filesize
93KB

MD5
6633e4a02ef0a596391274133458fe08

SHA1
194b28b1494dd31941e2404094034a55062fdc86

SHA256
af57cecf462d2f8321a842aca1566a9629d2315958a7a0252ca8c8e7e0e993d7

SHA512
449e6ae83ce6d82be9b9e90c3fd07ac358c4cb8f3d8fc273057de7caa59cf51bbdb55b03cf063c5651cf8d23354cd3d178830ad580301c2764bec7c0b21842ba

Download Submit
memory/320-73-0x0000000000000000-mapping.dmp

Download
memory/856-63-0x0000000074390000-0x000000007493B000-memory.dmp

Filesize
5.7MB

Download
memory/856-70-0x0000000074390000-0x000000007493B000-memory.dmp

Filesize
5.7MB

Download
memory/856-58-0x0000000000000000-mapping.dmp

Download
memory/976-54-0x0000000075791000-0x0000000075793000-memory.dmp

Filesize
8KB

Download
memory/976-62-0x0000000074390000-0x000000007493B000-memory.dmp

Filesize
5.7MB

Download
memory/976-55-0x0000000074390000-0x000000007493B000-memory.dmp

Filesize
5.7MB

Download
memory/1108-76-0x0000000000000000-mapping.dmp

Download
memory/1492-71-0x0000000074390000-0x000000007493B000-memory.dmp

Filesize
5.7MB

Download
memory/1492-66-0x0000000000000000-mapping.dmp

Download
memory/1492-79-0x0000000074390000-0x000000007493B000-memory.dmp

Filesize
5.7MB

Download
memory/1948-75-0x0000000000000000-mapping.dmp

Download