njrat | e82555397d481c3f94c3e573022868bc323d5d3b6cc4af88eb7eff6e41711a15

General

Target

255e87bd4a3dcd9a9029d28789618f55.exe
Size

23KB
MD5

255e87bd4a3dcd9a9029d28789618f55
SHA1

bfe289ecba86b3685be8092110deb54556824e6f
SHA256

e82555397d481c3f94c3e573022868bc323d5d3b6cc4af88eb7eff6e41711a15
SHA512

6e8d9fc3739e735379532faf386564ccce399c168040570e4520f3922214e4e600b794b583ed522b4f7fdd4c81ce02b602980c7a89291ecbb4e07567d8d834aa
SSDEEP

384:n8aY1ia0N/IH+WUiWiLcXyUTly2Rc87po6ngB8W+tqlf5mRvR6JZlbw8hqIusZzM:m1Re/E+WUiW6ci6NR7tZRpcnut

Score

10^/10

njrat hacked trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

51.68.160.90:5552

Mutex

e1c9d16af5e1738b14f272c73a4cddae

Attributes

reg_key
e1c9d16af5e1738b14f272c73a4cddae
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

Host Process for Windows Tasks.exe

pid process

2800 Host Process for Windows Tasks.exe

pid	process
2800	Host Process for Windows Tasks.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

255e87bd4a3dcd9a9029d28789618f55.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	255e87bd4a3dcd9a9029d28789618f55.exe

Drops file in Windows directory 1 IoCs

Processes:

dw20.exe

description ioc process

File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp dw20.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	dw20.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

dw20.exe

description	pid	process
Token: SeRestorePrivilege	4808	dw20.exe
Token: SeBackupPrivilege	4808	dw20.exe
Token: SeBackupPrivilege	4808	dw20.exe
Token: SeBackupPrivilege	4808	dw20.exe
Token: SeBackupPrivilege	4808	dw20.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

255e87bd4a3dcd9a9029d28789618f55.exeHost Process for Windows Tasks.exe

description	pid	process	target process
PID 2056 wrote to memory of 2800	2056	255e87bd4a3dcd9a9029d28789618f55.exe	Host Process for Windows Tasks.exe
PID 2056 wrote to memory of 2800	2056	255e87bd4a3dcd9a9029d28789618f55.exe	Host Process for Windows Tasks.exe
PID 2056 wrote to memory of 2800	2056	255e87bd4a3dcd9a9029d28789618f55.exe	Host Process for Windows Tasks.exe
PID 2800 wrote to memory of 4808	2800	Host Process for Windows Tasks.exe	dw20.exe
PID 2800 wrote to memory of 4808	2800	Host Process for Windows Tasks.exe	dw20.exe
PID 2800 wrote to memory of 4808	2800	Host Process for Windows Tasks.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\255e87bd4a3dcd9a9029d28789618f55.exe
"C:\Users\Admin\AppData\Local\Temp\255e87bd4a3dcd9a9029d28789618f55.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2056

C:\Users\Admin\AppData\Roaming\Host Process for Windows Tasks.exe
"C:\Users\Admin\AppData\Roaming\Host Process for Windows Tasks.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 784
3⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:4808

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Host Process for Windows Tasks.exe
Filesize
23KB

MD5
255e87bd4a3dcd9a9029d28789618f55

SHA1
bfe289ecba86b3685be8092110deb54556824e6f

SHA256
e82555397d481c3f94c3e573022868bc323d5d3b6cc4af88eb7eff6e41711a15

SHA512
6e8d9fc3739e735379532faf386564ccce399c168040570e4520f3922214e4e600b794b583ed522b4f7fdd4c81ce02b602980c7a89291ecbb4e07567d8d834aa

Download Submit
C:\Users\Admin\AppData\Roaming\Host Process for Windows Tasks.exe
Filesize
23KB

MD5
255e87bd4a3dcd9a9029d28789618f55

SHA1
bfe289ecba86b3685be8092110deb54556824e6f

SHA256
e82555397d481c3f94c3e573022868bc323d5d3b6cc4af88eb7eff6e41711a15

SHA512
6e8d9fc3739e735379532faf386564ccce399c168040570e4520f3922214e4e600b794b583ed522b4f7fdd4c81ce02b602980c7a89291ecbb4e07567d8d834aa

Download Submit
memory/2056-132-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download
memory/2056-133-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download
memory/2056-139-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download
memory/2800-134-0x0000000000000000-mapping.dmp

Download
memory/2800-138-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download
memory/4808-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads