njrat | 5cf17f3d1a5b7713a357bcd0473986e575733fdee5f10e390272793aeea92700

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2022 19:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0x000a0000000122f5-56.exe
Size

23KB
MD5

ffa4d67e73388d5573b9e55a029800ab
SHA1

929760e8f38433556280bc348609273e1d2d25e1
SHA256

5cf17f3d1a5b7713a357bcd0473986e575733fdee5f10e390272793aeea92700
SHA512

e50f469dc6ac8ed96d7f1a363823202319439e196b3689caf0a53ee4a31aab26b44c0c543e7f879b0268c9f2e6a9bc21797a3af28bb696a68f830ff9dc7dd81c
SSDEEP

384:2sqS+ER6vRKXGYKRWVSujUtX9w6Dglo61Z5DVmRvR6JZlbw8hqIusZzZNHhy:Bf65K2Yf1jKRpcnumo

Score

10^/10

njrat hacked evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

0.tcp.ngrok.io:17413

Mutex

ed0dbeeaea86b7db8fabde04117ddf70

Attributes

reg_key
ed0dbeeaea86b7db8fabde04117ddf70
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

server.exe

pid process

1104 server.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1272 netsh.exe

pid	process
1104	server.exe

pid	process
1272	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0x000a0000000122f5-56.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	0x000a0000000122f5-56.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

server.exe

description	pid	process
Token: SeDebugPrivilege	1104	server.exe
Token: 33	1104	server.exe
Token: SeIncBasePriorityPrivilege	1104	server.exe
Token: 33	1104	server.exe
Token: SeIncBasePriorityPrivilege	1104	server.exe
Token: 33	1104	server.exe
Token: SeIncBasePriorityPrivilege	1104	server.exe
Token: 33	1104	server.exe
Token: SeIncBasePriorityPrivilege	1104	server.exe
Token: 33	1104	server.exe
Token: SeIncBasePriorityPrivilege	1104	server.exe
Token: 33	1104	server.exe
Token: SeIncBasePriorityPrivilege	1104	server.exe
Token: 33	1104	server.exe
Token: SeIncBasePriorityPrivilege	1104	server.exe
Token: 33	1104	server.exe
Token: SeIncBasePriorityPrivilege	1104	server.exe
Token: 33	1104	server.exe
Token: SeIncBasePriorityPrivilege	1104	server.exe
Token: 33	1104	server.exe
Token: SeIncBasePriorityPrivilege	1104	server.exe
Token: 33	1104	server.exe
Token: SeIncBasePriorityPrivilege	1104	server.exe
Token: 33	1104	server.exe
Token: SeIncBasePriorityPrivilege	1104	server.exe
Token: 33	1104	server.exe
Token: SeIncBasePriorityPrivilege	1104	server.exe
Token: 33	1104	server.exe
Token: SeIncBasePriorityPrivilege	1104	server.exe
Token: 33	1104	server.exe
Token: SeIncBasePriorityPrivilege	1104	server.exe
Token: 33	1104	server.exe
Token: SeIncBasePriorityPrivilege	1104	server.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

0x000a0000000122f5-56.exeserver.exe

description	pid	process	target process
PID 3424 wrote to memory of 1104	3424	0x000a0000000122f5-56.exe	server.exe
PID 3424 wrote to memory of 1104	3424	0x000a0000000122f5-56.exe	server.exe
PID 3424 wrote to memory of 1104	3424	0x000a0000000122f5-56.exe	server.exe
PID 1104 wrote to memory of 1272	1104	server.exe	netsh.exe
PID 1104 wrote to memory of 1272	1104	server.exe	netsh.exe
PID 1104 wrote to memory of 1272	1104	server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\0x000a0000000122f5-56.exe
"C:\Users\Admin\AppData\Local\Temp\0x000a0000000122f5-56.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3424

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:1272

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
23KB

MD5
ffa4d67e73388d5573b9e55a029800ab

SHA1
929760e8f38433556280bc348609273e1d2d25e1

SHA256
5cf17f3d1a5b7713a357bcd0473986e575733fdee5f10e390272793aeea92700

SHA512
e50f469dc6ac8ed96d7f1a363823202319439e196b3689caf0a53ee4a31aab26b44c0c543e7f879b0268c9f2e6a9bc21797a3af28bb696a68f830ff9dc7dd81c

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
23KB

MD5
ffa4d67e73388d5573b9e55a029800ab

SHA1
929760e8f38433556280bc348609273e1d2d25e1

SHA256
5cf17f3d1a5b7713a357bcd0473986e575733fdee5f10e390272793aeea92700

SHA512
e50f469dc6ac8ed96d7f1a363823202319439e196b3689caf0a53ee4a31aab26b44c0c543e7f879b0268c9f2e6a9bc21797a3af28bb696a68f830ff9dc7dd81c

Download Submit
memory/1104-133-0x0000000000000000-mapping.dmp

Download
memory/1104-137-0x0000000075300000-0x00000000758B1000-memory.dmp

Filesize
5.7MB

Download
memory/1104-139-0x0000000075300000-0x00000000758B1000-memory.dmp

Filesize
5.7MB

Download
memory/1272-138-0x0000000000000000-mapping.dmp

Download
memory/3424-132-0x0000000075300000-0x00000000758B1000-memory.dmp

Filesize
5.7MB

Download
memory/3424-136-0x0000000075300000-0x00000000758B1000-memory.dmp

Filesize
5.7MB

Download