njrat | 0fb86bb905fdc56eef57831ecfcc866a5e55c482462657353a4edfb29c1142ed

General

Target

13715a69c1f82961fa3d3205b9368c83.exe
Size

27KB
MD5

13715a69c1f82961fa3d3205b9368c83
SHA1

3b15a0c5fb6a177e12b3de81c7fc30dfda58555a
SHA256

0fb86bb905fdc56eef57831ecfcc866a5e55c482462657353a4edfb29c1142ed
SHA512

f180167942c5f2be95cf8c5089209459ed4a43c7e4270ee8129f7e261c82a52f1d34455fcc79dd920c6c7c8b04c4b9bdc8b323e5e224de414659559b04d99cba
SSDEEP

384:5L96uj/+AU9038hfOexuaP39hRnMZAQk93vmhm7UMKmIEecKdbXTzm9bVhcam671:JE0mkspJtyZA/vMHTi9bD

Score

10^/10

njrat hacked persistence trojan

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

HacKed

C2

2.tcp.eu.ngrok.io:12633

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

Payload.exe

pid process

4320 Payload.exe

pid	process
4320	Payload.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

13715a69c1f82961fa3d3205b9368c83.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	13715a69c1f82961fa3d3205b9368c83.exe

Drops startup file 4 IoCs

Processes:

Payload.exe13715a69c1f82961fa3d3205b9368c83.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	Payload.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	13715a69c1f82961fa3d3205b9368c83.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	Payload.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	Payload.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

13715a69c1f82961fa3d3205b9368c83.exePayload.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe"	13715a69c1f82961fa3d3205b9368c83.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

Payload.exe

description	pid	process
Token: SeDebugPrivilege	4320	Payload.exe
Token: 33	4320	Payload.exe
Token: SeIncBasePriorityPrivilege	4320	Payload.exe
Token: 33	4320	Payload.exe
Token: SeIncBasePriorityPrivilege	4320	Payload.exe
Token: 33	4320	Payload.exe
Token: SeIncBasePriorityPrivilege	4320	Payload.exe
Token: 33	4320	Payload.exe
Token: SeIncBasePriorityPrivilege	4320	Payload.exe
Token: 33	4320	Payload.exe
Token: SeIncBasePriorityPrivilege	4320	Payload.exe
Token: 33	4320	Payload.exe
Token: SeIncBasePriorityPrivilege	4320	Payload.exe
Token: 33	4320	Payload.exe
Token: SeIncBasePriorityPrivilege	4320	Payload.exe
Token: 33	4320	Payload.exe
Token: SeIncBasePriorityPrivilege	4320	Payload.exe
Token: 33	4320	Payload.exe
Token: SeIncBasePriorityPrivilege	4320	Payload.exe
Token: 33	4320	Payload.exe
Token: SeIncBasePriorityPrivilege	4320	Payload.exe
Token: 33	4320	Payload.exe
Token: SeIncBasePriorityPrivilege	4320	Payload.exe
Token: 33	4320	Payload.exe
Token: SeIncBasePriorityPrivilege	4320	Payload.exe
Token: 33	4320	Payload.exe
Token: SeIncBasePriorityPrivilege	4320	Payload.exe
Token: 33	4320	Payload.exe
Token: SeIncBasePriorityPrivilege	4320	Payload.exe
Token: 33	4320	Payload.exe
Token: SeIncBasePriorityPrivilege	4320	Payload.exe
Token: 33	4320	Payload.exe
Token: SeIncBasePriorityPrivilege	4320	Payload.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

13715a69c1f82961fa3d3205b9368c83.exe

description	pid	process	target process
PID 2472 wrote to memory of 4320	2472	13715a69c1f82961fa3d3205b9368c83.exe	Payload.exe
PID 2472 wrote to memory of 4320	2472	13715a69c1f82961fa3d3205b9368c83.exe	Payload.exe
PID 2472 wrote to memory of 4320	2472	13715a69c1f82961fa3d3205b9368c83.exe	Payload.exe
PID 2472 wrote to memory of 388	2472	13715a69c1f82961fa3d3205b9368c83.exe	attrib.exe
PID 2472 wrote to memory of 388	2472	13715a69c1f82961fa3d3205b9368c83.exe	attrib.exe
PID 2472 wrote to memory of 388	2472	13715a69c1f82961fa3d3205b9368c83.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

388 attrib.exe

pid	process
388	attrib.exe

C:\Users\Admin\AppData\Local\Temp\13715a69c1f82961fa3d3205b9368c83.exe
"C:\Users\Admin\AppData\Local\Temp\13715a69c1f82961fa3d3205b9368c83.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2472

C:\Users\Admin\AppData\Local\Temp\Payload.exe
"C:\Users\Admin\AppData\Local\Temp\Payload.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4320

C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
2⤵
- Views/modifies file attributes
PID:388

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Hidden Files and Directories

1

T1158

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Payload.exe
Filesize
27KB

MD5
13715a69c1f82961fa3d3205b9368c83

SHA1
3b15a0c5fb6a177e12b3de81c7fc30dfda58555a

SHA256
0fb86bb905fdc56eef57831ecfcc866a5e55c482462657353a4edfb29c1142ed

SHA512
f180167942c5f2be95cf8c5089209459ed4a43c7e4270ee8129f7e261c82a52f1d34455fcc79dd920c6c7c8b04c4b9bdc8b323e5e224de414659559b04d99cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Payload.exe
Filesize
27KB

MD5
13715a69c1f82961fa3d3205b9368c83

SHA1
3b15a0c5fb6a177e12b3de81c7fc30dfda58555a

SHA256
0fb86bb905fdc56eef57831ecfcc866a5e55c482462657353a4edfb29c1142ed

SHA512
f180167942c5f2be95cf8c5089209459ed4a43c7e4270ee8129f7e261c82a52f1d34455fcc79dd920c6c7c8b04c4b9bdc8b323e5e224de414659559b04d99cba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
Filesize
1KB

MD5
c87a0c01932e2b874bc3b392253a663a

SHA1
51422af62636aaaedfccbe8e4f49ffc027a90989

SHA256
8a2b0b8a4e2bd3a1d8bad6ccd1dd2b92561b9abb7156b6701a6190458507795c

SHA512
ffd135cebd6e00bb32e0fba5361554e617af27556022ab3cb04c43eae8121ebd17d3868bef382061d7cbc993e805e1501bd580bdcead8f77b44f8889ac14c0a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
Filesize
1KB

MD5
586210e5f1de944d08dd141fcadd408a

SHA1
0b539a283bfe6c23839a5c44f668af3ae205288d

SHA256
90a7d4cf6b4f075b45da710cf2f1fdfa71d0a654beb240fb74ff968ead06f742

SHA512
4a2ffa2d32f1bbcbfb1d0d76509717b9088ccb99557e47b03b03277524d4f1c6bc419dd91537ffd7e8fee7e427c017de3bec88c80c21c326388efe45c3dccca6

Download Submit
memory/388-137-0x0000000000000000-mapping.dmp

Download
memory/2472-132-0x00000000752E0000-0x0000000075891000-memory.dmp

Filesize
5.7MB

Download
memory/2472-133-0x00000000752E0000-0x0000000075891000-memory.dmp

Filesize
5.7MB

Download
memory/2472-139-0x00000000752E0000-0x0000000075891000-memory.dmp

Filesize
5.7MB

Download
memory/4320-134-0x0000000000000000-mapping.dmp

Download
memory/4320-141-0x00000000752E0000-0x0000000075891000-memory.dmp

Filesize
5.7MB

Download
memory/4320-142-0x00000000752E0000-0x0000000075891000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads