njrat | 8f04eb500e66a053fa3e6e8a9900e94e794218253a172265c3a881db6f65faf4

General

Target

47bea8a28b1e81e3342d594fc57acd8e.exe
Size

27KB
MD5

47bea8a28b1e81e3342d594fc57acd8e
SHA1

d301e8985e53b7baabf9b45df087a017e3817742
SHA256

8f04eb500e66a053fa3e6e8a9900e94e794218253a172265c3a881db6f65faf4
SHA512

d5f2bfa425fa0c8d7fe2531b57ed9dbe5ca9b8bb8b7a868e39b251182446a22bcf01c3181d17b3362bc2a76b56cda1e504db2436fafbf922ee2120f76e8d00b6
SSDEEP

384:2LBH6uj/+AU9038hfOexuaP39hRnMYAQk93vmhm7UMKmIEecKdbXTzm9bVhcaL62:wBa0mkspJtyYA/vMHTi9bD

Score

10^/10

njrat hacked persistence trojan

Malware Config

Extracted

Family

njrat

Version

v4.0

Botnet

HacKed

C2

216.250.251.104:2028

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

Payload.exe

pid process

1516 Payload.exe

pid	process
1516	Payload.exe

Drops startup file 2 IoCs

Processes:

47bea8a28b1e81e3342d594fc57acd8e.exePayload.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	47bea8a28b1e81e3342d594fc57acd8e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	Payload.exe

Loads dropped DLL 1 IoCs

Processes:

47bea8a28b1e81e3342d594fc57acd8e.exe

pid process

1944 47bea8a28b1e81e3342d594fc57acd8e.exe

pid	process
1944	47bea8a28b1e81e3342d594fc57acd8e.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

47bea8a28b1e81e3342d594fc57acd8e.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Payload.exe"	47bea8a28b1e81e3342d594fc57acd8e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

Payload.exe

description	pid	process
Token: SeDebugPrivilege	1516	Payload.exe
Token: 33	1516	Payload.exe
Token: SeIncBasePriorityPrivilege	1516	Payload.exe
Token: 33	1516	Payload.exe
Token: SeIncBasePriorityPrivilege	1516	Payload.exe
Token: 33	1516	Payload.exe
Token: SeIncBasePriorityPrivilege	1516	Payload.exe
Token: 33	1516	Payload.exe
Token: SeIncBasePriorityPrivilege	1516	Payload.exe
Token: 33	1516	Payload.exe
Token: SeIncBasePriorityPrivilege	1516	Payload.exe
Token: 33	1516	Payload.exe
Token: SeIncBasePriorityPrivilege	1516	Payload.exe
Token: 33	1516	Payload.exe
Token: SeIncBasePriorityPrivilege	1516	Payload.exe
Token: 33	1516	Payload.exe
Token: SeIncBasePriorityPrivilege	1516	Payload.exe
Token: 33	1516	Payload.exe
Token: SeIncBasePriorityPrivilege	1516	Payload.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

47bea8a28b1e81e3342d594fc57acd8e.exe

description	pid	process	target process
PID 1944 wrote to memory of 1516	1944	47bea8a28b1e81e3342d594fc57acd8e.exe	Payload.exe
PID 1944 wrote to memory of 1516	1944	47bea8a28b1e81e3342d594fc57acd8e.exe	Payload.exe
PID 1944 wrote to memory of 1516	1944	47bea8a28b1e81e3342d594fc57acd8e.exe	Payload.exe
PID 1944 wrote to memory of 1516	1944	47bea8a28b1e81e3342d594fc57acd8e.exe	Payload.exe
PID 1944 wrote to memory of 1356	1944	47bea8a28b1e81e3342d594fc57acd8e.exe	attrib.exe
PID 1944 wrote to memory of 1356	1944	47bea8a28b1e81e3342d594fc57acd8e.exe	attrib.exe
PID 1944 wrote to memory of 1356	1944	47bea8a28b1e81e3342d594fc57acd8e.exe	attrib.exe
PID 1944 wrote to memory of 1356	1944	47bea8a28b1e81e3342d594fc57acd8e.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1356 attrib.exe

pid	process
1356	attrib.exe

C:\Users\Admin\AppData\Local\Temp\47bea8a28b1e81e3342d594fc57acd8e.exe
"C:\Users\Admin\AppData\Local\Temp\47bea8a28b1e81e3342d594fc57acd8e.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1944

C:\Users\Admin\AppData\Roaming\Payload.exe
"C:\Users\Admin\AppData\Roaming\Payload.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Payload.exe"
2⤵
- Views/modifies file attributes
PID:1356

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Hidden Files and Directories

1

T1158

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
Filesize
1KB

MD5
f345e1c49c052602fb8b548d39dade03

SHA1
e364dc4b0df7f219d56d1ed451685d5111cedac3

SHA256
71a185003b38f4acfd621c891f97cebdd92620bba7b300de8c66d793b18b0d92

SHA512
ff0e090bdf54a603d4174378b46e76be1a53a8590ed4a787a8f140978588da774602799e916359110a1d48f91bb2cbda0fef1c1b41f4d960feda0e18ecc569a3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
Filesize
1018B

MD5
1ad6c4d7d80b5303ae85569d6ccd6afa

SHA1
44ef9137278b1376d80b66d33501cc6cca6e456d

SHA256
867631ca4a0725392ced256f67d5ebaf917e3d7564c7e3189da3b8729dd7fa56

SHA512
d8d8cf943522721133b2fff2392563c3f947241c56edc918d74be92c08444ff2eadbbb23c822d2bc8b5e9999b743bec288aa23f54cab2c770fa50671ee215c03

Download Submit
C:\Users\Admin\AppData\Roaming\Payload.exe
Filesize
27KB

MD5
47bea8a28b1e81e3342d594fc57acd8e

SHA1
d301e8985e53b7baabf9b45df087a017e3817742

SHA256
8f04eb500e66a053fa3e6e8a9900e94e794218253a172265c3a881db6f65faf4

SHA512
d5f2bfa425fa0c8d7fe2531b57ed9dbe5ca9b8bb8b7a868e39b251182446a22bcf01c3181d17b3362bc2a76b56cda1e504db2436fafbf922ee2120f76e8d00b6

Download Submit
C:\Users\Admin\AppData\Roaming\Payload.exe
Filesize
27KB

MD5
47bea8a28b1e81e3342d594fc57acd8e

SHA1
d301e8985e53b7baabf9b45df087a017e3817742

SHA256
8f04eb500e66a053fa3e6e8a9900e94e794218253a172265c3a881db6f65faf4

SHA512
d5f2bfa425fa0c8d7fe2531b57ed9dbe5ca9b8bb8b7a868e39b251182446a22bcf01c3181d17b3362bc2a76b56cda1e504db2436fafbf922ee2120f76e8d00b6

Download Submit
\Users\Admin\AppData\Roaming\Payload.exe
Filesize
27KB

MD5
47bea8a28b1e81e3342d594fc57acd8e

SHA1
d301e8985e53b7baabf9b45df087a017e3817742

SHA256
8f04eb500e66a053fa3e6e8a9900e94e794218253a172265c3a881db6f65faf4

SHA512
d5f2bfa425fa0c8d7fe2531b57ed9dbe5ca9b8bb8b7a868e39b251182446a22bcf01c3181d17b3362bc2a76b56cda1e504db2436fafbf922ee2120f76e8d00b6

Download Submit
memory/1356-61-0x0000000000000000-mapping.dmp

Download
memory/1516-57-0x0000000000000000-mapping.dmp

Download
memory/1516-60-0x00000000003E0000-0x00000000003EE000-memory.dmp

Filesize
56KB

Download
memory/1944-54-0x0000000000DB0000-0x0000000000DBE000-memory.dmp

Filesize
56KB

Download
memory/1944-55-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads