njrat | 241f37fd8dace0aa706ee2e30ecceb715118ec0b8971284586f52bbb2d74f48b

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
22-09-2022 09:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e4af6db3b00aac1f959e61d762837d2.exe
Size

27KB
MD5

1e4af6db3b00aac1f959e61d762837d2
SHA1

5dc86c39c1993e8e80d6051e5b985ce66d8e4624
SHA256

241f37fd8dace0aa706ee2e30ecceb715118ec0b8971284586f52bbb2d74f48b
SHA512

624ca25290ee7acb0c1b2a7ddc3c44f91c5a65a9672713336830ecb4f95272fd71fbab128d2b880eea258c4c4626854c31577c5f1b79dbb2591912449ca8ccb7
SSDEEP

384:FELam4PanO4Y7pcdYGiTOCsPodxxMzAQk93vmhm7UMKmIEecKdbXTzm9bVhcaB6N:c63vc7OQzA/vMHTi9bD

Score

10^/10

njrat hacked trojan

Malware Config

Extracted

Family

njrat

Version

v4.0

Botnet

HacKed

51.103.25.183:5552

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Drops startup file 1 IoCs

Processes:

1e4af6db3b00aac1f959e61d762837d2.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	1e4af6db3b00aac1f959e61d762837d2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

1e4af6db3b00aac1f959e61d762837d2.exe

description	pid	process
Token: SeDebugPrivilege	740	1e4af6db3b00aac1f959e61d762837d2.exe
Token: 33	740	1e4af6db3b00aac1f959e61d762837d2.exe
Token: SeIncBasePriorityPrivilege	740	1e4af6db3b00aac1f959e61d762837d2.exe
Token: 33	740	1e4af6db3b00aac1f959e61d762837d2.exe
Token: SeIncBasePriorityPrivilege	740	1e4af6db3b00aac1f959e61d762837d2.exe
Token: 33	740	1e4af6db3b00aac1f959e61d762837d2.exe
Token: SeIncBasePriorityPrivilege	740	1e4af6db3b00aac1f959e61d762837d2.exe
Token: 33	740	1e4af6db3b00aac1f959e61d762837d2.exe
Token: SeIncBasePriorityPrivilege	740	1e4af6db3b00aac1f959e61d762837d2.exe
Token: 33	740	1e4af6db3b00aac1f959e61d762837d2.exe
Token: SeIncBasePriorityPrivilege	740	1e4af6db3b00aac1f959e61d762837d2.exe
Token: 33	740	1e4af6db3b00aac1f959e61d762837d2.exe
Token: SeIncBasePriorityPrivilege	740	1e4af6db3b00aac1f959e61d762837d2.exe
Token: 33	740	1e4af6db3b00aac1f959e61d762837d2.exe
Token: SeIncBasePriorityPrivilege	740	1e4af6db3b00aac1f959e61d762837d2.exe
Token: 33	740	1e4af6db3b00aac1f959e61d762837d2.exe
Token: SeIncBasePriorityPrivilege	740	1e4af6db3b00aac1f959e61d762837d2.exe
Token: 33	740	1e4af6db3b00aac1f959e61d762837d2.exe
Token: SeIncBasePriorityPrivilege	740	1e4af6db3b00aac1f959e61d762837d2.exe
Token: 33	740	1e4af6db3b00aac1f959e61d762837d2.exe
Token: SeIncBasePriorityPrivilege	740	1e4af6db3b00aac1f959e61d762837d2.exe
Token: 33	740	1e4af6db3b00aac1f959e61d762837d2.exe
Token: SeIncBasePriorityPrivilege	740	1e4af6db3b00aac1f959e61d762837d2.exe
Token: 33	740	1e4af6db3b00aac1f959e61d762837d2.exe
Token: SeIncBasePriorityPrivilege	740	1e4af6db3b00aac1f959e61d762837d2.exe
Token: 33	740	1e4af6db3b00aac1f959e61d762837d2.exe
Token: SeIncBasePriorityPrivilege	740	1e4af6db3b00aac1f959e61d762837d2.exe
Token: 33	740	1e4af6db3b00aac1f959e61d762837d2.exe
Token: SeIncBasePriorityPrivilege	740	1e4af6db3b00aac1f959e61d762837d2.exe
Token: 33	740	1e4af6db3b00aac1f959e61d762837d2.exe
Token: SeIncBasePriorityPrivilege	740	1e4af6db3b00aac1f959e61d762837d2.exe
Token: 33	740	1e4af6db3b00aac1f959e61d762837d2.exe
Token: SeIncBasePriorityPrivilege	740	1e4af6db3b00aac1f959e61d762837d2.exe
Token: 33	740	1e4af6db3b00aac1f959e61d762837d2.exe
Token: SeIncBasePriorityPrivilege	740	1e4af6db3b00aac1f959e61d762837d2.exe

C:\Users\Admin\AppData\Local\Temp\1e4af6db3b00aac1f959e61d762837d2.exe
"C:\Users\Admin\AppData\Local\Temp\1e4af6db3b00aac1f959e61d762837d2.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:740

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/740-132-0x0000000000AC0000-0x0000000000ACE000-memory.dmp

Filesize
56KB

Download
memory/740-133-0x00000000054B0000-0x000000000554C000-memory.dmp

Filesize
624KB

Download
memory/740-134-0x0000000006270000-0x0000000006814000-memory.dmp

Filesize
5.6MB

Download
memory/740-135-0x0000000005DA0000-0x0000000005E32000-memory.dmp

Filesize
584KB

Download
memory/740-136-0x0000000005D90000-0x0000000005D9A000-memory.dmp

Filesize
40KB

Download
memory/740-137-0x0000000005FA0000-0x0000000006006000-memory.dmp

Filesize
408KB

Download