njrat | f0e96a5e05511ef011d33261b364f046118f91e1d9053c397d1e6ac10c8c79aa

General

Target

f0e96a5e05511ef011d33261b364f046118f91e1d9053c397d1e6ac10c8c79aa.exe
Size

40KB
MD5

6a7b34aabcd7482e0c6acb99fd249d20
SHA1

25a6b8074e1323cff36d522c62d1121e7ebfc749
SHA256

f0e96a5e05511ef011d33261b364f046118f91e1d9053c397d1e6ac10c8c79aa
SHA512

482c4a801e35c236161cae4b5b2042e9f58cd5a7e2f61a9e21e030a73bb1ca3f4584869924f2da210b1b050b8d18876b0914c9f403ee86ad36b86be46f7ec4ae
SSDEEP

384:xoWtkEwn65rgjAsGipk55D16xgXakhbZD0mRvR6JZlbw8hqIusZzZSNl5:m7O89p2rRpcnuBl5

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

momodz.no-ip.biz:1177

Mutex

de24e18567ad7e555a79ab8b2c977563

Attributes

reg_key
de24e18567ad7e555a79ab8b2c977563
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

LocalWlKRdrugdz.exeserver.exe

pid process

1900 LocalWlKRdrugdz.exe
1676 server.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1276 netsh.exe

pid	process
1900	LocalWlKRdrugdz.exe
1676	server.exe

pid	process
1276	netsh.exe

Drops startup file 2 IoCs

Processes:

server.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\de24e18567ad7e555a79ab8b2c977563.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\de24e18567ad7e555a79ab8b2c977563.exe	server.exe

Loads dropped DLL 1 IoCs

Processes:

LocalWlKRdrugdz.exe

pid process

1900 LocalWlKRdrugdz.exe

pid	process
1900	LocalWlKRdrugdz.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

server.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\de24e18567ad7e555a79ab8b2c977563 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\de24e18567ad7e555a79ab8b2c977563 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

server.exe

description	pid	process
Token: SeDebugPrivilege	1676	server.exe
Token: 33	1676	server.exe
Token: SeIncBasePriorityPrivilege	1676	server.exe
Token: 33	1676	server.exe
Token: SeIncBasePriorityPrivilege	1676	server.exe
Token: 33	1676	server.exe
Token: SeIncBasePriorityPrivilege	1676	server.exe
Token: 33	1676	server.exe
Token: SeIncBasePriorityPrivilege	1676	server.exe
Token: 33	1676	server.exe
Token: SeIncBasePriorityPrivilege	1676	server.exe
Token: 33	1676	server.exe
Token: SeIncBasePriorityPrivilege	1676	server.exe
Token: 33	1676	server.exe
Token: SeIncBasePriorityPrivilege	1676	server.exe
Token: 33	1676	server.exe
Token: SeIncBasePriorityPrivilege	1676	server.exe
Token: 33	1676	server.exe
Token: SeIncBasePriorityPrivilege	1676	server.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

f0e96a5e05511ef011d33261b364f046118f91e1d9053c397d1e6ac10c8c79aa.exeLocalWlKRdrugdz.exeserver.exe

description	pid	process	target process
PID 948 wrote to memory of 1900	948	f0e96a5e05511ef011d33261b364f046118f91e1d9053c397d1e6ac10c8c79aa.exe	LocalWlKRdrugdz.exe
PID 948 wrote to memory of 1900	948	f0e96a5e05511ef011d33261b364f046118f91e1d9053c397d1e6ac10c8c79aa.exe	LocalWlKRdrugdz.exe
PID 948 wrote to memory of 1900	948	f0e96a5e05511ef011d33261b364f046118f91e1d9053c397d1e6ac10c8c79aa.exe	LocalWlKRdrugdz.exe
PID 948 wrote to memory of 1900	948	f0e96a5e05511ef011d33261b364f046118f91e1d9053c397d1e6ac10c8c79aa.exe	LocalWlKRdrugdz.exe
PID 1900 wrote to memory of 1676	1900	LocalWlKRdrugdz.exe	server.exe
PID 1900 wrote to memory of 1676	1900	LocalWlKRdrugdz.exe	server.exe
PID 1900 wrote to memory of 1676	1900	LocalWlKRdrugdz.exe	server.exe
PID 1900 wrote to memory of 1676	1900	LocalWlKRdrugdz.exe	server.exe
PID 1676 wrote to memory of 1276	1676	server.exe	netsh.exe
PID 1676 wrote to memory of 1276	1676	server.exe	netsh.exe
PID 1676 wrote to memory of 1276	1676	server.exe	netsh.exe
PID 1676 wrote to memory of 1276	1676	server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\f0e96a5e05511ef011d33261b364f046118f91e1d9053c397d1e6ac10c8c79aa.exe
"C:\Users\Admin\AppData\Local\Temp\f0e96a5e05511ef011d33261b364f046118f91e1d9053c397d1e6ac10c8c79aa.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:948

C:\Users\Admin\AppData\LocalWlKRdrugdz.exe
"C:\Users\Admin\AppData\LocalWlKRdrugdz.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1900

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:1276

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalWlKRdrugdz.exe
Filesize
23KB

MD5
d25bf8c4fd693697735916736f012495

SHA1
9c774d2da0ab6370a426a841079798be46e45051

SHA256
f1ec9ecc4819d1d3262590e55527904ac2ba91374c10d0ef3de5411c0f59c5df

SHA512
a33c0c4428be2d247c59446bac5bf71637c478e1c028828db3d9ae81c933a6e4b88c7b12d594b45903e68b56ea27120eef0086da24c3c67e689fb41f3a56812f

Download Submit
C:\Users\Admin\AppData\LocalWlKRdrugdz.exe
Filesize
23KB

MD5
d25bf8c4fd693697735916736f012495

SHA1
9c774d2da0ab6370a426a841079798be46e45051

SHA256
f1ec9ecc4819d1d3262590e55527904ac2ba91374c10d0ef3de5411c0f59c5df

SHA512
a33c0c4428be2d247c59446bac5bf71637c478e1c028828db3d9ae81c933a6e4b88c7b12d594b45903e68b56ea27120eef0086da24c3c67e689fb41f3a56812f

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
23KB

MD5
d25bf8c4fd693697735916736f012495

SHA1
9c774d2da0ab6370a426a841079798be46e45051

SHA256
f1ec9ecc4819d1d3262590e55527904ac2ba91374c10d0ef3de5411c0f59c5df

SHA512
a33c0c4428be2d247c59446bac5bf71637c478e1c028828db3d9ae81c933a6e4b88c7b12d594b45903e68b56ea27120eef0086da24c3c67e689fb41f3a56812f

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
23KB

MD5
d25bf8c4fd693697735916736f012495

SHA1
9c774d2da0ab6370a426a841079798be46e45051

SHA256
f1ec9ecc4819d1d3262590e55527904ac2ba91374c10d0ef3de5411c0f59c5df

SHA512
a33c0c4428be2d247c59446bac5bf71637c478e1c028828db3d9ae81c933a6e4b88c7b12d594b45903e68b56ea27120eef0086da24c3c67e689fb41f3a56812f

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe
Filesize
23KB

MD5
d25bf8c4fd693697735916736f012495

SHA1
9c774d2da0ab6370a426a841079798be46e45051

SHA256
f1ec9ecc4819d1d3262590e55527904ac2ba91374c10d0ef3de5411c0f59c5df

SHA512
a33c0c4428be2d247c59446bac5bf71637c478e1c028828db3d9ae81c933a6e4b88c7b12d594b45903e68b56ea27120eef0086da24c3c67e689fb41f3a56812f

Download Submit
memory/948-60-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/948-54-0x000007FEF49A0000-0x000007FEF53C3000-memory.dmp

Filesize
10.1MB

Download
memory/948-55-0x000007FEFC591000-0x000007FEFC593000-memory.dmp

Filesize
8KB

Download
memory/1276-69-0x0000000000000000-mapping.dmp

Download
memory/1676-63-0x0000000000000000-mapping.dmp

Download
memory/1676-68-0x0000000074DB0000-0x000000007535B000-memory.dmp

Filesize
5.7MB

Download
memory/1676-71-0x0000000074DB0000-0x000000007535B000-memory.dmp

Filesize
5.7MB

Download
memory/1900-59-0x0000000076961000-0x0000000076963000-memory.dmp

Filesize
8KB

Download
memory/1900-61-0x0000000074DB0000-0x000000007535B000-memory.dmp

Filesize
5.7MB

Download
memory/1900-56-0x0000000000000000-mapping.dmp

Download
memory/1900-67-0x0000000074DB0000-0x000000007535B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads