njrat | aef2a2e45deff880a7b64d6f79e0b9441916afaa230440d07ca28e5560ff0ea0

Analysis

max time kernel
151s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
01-10-2022 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aef2a2e45deff880a7b64d6f79e0b9441916afaa230440d07ca28e5560ff0ea0.exe
Size

137KB
MD5

7290d6c5b840d629b677940ba7864850
SHA1

46d8fdaf6386cd259ae9dc6fd273bfbc215f9b3b
SHA256

aef2a2e45deff880a7b64d6f79e0b9441916afaa230440d07ca28e5560ff0ea0
SHA512

94a7b9b36ccb1813708037a07cec10324d69cda9c7dc3f4db205489bf03af99868d933486093a07fdd0b4cba2a2050dd8a6ae00b4627c47f9f591c70ecfefea2
SSDEEP

3072:Cnj9jtfU+INndIc0JQ5iKVk25T6nd8a9bK6PvA95hESK0A:CjbeimJTAd8d6n05hT0

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

trung0979774557.homeip.net:5552

Mutex

192936889c1ad904a258ba1ec13299b3

Attributes

reg_key
192936889c1ad904a258ba1ec13299b3
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 8 IoCs

Processes:

B.exeB.exeB.exeB.exeserver.exeserver.exeserver.exeserver.exe

pid process

1944 B.exe
2080 B.exe
3852 B.exe
3768 B.exe
4104 server.exe
4892 server.exe
3732 server.exe
2752 server.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

4400 netsh.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

B.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation B.exe

pid	process
1944	B.exe
2080	B.exe
3852	B.exe
3768	B.exe
4104	server.exe
4892	server.exe
3732	server.exe
2752	server.exe

pid	process
4400	netsh.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	B.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

aef2a2e45deff880a7b64d6f79e0b9441916afaa230440d07ca28e5560ff0ea0.exeserver.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	aef2a2e45deff880a7b64d6f79e0b9441916afaa230440d07ca28e5560ff0ea0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	aef2a2e45deff880a7b64d6f79e0b9441916afaa230440d07ca28e5560ff0ea0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\192936889c1ad904a258ba1ec13299b3 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\192936889c1ad904a258ba1ec13299b3 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

B.exeserver.exe

description pid process target process

PID 1944 set thread context of 3768 1944 B.exe B.exe
PID 4104 set thread context of 2752 4104 server.exe server.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

B.exeserver.exe

pid process

1944 B.exe
1944 B.exe
4104 server.exe
4104 server.exe

description	pid	process	target process
PID 1944 set thread context of 3768	1944	B.exe	B.exe
PID 4104 set thread context of 2752	4104	server.exe	server.exe

pid	process
1944	B.exe
1944	B.exe
4104	server.exe
4104	server.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

B.exeserver.exeserver.exe

description	pid	process
Token: SeDebugPrivilege	1944	B.exe
Token: SeDebugPrivilege	4104	server.exe
Token: SeDebugPrivilege	2752	server.exe
Token: 33	2752	server.exe
Token: SeIncBasePriorityPrivilege	2752	server.exe
Token: 33	2752	server.exe
Token: SeIncBasePriorityPrivilege	2752	server.exe
Token: 33	2752	server.exe
Token: SeIncBasePriorityPrivilege	2752	server.exe
Token: 33	2752	server.exe
Token: SeIncBasePriorityPrivilege	2752	server.exe
Token: 33	2752	server.exe
Token: SeIncBasePriorityPrivilege	2752	server.exe
Token: 33	2752	server.exe
Token: SeIncBasePriorityPrivilege	2752	server.exe
Token: 33	2752	server.exe
Token: SeIncBasePriorityPrivilege	2752	server.exe
Token: 33	2752	server.exe
Token: SeIncBasePriorityPrivilege	2752	server.exe
Token: 33	2752	server.exe
Token: SeIncBasePriorityPrivilege	2752	server.exe
Token: 33	2752	server.exe
Token: SeIncBasePriorityPrivilege	2752	server.exe
Token: 33	2752	server.exe
Token: SeIncBasePriorityPrivilege	2752	server.exe
Token: 33	2752	server.exe
Token: SeIncBasePriorityPrivilege	2752	server.exe
Token: 33	2752	server.exe
Token: SeIncBasePriorityPrivilege	2752	server.exe
Token: 33	2752	server.exe
Token: SeIncBasePriorityPrivilege	2752	server.exe
Token: 33	2752	server.exe
Token: SeIncBasePriorityPrivilege	2752	server.exe
Token: 33	2752	server.exe
Token: SeIncBasePriorityPrivilege	2752	server.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

aef2a2e45deff880a7b64d6f79e0b9441916afaa230440d07ca28e5560ff0ea0.exeB.exeB.exeserver.exeserver.exe

description	pid	process	target process
PID 4976 wrote to memory of 1944	4976	aef2a2e45deff880a7b64d6f79e0b9441916afaa230440d07ca28e5560ff0ea0.exe	B.exe
PID 4976 wrote to memory of 1944	4976	aef2a2e45deff880a7b64d6f79e0b9441916afaa230440d07ca28e5560ff0ea0.exe	B.exe
PID 4976 wrote to memory of 1944	4976	aef2a2e45deff880a7b64d6f79e0b9441916afaa230440d07ca28e5560ff0ea0.exe	B.exe
PID 1944 wrote to memory of 2080	1944	B.exe	B.exe
PID 1944 wrote to memory of 2080	1944	B.exe	B.exe
PID 1944 wrote to memory of 2080	1944	B.exe	B.exe
PID 1944 wrote to memory of 3852	1944	B.exe	B.exe
PID 1944 wrote to memory of 3852	1944	B.exe	B.exe
PID 1944 wrote to memory of 3852	1944	B.exe	B.exe
PID 1944 wrote to memory of 3768	1944	B.exe	B.exe
PID 1944 wrote to memory of 3768	1944	B.exe	B.exe
PID 1944 wrote to memory of 3768	1944	B.exe	B.exe
PID 1944 wrote to memory of 3768	1944	B.exe	B.exe
PID 1944 wrote to memory of 3768	1944	B.exe	B.exe
PID 1944 wrote to memory of 3768	1944	B.exe	B.exe
PID 1944 wrote to memory of 3768	1944	B.exe	B.exe
PID 1944 wrote to memory of 3768	1944	B.exe	B.exe
PID 1944 wrote to memory of 3768	1944	B.exe	B.exe
PID 3768 wrote to memory of 4104	3768	B.exe	server.exe
PID 3768 wrote to memory of 4104	3768	B.exe	server.exe
PID 3768 wrote to memory of 4104	3768	B.exe	server.exe
PID 4104 wrote to memory of 4892	4104	server.exe	server.exe
PID 4104 wrote to memory of 4892	4104	server.exe	server.exe
PID 4104 wrote to memory of 4892	4104	server.exe	server.exe
PID 4104 wrote to memory of 3732	4104	server.exe	server.exe
PID 4104 wrote to memory of 3732	4104	server.exe	server.exe
PID 4104 wrote to memory of 3732	4104	server.exe	server.exe
PID 4104 wrote to memory of 2752	4104	server.exe	server.exe
PID 4104 wrote to memory of 2752	4104	server.exe	server.exe
PID 4104 wrote to memory of 2752	4104	server.exe	server.exe
PID 4104 wrote to memory of 2752	4104	server.exe	server.exe
PID 4104 wrote to memory of 2752	4104	server.exe	server.exe
PID 4104 wrote to memory of 2752	4104	server.exe	server.exe
PID 4104 wrote to memory of 2752	4104	server.exe	server.exe
PID 4104 wrote to memory of 2752	4104	server.exe	server.exe
PID 4104 wrote to memory of 2752	4104	server.exe	server.exe
PID 2752 wrote to memory of 4400	2752	server.exe	netsh.exe
PID 2752 wrote to memory of 4400	2752	server.exe	netsh.exe
PID 2752 wrote to memory of 4400	2752	server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\aef2a2e45deff880a7b64d6f79e0b9441916afaa230440d07ca28e5560ff0ea0.exe
"C:\Users\Admin\AppData\Local\Temp\aef2a2e45deff880a7b64d6f79e0b9441916afaa230440d07ca28e5560ff0ea0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4976

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\B.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\B.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1944

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\B.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\B.exe
3⤵
- Executes dropped EXE
PID:2080

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\B.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\B.exe
3⤵
- Executes dropped EXE
PID:3852

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\B.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\B.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3768

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4104

C:\Users\Admin\AppData\Local\Temp\server.exe
C:\Users\Admin\AppData\Local\Temp\server.exe
5⤵
- Executes dropped EXE
PID:3732

C:\Users\Admin\AppData\Local\Temp\server.exe
C:\Users\Admin\AppData\Local\Temp\server.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2752

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
6⤵
- Modifies Windows Firewall
PID:4400

C:\Users\Admin\AppData\Local\Temp\server.exe
C:\Users\Admin\AppData\Local\Temp\server.exe
5⤵
- Executes dropped EXE
PID:4892

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\CSIDL_
Filesize
64KB

MD5
e55002c9131eb52ae05d4a5ce0c8659a

SHA1
72515fb30347176ec0310eab22720a077f762c22

SHA256
6bc0a5d9f2b33cf7c5289a6c74fd311add64dd9ad7e674b1bbebc4df4fdb7890

SHA512
6fa33d9f2faf217b7933f5fc7655876d545c9a58631c5d97bd2328d82d4e604413da2023b9e248935523333bb6b4f4ca1507149c3d1b57f2ace973f0d9750ce3

Download Submit
C:\Users\Admin\AppData\Local\CSIDL_X
Filesize
64KB

MD5
e55002c9131eb52ae05d4a5ce0c8659a

SHA1
72515fb30347176ec0310eab22720a077f762c22

SHA256
6bc0a5d9f2b33cf7c5289a6c74fd311add64dd9ad7e674b1bbebc4df4fdb7890

SHA512
6fa33d9f2faf217b7933f5fc7655876d545c9a58631c5d97bd2328d82d4e604413da2023b9e248935523333bb6b4f4ca1507149c3d1b57f2ace973f0d9750ce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\B.ex_
Filesize
64KB

MD5
e55002c9131eb52ae05d4a5ce0c8659a

SHA1
72515fb30347176ec0310eab22720a077f762c22

SHA256
6bc0a5d9f2b33cf7c5289a6c74fd311add64dd9ad7e674b1bbebc4df4fdb7890

SHA512
6fa33d9f2faf217b7933f5fc7655876d545c9a58631c5d97bd2328d82d4e604413da2023b9e248935523333bb6b4f4ca1507149c3d1b57f2ace973f0d9750ce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\B.exe
Filesize
40KB

MD5
67eeab292f21456677476f6139574c00

SHA1
7cc0dfbd6a7b34334049eb877770bdf9e377be9d

SHA256
01715e84d2abaab8f786b656b17fc5ce653e7d0b42468abadff24c5d1d63ee6e

SHA512
3def31df679ad447e2a53b21033453f75d17e7e6c711ee883a5f6c60ddc8fa5159ba82a7a40999354e29df29a92539a0e2eb609ba066fb942081624ea8e4cb60

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\B.exe
Filesize
40KB

MD5
67eeab292f21456677476f6139574c00

SHA1
7cc0dfbd6a7b34334049eb877770bdf9e377be9d

SHA256
01715e84d2abaab8f786b656b17fc5ce653e7d0b42468abadff24c5d1d63ee6e

SHA512
3def31df679ad447e2a53b21033453f75d17e7e6c711ee883a5f6c60ddc8fa5159ba82a7a40999354e29df29a92539a0e2eb609ba066fb942081624ea8e4cb60

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\B.exe
Filesize
40KB

MD5
67eeab292f21456677476f6139574c00

SHA1
7cc0dfbd6a7b34334049eb877770bdf9e377be9d

SHA256
01715e84d2abaab8f786b656b17fc5ce653e7d0b42468abadff24c5d1d63ee6e

SHA512
3def31df679ad447e2a53b21033453f75d17e7e6c711ee883a5f6c60ddc8fa5159ba82a7a40999354e29df29a92539a0e2eb609ba066fb942081624ea8e4cb60

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\B.exe
Filesize
40KB

MD5
67eeab292f21456677476f6139574c00

SHA1
7cc0dfbd6a7b34334049eb877770bdf9e377be9d

SHA256
01715e84d2abaab8f786b656b17fc5ce653e7d0b42468abadff24c5d1d63ee6e

SHA512
3def31df679ad447e2a53b21033453f75d17e7e6c711ee883a5f6c60ddc8fa5159ba82a7a40999354e29df29a92539a0e2eb609ba066fb942081624ea8e4cb60

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\B.exe
Filesize
40KB

MD5
67eeab292f21456677476f6139574c00

SHA1
7cc0dfbd6a7b34334049eb877770bdf9e377be9d

SHA256
01715e84d2abaab8f786b656b17fc5ce653e7d0b42468abadff24c5d1d63ee6e

SHA512
3def31df679ad447e2a53b21033453f75d17e7e6c711ee883a5f6c60ddc8fa5159ba82a7a40999354e29df29a92539a0e2eb609ba066fb942081624ea8e4cb60

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
40KB

MD5
67eeab292f21456677476f6139574c00

SHA1
7cc0dfbd6a7b34334049eb877770bdf9e377be9d

SHA256
01715e84d2abaab8f786b656b17fc5ce653e7d0b42468abadff24c5d1d63ee6e

SHA512
3def31df679ad447e2a53b21033453f75d17e7e6c711ee883a5f6c60ddc8fa5159ba82a7a40999354e29df29a92539a0e2eb609ba066fb942081624ea8e4cb60

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
40KB

MD5
67eeab292f21456677476f6139574c00

SHA1
7cc0dfbd6a7b34334049eb877770bdf9e377be9d

SHA256
01715e84d2abaab8f786b656b17fc5ce653e7d0b42468abadff24c5d1d63ee6e

SHA512
3def31df679ad447e2a53b21033453f75d17e7e6c711ee883a5f6c60ddc8fa5159ba82a7a40999354e29df29a92539a0e2eb609ba066fb942081624ea8e4cb60

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
40KB

MD5
67eeab292f21456677476f6139574c00

SHA1
7cc0dfbd6a7b34334049eb877770bdf9e377be9d

SHA256
01715e84d2abaab8f786b656b17fc5ce653e7d0b42468abadff24c5d1d63ee6e

SHA512
3def31df679ad447e2a53b21033453f75d17e7e6c711ee883a5f6c60ddc8fa5159ba82a7a40999354e29df29a92539a0e2eb609ba066fb942081624ea8e4cb60

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
40KB

MD5
67eeab292f21456677476f6139574c00

SHA1
7cc0dfbd6a7b34334049eb877770bdf9e377be9d

SHA256
01715e84d2abaab8f786b656b17fc5ce653e7d0b42468abadff24c5d1d63ee6e

SHA512
3def31df679ad447e2a53b21033453f75d17e7e6c711ee883a5f6c60ddc8fa5159ba82a7a40999354e29df29a92539a0e2eb609ba066fb942081624ea8e4cb60

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
40KB

MD5
67eeab292f21456677476f6139574c00

SHA1
7cc0dfbd6a7b34334049eb877770bdf9e377be9d

SHA256
01715e84d2abaab8f786b656b17fc5ce653e7d0b42468abadff24c5d1d63ee6e

SHA512
3def31df679ad447e2a53b21033453f75d17e7e6c711ee883a5f6c60ddc8fa5159ba82a7a40999354e29df29a92539a0e2eb609ba066fb942081624ea8e4cb60

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startupx\system.pif
Filesize
40KB

MD5
67eeab292f21456677476f6139574c00

SHA1
7cc0dfbd6a7b34334049eb877770bdf9e377be9d

SHA256
01715e84d2abaab8f786b656b17fc5ce653e7d0b42468abadff24c5d1d63ee6e

SHA512
3def31df679ad447e2a53b21033453f75d17e7e6c711ee883a5f6c60ddc8fa5159ba82a7a40999354e29df29a92539a0e2eb609ba066fb942081624ea8e4cb60

Download Submit
memory/1944-135-0x0000000000000000-mapping.dmp

Download
memory/1944-163-0x0000000074AA0000-0x0000000075051000-memory.dmp

Filesize
5.7MB

Download
memory/1944-146-0x0000000074AA0000-0x0000000075051000-memory.dmp

Filesize
5.7MB

Download
memory/2080-139-0x0000000000000000-mapping.dmp

Download
memory/2752-168-0x0000000074AA0000-0x0000000075051000-memory.dmp

Filesize
5.7MB

Download
memory/2752-160-0x0000000000000000-mapping.dmp

Download
memory/2752-165-0x0000000074AA0000-0x0000000075051000-memory.dmp

Filesize
5.7MB

Download
memory/3732-158-0x0000000000000000-mapping.dmp

Download
memory/3768-144-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3768-147-0x0000000074AA0000-0x0000000075051000-memory.dmp

Filesize
5.7MB

Download
memory/3768-143-0x0000000000000000-mapping.dmp

Download
memory/3768-151-0x0000000074AA0000-0x0000000075051000-memory.dmp

Filesize
5.7MB

Download
memory/3852-141-0x0000000000000000-mapping.dmp

Download
memory/4104-152-0x0000000074AA0000-0x0000000075051000-memory.dmp

Filesize
5.7MB

Download
memory/4104-164-0x0000000005F60000-0x0000000005F64000-memory.dmp

Filesize
16KB

Download
memory/4104-166-0x0000000074AA0000-0x0000000075051000-memory.dmp

Filesize
5.7MB

Download
memory/4104-148-0x0000000000000000-mapping.dmp

Download
memory/4400-167-0x0000000000000000-mapping.dmp

Download
memory/4892-156-0x0000000000000000-mapping.dmp

Download