njrat | 60592be138b3cadecfacb31c2ecffad95a20030adae364f4dafb9932d56dd572

Analysis

max time kernel
142s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2022 09:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60592be138b3cadecfacb31c2ecffad95a20030adae364f4dafb9932d56dd572.exe
Size

29KB
MD5

70403e78e612e435c81f467218ab19c0
SHA1

ec2408407bb925b36adf3372d83480fc67bf4986
SHA256

60592be138b3cadecfacb31c2ecffad95a20030adae364f4dafb9932d56dd572
SHA512

04fc7c62b73d26c0558592c86975e3a3eeb9fb122f13a40987bbe36470cc0002863048ea216eba0b736fd667a8730cbf0295e7895f2a36649c27d0db7e0e8a20
SSDEEP

384:h9gJGJl7tj1Msagab1h5Vh+2CWmqDebD59ePbGBsbh0w4wlAokw9OhgOL1vYRGOf:ht7nMsanzR+2cqEDveyBKh0p29SgR4w

Score

10^/10

njrat hacked trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

ahmed12300.no-ip.biz:1177

Mutex

5cd8f17f4086744065eb0992a09e05a2

Attributes

reg_key
5cd8f17f4086744065eb0992a09e05a2
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

Trojan.exe

pid process

4116 Trojan.exe

pid	process
4116	Trojan.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

60592be138b3cadecfacb31c2ecffad95a20030adae364f4dafb9932d56dd572.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	60592be138b3cadecfacb31c2ecffad95a20030adae364f4dafb9932d56dd572.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

60592be138b3cadecfacb31c2ecffad95a20030adae364f4dafb9932d56dd572.exe

description	pid	process	target process
PID 3524 wrote to memory of 4116	3524	60592be138b3cadecfacb31c2ecffad95a20030adae364f4dafb9932d56dd572.exe	Trojan.exe
PID 3524 wrote to memory of 4116	3524	60592be138b3cadecfacb31c2ecffad95a20030adae364f4dafb9932d56dd572.exe	Trojan.exe
PID 3524 wrote to memory of 4116	3524	60592be138b3cadecfacb31c2ecffad95a20030adae364f4dafb9932d56dd572.exe	Trojan.exe

C:\Users\Admin\AppData\Local\Temp\60592be138b3cadecfacb31c2ecffad95a20030adae364f4dafb9932d56dd572.exe
"C:\Users\Admin\AppData\Local\Temp\60592be138b3cadecfacb31c2ecffad95a20030adae364f4dafb9932d56dd572.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3524

C:\Users\Admin\AppData\Local\Temp\Trojan.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
2⤵
- Executes dropped EXE
PID:4116

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Trojan.exe
Filesize
29KB

MD5
70403e78e612e435c81f467218ab19c0

SHA1
ec2408407bb925b36adf3372d83480fc67bf4986

SHA256
60592be138b3cadecfacb31c2ecffad95a20030adae364f4dafb9932d56dd572

SHA512
04fc7c62b73d26c0558592c86975e3a3eeb9fb122f13a40987bbe36470cc0002863048ea216eba0b736fd667a8730cbf0295e7895f2a36649c27d0db7e0e8a20

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
Filesize
29KB

MD5
70403e78e612e435c81f467218ab19c0

SHA1
ec2408407bb925b36adf3372d83480fc67bf4986

SHA256
60592be138b3cadecfacb31c2ecffad95a20030adae364f4dafb9932d56dd572

SHA512
04fc7c62b73d26c0558592c86975e3a3eeb9fb122f13a40987bbe36470cc0002863048ea216eba0b736fd667a8730cbf0295e7895f2a36649c27d0db7e0e8a20

Download Submit
memory/3524-132-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/3524-137-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/3524-140-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/4116-133-0x0000000000000000-mapping.dmp

Download
memory/4116-136-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/4116-138-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/4116-139-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download