njrat | 8b40040cf08471cecbad21a1199b23336bcca69d97220ef0e592fe5106d118f2

Analysis

max time kernel
152s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2022 09:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b40040cf08471cecbad21a1199b23336bcca69d97220ef0e592fe5106d118f2.exe
Size

66KB
MD5

678736f0c01d5772c5fe8f17c2a2f0a0
SHA1

6fd5092205a163cdd409a28a321221d4e12ebc96
SHA256

8b40040cf08471cecbad21a1199b23336bcca69d97220ef0e592fe5106d118f2
SHA512

8d9f62978cf91e597d4a8e19e2747a5d70fcbb42deaf3c4036a0c15454a959f59ca2350f4d30ce55cf09bd25f0cdf7f5004240d24c9ba374d72a72728fb21830
SSDEEP

1536:i7hWVUJZKhG29jD4Uj2qkSZZZ3gdt7j2qkSZZZD:sWVcQA29djYUG7jYi

Score

10^/10

njrat hacked evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

redwaneboudaa.zapto.org:1177

Mutex

6041060f82ac9ecc2165d44257f9aec8

Attributes

reg_key
6041060f82ac9ecc2165d44257f9aec8
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

rida.exe

pid process

844 rida.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

4512 netsh.exe

pid	process
4512	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8b40040cf08471cecbad21a1199b23336bcca69d97220ef0e592fe5106d118f2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	8b40040cf08471cecbad21a1199b23336bcca69d97220ef0e592fe5106d118f2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

rida.exe

pid	process
844	rida.exe
844	rida.exe
844	rida.exe
844	rida.exe
844	rida.exe
844	rida.exe
844	rida.exe
844	rida.exe
844	rida.exe
844	rida.exe
844	rida.exe
844	rida.exe
844	rida.exe
844	rida.exe
844	rida.exe
844	rida.exe
844	rida.exe
844	rida.exe
844	rida.exe
844	rida.exe
844	rida.exe
844	rida.exe
844	rida.exe
844	rida.exe
844	rida.exe
844	rida.exe
844	rida.exe
844	rida.exe
844	rida.exe
844	rida.exe
844	rida.exe
844	rida.exe
844	rida.exe
844	rida.exe
844	rida.exe
844	rida.exe
844	rida.exe
844	rida.exe
844	rida.exe
844	rida.exe
844	rida.exe
844	rida.exe
844	rida.exe
844	rida.exe
844	rida.exe
844	rida.exe
844	rida.exe
844	rida.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rida.exe

description pid process

Token: SeDebugPrivilege 844 rida.exe

description	pid	process
Token: SeDebugPrivilege	844	rida.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

8b40040cf08471cecbad21a1199b23336bcca69d97220ef0e592fe5106d118f2.exerida.exe

description	pid	process	target process
PID 816 wrote to memory of 844	816	8b40040cf08471cecbad21a1199b23336bcca69d97220ef0e592fe5106d118f2.exe	rida.exe
PID 816 wrote to memory of 844	816	8b40040cf08471cecbad21a1199b23336bcca69d97220ef0e592fe5106d118f2.exe	rida.exe
PID 816 wrote to memory of 844	816	8b40040cf08471cecbad21a1199b23336bcca69d97220ef0e592fe5106d118f2.exe	rida.exe
PID 844 wrote to memory of 4512	844	rida.exe	netsh.exe
PID 844 wrote to memory of 4512	844	rida.exe	netsh.exe
PID 844 wrote to memory of 4512	844	rida.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\8b40040cf08471cecbad21a1199b23336bcca69d97220ef0e592fe5106d118f2.exe
"C:\Users\Admin\AppData\Local\Temp\8b40040cf08471cecbad21a1199b23336bcca69d97220ef0e592fe5106d118f2.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:816

C:\Users\Admin\AppData\Local\Temp\rida.exe
"C:\Users\Admin\AppData\Local\Temp\rida.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:844

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\rida.exe" "rida.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:4512

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rida.exe
Filesize
66KB

MD5
678736f0c01d5772c5fe8f17c2a2f0a0

SHA1
6fd5092205a163cdd409a28a321221d4e12ebc96

SHA256
8b40040cf08471cecbad21a1199b23336bcca69d97220ef0e592fe5106d118f2

SHA512
8d9f62978cf91e597d4a8e19e2747a5d70fcbb42deaf3c4036a0c15454a959f59ca2350f4d30ce55cf09bd25f0cdf7f5004240d24c9ba374d72a72728fb21830

Download Submit
C:\Users\Admin\AppData\Local\Temp\rida.exe
Filesize
66KB

MD5
678736f0c01d5772c5fe8f17c2a2f0a0

SHA1
6fd5092205a163cdd409a28a321221d4e12ebc96

SHA256
8b40040cf08471cecbad21a1199b23336bcca69d97220ef0e592fe5106d118f2

SHA512
8d9f62978cf91e597d4a8e19e2747a5d70fcbb42deaf3c4036a0c15454a959f59ca2350f4d30ce55cf09bd25f0cdf7f5004240d24c9ba374d72a72728fb21830

Download Submit
memory/816-132-0x0000000075510000-0x0000000075AC1000-memory.dmp

Filesize
5.7MB

Download
memory/816-137-0x0000000075510000-0x0000000075AC1000-memory.dmp

Filesize
5.7MB

Download
memory/844-133-0x0000000000000000-mapping.dmp

Download
memory/844-138-0x0000000075510000-0x0000000075AC1000-memory.dmp

Filesize
5.7MB

Download
memory/844-139-0x0000000075510000-0x0000000075AC1000-memory.dmp

Filesize
5.7MB

Download
memory/4512-136-0x0000000000000000-mapping.dmp

Download