njrat | 974eea6647d03213b94ef32da55844787c06b793cb339b964e6b777566cccd2b

General

Target

974eea6647d03213b94ef32da55844787c06b793cb339b964e6b777566cccd2b.exe
Size

56KB
MD5

6ccb7038cef6779c9e8a593777d63c20
SHA1

2932fe91f331511e71fd67c5d0d1b645ce6a7fb0
SHA256

974eea6647d03213b94ef32da55844787c06b793cb339b964e6b777566cccd2b
SHA512

1fb85fbcf726e121e657d4a232fd3d1f5d9488c78bbd4e105088185a1985e3cccc3d4e6f4818609dfa86df3b3c550e840771f50c016d3cabaa18de52fadb3a59
SSDEEP

768:FThqhOYcKpQGJKY/YK52+N3vONJvuuzs/tn+eSMUToEInNkHmc5l:F4hXpK21A+94oJtn+MUT0kHmWl

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

C2

sey69.no-ip.bisey69.no-ip.biz:1177

Mutex

5cd8f17f4086744065eb0992a09e05a2

Attributes

reg_key
5cd8f17f4086744065eb0992a09e05a2
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

Crypted.exeTrojan.exe

pid process

1224 Crypted.exe
952 Trojan.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

520 netsh.exe
Loads dropped DLL 1 IoCs

Processes:

Crypted.exe

pid process

1224 Crypted.exe

pid	process
1224	Crypted.exe
952	Trojan.exe

pid	process
520	netsh.exe

pid	process
1224	Crypted.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Trojan.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."	Trojan.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

Trojan.exe

pid	process
952	Trojan.exe
952	Trojan.exe
952	Trojan.exe
952	Trojan.exe
952	Trojan.exe
952	Trojan.exe
952	Trojan.exe
952	Trojan.exe
952	Trojan.exe
952	Trojan.exe
952	Trojan.exe
952	Trojan.exe
952	Trojan.exe
952	Trojan.exe
952	Trojan.exe
952	Trojan.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Trojan.exe

description pid process

Token: SeDebugPrivilege 952 Trojan.exe

description	pid	process
Token: SeDebugPrivilege	952	Trojan.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

974eea6647d03213b94ef32da55844787c06b793cb339b964e6b777566cccd2b.exeCrypted.exeTrojan.exe

description	pid	process	target process
PID 1000 wrote to memory of 1224	1000	974eea6647d03213b94ef32da55844787c06b793cb339b964e6b777566cccd2b.exe	Crypted.exe
PID 1000 wrote to memory of 1224	1000	974eea6647d03213b94ef32da55844787c06b793cb339b964e6b777566cccd2b.exe	Crypted.exe
PID 1000 wrote to memory of 1224	1000	974eea6647d03213b94ef32da55844787c06b793cb339b964e6b777566cccd2b.exe	Crypted.exe
PID 1000 wrote to memory of 1224	1000	974eea6647d03213b94ef32da55844787c06b793cb339b964e6b777566cccd2b.exe	Crypted.exe
PID 1224 wrote to memory of 952	1224	Crypted.exe	Trojan.exe
PID 1224 wrote to memory of 952	1224	Crypted.exe	Trojan.exe
PID 1224 wrote to memory of 952	1224	Crypted.exe	Trojan.exe
PID 1224 wrote to memory of 952	1224	Crypted.exe	Trojan.exe
PID 952 wrote to memory of 520	952	Trojan.exe	netsh.exe
PID 952 wrote to memory of 520	952	Trojan.exe	netsh.exe
PID 952 wrote to memory of 520	952	Trojan.exe	netsh.exe
PID 952 wrote to memory of 520	952	Trojan.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\974eea6647d03213b94ef32da55844787c06b793cb339b964e6b777566cccd2b.exe
"C:\Users\Admin\AppData\Local\Temp\974eea6647d03213b94ef32da55844787c06b793cb339b964e6b777566cccd2b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1000
- C:\Users\Admin\AppData\Local\Temp\Crypted.exe
  "C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1224
- - C:\Users\Admin\AppData\Local\Temp\Trojan.exe
    "C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:952
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Crypted.exe

Filesize
29KB

MD5
760ff3b88716c12c5b124d91412dad49

SHA1
62fa06b83466caf960d8cf2144659c30667b2a4e

SHA256
2605db6927eaabd8d963e6d17363d3b97eb8aa0a927d27f09a1070d58e9b1b8f

SHA512
277a0acfb0ea2dd047f9cc6a973aafaf51159f7d98696bd71d9a4dcd7de29ed341224d0de7c14cc5e05968ae0506978c2e74d1fc76213708cc6587f55faab324

Download Submit
C:\Users\Admin\AppData\Local\Temp\Crypted.exe

Filesize
29KB

MD5
760ff3b88716c12c5b124d91412dad49

SHA1
62fa06b83466caf960d8cf2144659c30667b2a4e

SHA256
2605db6927eaabd8d963e6d17363d3b97eb8aa0a927d27f09a1070d58e9b1b8f

SHA512
277a0acfb0ea2dd047f9cc6a973aafaf51159f7d98696bd71d9a4dcd7de29ed341224d0de7c14cc5e05968ae0506978c2e74d1fc76213708cc6587f55faab324

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
29KB

MD5
760ff3b88716c12c5b124d91412dad49

SHA1
62fa06b83466caf960d8cf2144659c30667b2a4e

SHA256
2605db6927eaabd8d963e6d17363d3b97eb8aa0a927d27f09a1070d58e9b1b8f

SHA512
277a0acfb0ea2dd047f9cc6a973aafaf51159f7d98696bd71d9a4dcd7de29ed341224d0de7c14cc5e05968ae0506978c2e74d1fc76213708cc6587f55faab324

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
29KB

MD5
760ff3b88716c12c5b124d91412dad49

SHA1
62fa06b83466caf960d8cf2144659c30667b2a4e

SHA256
2605db6927eaabd8d963e6d17363d3b97eb8aa0a927d27f09a1070d58e9b1b8f

SHA512
277a0acfb0ea2dd047f9cc6a973aafaf51159f7d98696bd71d9a4dcd7de29ed341224d0de7c14cc5e05968ae0506978c2e74d1fc76213708cc6587f55faab324

Download Submit
\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
29KB

MD5
760ff3b88716c12c5b124d91412dad49

SHA1
62fa06b83466caf960d8cf2144659c30667b2a4e

SHA256
2605db6927eaabd8d963e6d17363d3b97eb8aa0a927d27f09a1070d58e9b1b8f

SHA512
277a0acfb0ea2dd047f9cc6a973aafaf51159f7d98696bd71d9a4dcd7de29ed341224d0de7c14cc5e05968ae0506978c2e74d1fc76213708cc6587f55faab324

Download Submit
memory/520-68-0x0000000000000000-mapping.dmp

Download
memory/952-71-0x0000000074670000-0x0000000074C1B000-memory.dmp

Filesize
5.7MB

Download
memory/952-70-0x0000000074670000-0x0000000074C1B000-memory.dmp

Filesize
5.7MB

Download
memory/952-63-0x0000000000000000-mapping.dmp

Download
memory/1000-55-0x000007FEF2DC0000-0x000007FEF3E56000-memory.dmp

Filesize
16.6MB

Download
memory/1000-58-0x0000000001F96000-0x0000000001FB5000-memory.dmp

Filesize
124KB

Download
memory/1000-54-0x000007FEF4230000-0x000007FEF4C53000-memory.dmp

Filesize
10.1MB

Download
memory/1224-60-0x0000000075201000-0x0000000075203000-memory.dmp

Filesize
8KB

Download
memory/1224-67-0x0000000074670000-0x0000000074C1B000-memory.dmp

Filesize
5.7MB

Download
memory/1224-61-0x0000000074670000-0x0000000074C1B000-memory.dmp

Filesize
5.7MB

Download
memory/1224-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads