njrat | 974eea6647d03213b94ef32da55844787c06b793cb339b964e6b777566cccd2b

Analysis

max time kernel
99s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2022 12:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

974eea6647d03213b94ef32da55844787c06b793cb339b964e6b777566cccd2b.exe
Size

56KB
MD5

6ccb7038cef6779c9e8a593777d63c20
SHA1

2932fe91f331511e71fd67c5d0d1b645ce6a7fb0
SHA256

974eea6647d03213b94ef32da55844787c06b793cb339b964e6b777566cccd2b
SHA512

1fb85fbcf726e121e657d4a232fd3d1f5d9488c78bbd4e105088185a1985e3cccc3d4e6f4818609dfa86df3b3c550e840771f50c016d3cabaa18de52fadb3a59
SSDEEP

768:FThqhOYcKpQGJKY/YK52+N3vONJvuuzs/tn+eSMUToEInNkHmc5l:F4hXpK21A+94oJtn+MUT0kHmWl

Score

10^/10

njrat hacked trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

sey69.no-ip.bisey69.no-ip.biz:1177

Mutex

5cd8f17f4086744065eb0992a09e05a2

Attributes

reg_key
5cd8f17f4086744065eb0992a09e05a2
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

Crypted.exeTrojan.exe

pid process

1968 Crypted.exe
5092 Trojan.exe

pid	process
1968	Crypted.exe
5092	Trojan.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Crypted.exe974eea6647d03213b94ef32da55844787c06b793cb339b964e6b777566cccd2b.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Crypted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	974eea6647d03213b94ef32da55844787c06b793cb339b964e6b777566cccd2b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

974eea6647d03213b94ef32da55844787c06b793cb339b964e6b777566cccd2b.exeCrypted.exe

description	pid	process	target process
PID 1680 wrote to memory of 1968	1680	974eea6647d03213b94ef32da55844787c06b793cb339b964e6b777566cccd2b.exe	Crypted.exe
PID 1680 wrote to memory of 1968	1680	974eea6647d03213b94ef32da55844787c06b793cb339b964e6b777566cccd2b.exe	Crypted.exe
PID 1680 wrote to memory of 1968	1680	974eea6647d03213b94ef32da55844787c06b793cb339b964e6b777566cccd2b.exe	Crypted.exe
PID 1968 wrote to memory of 5092	1968	Crypted.exe	Trojan.exe
PID 1968 wrote to memory of 5092	1968	Crypted.exe	Trojan.exe
PID 1968 wrote to memory of 5092	1968	Crypted.exe	Trojan.exe

C:\Users\Admin\AppData\Local\Temp\974eea6647d03213b94ef32da55844787c06b793cb339b964e6b777566cccd2b.exe
"C:\Users\Admin\AppData\Local\Temp\974eea6647d03213b94ef32da55844787c06b793cb339b964e6b777566cccd2b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1680

C:\Users\Admin\AppData\Local\Temp\Crypted.exe
"C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1968

C:\Users\Admin\AppData\Local\Temp\Trojan.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
3⤵
- Executes dropped EXE
PID:5092

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Crypted.exe
Filesize
29KB

MD5
760ff3b88716c12c5b124d91412dad49

SHA1
62fa06b83466caf960d8cf2144659c30667b2a4e

SHA256
2605db6927eaabd8d963e6d17363d3b97eb8aa0a927d27f09a1070d58e9b1b8f

SHA512
277a0acfb0ea2dd047f9cc6a973aafaf51159f7d98696bd71d9a4dcd7de29ed341224d0de7c14cc5e05968ae0506978c2e74d1fc76213708cc6587f55faab324

Download Submit
C:\Users\Admin\AppData\Local\Temp\Crypted.exe
Filesize
29KB

MD5
760ff3b88716c12c5b124d91412dad49

SHA1
62fa06b83466caf960d8cf2144659c30667b2a4e

SHA256
2605db6927eaabd8d963e6d17363d3b97eb8aa0a927d27f09a1070d58e9b1b8f

SHA512
277a0acfb0ea2dd047f9cc6a973aafaf51159f7d98696bd71d9a4dcd7de29ed341224d0de7c14cc5e05968ae0506978c2e74d1fc76213708cc6587f55faab324

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
Filesize
29KB

MD5
760ff3b88716c12c5b124d91412dad49

SHA1
62fa06b83466caf960d8cf2144659c30667b2a4e

SHA256
2605db6927eaabd8d963e6d17363d3b97eb8aa0a927d27f09a1070d58e9b1b8f

SHA512
277a0acfb0ea2dd047f9cc6a973aafaf51159f7d98696bd71d9a4dcd7de29ed341224d0de7c14cc5e05968ae0506978c2e74d1fc76213708cc6587f55faab324

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
Filesize
29KB

MD5
760ff3b88716c12c5b124d91412dad49

SHA1
62fa06b83466caf960d8cf2144659c30667b2a4e

SHA256
2605db6927eaabd8d963e6d17363d3b97eb8aa0a927d27f09a1070d58e9b1b8f

SHA512
277a0acfb0ea2dd047f9cc6a973aafaf51159f7d98696bd71d9a4dcd7de29ed341224d0de7c14cc5e05968ae0506978c2e74d1fc76213708cc6587f55faab324

Download Submit
memory/1680-132-0x00007FFBFCAB0000-0x00007FFBFD4E6000-memory.dmp

Filesize
10.2MB

Download
memory/1968-133-0x0000000000000000-mapping.dmp

Download
memory/1968-136-0x0000000074E20000-0x00000000753D1000-memory.dmp

Filesize
5.7MB

Download
memory/1968-141-0x0000000074E20000-0x00000000753D1000-memory.dmp

Filesize
5.7MB

Download
memory/1968-144-0x0000000074E20000-0x00000000753D1000-memory.dmp

Filesize
5.7MB

Download
memory/5092-137-0x0000000000000000-mapping.dmp

Download
memory/5092-140-0x0000000074E20000-0x00000000753D1000-memory.dmp

Filesize
5.7MB

Download
memory/5092-142-0x0000000074E20000-0x00000000753D1000-memory.dmp

Filesize
5.7MB

Download
memory/5092-143-0x0000000074E20000-0x00000000753D1000-memory.dmp

Filesize
5.7MB

Download