njrat | 74010de42a61c8836e3139b705d25bfbf12879c772594e614fc690a1878280e8

Analysis

max time kernel
1799s
max time network
1800s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
02-10-2022 21:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74010de42a61c8836e3139b705d25bfbf12879c772594e614fc690a1878280e8.exe
Size

572KB
MD5

3c62f18b9cc44d48e2187bf66d9fae04
SHA1

7010bf5ae66555b4891eb32b9e7b1e2ab603bf8b
SHA256

74010de42a61c8836e3139b705d25bfbf12879c772594e614fc690a1878280e8
SHA512

2f82f30fbfe30b2be09538e9c0c465aa9fd71135e42cd9103b56a1ed4dbabcf1347475aa78277d7b87ade5c217e20f39896466cd3309010a81208015d1b028d6
SSDEEP

12288:hToPWBv/cpGrU3yXoT77F1KQSSOS14Gr59aAqg4/G:hTbBv5rUfFnSST14GrfAR/G

Score

10^/10

njrat hacked evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

FRANSESCOTQ3LjE4NS4yFRANSESCOjEuFRANSESCOjEx:MjAxMTE=

Mutex

15c02f637abec4a65e1044f0fcf0abcc

Attributes

reg_key
15c02f637abec4a65e1044f0fcf0abcc
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 3 IoCs

Processes:

wifi.execonhost.exesystem.exe

pid process

4892 wifi.exe
4008 conhost.exe
3680 system.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

4488 netsh.exe

pid	process
4892	wifi.exe
4008	conhost.exe
3680	system.exe

pid	process
4488	netsh.exe

Drops startup file 2 IoCs

Processes:

74010de42a61c8836e3139b705d25bfbf12879c772594e614fc690a1878280e8.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.lnk	74010de42a61c8836e3139b705d25bfbf12879c772594e614fc690a1878280e8.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.lnk	74010de42a61c8836e3139b705d25bfbf12879c772594e614fc690a1878280e8.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

conhost.exesystem.exe

pid process

4008 conhost.exe
3680 system.exe

pid	process
4008	conhost.exe
3680	system.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

system.execonhost.exe

description	pid	process
Token: SeDebugPrivilege	3680	system.exe
Token: 33	3680	system.exe
Token: SeIncBasePriorityPrivilege	3680	system.exe
Token: 33	3680	system.exe
Token: SeIncBasePriorityPrivilege	3680	system.exe
Token: SeDebugPrivilege	4008	conhost.exe
Token: 33	4008	conhost.exe
Token: SeIncBasePriorityPrivilege	4008	conhost.exe
Token: 33	3680	system.exe
Token: SeIncBasePriorityPrivilege	3680	system.exe
Token: 33	4008	conhost.exe
Token: SeIncBasePriorityPrivilege	4008	conhost.exe
Token: 33	3680	system.exe
Token: SeIncBasePriorityPrivilege	3680	system.exe
Token: 33	4008	conhost.exe
Token: SeIncBasePriorityPrivilege	4008	conhost.exe
Token: 33	3680	system.exe
Token: SeIncBasePriorityPrivilege	3680	system.exe
Token: 33	4008	conhost.exe
Token: SeIncBasePriorityPrivilege	4008	conhost.exe
Token: 33	3680	system.exe
Token: SeIncBasePriorityPrivilege	3680	system.exe
Token: 33	4008	conhost.exe
Token: SeIncBasePriorityPrivilege	4008	conhost.exe
Token: 33	3680	system.exe
Token: SeIncBasePriorityPrivilege	3680	system.exe
Token: 33	4008	conhost.exe
Token: SeIncBasePriorityPrivilege	4008	conhost.exe
Token: 33	3680	system.exe
Token: SeIncBasePriorityPrivilege	3680	system.exe
Token: 33	4008	conhost.exe
Token: SeIncBasePriorityPrivilege	4008	conhost.exe
Token: 33	3680	system.exe
Token: SeIncBasePriorityPrivilege	3680	system.exe
Token: 33	4008	conhost.exe
Token: SeIncBasePriorityPrivilege	4008	conhost.exe
Token: 33	3680	system.exe
Token: SeIncBasePriorityPrivilege	3680	system.exe
Token: 33	4008	conhost.exe
Token: SeIncBasePriorityPrivilege	4008	conhost.exe
Token: 33	3680	system.exe
Token: SeIncBasePriorityPrivilege	3680	system.exe
Token: 33	4008	conhost.exe
Token: SeIncBasePriorityPrivilege	4008	conhost.exe
Token: 33	3680	system.exe
Token: SeIncBasePriorityPrivilege	3680	system.exe
Token: 33	4008	conhost.exe
Token: SeIncBasePriorityPrivilege	4008	conhost.exe
Token: 33	3680	system.exe
Token: SeIncBasePriorityPrivilege	3680	system.exe
Token: 33	4008	conhost.exe
Token: SeIncBasePriorityPrivilege	4008	conhost.exe
Token: 33	3680	system.exe
Token: SeIncBasePriorityPrivilege	3680	system.exe
Token: 33	4008	conhost.exe
Token: SeIncBasePriorityPrivilege	4008	conhost.exe
Token: 33	3680	system.exe
Token: SeIncBasePriorityPrivilege	3680	system.exe
Token: 33	4008	conhost.exe
Token: SeIncBasePriorityPrivilege	4008	conhost.exe
Token: 33	3680	system.exe
Token: SeIncBasePriorityPrivilege	3680	system.exe
Token: 33	4008	conhost.exe
Token: SeIncBasePriorityPrivilege	4008	conhost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

wifi.exe

pid process

4892 wifi.exe

pid	process
4892	wifi.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

74010de42a61c8836e3139b705d25bfbf12879c772594e614fc690a1878280e8.execmd.execmd.execmd.execmd.execonhost.exe

description	pid	process	target process
PID 2896 wrote to memory of 4196	2896	74010de42a61c8836e3139b705d25bfbf12879c772594e614fc690a1878280e8.exe	cmd.exe
PID 2896 wrote to memory of 4196	2896	74010de42a61c8836e3139b705d25bfbf12879c772594e614fc690a1878280e8.exe	cmd.exe
PID 2896 wrote to memory of 4196	2896	74010de42a61c8836e3139b705d25bfbf12879c772594e614fc690a1878280e8.exe	cmd.exe
PID 4196 wrote to memory of 3928	4196	cmd.exe	cmd.exe
PID 4196 wrote to memory of 3928	4196	cmd.exe	cmd.exe
PID 4196 wrote to memory of 3928	4196	cmd.exe	cmd.exe
PID 3928 wrote to memory of 4892	3928	cmd.exe	wifi.exe
PID 3928 wrote to memory of 4892	3928	cmd.exe	wifi.exe
PID 3928 wrote to memory of 4892	3928	cmd.exe	wifi.exe
PID 4196 wrote to memory of 3912	4196	cmd.exe	cmd.exe
PID 4196 wrote to memory of 3912	4196	cmd.exe	cmd.exe
PID 4196 wrote to memory of 3912	4196	cmd.exe	cmd.exe
PID 3912 wrote to memory of 4008	3912	cmd.exe	conhost.exe
PID 3912 wrote to memory of 4008	3912	cmd.exe	conhost.exe
PID 3912 wrote to memory of 4008	3912	cmd.exe	conhost.exe
PID 4196 wrote to memory of 4912	4196	cmd.exe	cmd.exe
PID 4196 wrote to memory of 4912	4196	cmd.exe	cmd.exe
PID 4196 wrote to memory of 4912	4196	cmd.exe	cmd.exe
PID 4912 wrote to memory of 3680	4912	cmd.exe	system.exe
PID 4912 wrote to memory of 3680	4912	cmd.exe	system.exe
PID 4008 wrote to memory of 4488	4008	conhost.exe	netsh.exe
PID 4008 wrote to memory of 4488	4008	conhost.exe	netsh.exe
PID 4008 wrote to memory of 4488	4008	conhost.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\74010de42a61c8836e3139b705d25bfbf12879c772594e614fc690a1878280e8.exe
"C:\Users\Admin\AppData\Local\Temp\74010de42a61c8836e3139b705d25bfbf12879c772594e614fc690a1878280e8.exe"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\a.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4196
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c start wifi.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3928
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\wifi.exe
      wifi.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4892
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c start conhost.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3912
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\conhost.exe
      conhost.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4008
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\RarSFX0\conhost.exe" "conhost.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:4488
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c start system.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4912
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\system.exe
      system.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:3680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\a.bat

Filesize
72B

MD5
1e69f563f624286bb08f54117072090f

SHA1
7ba580822307de955385917a4f6db8eb08e074fa

SHA256
27913eda39841546c3dfa735db3cdbbb5450a5388fca2cc2956e0ba3fdb9970b

SHA512
a6e9af3f0eb0f69e2fbad033462de5b5fd423553c69379053b4626d381d754d3840e822e3eb4427d430ac8845457ae5eee7d8fa88781ae6fa4cb795f8f0a86aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\conhost.exe

Filesize
93KB

MD5
c6364a0668fe7a9bac5b67fc6983586a

SHA1
0657571e752e99daaee81e96feddc915398ac90c

SHA256
45c0da24b5057cff90fcfd896a33ec9e4c7fb75e918c70a7e19e7ea6ddc806b0

SHA512
fb23c1c9282a4ab641b4f7f08f8eb71558594e6611e258bd56990a1a6bbbd7aaaf8301f20815aa7c48d05372b4ad695336ee43b346e329350fbb59f01d240e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\conhost.exe

Filesize
93KB

MD5
c6364a0668fe7a9bac5b67fc6983586a

SHA1
0657571e752e99daaee81e96feddc915398ac90c

SHA256
45c0da24b5057cff90fcfd896a33ec9e4c7fb75e918c70a7e19e7ea6ddc806b0

SHA512
fb23c1c9282a4ab641b4f7f08f8eb71558594e6611e258bd56990a1a6bbbd7aaaf8301f20815aa7c48d05372b4ad695336ee43b346e329350fbb59f01d240e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\system.exe

Filesize
159KB

MD5
ec66102014000040e566229d431aa206

SHA1
16ec31507cf63505535bae4c931865afa8566b39

SHA256
b7c257aac74c25f3fc568f579f64155d664f59a3743a5238df279c35d6435380

SHA512
74b40388a5e9f6ecadd2f43858009ccb8a1b66b799dd610bfcd7275dc0a04bc4d0ace56cc7b513a0a3c39fef4bb5a87f055fd5e22a5e6dcbd6bcdf050a2ea090

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\system.exe

Filesize
159KB

MD5
ec66102014000040e566229d431aa206

SHA1
16ec31507cf63505535bae4c931865afa8566b39

SHA256
b7c257aac74c25f3fc568f579f64155d664f59a3743a5238df279c35d6435380

SHA512
74b40388a5e9f6ecadd2f43858009ccb8a1b66b799dd610bfcd7275dc0a04bc4d0ace56cc7b513a0a3c39fef4bb5a87f055fd5e22a5e6dcbd6bcdf050a2ea090

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\wifi.exe

Filesize
36KB

MD5
4b5a108918f563dab60d63a7e79b7046

SHA1
cff2a9c877b786821fb8d8b9111e3724ace1de9f

SHA256
a4eec1d719b512b3cbf4daff311db391269e5d63deb46f0c4da3d63f0833a3c0

SHA512
a60cc3dbd33bb68d304df4e9870cf33a41e97fce9ad9c84b7d67ca89a68bf58050f1b1cea5ea14d0b299d217a8e1bf01dadd2b4b19a148346223bab11791e8a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\wifi.exe

Filesize
36KB

MD5
4b5a108918f563dab60d63a7e79b7046

SHA1
cff2a9c877b786821fb8d8b9111e3724ace1de9f

SHA256
a4eec1d719b512b3cbf4daff311db391269e5d63deb46f0c4da3d63f0833a3c0

SHA512
a60cc3dbd33bb68d304df4e9870cf33a41e97fce9ad9c84b7d67ca89a68bf58050f1b1cea5ea14d0b299d217a8e1bf01dadd2b4b19a148346223bab11791e8a7

Download Submit
memory/2896-157-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-171-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-125-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-127-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-128-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-129-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-130-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-131-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-132-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-133-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-134-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-135-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-136-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-137-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-138-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-160-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-139-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-142-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-141-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-143-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-144-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-145-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-146-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-147-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-148-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-149-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-150-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-151-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-152-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-153-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-154-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-155-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-156-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-122-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-158-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-159-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-140-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-161-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-124-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-162-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-164-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-165-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-166-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-167-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-168-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-170-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-169-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-172-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-173-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-163-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-174-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-175-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-176-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-177-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-178-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-179-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-180-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-181-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-182-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-183-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-184-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-119-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-120-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2896-121-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3680-275-0x0000000000000000-mapping.dmp

Download
memory/3680-284-0x0000000000830000-0x000000000085E000-memory.dmp

Filesize
184KB

Download
memory/3912-218-0x0000000000000000-mapping.dmp

Download
memory/3928-203-0x0000000000000000-mapping.dmp

Download
memory/4008-238-0x0000000000000000-mapping.dmp

Download
memory/4008-321-0x00000000722B0000-0x0000000072860000-memory.dmp

Filesize
5.7MB

Download
memory/4008-325-0x00000000722B0000-0x0000000072860000-memory.dmp

Filesize
5.7MB

Download
memory/4196-189-0x0000000000000000-mapping.dmp

Download
memory/4488-328-0x0000000000000000-mapping.dmp

Download
memory/4892-210-0x0000000000000000-mapping.dmp

Download
memory/4912-250-0x0000000000000000-mapping.dmp

Download