njrat | 74010de42a61c8836e3139b705d25bfbf12879c772594e614fc690a1878280e8

General

Target

74010de42a61c8836e3139b705d25bfbf12879c772594e614fc690a1878280e8.exe
Size

572KB
MD5

3c62f18b9cc44d48e2187bf66d9fae04
SHA1

7010bf5ae66555b4891eb32b9e7b1e2ab603bf8b
SHA256

74010de42a61c8836e3139b705d25bfbf12879c772594e614fc690a1878280e8
SHA512

2f82f30fbfe30b2be09538e9c0c465aa9fd71135e42cd9103b56a1ed4dbabcf1347475aa78277d7b87ade5c217e20f39896466cd3309010a81208015d1b028d6
SSDEEP

12288:hToPWBv/cpGrU3yXoT77F1KQSSOS14Gr59aAqg4/G:hTbBv5rUfFnSST14GrfAR/G

Score

10^/10

njrat hacked evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

FRANSESCOTQ3LjE4NS4yFRANSESCOjEuFRANSESCOjEx:MjAxMTE=

Mutex

15c02f637abec4a65e1044f0fcf0abcc

Attributes

reg_key
15c02f637abec4a65e1044f0fcf0abcc
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 3 IoCs

Processes:

wifi.execonhost.exesystem.exe

pid process

112 wifi.exe
3540 conhost.exe
4496 system.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

4644 netsh.exe

pid	process
112	wifi.exe
3540	conhost.exe
4496	system.exe

pid	process
4644	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

74010de42a61c8836e3139b705d25bfbf12879c772594e614fc690a1878280e8.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	74010de42a61c8836e3139b705d25bfbf12879c772594e614fc690a1878280e8.exe

Drops startup file 2 IoCs

Processes:

74010de42a61c8836e3139b705d25bfbf12879c772594e614fc690a1878280e8.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.lnk	74010de42a61c8836e3139b705d25bfbf12879c772594e614fc690a1878280e8.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.lnk	74010de42a61c8836e3139b705d25bfbf12879c772594e614fc690a1878280e8.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

conhost.exesystem.exe

pid process

3540 conhost.exe
4496 system.exe

pid	process
3540	conhost.exe
4496	system.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

system.execonhost.exe

description	pid	process
Token: SeDebugPrivilege	4496	system.exe
Token: SeDebugPrivilege	3540	conhost.exe
Token: 33	3540	conhost.exe
Token: SeIncBasePriorityPrivilege	3540	conhost.exe
Token: 33	4496	system.exe
Token: SeIncBasePriorityPrivilege	4496	system.exe
Token: 33	3540	conhost.exe
Token: SeIncBasePriorityPrivilege	3540	conhost.exe
Token: 33	4496	system.exe
Token: SeIncBasePriorityPrivilege	4496	system.exe
Token: 33	3540	conhost.exe
Token: SeIncBasePriorityPrivilege	3540	conhost.exe
Token: 33	4496	system.exe
Token: SeIncBasePriorityPrivilege	4496	system.exe
Token: 33	3540	conhost.exe
Token: SeIncBasePriorityPrivilege	3540	conhost.exe
Token: 33	4496	system.exe
Token: SeIncBasePriorityPrivilege	4496	system.exe
Token: 33	3540	conhost.exe
Token: SeIncBasePriorityPrivilege	3540	conhost.exe
Token: 33	4496	system.exe
Token: SeIncBasePriorityPrivilege	4496	system.exe
Token: 33	3540	conhost.exe
Token: SeIncBasePriorityPrivilege	3540	conhost.exe
Token: 33	4496	system.exe
Token: SeIncBasePriorityPrivilege	4496	system.exe
Token: 33	3540	conhost.exe
Token: SeIncBasePriorityPrivilege	3540	conhost.exe
Token: 33	4496	system.exe
Token: SeIncBasePriorityPrivilege	4496	system.exe
Token: 33	3540	conhost.exe
Token: SeIncBasePriorityPrivilege	3540	conhost.exe
Token: 33	4496	system.exe
Token: SeIncBasePriorityPrivilege	4496	system.exe
Token: 33	3540	conhost.exe
Token: SeIncBasePriorityPrivilege	3540	conhost.exe
Token: 33	4496	system.exe
Token: SeIncBasePriorityPrivilege	4496	system.exe
Token: 33	3540	conhost.exe
Token: SeIncBasePriorityPrivilege	3540	conhost.exe
Token: 33	4496	system.exe
Token: SeIncBasePriorityPrivilege	4496	system.exe
Token: 33	3540	conhost.exe
Token: SeIncBasePriorityPrivilege	3540	conhost.exe
Token: 33	4496	system.exe
Token: SeIncBasePriorityPrivilege	4496	system.exe
Token: 33	3540	conhost.exe
Token: SeIncBasePriorityPrivilege	3540	conhost.exe
Token: 33	4496	system.exe
Token: SeIncBasePriorityPrivilege	4496	system.exe
Token: 33	3540	conhost.exe
Token: SeIncBasePriorityPrivilege	3540	conhost.exe
Token: 33	4496	system.exe
Token: SeIncBasePriorityPrivilege	4496	system.exe
Token: 33	3540	conhost.exe
Token: SeIncBasePriorityPrivilege	3540	conhost.exe
Token: 33	4496	system.exe
Token: SeIncBasePriorityPrivilege	4496	system.exe
Token: 33	3540	conhost.exe
Token: SeIncBasePriorityPrivilege	3540	conhost.exe
Token: 33	4496	system.exe
Token: SeIncBasePriorityPrivilege	4496	system.exe
Token: 33	3540	conhost.exe
Token: SeIncBasePriorityPrivilege	3540	conhost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

wifi.exe

pid process

112 wifi.exe

pid	process
112	wifi.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

74010de42a61c8836e3139b705d25bfbf12879c772594e614fc690a1878280e8.execmd.execmd.execmd.execmd.execonhost.exe

description	pid	process	target process
PID 4892 wrote to memory of 1008	4892	74010de42a61c8836e3139b705d25bfbf12879c772594e614fc690a1878280e8.exe	cmd.exe
PID 4892 wrote to memory of 1008	4892	74010de42a61c8836e3139b705d25bfbf12879c772594e614fc690a1878280e8.exe	cmd.exe
PID 4892 wrote to memory of 1008	4892	74010de42a61c8836e3139b705d25bfbf12879c772594e614fc690a1878280e8.exe	cmd.exe
PID 1008 wrote to memory of 2620	1008	cmd.exe	cmd.exe
PID 1008 wrote to memory of 2620	1008	cmd.exe	cmd.exe
PID 1008 wrote to memory of 2620	1008	cmd.exe	cmd.exe
PID 2620 wrote to memory of 112	2620	cmd.exe	wifi.exe
PID 2620 wrote to memory of 112	2620	cmd.exe	wifi.exe
PID 2620 wrote to memory of 112	2620	cmd.exe	wifi.exe
PID 1008 wrote to memory of 320	1008	cmd.exe	cmd.exe
PID 1008 wrote to memory of 320	1008	cmd.exe	cmd.exe
PID 1008 wrote to memory of 320	1008	cmd.exe	cmd.exe
PID 320 wrote to memory of 3540	320	cmd.exe	conhost.exe
PID 320 wrote to memory of 3540	320	cmd.exe	conhost.exe
PID 320 wrote to memory of 3540	320	cmd.exe	conhost.exe
PID 1008 wrote to memory of 2280	1008	cmd.exe	cmd.exe
PID 1008 wrote to memory of 2280	1008	cmd.exe	cmd.exe
PID 1008 wrote to memory of 2280	1008	cmd.exe	cmd.exe
PID 2280 wrote to memory of 4496	2280	cmd.exe	system.exe
PID 2280 wrote to memory of 4496	2280	cmd.exe	system.exe
PID 3540 wrote to memory of 4644	3540	conhost.exe	netsh.exe
PID 3540 wrote to memory of 4644	3540	conhost.exe	netsh.exe
PID 3540 wrote to memory of 4644	3540	conhost.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\74010de42a61c8836e3139b705d25bfbf12879c772594e614fc690a1878280e8.exe
"C:\Users\Admin\AppData\Local\Temp\74010de42a61c8836e3139b705d25bfbf12879c772594e614fc690a1878280e8.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:4892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\a.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1008

C:\Windows\SysWOW64\cmd.exe
cmd /c start wifi.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2620

C:\Users\Admin\AppData\Local\Temp\RarSFX0\wifi.exe
wifi.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:112

C:\Windows\SysWOW64\cmd.exe
cmd /c start conhost.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:320

C:\Users\Admin\AppData\Local\Temp\RarSFX0\conhost.exe
conhost.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3540

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\RarSFX0\conhost.exe" "conhost.exe" ENABLE
5⤵
- Modifies Windows Firewall
PID:4644

C:\Windows\SysWOW64\cmd.exe
cmd /c start system.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2280

C:\Users\Admin\AppData\Local\Temp\RarSFX0\system.exe
system.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4496

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\a.bat
Filesize
72B

MD5
1e69f563f624286bb08f54117072090f

SHA1
7ba580822307de955385917a4f6db8eb08e074fa

SHA256
27913eda39841546c3dfa735db3cdbbb5450a5388fca2cc2956e0ba3fdb9970b

SHA512
a6e9af3f0eb0f69e2fbad033462de5b5fd423553c69379053b4626d381d754d3840e822e3eb4427d430ac8845457ae5eee7d8fa88781ae6fa4cb795f8f0a86aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\conhost.exe
Filesize
93KB

MD5
c6364a0668fe7a9bac5b67fc6983586a

SHA1
0657571e752e99daaee81e96feddc915398ac90c

SHA256
45c0da24b5057cff90fcfd896a33ec9e4c7fb75e918c70a7e19e7ea6ddc806b0

SHA512
fb23c1c9282a4ab641b4f7f08f8eb71558594e6611e258bd56990a1a6bbbd7aaaf8301f20815aa7c48d05372b4ad695336ee43b346e329350fbb59f01d240e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\conhost.exe
Filesize
93KB

MD5
c6364a0668fe7a9bac5b67fc6983586a

SHA1
0657571e752e99daaee81e96feddc915398ac90c

SHA256
45c0da24b5057cff90fcfd896a33ec9e4c7fb75e918c70a7e19e7ea6ddc806b0

SHA512
fb23c1c9282a4ab641b4f7f08f8eb71558594e6611e258bd56990a1a6bbbd7aaaf8301f20815aa7c48d05372b4ad695336ee43b346e329350fbb59f01d240e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\system.exe
Filesize
159KB

MD5
ec66102014000040e566229d431aa206

SHA1
16ec31507cf63505535bae4c931865afa8566b39

SHA256
b7c257aac74c25f3fc568f579f64155d664f59a3743a5238df279c35d6435380

SHA512
74b40388a5e9f6ecadd2f43858009ccb8a1b66b799dd610bfcd7275dc0a04bc4d0ace56cc7b513a0a3c39fef4bb5a87f055fd5e22a5e6dcbd6bcdf050a2ea090

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\system.exe
Filesize
159KB

MD5
ec66102014000040e566229d431aa206

SHA1
16ec31507cf63505535bae4c931865afa8566b39

SHA256
b7c257aac74c25f3fc568f579f64155d664f59a3743a5238df279c35d6435380

SHA512
74b40388a5e9f6ecadd2f43858009ccb8a1b66b799dd610bfcd7275dc0a04bc4d0ace56cc7b513a0a3c39fef4bb5a87f055fd5e22a5e6dcbd6bcdf050a2ea090

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\wifi.exe
Filesize
36KB

MD5
4b5a108918f563dab60d63a7e79b7046

SHA1
cff2a9c877b786821fb8d8b9111e3724ace1de9f

SHA256
a4eec1d719b512b3cbf4daff311db391269e5d63deb46f0c4da3d63f0833a3c0

SHA512
a60cc3dbd33bb68d304df4e9870cf33a41e97fce9ad9c84b7d67ca89a68bf58050f1b1cea5ea14d0b299d217a8e1bf01dadd2b4b19a148346223bab11791e8a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\wifi.exe
Filesize
36KB

MD5
4b5a108918f563dab60d63a7e79b7046

SHA1
cff2a9c877b786821fb8d8b9111e3724ace1de9f

SHA256
a4eec1d719b512b3cbf4daff311db391269e5d63deb46f0c4da3d63f0833a3c0

SHA512
a60cc3dbd33bb68d304df4e9870cf33a41e97fce9ad9c84b7d67ca89a68bf58050f1b1cea5ea14d0b299d217a8e1bf01dadd2b4b19a148346223bab11791e8a7

Download Submit
memory/112-135-0x0000000000000000-mapping.dmp

Download
memory/320-138-0x0000000000000000-mapping.dmp

Download
memory/1008-132-0x0000000000000000-mapping.dmp

Download
memory/2280-142-0x0000000000000000-mapping.dmp

Download
memory/2620-134-0x0000000000000000-mapping.dmp

Download
memory/3540-140-0x0000000000000000-mapping.dmp

Download
memory/3540-150-0x0000000072740000-0x0000000072CF1000-memory.dmp

Filesize
5.7MB

Download
memory/3540-153-0x0000000072740000-0x0000000072CF1000-memory.dmp

Filesize
5.7MB

Download
memory/4496-145-0x0000000000000000-mapping.dmp

Download
memory/4496-148-0x0000000000E60000-0x0000000000E8E000-memory.dmp

Filesize
184KB

Download
memory/4496-149-0x00007FFA43FE0000-0x00007FFA44AA1000-memory.dmp

Filesize
10.8MB

Download
memory/4496-152-0x00007FFA43FE0000-0x00007FFA44AA1000-memory.dmp

Filesize
10.8MB

Download
memory/4644-151-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads