njrat | 0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c

General

Target

0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe
Size

222KB
MD5

3bf7caf61289891504b82a61e646f580
SHA1

b8205a7db4641c07bf3d5bb2addf3e03df52f707
SHA256

0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c
SHA512

57f8904b3005517de9db78d2680499aa40960083de812805bf5b807fd694fe2b9a2a99f589c56a60f9eb9dcbb423b434dd042aec4fd514768b4fbe827136e851
SSDEEP

3072:bUN4EJaRilgqZqLYmDOZN/23Qp5oviiXpIv2U2y8J:2qilPOsN/2c5otX2v2U2

Score

10^/10

njrat hacked trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

C2

alimohamed90.no-ip.biz:7991

Mutex

03cfa1487a94d2b11760b77d3e3b04b3

Attributes

reg_key
03cfa1487a94d2b11760b77d3e3b04b3
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

chrom.exechrom.exe

pid process

3704 chrom.exe
2388 chrom.exe

pid	process
3704	chrom.exe
2388	chrom.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exechrom.exe

description	pid	process	target process
PID 4972 set thread context of 2024	4972	0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe	0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe
PID 3704 set thread context of 2388	3704	chrom.exe	chrom.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2040 2388 WerFault.exe chrom.exe

pid	pid_target	process	target process
2040	2388	WerFault.exe	chrom.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exechrom.exe

description	pid	process
Token: SeDebugPrivilege	4972	0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe
Token: 33	4972	0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe
Token: SeIncBasePriorityPrivilege	4972	0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe
Token: SeDebugPrivilege	3704	chrom.exe
Token: 33	3704	chrom.exe
Token: SeIncBasePriorityPrivilege	3704	chrom.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exechrom.exe

description	pid	process	target process
PID 4972 wrote to memory of 2024	4972	0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe	0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe
PID 4972 wrote to memory of 2024	4972	0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe	0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe
PID 4972 wrote to memory of 2024	4972	0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe	0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe
PID 4972 wrote to memory of 2024	4972	0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe	0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe
PID 4972 wrote to memory of 2024	4972	0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe	0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe
PID 4972 wrote to memory of 2024	4972	0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe	0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe
PID 4972 wrote to memory of 2024	4972	0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe	0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe
PID 4972 wrote to memory of 2024	4972	0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe	0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe
PID 2024 wrote to memory of 3704	2024	0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe	chrom.exe
PID 2024 wrote to memory of 3704	2024	0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe	chrom.exe
PID 2024 wrote to memory of 3704	2024	0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe	chrom.exe
PID 3704 wrote to memory of 2388	3704	chrom.exe	chrom.exe
PID 3704 wrote to memory of 2388	3704	chrom.exe	chrom.exe
PID 3704 wrote to memory of 2388	3704	chrom.exe	chrom.exe
PID 3704 wrote to memory of 2388	3704	chrom.exe	chrom.exe
PID 3704 wrote to memory of 2388	3704	chrom.exe	chrom.exe
PID 3704 wrote to memory of 2388	3704	chrom.exe	chrom.exe
PID 3704 wrote to memory of 2388	3704	chrom.exe	chrom.exe
PID 3704 wrote to memory of 2388	3704	chrom.exe	chrom.exe

C:\Users\Admin\AppData\Local\Temp\0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe
"C:\Users\Admin\AppData\Local\Temp\0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4972

C:\Users\Admin\AppData\Local\Temp\0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe
C:\Users\Admin\AppData\Local\Temp\0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\AppData\Local\Temp\chrom.exe
"C:\Users\Admin\AppData\Local\Temp\chrom.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3704

C:\Users\Admin\AppData\Local\Temp\chrom.exe
C:\Users\Admin\AppData\Local\Temp\chrom.exe
4⤵
- Executes dropped EXE
PID:2388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 80
5⤵
- Program crash
PID:2040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2388 -ip 2388
1⤵
PID:1292

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe.log
Filesize
493B

MD5
b28961daaebcb6a503f539e7ec085f94

SHA1
e1118ef9df72b205b688a893c68ab46b753ca4d4

SHA256
84e7751f2068ae2819bcb0909b07191665c34a31b345131feeca02c0d7765976

SHA512
8c191ce92ca0feb541eb61c685bd64c504822fff54d0bf69cf407ac160a34170dde8997b1a0837dc95a272bc91d07d6c5057400e2ceada1278fdb87bc7acdd3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrom.exe
Filesize
222KB

MD5
3bf7caf61289891504b82a61e646f580

SHA1
b8205a7db4641c07bf3d5bb2addf3e03df52f707

SHA256
0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c

SHA512
57f8904b3005517de9db78d2680499aa40960083de812805bf5b807fd694fe2b9a2a99f589c56a60f9eb9dcbb423b434dd042aec4fd514768b4fbe827136e851

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrom.exe
Filesize
222KB

MD5
3bf7caf61289891504b82a61e646f580

SHA1
b8205a7db4641c07bf3d5bb2addf3e03df52f707

SHA256
0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c

SHA512
57f8904b3005517de9db78d2680499aa40960083de812805bf5b807fd694fe2b9a2a99f589c56a60f9eb9dcbb423b434dd042aec4fd514768b4fbe827136e851

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrom.exe
Filesize
222KB

MD5
3bf7caf61289891504b82a61e646f580

SHA1
b8205a7db4641c07bf3d5bb2addf3e03df52f707

SHA256
0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c

SHA512
57f8904b3005517de9db78d2680499aa40960083de812805bf5b807fd694fe2b9a2a99f589c56a60f9eb9dcbb423b434dd042aec4fd514768b4fbe827136e851

Download Submit
memory/2024-141-0x0000000075360000-0x0000000075911000-memory.dmp

Filesize
5.7MB

Download
memory/2024-137-0x0000000075360000-0x0000000075911000-memory.dmp

Filesize
5.7MB

Download
memory/2024-134-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2024-133-0x0000000000000000-mapping.dmp

Download
memory/2388-142-0x0000000000000000-mapping.dmp

Download
memory/3704-138-0x0000000000000000-mapping.dmp

Download
memory/3704-145-0x0000000075360000-0x0000000075911000-memory.dmp

Filesize
5.7MB

Download
memory/3704-146-0x0000000075360000-0x0000000075911000-memory.dmp

Filesize
5.7MB

Download
memory/4972-136-0x0000000075360000-0x0000000075911000-memory.dmp

Filesize
5.7MB

Download
memory/4972-132-0x0000000075360000-0x0000000075911000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads