njrat | 8e76fd1b71135c84d74fb41915f637309b9584b6565886f5f26cdf142df114cd

Analysis

max time kernel
150s
max time network
85s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03-10-2022 00:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e76fd1b71135c84d74fb41915f637309b9584b6565886f5f26cdf142df114cd.exe
Size

82KB
MD5

6c670d327ca3c047dd87e04519adad30
SHA1

fd6f02ad9dee2457ee8bbefceeaa437bee636fd2
SHA256

8e76fd1b71135c84d74fb41915f637309b9584b6565886f5f26cdf142df114cd
SHA512

f0d1a41904b80e358c041d4b54d28a56e7dd7f6eb12d64deff091508b493f3fcd4c02a4d675f1e1cdee9dd929e8ed779761ef578c4c8944749bb80233c783451
SSDEEP

1536:KfcJmBgWnjIJSZwlB2hBjsV+1q51ALBYU:KcugiIRB2jKU

Score

10^/10

njrat hacked evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

anwarmaxa.no-ip.biz:4498

Mutex

abc4c646bbdae26ea820ad4be4d0c672

Attributes

reg_key
abc4c646bbdae26ea820ad4be4d0c672
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 1 IoCs

pid	Process
1864	explorer.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1712	netsh.exe

Loads dropped DLL 1 IoCs

pid	Process
1880	8e76fd1b71135c84d74fb41915f637309b9584b6565886f5f26cdf142df114cd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	1864	explorer.exe
Token: 33	1864	explorer.exe
Token: SeIncBasePriorityPrivilege	1864	explorer.exe
Token: 33	1864	explorer.exe
Token: SeIncBasePriorityPrivilege	1864	explorer.exe
Token: 33	1864	explorer.exe
Token: SeIncBasePriorityPrivilege	1864	explorer.exe
Token: 33	1864	explorer.exe
Token: SeIncBasePriorityPrivilege	1864	explorer.exe
Token: 33	1864	explorer.exe
Token: SeIncBasePriorityPrivilege	1864	explorer.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 1864	1880	8e76fd1b71135c84d74fb41915f637309b9584b6565886f5f26cdf142df114cd.exe	27
PID 1880 wrote to memory of 1864	1880	8e76fd1b71135c84d74fb41915f637309b9584b6565886f5f26cdf142df114cd.exe	27
PID 1880 wrote to memory of 1864	1880	8e76fd1b71135c84d74fb41915f637309b9584b6565886f5f26cdf142df114cd.exe	27
PID 1880 wrote to memory of 1864	1880	8e76fd1b71135c84d74fb41915f637309b9584b6565886f5f26cdf142df114cd.exe	27
PID 1864 wrote to memory of 1712	1864	explorer.exe	28
PID 1864 wrote to memory of 1712	1864	explorer.exe	28
PID 1864 wrote to memory of 1712	1864	explorer.exe	28
PID 1864 wrote to memory of 1712	1864	explorer.exe	28

C:\Users\Admin\AppData\Local\Temp\8e76fd1b71135c84d74fb41915f637309b9584b6565886f5f26cdf142df114cd.exe
"C:\Users\Admin\AppData\Local\Temp\8e76fd1b71135c84d74fb41915f637309b9584b6565886f5f26cdf142df114cd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Users\Admin\AppData\Local\Temp\explorer.exe
  "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\explorer.exe" "explorer.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:1712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
82KB

MD5
6c670d327ca3c047dd87e04519adad30

SHA1
fd6f02ad9dee2457ee8bbefceeaa437bee636fd2

SHA256
8e76fd1b71135c84d74fb41915f637309b9584b6565886f5f26cdf142df114cd

SHA512
f0d1a41904b80e358c041d4b54d28a56e7dd7f6eb12d64deff091508b493f3fcd4c02a4d675f1e1cdee9dd929e8ed779761ef578c4c8944749bb80233c783451

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
82KB

MD5
6c670d327ca3c047dd87e04519adad30

SHA1
fd6f02ad9dee2457ee8bbefceeaa437bee636fd2

SHA256
8e76fd1b71135c84d74fb41915f637309b9584b6565886f5f26cdf142df114cd

SHA512
f0d1a41904b80e358c041d4b54d28a56e7dd7f6eb12d64deff091508b493f3fcd4c02a4d675f1e1cdee9dd929e8ed779761ef578c4c8944749bb80233c783451

Download Submit
\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
82KB

MD5
6c670d327ca3c047dd87e04519adad30

SHA1
fd6f02ad9dee2457ee8bbefceeaa437bee636fd2

SHA256
8e76fd1b71135c84d74fb41915f637309b9584b6565886f5f26cdf142df114cd

SHA512
f0d1a41904b80e358c041d4b54d28a56e7dd7f6eb12d64deff091508b493f3fcd4c02a4d675f1e1cdee9dd929e8ed779761ef578c4c8944749bb80233c783451

Download Submit
memory/1712-62-0x0000000000000000-mapping.dmp

Download
memory/1864-58-0x0000000000000000-mapping.dmp

Download
memory/1864-61-0x0000000000D70000-0x0000000000D8C000-memory.dmp

Filesize
112KB

Download
memory/1880-54-0x00000000002E0000-0x00000000002FC000-memory.dmp

Filesize
112KB

Download
memory/1880-55-0x0000000000310000-0x000000000031C000-memory.dmp

Filesize
48KB

Download
memory/1880-56-0x0000000075D71000-0x0000000075D73000-memory.dmp

Filesize
8KB

Download