njrat | 486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3

General

Target

486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3.exe
Size

320KB
MD5

67c17d16cda6cdabd9b3e4d5bd0f9a30
SHA1

fe9d1dc96b44fae3cd06b4db3447f61bcc93262b
SHA256

486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3
SHA512

30525df3a7c45e93f77acebdfddc73bf01726725dd7f719f046c3502a002fc376e7c3c2d5db2774b151bdaa2b99549e0dbf96242d26e1ee7973678b9a3f26107
SSDEEP

6144:PMOhqDDjBG3q28TKH3kdULeaSqVig4D033ziJztkIMao:PMO+PBA85tkIMa

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

ahmedgaradi55.zapto.org:1177

Mutex

cd9343d50c47eda1c5088069633d7730

Attributes

reg_key
cd9343d50c47eda1c5088069633d7730
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

hg.exehg.exe

pid process

3928 hg.exe
2112 hg.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

3736 netsh.exe

pid	process
3928	hg.exe
2112	hg.exe

pid	process
3736	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

hg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cd9343d50c47eda1c5088069633d7730 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\hg.exe\" .."	hg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cd9343d50c47eda1c5088069633d7730 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\hg.exe\" .."	hg.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3.exehg.exe

description	pid	process	target process
PID 2160 set thread context of 2032	2160	486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3.exe	486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3.exe
PID 3928 set thread context of 2112	3928	hg.exe	hg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3.exehg.exe

pid	process
2160	486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3.exe
2160	486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3.exe
2160	486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3.exe
3928	hg.exe
3928	hg.exe
3928	hg.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3.exehg.exehg.exe

description	pid	process
Token: SeDebugPrivilege	2160	486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3.exe
Token: SeDebugPrivilege	3928	hg.exe
Token: SeDebugPrivilege	2112	hg.exe
Token: 33	2112	hg.exe
Token: SeIncBasePriorityPrivilege	2112	hg.exe
Token: 33	2112	hg.exe
Token: SeIncBasePriorityPrivilege	2112	hg.exe
Token: 33	2112	hg.exe
Token: SeIncBasePriorityPrivilege	2112	hg.exe
Token: 33	2112	hg.exe
Token: SeIncBasePriorityPrivilege	2112	hg.exe
Token: 33	2112	hg.exe
Token: SeIncBasePriorityPrivilege	2112	hg.exe
Token: 33	2112	hg.exe
Token: SeIncBasePriorityPrivilege	2112	hg.exe
Token: 33	2112	hg.exe
Token: SeIncBasePriorityPrivilege	2112	hg.exe
Token: 33	2112	hg.exe
Token: SeIncBasePriorityPrivilege	2112	hg.exe
Token: 33	2112	hg.exe
Token: SeIncBasePriorityPrivilege	2112	hg.exe
Token: 33	2112	hg.exe
Token: SeIncBasePriorityPrivilege	2112	hg.exe
Token: 33	2112	hg.exe
Token: SeIncBasePriorityPrivilege	2112	hg.exe
Token: 33	2112	hg.exe
Token: SeIncBasePriorityPrivilege	2112	hg.exe
Token: 33	2112	hg.exe
Token: SeIncBasePriorityPrivilege	2112	hg.exe
Token: 33	2112	hg.exe
Token: SeIncBasePriorityPrivilege	2112	hg.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3.exe486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3.exehg.exehg.exe

description	pid	process	target process
PID 2160 wrote to memory of 2032	2160	486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3.exe	486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3.exe
PID 2160 wrote to memory of 2032	2160	486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3.exe	486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3.exe
PID 2160 wrote to memory of 2032	2160	486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3.exe	486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3.exe
PID 2160 wrote to memory of 2032	2160	486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3.exe	486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3.exe
PID 2160 wrote to memory of 2032	2160	486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3.exe	486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3.exe
PID 2032 wrote to memory of 3928	2032	486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3.exe	hg.exe
PID 2032 wrote to memory of 3928	2032	486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3.exe	hg.exe
PID 2032 wrote to memory of 3928	2032	486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3.exe	hg.exe
PID 3928 wrote to memory of 2112	3928	hg.exe	hg.exe
PID 3928 wrote to memory of 2112	3928	hg.exe	hg.exe
PID 3928 wrote to memory of 2112	3928	hg.exe	hg.exe
PID 3928 wrote to memory of 2112	3928	hg.exe	hg.exe
PID 3928 wrote to memory of 2112	3928	hg.exe	hg.exe
PID 2112 wrote to memory of 3736	2112	hg.exe	netsh.exe
PID 2112 wrote to memory of 3736	2112	hg.exe	netsh.exe
PID 2112 wrote to memory of 3736	2112	hg.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3.exe
"C:\Users\Admin\AppData\Local\Temp\486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2160

C:\Users\Admin\AppData\Local\Temp\486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3.exe
C:\Users\Admin\AppData\Local\Temp\486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3.exe
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2032

C:\Users\Admin\AppData\Local\Temp\hg.exe
"C:\Users\Admin\AppData\Local\Temp\hg.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3928

C:\Users\Admin\AppData\Local\Temp\hg.exe
C:\Users\Admin\AppData\Local\Temp\hg.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2112

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\hg.exe" "hg.exe" ENABLE
5⤵
- Modifies Windows Firewall
PID:3736

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3.exe.log
Filesize
1KB

MD5
9a2d0ce437d2445330f2646472703087

SHA1
33c83e484a15f35c2caa3af62d5da6b7713a20ae

SHA256
30ea2f716e85f8d14a201e3fb0897d745a01b113342dfb7a9b7ac133c4ef150c

SHA512
a61d18d90bfad9ea8afdfa37537cfea3d5a3d0c161e323fa65840c283bdc87c3de85daaff5519beea2f2719eec1c68398eea8679b55ff733a61052f073162d5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hg.exe
Filesize
320KB

MD5
67c17d16cda6cdabd9b3e4d5bd0f9a30

SHA1
fe9d1dc96b44fae3cd06b4db3447f61bcc93262b

SHA256
486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3

SHA512
30525df3a7c45e93f77acebdfddc73bf01726725dd7f719f046c3502a002fc376e7c3c2d5db2774b151bdaa2b99549e0dbf96242d26e1ee7973678b9a3f26107

Download Submit
C:\Users\Admin\AppData\Local\Temp\hg.exe
Filesize
320KB

MD5
67c17d16cda6cdabd9b3e4d5bd0f9a30

SHA1
fe9d1dc96b44fae3cd06b4db3447f61bcc93262b

SHA256
486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3

SHA512
30525df3a7c45e93f77acebdfddc73bf01726725dd7f719f046c3502a002fc376e7c3c2d5db2774b151bdaa2b99549e0dbf96242d26e1ee7973678b9a3f26107

Download Submit
C:\Users\Admin\AppData\Local\Temp\hg.exe
Filesize
320KB

MD5
67c17d16cda6cdabd9b3e4d5bd0f9a30

SHA1
fe9d1dc96b44fae3cd06b4db3447f61bcc93262b

SHA256
486a93bc98a58d3e88d4c491c15b1ab8f331efdf8206fa0e5d4f52754abf01e3

SHA512
30525df3a7c45e93f77acebdfddc73bf01726725dd7f719f046c3502a002fc376e7c3c2d5db2774b151bdaa2b99549e0dbf96242d26e1ee7973678b9a3f26107

Download Submit
memory/2032-138-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2032-137-0x0000000000000000-mapping.dmp

Download
memory/2112-143-0x0000000000000000-mapping.dmp

Download
memory/2160-132-0x00000000008B0000-0x0000000000906000-memory.dmp

Filesize
344KB

Download
memory/2160-136-0x00000000052B0000-0x00000000052BA000-memory.dmp

Filesize
40KB

Download
memory/2160-135-0x0000000005390000-0x0000000005422000-memory.dmp

Filesize
584KB

Download
memory/2160-134-0x0000000005940000-0x0000000005EE4000-memory.dmp

Filesize
5.6MB

Download
memory/2160-133-0x00000000052F0000-0x000000000538C000-memory.dmp

Filesize
624KB

Download
memory/3736-146-0x0000000000000000-mapping.dmp

Download
memory/3928-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads