njrat | b69851b891452d0f3480538d1845afd0e6882414fe7fe429c6bfd028e1ca2408

General

Target

b69851b891452d0f3480538d1845afd0e6882414fe7fe429c6bfd028e1ca2408.exe
Size

714KB
MD5

631389d4701eddc61f6ae00662862840
SHA1

e58f715f156dd6d370d00ede130916dac4970eb1
SHA256

b69851b891452d0f3480538d1845afd0e6882414fe7fe429c6bfd028e1ca2408
SHA512

ff71a4b7f29767ff8d32fc028495cb0c926201c784bae4cfa1b73b37eecfe6527377910fb41ca4968c61ed97c6023c806704ea9a401441c48eeb4647229e926b
SSDEEP

3072:VZaoTmaIsQ1azxNhCXf/l8cKTVwNU/eQSKqwpb289TkF/YyOQKcEcF8U41DLZ:qaIdMCX6c2a4lL

Score

10^/10

njrat zapto evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

zapto

C2

winupdat.zapto.org:1177

Mutex

247bc9bdf83cf5427d52fe8aceea6eef

Attributes

reg_key
247bc9bdf83cf5427d52fe8aceea6eef
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 2 IoCs

pid	Process
1348	LocaldDiJzyFqHz.exe
1876	winupdat.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1584	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\247bc9bdf83cf5427d52fe8aceea6eef.exe	winupdat.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\247bc9bdf83cf5427d52fe8aceea6eef.exe	winupdat.exe

Loads dropped DLL 2 IoCs

pid	Process
1884	b69851b891452d0f3480538d1845afd0e6882414fe7fe429c6bfd028e1ca2408.exe
1348	LocaldDiJzyFqHz.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\247bc9bdf83cf5427d52fe8aceea6eef = "\"C:\\Users\\Admin\\AppData\\Roaming\\winupdat.exe\" .."	winupdat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\247bc9bdf83cf5427d52fe8aceea6eef = "\"C:\\Users\\Admin\\AppData\\Roaming\\winupdat.exe\" .."	winupdat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aRDQkwwu2LiP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aNBqvzoOK0m.exe"	b69851b891452d0f3480538d1845afd0e6882414fe7fe429c6bfd028e1ca2408.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1280 set thread context of 1884	1280	b69851b891452d0f3480538d1845afd0e6882414fe7fe429c6bfd028e1ca2408.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
1280	b69851b891452d0f3480538d1845afd0e6882414fe7fe429c6bfd028e1ca2408.exe
1280	b69851b891452d0f3480538d1845afd0e6882414fe7fe429c6bfd028e1ca2408.exe
1280	b69851b891452d0f3480538d1845afd0e6882414fe7fe429c6bfd028e1ca2408.exe
1876	winupdat.exe
1876	winupdat.exe
1876	winupdat.exe
1876	winupdat.exe
1876	winupdat.exe
1876	winupdat.exe
1876	winupdat.exe
1876	winupdat.exe
1876	winupdat.exe
1876	winupdat.exe
1876	winupdat.exe
1876	winupdat.exe
1876	winupdat.exe
1876	winupdat.exe
1876	winupdat.exe
1876	winupdat.exe
1876	winupdat.exe
1876	winupdat.exe
1876	winupdat.exe
1876	winupdat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1280	b69851b891452d0f3480538d1845afd0e6882414fe7fe429c6bfd028e1ca2408.exe
Token: SeDebugPrivilege	1876	winupdat.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
960	DllHost.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 1884	1280	b69851b891452d0f3480538d1845afd0e6882414fe7fe429c6bfd028e1ca2408.exe	28
PID 1280 wrote to memory of 1884	1280	b69851b891452d0f3480538d1845afd0e6882414fe7fe429c6bfd028e1ca2408.exe	28
PID 1280 wrote to memory of 1884	1280	b69851b891452d0f3480538d1845afd0e6882414fe7fe429c6bfd028e1ca2408.exe	28
PID 1280 wrote to memory of 1884	1280	b69851b891452d0f3480538d1845afd0e6882414fe7fe429c6bfd028e1ca2408.exe	28
PID 1280 wrote to memory of 1884	1280	b69851b891452d0f3480538d1845afd0e6882414fe7fe429c6bfd028e1ca2408.exe	28
PID 1280 wrote to memory of 1884	1280	b69851b891452d0f3480538d1845afd0e6882414fe7fe429c6bfd028e1ca2408.exe	28
PID 1884 wrote to memory of 1348	1884	b69851b891452d0f3480538d1845afd0e6882414fe7fe429c6bfd028e1ca2408.exe	29
PID 1884 wrote to memory of 1348	1884	b69851b891452d0f3480538d1845afd0e6882414fe7fe429c6bfd028e1ca2408.exe	29
PID 1884 wrote to memory of 1348	1884	b69851b891452d0f3480538d1845afd0e6882414fe7fe429c6bfd028e1ca2408.exe	29
PID 1884 wrote to memory of 1348	1884	b69851b891452d0f3480538d1845afd0e6882414fe7fe429c6bfd028e1ca2408.exe	29
PID 1348 wrote to memory of 1876	1348	LocaldDiJzyFqHz.exe	31
PID 1348 wrote to memory of 1876	1348	LocaldDiJzyFqHz.exe	31
PID 1348 wrote to memory of 1876	1348	LocaldDiJzyFqHz.exe	31
PID 1348 wrote to memory of 1876	1348	LocaldDiJzyFqHz.exe	31
PID 1876 wrote to memory of 1584	1876	winupdat.exe	32
PID 1876 wrote to memory of 1584	1876	winupdat.exe	32
PID 1876 wrote to memory of 1584	1876	winupdat.exe	32
PID 1876 wrote to memory of 1584	1876	winupdat.exe	32

C:\Users\Admin\AppData\Local\Temp\b69851b891452d0f3480538d1845afd0e6882414fe7fe429c6bfd028e1ca2408.exe
"C:\Users\Admin\AppData\Local\Temp\b69851b891452d0f3480538d1845afd0e6882414fe7fe429c6bfd028e1ca2408.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Users\Admin\AppData\Local\Temp\b69851b891452d0f3480538d1845afd0e6882414fe7fe429c6bfd028e1ca2408.exe
  C:\Users\Admin\AppData\Local\Temp\b69851b891452d0f3480538d1845afd0e6882414fe7fe429c6bfd028e1ca2408.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Users\Admin\AppData\LocaldDiJzyFqHz.exe
    "C:\Users\Admin\AppData\LocaldDiJzyFqHz.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1348
  - - C:\Users\Admin\AppData\Roaming\winupdat.exe
      "C:\Users\Admin\AppData\Roaming\winupdat.exe"
      4⤵
      Executes dropped EXE
      Drops startup file
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1876
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\winupdat.exe" "winupdat.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:1584

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocaldDiJzyFqHz.exe

Filesize
29KB

MD5
46515bf00ca454e16f7f57dfbdab4714

SHA1
b71514e3d80b19e838136db062be443bfc888d1a

SHA256
5dbb35a3d0ac54679cd11497d1f278fce76b70217a1f69e7de3e81ecce3451a2

SHA512
3ede236857157bc7839aa088f19d5357ea65a23454389cf16508979507aec20bbf480159939a7c33efb1a8ce697c6c8f7f31378940539219de104ae05c5f8822

Download Submit
C:\Users\Admin\AppData\LocaldDiJzyFqHz.exe

Filesize
29KB

MD5
46515bf00ca454e16f7f57dfbdab4714

SHA1
b71514e3d80b19e838136db062be443bfc888d1a

SHA256
5dbb35a3d0ac54679cd11497d1f278fce76b70217a1f69e7de3e81ecce3451a2

SHA512
3ede236857157bc7839aa088f19d5357ea65a23454389cf16508979507aec20bbf480159939a7c33efb1a8ce697c6c8f7f31378940539219de104ae05c5f8822

Download Submit
C:\Users\Admin\AppData\LocalwNdsMabYLC.jpg

Filesize
22KB

MD5
3ff7d135d8d321f1a6532eaf4f784759

SHA1
8971d545177bd6506db798b61dd35d5e1a9e6c1a

SHA256
b4168868cff3ee26ae1c9931de87217f8f538a17c06b78d30080bac7b53b44ed

SHA512
1e59d7e77b1c6e08de632eaa45aa0fdfa162d8eef61d8e29b99c025cf64f44e8a14e816e03fb202ee1851caf8d80c51d2677aa68fdba2607b2688f8709ab88ff

Download Submit
C:\Users\Admin\AppData\Roaming\winupdat.exe

Filesize
29KB

MD5
46515bf00ca454e16f7f57dfbdab4714

SHA1
b71514e3d80b19e838136db062be443bfc888d1a

SHA256
5dbb35a3d0ac54679cd11497d1f278fce76b70217a1f69e7de3e81ecce3451a2

SHA512
3ede236857157bc7839aa088f19d5357ea65a23454389cf16508979507aec20bbf480159939a7c33efb1a8ce697c6c8f7f31378940539219de104ae05c5f8822

Download Submit
C:\Users\Admin\AppData\Roaming\winupdat.exe

Filesize
29KB

MD5
46515bf00ca454e16f7f57dfbdab4714

SHA1
b71514e3d80b19e838136db062be443bfc888d1a

SHA256
5dbb35a3d0ac54679cd11497d1f278fce76b70217a1f69e7de3e81ecce3451a2

SHA512
3ede236857157bc7839aa088f19d5357ea65a23454389cf16508979507aec20bbf480159939a7c33efb1a8ce697c6c8f7f31378940539219de104ae05c5f8822

Download Submit
\Users\Admin\AppData\LocaldDiJzyFqHz.exe

Filesize
29KB

MD5
46515bf00ca454e16f7f57dfbdab4714

SHA1
b71514e3d80b19e838136db062be443bfc888d1a

SHA256
5dbb35a3d0ac54679cd11497d1f278fce76b70217a1f69e7de3e81ecce3451a2

SHA512
3ede236857157bc7839aa088f19d5357ea65a23454389cf16508979507aec20bbf480159939a7c33efb1a8ce697c6c8f7f31378940539219de104ae05c5f8822

Download Submit
\Users\Admin\AppData\Roaming\winupdat.exe

Filesize
29KB

MD5
46515bf00ca454e16f7f57dfbdab4714

SHA1
b71514e3d80b19e838136db062be443bfc888d1a

SHA256
5dbb35a3d0ac54679cd11497d1f278fce76b70217a1f69e7de3e81ecce3451a2

SHA512
3ede236857157bc7839aa088f19d5357ea65a23454389cf16508979507aec20bbf480159939a7c33efb1a8ce697c6c8f7f31378940539219de104ae05c5f8822

Download Submit
memory/1280-55-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download
memory/1280-56-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download
memory/1280-81-0x0000000004865000-0x0000000004876000-memory.dmp

Filesize
68KB

Download
memory/1280-77-0x0000000004865000-0x0000000004876000-memory.dmp

Filesize
68KB

Download
memory/1280-54-0x0000000000A40000-0x0000000000AF8000-memory.dmp

Filesize
736KB

Download
memory/1348-75-0x000000006F3D0000-0x000000006F97B000-memory.dmp

Filesize
5.7MB

Download
memory/1876-78-0x000000006F3D0000-0x000000006F97B000-memory.dmp

Filesize
5.7MB

Download
memory/1876-82-0x000000006F3D0000-0x000000006F97B000-memory.dmp

Filesize
5.7MB

Download
memory/1884-62-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1884-60-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1884-57-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing