njrat | bab8b77c6c6aa926cf3eb3811ebe77706775883db759e5344e6e663bd2253b4c

Analysis

max time kernel
152s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04-10-2022 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bab8b77c6c6aa926cf3eb3811ebe77706775883db759e5344e6e663bd2253b4c.exe
Size

135KB
MD5

5545ae28ff0bebf154aef083b82850b0
SHA1

475f7df3a0fd6c97fa5b3f7847e67e259f144cb5
SHA256

bab8b77c6c6aa926cf3eb3811ebe77706775883db759e5344e6e663bd2253b4c
SHA512

a6b1ba07a7a1786625dee19d412ed27e6ba4380f89c00681e662b4162f56d46527189f8a0d4e9962875360998be1e29fb654397e2534f60b777466d585ee451f
SSDEEP

3072:2nj9jtfU+INndIc0J45iTgmygDgRrmIWdoQGq00D:2jbeiVVDgRI3GqN

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

turkmurat.no-ip.org:1604

Mutex

632188ae0b130ac89e674b99bc07ac55

Attributes

reg_key
632188ae0b130ac89e674b99bc07ac55
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 8 IoCs

Processes:

B.exeB.exeB.exeB.exeserver.exeserver.exeserver.exeserver.exe

pid process

2740 B.exe
4360 B.exe
4624 B.exe
2240 B.exe
1132 server.exe
4120 server.exe
4648 server.exe
3664 server.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

3688 netsh.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

B.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation B.exe

pid	process
2740	B.exe
4360	B.exe
4624	B.exe
2240	B.exe
1132	server.exe
4120	server.exe
4648	server.exe
3664	server.exe

pid	process
3688	netsh.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	B.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

bab8b77c6c6aa926cf3eb3811ebe77706775883db759e5344e6e663bd2253b4c.exeserver.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	bab8b77c6c6aa926cf3eb3811ebe77706775883db759e5344e6e663bd2253b4c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bab8b77c6c6aa926cf3eb3811ebe77706775883db759e5344e6e663bd2253b4c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\632188ae0b130ac89e674b99bc07ac55 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\632188ae0b130ac89e674b99bc07ac55 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

B.exeserver.exe

description pid process target process

PID 2740 set thread context of 2240 2740 B.exe B.exe
PID 1132 set thread context of 3664 1132 server.exe server.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

B.exeserver.exe

pid process

2740 B.exe
2740 B.exe
1132 server.exe
1132 server.exe

description	pid	process	target process
PID 2740 set thread context of 2240	2740	B.exe	B.exe
PID 1132 set thread context of 3664	1132	server.exe	server.exe

pid	process
2740	B.exe
2740	B.exe
1132	server.exe
1132	server.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

B.exeserver.exeserver.exe

description	pid	process
Token: SeDebugPrivilege	2740	B.exe
Token: SeDebugPrivilege	1132	server.exe
Token: SeDebugPrivilege	3664	server.exe
Token: 33	3664	server.exe
Token: SeIncBasePriorityPrivilege	3664	server.exe
Token: 33	3664	server.exe
Token: SeIncBasePriorityPrivilege	3664	server.exe
Token: 33	3664	server.exe
Token: SeIncBasePriorityPrivilege	3664	server.exe
Token: 33	3664	server.exe
Token: SeIncBasePriorityPrivilege	3664	server.exe
Token: 33	3664	server.exe
Token: SeIncBasePriorityPrivilege	3664	server.exe
Token: 33	3664	server.exe
Token: SeIncBasePriorityPrivilege	3664	server.exe
Token: 33	3664	server.exe
Token: SeIncBasePriorityPrivilege	3664	server.exe
Token: 33	3664	server.exe
Token: SeIncBasePriorityPrivilege	3664	server.exe
Token: 33	3664	server.exe
Token: SeIncBasePriorityPrivilege	3664	server.exe
Token: 33	3664	server.exe
Token: SeIncBasePriorityPrivilege	3664	server.exe
Token: 33	3664	server.exe
Token: SeIncBasePriorityPrivilege	3664	server.exe
Token: 33	3664	server.exe
Token: SeIncBasePriorityPrivilege	3664	server.exe
Token: 33	3664	server.exe
Token: SeIncBasePriorityPrivilege	3664	server.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

bab8b77c6c6aa926cf3eb3811ebe77706775883db759e5344e6e663bd2253b4c.exeB.exeB.exeserver.exeserver.exe

description	pid	process	target process
PID 5080 wrote to memory of 2740	5080	bab8b77c6c6aa926cf3eb3811ebe77706775883db759e5344e6e663bd2253b4c.exe	B.exe
PID 5080 wrote to memory of 2740	5080	bab8b77c6c6aa926cf3eb3811ebe77706775883db759e5344e6e663bd2253b4c.exe	B.exe
PID 5080 wrote to memory of 2740	5080	bab8b77c6c6aa926cf3eb3811ebe77706775883db759e5344e6e663bd2253b4c.exe	B.exe
PID 2740 wrote to memory of 4360	2740	B.exe	B.exe
PID 2740 wrote to memory of 4360	2740	B.exe	B.exe
PID 2740 wrote to memory of 4360	2740	B.exe	B.exe
PID 2740 wrote to memory of 4624	2740	B.exe	B.exe
PID 2740 wrote to memory of 4624	2740	B.exe	B.exe
PID 2740 wrote to memory of 4624	2740	B.exe	B.exe
PID 2740 wrote to memory of 2240	2740	B.exe	B.exe
PID 2740 wrote to memory of 2240	2740	B.exe	B.exe
PID 2740 wrote to memory of 2240	2740	B.exe	B.exe
PID 2740 wrote to memory of 2240	2740	B.exe	B.exe
PID 2740 wrote to memory of 2240	2740	B.exe	B.exe
PID 2740 wrote to memory of 2240	2740	B.exe	B.exe
PID 2740 wrote to memory of 2240	2740	B.exe	B.exe
PID 2740 wrote to memory of 2240	2740	B.exe	B.exe
PID 2740 wrote to memory of 2240	2740	B.exe	B.exe
PID 2240 wrote to memory of 1132	2240	B.exe	server.exe
PID 2240 wrote to memory of 1132	2240	B.exe	server.exe
PID 2240 wrote to memory of 1132	2240	B.exe	server.exe
PID 1132 wrote to memory of 4120	1132	server.exe	server.exe
PID 1132 wrote to memory of 4120	1132	server.exe	server.exe
PID 1132 wrote to memory of 4120	1132	server.exe	server.exe
PID 1132 wrote to memory of 4648	1132	server.exe	server.exe
PID 1132 wrote to memory of 4648	1132	server.exe	server.exe
PID 1132 wrote to memory of 4648	1132	server.exe	server.exe
PID 1132 wrote to memory of 3664	1132	server.exe	server.exe
PID 1132 wrote to memory of 3664	1132	server.exe	server.exe
PID 1132 wrote to memory of 3664	1132	server.exe	server.exe
PID 1132 wrote to memory of 3664	1132	server.exe	server.exe
PID 1132 wrote to memory of 3664	1132	server.exe	server.exe
PID 1132 wrote to memory of 3664	1132	server.exe	server.exe
PID 1132 wrote to memory of 3664	1132	server.exe	server.exe
PID 1132 wrote to memory of 3664	1132	server.exe	server.exe
PID 1132 wrote to memory of 3664	1132	server.exe	server.exe
PID 3664 wrote to memory of 3688	3664	server.exe	netsh.exe
PID 3664 wrote to memory of 3688	3664	server.exe	netsh.exe
PID 3664 wrote to memory of 3688	3664	server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\bab8b77c6c6aa926cf3eb3811ebe77706775883db759e5344e6e663bd2253b4c.exe
"C:\Users\Admin\AppData\Local\Temp\bab8b77c6c6aa926cf3eb3811ebe77706775883db759e5344e6e663bd2253b4c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\B.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\B.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\B.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\B.exe
    3⤵
    - Executes dropped EXE
    PID:4360
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\B.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\B.exe
    3⤵
    - Executes dropped EXE
    PID:4624
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\B.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\B.exe
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:2240
  - - C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1132
    - - C:\Users\Admin\AppData\Local\Temp\server.exe
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        5⤵
        Executes dropped EXE
        
        PID:4120
    - - C:\Users\Admin\AppData\Local\Temp\server.exe
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        5⤵
        Executes dropped EXE
        
        PID:4648
    - - C:\Users\Admin\AppData\Local\Temp\server.exe
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3664
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        
        PID:3688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\CSIDL_

Filesize
64KB

MD5
fcf8da848c845080ab04a566acd93885

SHA1
2c20c067cf7fa01f55b903bdd6f90c639d8cb344

SHA256
a23200380432574ccf72fcd4f63769bc9b700c1c0f6dda9aad88b4331a2f25e8

SHA512
b0d0d078a2f32d102f7819ac0627c893f52f94b2dc1661836b8256029e902828e5f858bc7f4ff6189c2a2e28a9b1914c31cbbfda6105109c645e56ecae83376c

Download Submit
C:\Users\Admin\AppData\Local\CSIDL_X

Filesize
64KB

MD5
fcf8da848c845080ab04a566acd93885

SHA1
2c20c067cf7fa01f55b903bdd6f90c639d8cb344

SHA256
a23200380432574ccf72fcd4f63769bc9b700c1c0f6dda9aad88b4331a2f25e8

SHA512
b0d0d078a2f32d102f7819ac0627c893f52f94b2dc1661836b8256029e902828e5f858bc7f4ff6189c2a2e28a9b1914c31cbbfda6105109c645e56ecae83376c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\B.ex_

Filesize
64KB

MD5
fcf8da848c845080ab04a566acd93885

SHA1
2c20c067cf7fa01f55b903bdd6f90c639d8cb344

SHA256
a23200380432574ccf72fcd4f63769bc9b700c1c0f6dda9aad88b4331a2f25e8

SHA512
b0d0d078a2f32d102f7819ac0627c893f52f94b2dc1661836b8256029e902828e5f858bc7f4ff6189c2a2e28a9b1914c31cbbfda6105109c645e56ecae83376c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\B.exe

Filesize
32KB

MD5
7beafd70412d229ad4dae8ce293e0e4d

SHA1
76c919ff14a4cd2b1f03688063f713679f6d0395

SHA256
b492b86e80c8a03d837d7021d18d833f3c870cffb7b67de61574d7e2e4267ffb

SHA512
2b4bb48b4283ab49af2cb13295273ffb2f21713840d9d23c8bde3cc5c1cf26c4b5b761c4a68bc6abf8250b12981b2bf5202872849ba2968181c42b9a998a82d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\B.exe

Filesize
32KB

MD5
7beafd70412d229ad4dae8ce293e0e4d

SHA1
76c919ff14a4cd2b1f03688063f713679f6d0395

SHA256
b492b86e80c8a03d837d7021d18d833f3c870cffb7b67de61574d7e2e4267ffb

SHA512
2b4bb48b4283ab49af2cb13295273ffb2f21713840d9d23c8bde3cc5c1cf26c4b5b761c4a68bc6abf8250b12981b2bf5202872849ba2968181c42b9a998a82d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\B.exe

Filesize
32KB

MD5
7beafd70412d229ad4dae8ce293e0e4d

SHA1
76c919ff14a4cd2b1f03688063f713679f6d0395

SHA256
b492b86e80c8a03d837d7021d18d833f3c870cffb7b67de61574d7e2e4267ffb

SHA512
2b4bb48b4283ab49af2cb13295273ffb2f21713840d9d23c8bde3cc5c1cf26c4b5b761c4a68bc6abf8250b12981b2bf5202872849ba2968181c42b9a998a82d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\B.exe

Filesize
32KB

MD5
7beafd70412d229ad4dae8ce293e0e4d

SHA1
76c919ff14a4cd2b1f03688063f713679f6d0395

SHA256
b492b86e80c8a03d837d7021d18d833f3c870cffb7b67de61574d7e2e4267ffb

SHA512
2b4bb48b4283ab49af2cb13295273ffb2f21713840d9d23c8bde3cc5c1cf26c4b5b761c4a68bc6abf8250b12981b2bf5202872849ba2968181c42b9a998a82d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\B.exe

Filesize
32KB

MD5
7beafd70412d229ad4dae8ce293e0e4d

SHA1
76c919ff14a4cd2b1f03688063f713679f6d0395

SHA256
b492b86e80c8a03d837d7021d18d833f3c870cffb7b67de61574d7e2e4267ffb

SHA512
2b4bb48b4283ab49af2cb13295273ffb2f21713840d9d23c8bde3cc5c1cf26c4b5b761c4a68bc6abf8250b12981b2bf5202872849ba2968181c42b9a998a82d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
32KB

MD5
7beafd70412d229ad4dae8ce293e0e4d

SHA1
76c919ff14a4cd2b1f03688063f713679f6d0395

SHA256
b492b86e80c8a03d837d7021d18d833f3c870cffb7b67de61574d7e2e4267ffb

SHA512
2b4bb48b4283ab49af2cb13295273ffb2f21713840d9d23c8bde3cc5c1cf26c4b5b761c4a68bc6abf8250b12981b2bf5202872849ba2968181c42b9a998a82d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
32KB

MD5
7beafd70412d229ad4dae8ce293e0e4d

SHA1
76c919ff14a4cd2b1f03688063f713679f6d0395

SHA256
b492b86e80c8a03d837d7021d18d833f3c870cffb7b67de61574d7e2e4267ffb

SHA512
2b4bb48b4283ab49af2cb13295273ffb2f21713840d9d23c8bde3cc5c1cf26c4b5b761c4a68bc6abf8250b12981b2bf5202872849ba2968181c42b9a998a82d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
32KB

MD5
7beafd70412d229ad4dae8ce293e0e4d

SHA1
76c919ff14a4cd2b1f03688063f713679f6d0395

SHA256
b492b86e80c8a03d837d7021d18d833f3c870cffb7b67de61574d7e2e4267ffb

SHA512
2b4bb48b4283ab49af2cb13295273ffb2f21713840d9d23c8bde3cc5c1cf26c4b5b761c4a68bc6abf8250b12981b2bf5202872849ba2968181c42b9a998a82d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
32KB

MD5
7beafd70412d229ad4dae8ce293e0e4d

SHA1
76c919ff14a4cd2b1f03688063f713679f6d0395

SHA256
b492b86e80c8a03d837d7021d18d833f3c870cffb7b67de61574d7e2e4267ffb

SHA512
2b4bb48b4283ab49af2cb13295273ffb2f21713840d9d23c8bde3cc5c1cf26c4b5b761c4a68bc6abf8250b12981b2bf5202872849ba2968181c42b9a998a82d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
32KB

MD5
7beafd70412d229ad4dae8ce293e0e4d

SHA1
76c919ff14a4cd2b1f03688063f713679f6d0395

SHA256
b492b86e80c8a03d837d7021d18d833f3c870cffb7b67de61574d7e2e4267ffb

SHA512
2b4bb48b4283ab49af2cb13295273ffb2f21713840d9d23c8bde3cc5c1cf26c4b5b761c4a68bc6abf8250b12981b2bf5202872849ba2968181c42b9a998a82d7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startupx\system.pif

Filesize
32KB

MD5
7beafd70412d229ad4dae8ce293e0e4d

SHA1
76c919ff14a4cd2b1f03688063f713679f6d0395

SHA256
b492b86e80c8a03d837d7021d18d833f3c870cffb7b67de61574d7e2e4267ffb

SHA512
2b4bb48b4283ab49af2cb13295273ffb2f21713840d9d23c8bde3cc5c1cf26c4b5b761c4a68bc6abf8250b12981b2bf5202872849ba2968181c42b9a998a82d7

Download Submit
memory/1132-147-0x0000000000000000-mapping.dmp

Download
memory/1132-164-0x0000000074660000-0x0000000074C11000-memory.dmp

Filesize
5.7MB

Download
memory/1132-162-0x0000000074660000-0x0000000074C11000-memory.dmp

Filesize
5.7MB

Download
memory/1132-161-0x00000000053F0000-0x00000000058BE000-memory.dmp

Filesize
4.8MB

Download
memory/2240-142-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2240-146-0x0000000074660000-0x0000000074C11000-memory.dmp

Filesize
5.7MB

Download
memory/2240-150-0x0000000074660000-0x0000000074C11000-memory.dmp

Filesize
5.7MB

Download
memory/2240-141-0x0000000000000000-mapping.dmp

Download
memory/2740-144-0x0000000074660000-0x0000000074C11000-memory.dmp

Filesize
5.7MB

Download
memory/2740-145-0x0000000005940000-0x0000000005944000-memory.dmp

Filesize
16KB

Download
memory/2740-135-0x0000000074660000-0x0000000074C11000-memory.dmp

Filesize
5.7MB

Download
memory/2740-132-0x0000000000000000-mapping.dmp

Download
memory/3664-158-0x0000000000000000-mapping.dmp

Download
memory/3664-163-0x0000000074660000-0x0000000074C11000-memory.dmp

Filesize
5.7MB

Download
memory/3664-166-0x0000000074660000-0x0000000074C11000-memory.dmp

Filesize
5.7MB

Download
memory/3688-165-0x0000000000000000-mapping.dmp

Download
memory/4120-154-0x0000000000000000-mapping.dmp

Download
memory/4360-137-0x0000000000000000-mapping.dmp

Download
memory/4624-139-0x0000000000000000-mapping.dmp

Download
memory/4648-156-0x0000000000000000-mapping.dmp

Download