njrat | 5ae4bcbe93194d56a314afcf41d3c1ed96338bcd9a0d26d503d0f971bd519191

General

Target

5ae4bcbe93194d56a314afcf41d3c1ed96338bcd9a0d26d503d0f971bd519191.exe
Size

29KB
MD5

42069907e8aea8dcff5427a86e729620
SHA1

ecd9f062e6f56145b9355c78ad4e8a162168ca09
SHA256

5ae4bcbe93194d56a314afcf41d3c1ed96338bcd9a0d26d503d0f971bd519191
SHA512

83fb3ecc301a664d058a2bb39dc21b3e504ef6fb406cc1676e0c90368ec7a7807e5eeef6ea40832af3893f80c37c7f51c2acecb680132b29c623fb647bfd507a
SSDEEP

768:L+7hoKoGJFNK4Aq1RehBKh0p29SgR4bAs:K7hdKPg6KhG29j4bAs

Score

10^/10

njrat chrome evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

chrome

C2

127.0.0.1:1177

Mutex

d5a38e9b5f206c41f8851bf04a251d26

Attributes

reg_key
d5a38e9b5f206c41f8851bf04a251d26
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

chrome.exe

pid process

1752 chrome.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1512 netsh.exe

pid	process
1512	netsh.exe

Drops startup file 2 IoCs

Processes:

chrome.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d5a38e9b5f206c41f8851bf04a251d26.exe	chrome.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d5a38e9b5f206c41f8851bf04a251d26.exe	chrome.exe

Loads dropped DLL 1 IoCs

Processes:

5ae4bcbe93194d56a314afcf41d3c1ed96338bcd9a0d26d503d0f971bd519191.exe

pid process

1764 5ae4bcbe93194d56a314afcf41d3c1ed96338bcd9a0d26d503d0f971bd519191.exe

pid	process
1764	5ae4bcbe93194d56a314afcf41d3c1ed96338bcd9a0d26d503d0f971bd519191.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

chrome.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\d5a38e9b5f206c41f8851bf04a251d26 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\chrome.exe\" .."	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\d5a38e9b5f206c41f8851bf04a251d26 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\chrome.exe\" .."	chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

chrome.exe

pid	process
1752	chrome.exe
1752	chrome.exe
1752	chrome.exe
1752	chrome.exe
1752	chrome.exe
1752	chrome.exe
1752	chrome.exe
1752	chrome.exe
1752	chrome.exe
1752	chrome.exe
1752	chrome.exe
1752	chrome.exe
1752	chrome.exe
1752	chrome.exe
1752	chrome.exe
1752	chrome.exe
1752	chrome.exe
1752	chrome.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

chrome.exe

description pid process

Token: SeDebugPrivilege 1752 chrome.exe

description	pid	process
Token: SeDebugPrivilege	1752	chrome.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

5ae4bcbe93194d56a314afcf41d3c1ed96338bcd9a0d26d503d0f971bd519191.exechrome.exe

description	pid	process	target process
PID 1764 wrote to memory of 1752	1764	5ae4bcbe93194d56a314afcf41d3c1ed96338bcd9a0d26d503d0f971bd519191.exe	chrome.exe
PID 1764 wrote to memory of 1752	1764	5ae4bcbe93194d56a314afcf41d3c1ed96338bcd9a0d26d503d0f971bd519191.exe	chrome.exe
PID 1764 wrote to memory of 1752	1764	5ae4bcbe93194d56a314afcf41d3c1ed96338bcd9a0d26d503d0f971bd519191.exe	chrome.exe
PID 1764 wrote to memory of 1752	1764	5ae4bcbe93194d56a314afcf41d3c1ed96338bcd9a0d26d503d0f971bd519191.exe	chrome.exe
PID 1752 wrote to memory of 1512	1752	chrome.exe	netsh.exe
PID 1752 wrote to memory of 1512	1752	chrome.exe	netsh.exe
PID 1752 wrote to memory of 1512	1752	chrome.exe	netsh.exe
PID 1752 wrote to memory of 1512	1752	chrome.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\5ae4bcbe93194d56a314afcf41d3c1ed96338bcd9a0d26d503d0f971bd519191.exe
"C:\Users\Admin\AppData\Local\Temp\5ae4bcbe93194d56a314afcf41d3c1ed96338bcd9a0d26d503d0f971bd519191.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1764

C:\Users\Admin\AppData\Local\Temp\chrome.exe
"C:\Users\Admin\AppData\Local\Temp\chrome.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\chrome.exe" "chrome.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:1512

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\chrome.exe
Filesize
29KB

MD5
42069907e8aea8dcff5427a86e729620

SHA1
ecd9f062e6f56145b9355c78ad4e8a162168ca09

SHA256
5ae4bcbe93194d56a314afcf41d3c1ed96338bcd9a0d26d503d0f971bd519191

SHA512
83fb3ecc301a664d058a2bb39dc21b3e504ef6fb406cc1676e0c90368ec7a7807e5eeef6ea40832af3893f80c37c7f51c2acecb680132b29c623fb647bfd507a

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome.exe
Filesize
29KB

MD5
42069907e8aea8dcff5427a86e729620

SHA1
ecd9f062e6f56145b9355c78ad4e8a162168ca09

SHA256
5ae4bcbe93194d56a314afcf41d3c1ed96338bcd9a0d26d503d0f971bd519191

SHA512
83fb3ecc301a664d058a2bb39dc21b3e504ef6fb406cc1676e0c90368ec7a7807e5eeef6ea40832af3893f80c37c7f51c2acecb680132b29c623fb647bfd507a

Download Submit
\Users\Admin\AppData\Local\Temp\chrome.exe
Filesize
29KB

MD5
42069907e8aea8dcff5427a86e729620

SHA1
ecd9f062e6f56145b9355c78ad4e8a162168ca09

SHA256
5ae4bcbe93194d56a314afcf41d3c1ed96338bcd9a0d26d503d0f971bd519191

SHA512
83fb3ecc301a664d058a2bb39dc21b3e504ef6fb406cc1676e0c90368ec7a7807e5eeef6ea40832af3893f80c37c7f51c2acecb680132b29c623fb647bfd507a

Download Submit
memory/1512-62-0x0000000000000000-mapping.dmp

Download
memory/1752-57-0x0000000000000000-mapping.dmp

Download
memory/1752-64-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download
memory/1752-65-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download
memory/1764-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download
memory/1764-55-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download
memory/1764-61-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads