njrat | 844332bb0ce186ebc99222299600233f8d666cb07a29cbb6ed8b892cb2cad1a2

General

Target

844332bb0ce186ebc99222299600233f8d666cb07a29cbb6ed8b892cb2cad1a2.exe
Size

44KB
MD5

153dcd0e625490624c25349d8f533d40
SHA1

cd1e2d8447dc62011af02b4f2cc62c3fef974bde
SHA256

844332bb0ce186ebc99222299600233f8d666cb07a29cbb6ed8b892cb2cad1a2
SHA512

4573d2ec1837d6eceefd43db04622312ab21b985a14e025a48da94b7958e22f9f1c1ba17fa1bc6ca8fd1bab0f64c308e1c9d5a101687752cce44d1c0211c4b33
SSDEEP

768:fgGwN4wX8gcuYfm5njMxGaxEv6ZiRIcHe9yWOF6:ox6MYf0QGYESpj7OM

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

dodo654.no-ip.biz:2015

Mutex

d2c6385919c8311aa256fd6debafb1b2

Attributes

reg_key
d2c6385919c8311aa256fd6debafb1b2
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 2 IoCs

pid	Process
4644	server.exe
3836	server.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
4428	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	844332bb0ce186ebc99222299600233f8d666cb07a29cbb6ed8b892cb2cad1a2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d2c6385919c8311aa256fd6debafb1b2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\d2c6385919c8311aa256fd6debafb1b2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3888 set thread context of 4964	3888	844332bb0ce186ebc99222299600233f8d666cb07a29cbb6ed8b892cb2cad1a2.exe	89
PID 4644 set thread context of 3836	4644	server.exe	91

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	3888	844332bb0ce186ebc99222299600233f8d666cb07a29cbb6ed8b892cb2cad1a2.exe
Token: SeDebugPrivilege	4644	server.exe
Token: SeDebugPrivilege	3836	server.exe
Token: 33	3836	server.exe
Token: SeIncBasePriorityPrivilege	3836	server.exe
Token: 33	3836	server.exe
Token: SeIncBasePriorityPrivilege	3836	server.exe
Token: 33	3836	server.exe
Token: SeIncBasePriorityPrivilege	3836	server.exe
Token: 33	3836	server.exe
Token: SeIncBasePriorityPrivilege	3836	server.exe
Token: 33	3836	server.exe
Token: SeIncBasePriorityPrivilege	3836	server.exe
Token: 33	3836	server.exe
Token: SeIncBasePriorityPrivilege	3836	server.exe
Token: 33	3836	server.exe
Token: SeIncBasePriorityPrivilege	3836	server.exe
Token: 33	3836	server.exe
Token: SeIncBasePriorityPrivilege	3836	server.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3888 wrote to memory of 4964	3888	844332bb0ce186ebc99222299600233f8d666cb07a29cbb6ed8b892cb2cad1a2.exe	89
PID 3888 wrote to memory of 4964	3888	844332bb0ce186ebc99222299600233f8d666cb07a29cbb6ed8b892cb2cad1a2.exe	89
PID 3888 wrote to memory of 4964	3888	844332bb0ce186ebc99222299600233f8d666cb07a29cbb6ed8b892cb2cad1a2.exe	89
PID 3888 wrote to memory of 4964	3888	844332bb0ce186ebc99222299600233f8d666cb07a29cbb6ed8b892cb2cad1a2.exe	89
PID 3888 wrote to memory of 4964	3888	844332bb0ce186ebc99222299600233f8d666cb07a29cbb6ed8b892cb2cad1a2.exe	89
PID 3888 wrote to memory of 4964	3888	844332bb0ce186ebc99222299600233f8d666cb07a29cbb6ed8b892cb2cad1a2.exe	89
PID 3888 wrote to memory of 4964	3888	844332bb0ce186ebc99222299600233f8d666cb07a29cbb6ed8b892cb2cad1a2.exe	89
PID 3888 wrote to memory of 4964	3888	844332bb0ce186ebc99222299600233f8d666cb07a29cbb6ed8b892cb2cad1a2.exe	89
PID 4964 wrote to memory of 4644	4964	844332bb0ce186ebc99222299600233f8d666cb07a29cbb6ed8b892cb2cad1a2.exe	90
PID 4964 wrote to memory of 4644	4964	844332bb0ce186ebc99222299600233f8d666cb07a29cbb6ed8b892cb2cad1a2.exe	90
PID 4964 wrote to memory of 4644	4964	844332bb0ce186ebc99222299600233f8d666cb07a29cbb6ed8b892cb2cad1a2.exe	90
PID 4644 wrote to memory of 3836	4644	server.exe	91
PID 4644 wrote to memory of 3836	4644	server.exe	91
PID 4644 wrote to memory of 3836	4644	server.exe	91
PID 4644 wrote to memory of 3836	4644	server.exe	91
PID 4644 wrote to memory of 3836	4644	server.exe	91
PID 4644 wrote to memory of 3836	4644	server.exe	91
PID 4644 wrote to memory of 3836	4644	server.exe	91
PID 4644 wrote to memory of 3836	4644	server.exe	91
PID 3836 wrote to memory of 4428	3836	server.exe	92
PID 3836 wrote to memory of 4428	3836	server.exe	92
PID 3836 wrote to memory of 4428	3836	server.exe	92

C:\Users\Admin\AppData\Local\Temp\844332bb0ce186ebc99222299600233f8d666cb07a29cbb6ed8b892cb2cad1a2.exe
"C:\Users\Admin\AppData\Local\Temp\844332bb0ce186ebc99222299600233f8d666cb07a29cbb6ed8b892cb2cad1a2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3888
- C:\Users\Admin\AppData\Local\Temp\844332bb0ce186ebc99222299600233f8d666cb07a29cbb6ed8b892cb2cad1a2.exe
  C:\Users\Admin\AppData\Local\Temp\844332bb0ce186ebc99222299600233f8d666cb07a29cbb6ed8b892cb2cad1a2.exe
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Users\Admin\AppData\Local\Temp\server.exe
    "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4644
  - - C:\Users\Admin\AppData\Local\Temp\server.exe
      C:\Users\Admin\AppData\Local\Temp\server.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3836
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:4428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\844332bb0ce186ebc99222299600233f8d666cb07a29cbb6ed8b892cb2cad1a2.exe.log

Filesize
224B

MD5
c19eb8c8e7a40e6b987f9d2ee952996e

SHA1
6fc3049855bc9100643e162511673c6df0f28bfb

SHA256
677e9e30350df17e2bc20fa9f7d730e9f7cc6e870d6520a345f5f7dc5b31f58a

SHA512
860713b4a787c2189ed12a47d4b68b60ac00c7a253cae52dd4eb9276dacafeae3a81906b6d0742c8ecfdfaa255777c445beb7c2a532f3c677a9903237ac97596

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\server.exe.log

Filesize
224B

MD5
c19eb8c8e7a40e6b987f9d2ee952996e

SHA1
6fc3049855bc9100643e162511673c6df0f28bfb

SHA256
677e9e30350df17e2bc20fa9f7d730e9f7cc6e870d6520a345f5f7dc5b31f58a

SHA512
860713b4a787c2189ed12a47d4b68b60ac00c7a253cae52dd4eb9276dacafeae3a81906b6d0742c8ecfdfaa255777c445beb7c2a532f3c677a9903237ac97596

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
44KB

MD5
153dcd0e625490624c25349d8f533d40

SHA1
cd1e2d8447dc62011af02b4f2cc62c3fef974bde

SHA256
844332bb0ce186ebc99222299600233f8d666cb07a29cbb6ed8b892cb2cad1a2

SHA512
4573d2ec1837d6eceefd43db04622312ab21b985a14e025a48da94b7958e22f9f1c1ba17fa1bc6ca8fd1bab0f64c308e1c9d5a101687752cce44d1c0211c4b33

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
44KB

MD5
153dcd0e625490624c25349d8f533d40

SHA1
cd1e2d8447dc62011af02b4f2cc62c3fef974bde

SHA256
844332bb0ce186ebc99222299600233f8d666cb07a29cbb6ed8b892cb2cad1a2

SHA512
4573d2ec1837d6eceefd43db04622312ab21b985a14e025a48da94b7958e22f9f1c1ba17fa1bc6ca8fd1bab0f64c308e1c9d5a101687752cce44d1c0211c4b33

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
44KB

MD5
153dcd0e625490624c25349d8f533d40

SHA1
cd1e2d8447dc62011af02b4f2cc62c3fef974bde

SHA256
844332bb0ce186ebc99222299600233f8d666cb07a29cbb6ed8b892cb2cad1a2

SHA512
4573d2ec1837d6eceefd43db04622312ab21b985a14e025a48da94b7958e22f9f1c1ba17fa1bc6ca8fd1bab0f64c308e1c9d5a101687752cce44d1c0211c4b33

Download Submit
memory/3836-153-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/3836-151-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/3888-137-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/3888-133-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/3888-132-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/4644-150-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/4644-145-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/4644-144-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/4964-143-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/4964-135-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4964-136-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/4964-138-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing