njrat | 2e9f3938406a55b2c4d7f260df0bcc1bd4824d762a6864332c2ab40256cdeb44

Analysis

max time kernel
190s
max time network
99s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
13-10-2022 23:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e9f3938406a55b2c4d7f260df0bcc1bd4824d762a6864332c2ab40256cdeb44.exe
Size

265KB
MD5

651d5e0fa9831d092405b3ba6df39630
SHA1

520b5f8065faf48f5be9cd12b6790a5d08f24a30
SHA256

2e9f3938406a55b2c4d7f260df0bcc1bd4824d762a6864332c2ab40256cdeb44
SHA512

2b27f11458d71210cd119eb879ec5280a5711bb379c9d8eb28d39892ed007c2f0e92dcb18234b581111a81abd2c1ceb98cccac6bf15b57bef784b237c7e2507f
SSDEEP

6144:lz+92mhAMJ/cPl3it8jT1cACTfgjdkA3Hj+6iTHpK1MiIa+HzS:lK2mhAMJ/cPlAK1kfgjdkA30K1MigH+

Score

10^/10

njrat h evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

tmeemwtr68.no-ip.biz:1168

Mutex

8fec47ea2031d7c684beb0d0a36361b8

Attributes

reg_key
8fec47ea2031d7c684beb0d0a36361b8
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 4 IoCs

Processes:

2.2.exe2.2.exewinlogon.exewinlogon.exe

pid process

1972 2.2.exe
1316 2.2.exe
1956 winlogon.exe
1776 winlogon.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1896 netsh.exe
Loads dropped DLL 2 IoCs

Processes:

2.2.exewinlogon.exe

pid process

1316 2.2.exe
1956 winlogon.exe

pid	process
1972	2.2.exe
1316	2.2.exe
1956	winlogon.exe
1776	winlogon.exe

pid	process
1896	netsh.exe

pid	process
1316	2.2.exe
1956	winlogon.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

winlogon.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\8fec47ea2031d7c684beb0d0a36361b8 = "\"C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe\" .."	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\8fec47ea2031d7c684beb0d0a36361b8 = "\"C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe\" .."	winlogon.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

2.2.exewinlogon.exe

description	pid	process	target process
PID 1972 set thread context of 1316	1972	2.2.exe	2.2.exe
PID 1956 set thread context of 1776	1956	winlogon.exe	winlogon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

winlogon.exe

pid	process
1776	winlogon.exe
1776	winlogon.exe
1776	winlogon.exe
1776	winlogon.exe
1776	winlogon.exe
1776	winlogon.exe
1776	winlogon.exe
1776	winlogon.exe
1776	winlogon.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

2.2.exewinlogon.exewinlogon.exe

description pid process

Token: SeDebugPrivilege 1972 2.2.exe
Token: SeDebugPrivilege 1956 winlogon.exe
Token: SeDebugPrivilege 1776 winlogon.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

1744 DllHost.exe

description	pid	process
Token: SeDebugPrivilege	1972	2.2.exe
Token: SeDebugPrivilege	1956	winlogon.exe
Token: SeDebugPrivilege	1776	winlogon.exe

pid	process
1744	DllHost.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

2e9f3938406a55b2c4d7f260df0bcc1bd4824d762a6864332c2ab40256cdeb44.exe2.2.exe2.2.exewinlogon.exewinlogon.exe

description	pid	process	target process
PID 1620 wrote to memory of 1972	1620	2e9f3938406a55b2c4d7f260df0bcc1bd4824d762a6864332c2ab40256cdeb44.exe	2.2.exe
PID 1620 wrote to memory of 1972	1620	2e9f3938406a55b2c4d7f260df0bcc1bd4824d762a6864332c2ab40256cdeb44.exe	2.2.exe
PID 1620 wrote to memory of 1972	1620	2e9f3938406a55b2c4d7f260df0bcc1bd4824d762a6864332c2ab40256cdeb44.exe	2.2.exe
PID 1620 wrote to memory of 1972	1620	2e9f3938406a55b2c4d7f260df0bcc1bd4824d762a6864332c2ab40256cdeb44.exe	2.2.exe
PID 1620 wrote to memory of 1972	1620	2e9f3938406a55b2c4d7f260df0bcc1bd4824d762a6864332c2ab40256cdeb44.exe	2.2.exe
PID 1620 wrote to memory of 1972	1620	2e9f3938406a55b2c4d7f260df0bcc1bd4824d762a6864332c2ab40256cdeb44.exe	2.2.exe
PID 1620 wrote to memory of 1972	1620	2e9f3938406a55b2c4d7f260df0bcc1bd4824d762a6864332c2ab40256cdeb44.exe	2.2.exe
PID 1972 wrote to memory of 1316	1972	2.2.exe	2.2.exe
PID 1972 wrote to memory of 1316	1972	2.2.exe	2.2.exe
PID 1972 wrote to memory of 1316	1972	2.2.exe	2.2.exe
PID 1972 wrote to memory of 1316	1972	2.2.exe	2.2.exe
PID 1972 wrote to memory of 1316	1972	2.2.exe	2.2.exe
PID 1972 wrote to memory of 1316	1972	2.2.exe	2.2.exe
PID 1972 wrote to memory of 1316	1972	2.2.exe	2.2.exe
PID 1972 wrote to memory of 1316	1972	2.2.exe	2.2.exe
PID 1972 wrote to memory of 1316	1972	2.2.exe	2.2.exe
PID 1316 wrote to memory of 1956	1316	2.2.exe	winlogon.exe
PID 1316 wrote to memory of 1956	1316	2.2.exe	winlogon.exe
PID 1316 wrote to memory of 1956	1316	2.2.exe	winlogon.exe
PID 1316 wrote to memory of 1956	1316	2.2.exe	winlogon.exe
PID 1316 wrote to memory of 1956	1316	2.2.exe	winlogon.exe
PID 1316 wrote to memory of 1956	1316	2.2.exe	winlogon.exe
PID 1316 wrote to memory of 1956	1316	2.2.exe	winlogon.exe
PID 1956 wrote to memory of 1776	1956	winlogon.exe	winlogon.exe
PID 1956 wrote to memory of 1776	1956	winlogon.exe	winlogon.exe
PID 1956 wrote to memory of 1776	1956	winlogon.exe	winlogon.exe
PID 1956 wrote to memory of 1776	1956	winlogon.exe	winlogon.exe
PID 1956 wrote to memory of 1776	1956	winlogon.exe	winlogon.exe
PID 1956 wrote to memory of 1776	1956	winlogon.exe	winlogon.exe
PID 1956 wrote to memory of 1776	1956	winlogon.exe	winlogon.exe
PID 1956 wrote to memory of 1776	1956	winlogon.exe	winlogon.exe
PID 1956 wrote to memory of 1776	1956	winlogon.exe	winlogon.exe
PID 1776 wrote to memory of 1896	1776	winlogon.exe	netsh.exe
PID 1776 wrote to memory of 1896	1776	winlogon.exe	netsh.exe
PID 1776 wrote to memory of 1896	1776	winlogon.exe	netsh.exe
PID 1776 wrote to memory of 1896	1776	winlogon.exe	netsh.exe
PID 1776 wrote to memory of 1896	1776	winlogon.exe	netsh.exe
PID 1776 wrote to memory of 1896	1776	winlogon.exe	netsh.exe
PID 1776 wrote to memory of 1896	1776	winlogon.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\2e9f3938406a55b2c4d7f260df0bcc1bd4824d762a6864332c2ab40256cdeb44.exe
"C:\Users\Admin\AppData\Local\Temp\2e9f3938406a55b2c4d7f260df0bcc1bd4824d762a6864332c2ab40256cdeb44.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1620

C:\2.2.exe
"C:\2.2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972

C:\2.2.exe
C:\2.2.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1316

C:\Users\Admin\AppData\Roaming\winlogon.exe
"C:\Users\Admin\AppData\Roaming\winlogon.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956

C:\Users\Admin\AppData\Roaming\winlogon.exe
C:\Users\Admin\AppData\Roaming\winlogon.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\winlogon.exe" "winlogon.exe" ENABLE
6⤵
- Modifies Windows Firewall
PID:1896

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1744

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\2.2.exe
Filesize
358KB

MD5
f6a7b89889b271060d09088fb033d117

SHA1
4d60cc74a57ebe6740777ae0f3018c7c2128d79a

SHA256
7f7351382ad6ffd823dc455a9e97e6eb6efb909def51fec64b73d33f77ad0940

SHA512
b477b08c6c42f04a5d846ebd573bed10fbdd963e54dd7d69dc12f3040542ecf0fbe35df1c1c41e9788c8bafb8d9789148a604be6adc1053c4c72885b408b3169

Download Submit
C:\2.2.exe
Filesize
358KB

MD5
f6a7b89889b271060d09088fb033d117

SHA1
4d60cc74a57ebe6740777ae0f3018c7c2128d79a

SHA256
7f7351382ad6ffd823dc455a9e97e6eb6efb909def51fec64b73d33f77ad0940

SHA512
b477b08c6c42f04a5d846ebd573bed10fbdd963e54dd7d69dc12f3040542ecf0fbe35df1c1c41e9788c8bafb8d9789148a604be6adc1053c4c72885b408b3169

Download Submit
C:\2.2.exe
Filesize
358KB

MD5
f6a7b89889b271060d09088fb033d117

SHA1
4d60cc74a57ebe6740777ae0f3018c7c2128d79a

SHA256
7f7351382ad6ffd823dc455a9e97e6eb6efb909def51fec64b73d33f77ad0940

SHA512
b477b08c6c42f04a5d846ebd573bed10fbdd963e54dd7d69dc12f3040542ecf0fbe35df1c1c41e9788c8bafb8d9789148a604be6adc1053c4c72885b408b3169

Download Submit
C:\414036360_f4da9b354c792fec4b118c9a555c34af.jpg
Filesize
3KB

MD5
1a9f08467b3ca5b904449a933115a792

SHA1
0ed405349f6ee6e0be507b8243152f00d3759934

SHA256
5f3f0c8d46508eeee84edb99080c6a6c3cce06dd69133206e387db14894e6f96

SHA512
2a02ad47cb6a194db5390265b5712810ff9f3a4ccda33b8022fcb543e3a22a6595f75b5c962e606614ab2bedea649cc7f86755c0a6f25f0192f38e4eb9a71b69

Download Submit
C:\Users\Admin\AppData\Roaming\winlogon.exe
Filesize
358KB

MD5
f6a7b89889b271060d09088fb033d117

SHA1
4d60cc74a57ebe6740777ae0f3018c7c2128d79a

SHA256
7f7351382ad6ffd823dc455a9e97e6eb6efb909def51fec64b73d33f77ad0940

SHA512
b477b08c6c42f04a5d846ebd573bed10fbdd963e54dd7d69dc12f3040542ecf0fbe35df1c1c41e9788c8bafb8d9789148a604be6adc1053c4c72885b408b3169

Download Submit
C:\Users\Admin\AppData\Roaming\winlogon.exe
Filesize
358KB

MD5
f6a7b89889b271060d09088fb033d117

SHA1
4d60cc74a57ebe6740777ae0f3018c7c2128d79a

SHA256
7f7351382ad6ffd823dc455a9e97e6eb6efb909def51fec64b73d33f77ad0940

SHA512
b477b08c6c42f04a5d846ebd573bed10fbdd963e54dd7d69dc12f3040542ecf0fbe35df1c1c41e9788c8bafb8d9789148a604be6adc1053c4c72885b408b3169

Download Submit
C:\Users\Admin\AppData\Roaming\winlogon.exe
Filesize
358KB

MD5
f6a7b89889b271060d09088fb033d117

SHA1
4d60cc74a57ebe6740777ae0f3018c7c2128d79a

SHA256
7f7351382ad6ffd823dc455a9e97e6eb6efb909def51fec64b73d33f77ad0940

SHA512
b477b08c6c42f04a5d846ebd573bed10fbdd963e54dd7d69dc12f3040542ecf0fbe35df1c1c41e9788c8bafb8d9789148a604be6adc1053c4c72885b408b3169

Download Submit
\Users\Admin\AppData\Roaming\winlogon.exe
Filesize
358KB

MD5
f6a7b89889b271060d09088fb033d117

SHA1
4d60cc74a57ebe6740777ae0f3018c7c2128d79a

SHA256
7f7351382ad6ffd823dc455a9e97e6eb6efb909def51fec64b73d33f77ad0940

SHA512
b477b08c6c42f04a5d846ebd573bed10fbdd963e54dd7d69dc12f3040542ecf0fbe35df1c1c41e9788c8bafb8d9789148a604be6adc1053c4c72885b408b3169

Download Submit
\Users\Admin\AppData\Roaming\winlogon.exe
Filesize
358KB

MD5
f6a7b89889b271060d09088fb033d117

SHA1
4d60cc74a57ebe6740777ae0f3018c7c2128d79a

SHA256
7f7351382ad6ffd823dc455a9e97e6eb6efb909def51fec64b73d33f77ad0940

SHA512
b477b08c6c42f04a5d846ebd573bed10fbdd963e54dd7d69dc12f3040542ecf0fbe35df1c1c41e9788c8bafb8d9789148a604be6adc1053c4c72885b408b3169

Download Submit
memory/1316-67-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1316-63-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1316-69-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1316-64-0x0000000000408B0E-mapping.dmp

Download
memory/1620-54-0x0000000075F51000-0x0000000075F53000-memory.dmp

Filesize
8KB

Download
memory/1776-80-0x0000000000408B0E-mapping.dmp

Download
memory/1896-87-0x0000000000000000-mapping.dmp

Download
memory/1956-73-0x0000000000000000-mapping.dmp

Download
memory/1956-77-0x0000000001260000-0x00000000012C0000-memory.dmp

Filesize
384KB

Download
memory/1956-89-0x0000000004CC5000-0x0000000004CD6000-memory.dmp

Filesize
68KB

Download
memory/1972-62-0x00000000002F0000-0x00000000002FA000-memory.dmp

Filesize
40KB

Download
memory/1972-60-0x0000000000B40000-0x0000000000BA0000-memory.dmp

Filesize
384KB

Download
memory/1972-71-0x0000000004D45000-0x0000000004D56000-memory.dmp

Filesize
68KB

Download
memory/1972-56-0x0000000000000000-mapping.dmp

Download