njrat | 6e652fbc4551ca4f71ee62ea06c4091d6ca20db62c8ac54837461bdddca60ee0

General

Target

6e652fbc4551ca4f71ee62ea06c4091d6ca20db62c8ac54837461bdddca60ee0.exe
Size

89KB
MD5

6239221711b96ccb760da6c546f1fab0
SHA1

98b4bd309e1b7fe664b5061bb82c25882eb17aa2
SHA256

6e652fbc4551ca4f71ee62ea06c4091d6ca20db62c8ac54837461bdddca60ee0
SHA512

d02ac1223946c4a8b6d1a8974088e5acaa73ba51bb6e5b52a8844cbd819dc3ecea070c959f9c26d400d8c5eea6b1858c1abd0e81a7039d3dc88ee600f72fe0fb
SSDEEP

384:d8aSyS9gB3Y1KIay2X8cLZI6XgxsGJVPpmRvR6JZlbw8hqIusZzZ9ZaByEA:e589tXvRpcnugwyEA

Score

10^/10

njrat ?????evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

?????

C2

BIG12.zapto.org:5552

Mutex

33c4c0825b0067c12434d0656e7cf5d6

Attributes

reg_key
33c4c0825b0067c12434d0656e7cf5d6
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 1 IoCs

pid	Process
1276	chrome-update.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
228	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	6e652fbc4551ca4f71ee62ea06c4091d6ca20db62c8ac54837461bdddca60ee0.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\33c4c0825b0067c12434d0656e7cf5d6 = "\"C:\\Users\\Admin\\AppData\\Roaming\\chrome-update.exe\" .."	chrome-update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\33c4c0825b0067c12434d0656e7cf5d6 = "\"C:\\Users\\Admin\\AppData\\Roaming\\chrome-update.exe\" .."	chrome-update.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	1276	chrome-update.exe
Token: 33	1276	chrome-update.exe
Token: SeIncBasePriorityPrivilege	1276	chrome-update.exe
Token: 33	1276	chrome-update.exe
Token: SeIncBasePriorityPrivilege	1276	chrome-update.exe
Token: 33	1276	chrome-update.exe
Token: SeIncBasePriorityPrivilege	1276	chrome-update.exe
Token: 33	1276	chrome-update.exe
Token: SeIncBasePriorityPrivilege	1276	chrome-update.exe
Token: 33	1276	chrome-update.exe
Token: SeIncBasePriorityPrivilege	1276	chrome-update.exe
Token: 33	1276	chrome-update.exe
Token: SeIncBasePriorityPrivilege	1276	chrome-update.exe
Token: 33	1276	chrome-update.exe
Token: SeIncBasePriorityPrivilege	1276	chrome-update.exe
Token: 33	1276	chrome-update.exe
Token: SeIncBasePriorityPrivilege	1276	chrome-update.exe
Token: 33	1276	chrome-update.exe
Token: SeIncBasePriorityPrivilege	1276	chrome-update.exe
Token: 33	1276	chrome-update.exe
Token: SeIncBasePriorityPrivilege	1276	chrome-update.exe
Token: 33	1276	chrome-update.exe
Token: SeIncBasePriorityPrivilege	1276	chrome-update.exe
Token: 33	1276	chrome-update.exe
Token: SeIncBasePriorityPrivilege	1276	chrome-update.exe
Token: 33	1276	chrome-update.exe
Token: SeIncBasePriorityPrivilege	1276	chrome-update.exe
Token: 33	1276	chrome-update.exe
Token: SeIncBasePriorityPrivilege	1276	chrome-update.exe
Token: 33	1276	chrome-update.exe
Token: SeIncBasePriorityPrivilege	1276	chrome-update.exe
Token: 33	1276	chrome-update.exe
Token: SeIncBasePriorityPrivilege	1276	chrome-update.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 1276	1604	6e652fbc4551ca4f71ee62ea06c4091d6ca20db62c8ac54837461bdddca60ee0.exe	87
PID 1604 wrote to memory of 1276	1604	6e652fbc4551ca4f71ee62ea06c4091d6ca20db62c8ac54837461bdddca60ee0.exe	87
PID 1604 wrote to memory of 1276	1604	6e652fbc4551ca4f71ee62ea06c4091d6ca20db62c8ac54837461bdddca60ee0.exe	87
PID 1276 wrote to memory of 228	1276	chrome-update.exe	90
PID 1276 wrote to memory of 228	1276	chrome-update.exe	90
PID 1276 wrote to memory of 228	1276	chrome-update.exe	90

C:\Users\Admin\AppData\Local\Temp\6e652fbc4551ca4f71ee62ea06c4091d6ca20db62c8ac54837461bdddca60ee0.exe
"C:\Users\Admin\AppData\Local\Temp\6e652fbc4551ca4f71ee62ea06c4091d6ca20db62c8ac54837461bdddca60ee0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Users\Admin\AppData\Roaming\chrome-update.exe
  "C:\Users\Admin\AppData\Roaming\chrome-update.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1276
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\chrome-update.exe" "chrome-update.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\chrome-update.exe

Filesize
89KB

MD5
6239221711b96ccb760da6c546f1fab0

SHA1
98b4bd309e1b7fe664b5061bb82c25882eb17aa2

SHA256
6e652fbc4551ca4f71ee62ea06c4091d6ca20db62c8ac54837461bdddca60ee0

SHA512
d02ac1223946c4a8b6d1a8974088e5acaa73ba51bb6e5b52a8844cbd819dc3ecea070c959f9c26d400d8c5eea6b1858c1abd0e81a7039d3dc88ee600f72fe0fb

Download Submit
C:\Users\Admin\AppData\Roaming\chrome-update.exe

Filesize
89KB

MD5
6239221711b96ccb760da6c546f1fab0

SHA1
98b4bd309e1b7fe664b5061bb82c25882eb17aa2

SHA256
6e652fbc4551ca4f71ee62ea06c4091d6ca20db62c8ac54837461bdddca60ee0

SHA512
d02ac1223946c4a8b6d1a8974088e5acaa73ba51bb6e5b52a8844cbd819dc3ecea070c959f9c26d400d8c5eea6b1858c1abd0e81a7039d3dc88ee600f72fe0fb

Download Submit
memory/1276-137-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/1276-139-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/1604-132-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/1604-136-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing