njrat | afd826e3d09b5b147d9dc2874d159d4e066e633cfda82dac9c941e4df3c929d5

General

Target

afd826e3d09b5b147d9dc2874d159d4e066e633cfda82dac9c941e4df3c929d5.exe
Size

32KB
MD5

90f5a408048f5bd6803a98331cded120
SHA1

a9ccc979131258242d80d3dbab2c41fb3d7511ed
SHA256

afd826e3d09b5b147d9dc2874d159d4e066e633cfda82dac9c941e4df3c929d5
SHA512

45c9925826c9e7ee7490b01c12808798997501961984be4c2ccc2764664122ec056e35e2a13fe50c056c929a7a65b5a54138630705779c965797698955875ad3
SSDEEP

768:UfLjXHlL0vNcof4t08X+dk4FglrAHhd0AQvxCx:UfH3lLY4L4kWnusx

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

loaimajdi.no-ip.biz:5552

Mutex

10ce81ee12043fcd07c0abe92db49633

Attributes

reg_key
10ce81ee12043fcd07c0abe92db49633
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

internet downlood manger.exe

pid process

1404 internet downlood manger.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

2020 netsh.exe

pid	process
1404	internet downlood manger.exe

pid	process
2020	netsh.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

internet downlood manger.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\10ce81ee12043fcd07c0abe92db49633 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\internet downlood manger.exe\" .."	internet downlood manger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\10ce81ee12043fcd07c0abe92db49633 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\internet downlood manger.exe\" .."	internet downlood manger.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

internet downlood manger.exe

description	pid	process
Token: SeDebugPrivilege	1404	internet downlood manger.exe
Token: 33	1404	internet downlood manger.exe
Token: SeIncBasePriorityPrivilege	1404	internet downlood manger.exe
Token: 33	1404	internet downlood manger.exe
Token: SeIncBasePriorityPrivilege	1404	internet downlood manger.exe
Token: 33	1404	internet downlood manger.exe
Token: SeIncBasePriorityPrivilege	1404	internet downlood manger.exe
Token: 33	1404	internet downlood manger.exe
Token: SeIncBasePriorityPrivilege	1404	internet downlood manger.exe
Token: 33	1404	internet downlood manger.exe
Token: SeIncBasePriorityPrivilege	1404	internet downlood manger.exe
Token: 33	1404	internet downlood manger.exe
Token: SeIncBasePriorityPrivilege	1404	internet downlood manger.exe
Token: 33	1404	internet downlood manger.exe
Token: SeIncBasePriorityPrivilege	1404	internet downlood manger.exe
Token: 33	1404	internet downlood manger.exe
Token: SeIncBasePriorityPrivilege	1404	internet downlood manger.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

afd826e3d09b5b147d9dc2874d159d4e066e633cfda82dac9c941e4df3c929d5.exeinternet downlood manger.exe

description	pid	process	target process
PID 1412 wrote to memory of 1404	1412	afd826e3d09b5b147d9dc2874d159d4e066e633cfda82dac9c941e4df3c929d5.exe	internet downlood manger.exe
PID 1412 wrote to memory of 1404	1412	afd826e3d09b5b147d9dc2874d159d4e066e633cfda82dac9c941e4df3c929d5.exe	internet downlood manger.exe
PID 1412 wrote to memory of 1404	1412	afd826e3d09b5b147d9dc2874d159d4e066e633cfda82dac9c941e4df3c929d5.exe	internet downlood manger.exe
PID 1404 wrote to memory of 2020	1404	internet downlood manger.exe	netsh.exe
PID 1404 wrote to memory of 2020	1404	internet downlood manger.exe	netsh.exe
PID 1404 wrote to memory of 2020	1404	internet downlood manger.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\afd826e3d09b5b147d9dc2874d159d4e066e633cfda82dac9c941e4df3c929d5.exe
"C:\Users\Admin\AppData\Local\Temp\afd826e3d09b5b147d9dc2874d159d4e066e633cfda82dac9c941e4df3c929d5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1412

C:\Users\Admin\AppData\Local\Temp\internet downlood manger.exe
"C:\Users\Admin\AppData\Local\Temp\internet downlood manger.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1404

C:\Windows\system32\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\internet downlood manger.exe" "internet downlood manger.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:2020

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\internet downlood manger.exe
Filesize
32KB

MD5
90f5a408048f5bd6803a98331cded120

SHA1
a9ccc979131258242d80d3dbab2c41fb3d7511ed

SHA256
afd826e3d09b5b147d9dc2874d159d4e066e633cfda82dac9c941e4df3c929d5

SHA512
45c9925826c9e7ee7490b01c12808798997501961984be4c2ccc2764664122ec056e35e2a13fe50c056c929a7a65b5a54138630705779c965797698955875ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\internet downlood manger.exe
Filesize
32KB

MD5
90f5a408048f5bd6803a98331cded120

SHA1
a9ccc979131258242d80d3dbab2c41fb3d7511ed

SHA256
afd826e3d09b5b147d9dc2874d159d4e066e633cfda82dac9c941e4df3c929d5

SHA512
45c9925826c9e7ee7490b01c12808798997501961984be4c2ccc2764664122ec056e35e2a13fe50c056c929a7a65b5a54138630705779c965797698955875ad3

Download Submit
memory/1404-58-0x0000000000000000-mapping.dmp

Download
memory/1404-61-0x0000000001320000-0x000000000132E000-memory.dmp

Filesize
56KB

Download
memory/1412-54-0x0000000000D10000-0x0000000000D1E000-memory.dmp

Filesize
56KB

Download
memory/1412-55-0x00000000003C0000-0x00000000003C8000-memory.dmp

Filesize
32KB

Download
memory/1412-56-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/1412-57-0x000007FEFB6A1000-0x000007FEFB6A3000-memory.dmp

Filesize
8KB

Download
memory/2020-62-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads