njrat | fe131007f2c005a4141d5febb5b029bdabe5fc18de34edc10a8e98569e1ce8d5

General

Target

PO_Order_938340.exe
Size

10KB
MD5

8b482947f8aa69e7f21bb5d51c363135
SHA1

c69562bcff1e0b2805ae38be46ec5f54bd2f6e6f
SHA256

fe131007f2c005a4141d5febb5b029bdabe5fc18de34edc10a8e98569e1ce8d5
SHA512

766ade825736e72728767aea49aa184730a8ec39e8ff7559052d801273bd3eb85da3163b4c9979ab56cdc3d7e013fd224b141da477b36ee633028543cc9902e5
SSDEEP

192:b0EWlq8R7nEywHjhqfLL9ONRjKdg8stYcFmVc03KY:b0EWlq+7EywHkfLL9ONRCgptYcFmVc06

Score

10^/10

njrat update persistence trojan

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

update

C2

money2022.ddns.net:8080

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

update.exe

pid process

704 update.exe
Drops startup file 1 IoCs

Processes:

PO_Order_938340.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk PO_Order_938340.exe
Loads dropped DLL 1 IoCs

Processes:

PO_Order_938340.exe

pid process

1916 PO_Order_938340.exe

pid	process
704	update.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	PO_Order_938340.exe

pid	process
1916	PO_Order_938340.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

PO_Order_938340.exePO_Order_938340.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ohtshj = "\"C:\\Users\\Admin\\AppData\\Roaming\\Cuyus\\Ohtshj.exe\""	PO_Order_938340.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\update.exe"	PO_Order_938340.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

PO_Order_938340.exe

description pid process target process

PID 1088 set thread context of 1916 1088 PO_Order_938340.exe PO_Order_938340.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2040 powershell.exe
1532 powershell.exe

description	pid	process	target process
PID 1088 set thread context of 1916	1088	PO_Order_938340.exe	PO_Order_938340.exe

pid	process
2040	powershell.exe
1532	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

PO_Order_938340.exepowershell.exeupdate.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1088	PO_Order_938340.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	704	update.exe
Token: SeDebugPrivilege	1532	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

PO_Order_938340.exePO_Order_938340.exeupdate.exe

description	pid	process	target process
PID 1088 wrote to memory of 2040	1088	PO_Order_938340.exe	powershell.exe
PID 1088 wrote to memory of 2040	1088	PO_Order_938340.exe	powershell.exe
PID 1088 wrote to memory of 2040	1088	PO_Order_938340.exe	powershell.exe
PID 1088 wrote to memory of 2040	1088	PO_Order_938340.exe	powershell.exe
PID 1088 wrote to memory of 1916	1088	PO_Order_938340.exe	PO_Order_938340.exe
PID 1088 wrote to memory of 1916	1088	PO_Order_938340.exe	PO_Order_938340.exe
PID 1088 wrote to memory of 1916	1088	PO_Order_938340.exe	PO_Order_938340.exe
PID 1088 wrote to memory of 1916	1088	PO_Order_938340.exe	PO_Order_938340.exe
PID 1088 wrote to memory of 1916	1088	PO_Order_938340.exe	PO_Order_938340.exe
PID 1088 wrote to memory of 1916	1088	PO_Order_938340.exe	PO_Order_938340.exe
PID 1088 wrote to memory of 1916	1088	PO_Order_938340.exe	PO_Order_938340.exe
PID 1088 wrote to memory of 1916	1088	PO_Order_938340.exe	PO_Order_938340.exe
PID 1088 wrote to memory of 1916	1088	PO_Order_938340.exe	PO_Order_938340.exe
PID 1916 wrote to memory of 704	1916	PO_Order_938340.exe	update.exe
PID 1916 wrote to memory of 704	1916	PO_Order_938340.exe	update.exe
PID 1916 wrote to memory of 704	1916	PO_Order_938340.exe	update.exe
PID 1916 wrote to memory of 704	1916	PO_Order_938340.exe	update.exe
PID 1916 wrote to memory of 704	1916	PO_Order_938340.exe	update.exe
PID 1916 wrote to memory of 704	1916	PO_Order_938340.exe	update.exe
PID 1916 wrote to memory of 704	1916	PO_Order_938340.exe	update.exe
PID 1916 wrote to memory of 1560	1916	PO_Order_938340.exe	attrib.exe
PID 1916 wrote to memory of 1560	1916	PO_Order_938340.exe	attrib.exe
PID 1916 wrote to memory of 1560	1916	PO_Order_938340.exe	attrib.exe
PID 1916 wrote to memory of 1560	1916	PO_Order_938340.exe	attrib.exe
PID 704 wrote to memory of 1532	704	update.exe	powershell.exe
PID 704 wrote to memory of 1532	704	update.exe	powershell.exe
PID 704 wrote to memory of 1532	704	update.exe	powershell.exe
PID 704 wrote to memory of 1532	704	update.exe	powershell.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1560 attrib.exe

pid	process
1560	attrib.exe

C:\Users\Admin\AppData\Local\Temp\PO_Order_938340.exe
"C:\Users\Admin\AppData\Local\Temp\PO_Order_938340.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQA2AA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Users\Admin\AppData\Local\Temp\PO_Order_938340.exe
C:\Users\Admin\AppData\Local\Temp\PO_Order_938340.exe
2⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1916

C:\Users\Admin\AppData\Roaming\update.exe
"C:\Users\Admin\AppData\Roaming\update.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:704

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQA2AA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Users\Admin\AppData\Roaming\update.exe"
3⤵
- Views/modifies file attributes
PID:1560

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Hidden Files and Directories

1

T1158

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
61ccfb904e2c4c4ec98c0110a941276a

SHA1
80cd53158688f3f4cd56615fad51bcff15739581

SHA256
1e24c98fd4275062fda5a47af4d3a59a4aca7dd4edac58515cca8ed97fd8c5e8

SHA512
0b137e6350e4d41e6fb025591aa7296c6b3571b525bab7e741849749bcc023f15761bdd96669e5272426fca45d6e70097b01047f07e9918d44119a9875c22bce

Download Submit
C:\Users\Admin\AppData\Roaming\update.exe
Filesize
10KB

MD5
8b482947f8aa69e7f21bb5d51c363135

SHA1
c69562bcff1e0b2805ae38be46ec5f54bd2f6e6f

SHA256
fe131007f2c005a4141d5febb5b029bdabe5fc18de34edc10a8e98569e1ce8d5

SHA512
766ade825736e72728767aea49aa184730a8ec39e8ff7559052d801273bd3eb85da3163b4c9979ab56cdc3d7e013fd224b141da477b36ee633028543cc9902e5

Download Submit
C:\Users\Admin\AppData\Roaming\update.exe
Filesize
10KB

MD5
8b482947f8aa69e7f21bb5d51c363135

SHA1
c69562bcff1e0b2805ae38be46ec5f54bd2f6e6f

SHA256
fe131007f2c005a4141d5febb5b029bdabe5fc18de34edc10a8e98569e1ce8d5

SHA512
766ade825736e72728767aea49aa184730a8ec39e8ff7559052d801273bd3eb85da3163b4c9979ab56cdc3d7e013fd224b141da477b36ee633028543cc9902e5

Download Submit
\Users\Admin\AppData\Roaming\update.exe
Filesize
10KB

MD5
8b482947f8aa69e7f21bb5d51c363135

SHA1
c69562bcff1e0b2805ae38be46ec5f54bd2f6e6f

SHA256
fe131007f2c005a4141d5febb5b029bdabe5fc18de34edc10a8e98569e1ce8d5

SHA512
766ade825736e72728767aea49aa184730a8ec39e8ff7559052d801273bd3eb85da3163b4c9979ab56cdc3d7e013fd224b141da477b36ee633028543cc9902e5

Download Submit
memory/704-75-0x0000000000000000-mapping.dmp

Download
memory/704-78-0x0000000000230000-0x0000000000238000-memory.dmp

Filesize
32KB

Download
memory/1088-55-0x0000000075241000-0x0000000075243000-memory.dmp

Filesize
8KB

Download
memory/1088-56-0x0000000007E00000-0x0000000007FF4000-memory.dmp

Filesize
2.0MB

Download
memory/1088-54-0x0000000000140000-0x0000000000148000-memory.dmp

Filesize
32KB

Download
memory/1532-85-0x000000006F050000-0x000000006F5FB000-memory.dmp

Filesize
5.7MB

Download
memory/1532-81-0x0000000000000000-mapping.dmp

Download
memory/1532-84-0x000000006F050000-0x000000006F5FB000-memory.dmp

Filesize
5.7MB

Download
memory/1560-79-0x0000000000000000-mapping.dmp

Download
memory/1916-68-0x000000000040837E-mapping.dmp

Download
memory/1916-72-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1916-70-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1916-67-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1916-66-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1916-65-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1916-63-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1916-62-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2040-61-0x000000006F600000-0x000000006FBAB000-memory.dmp

Filesize
5.7MB

Download
memory/2040-60-0x000000006F600000-0x000000006FBAB000-memory.dmp

Filesize
5.7MB

Download
memory/2040-59-0x000000006F600000-0x000000006FBAB000-memory.dmp

Filesize
5.7MB

Download
memory/2040-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads