njrat | cbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284

General

Target

cbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284.exe
Size

6KB
MD5

bf483dc9b494c3143835ec286c1c4360
SHA1

b3e6792d37d360bb28d37c25d44394e58f1d9b09
SHA256

cbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284
SHA512

f00e279b93014ee9284bb59f1cfdf0b9913a2745562dc0f389298ae654736572e98f2cca89b8925dddbf4a254680e53ce4827fb5fff654bb82a1a926bb5a1dce
SSDEEP

96:OKqxIGt9iNzw8IdvzrlsllTyQRx2/JwyruI+cZ3GnUODL:5qimu5ImllO4xIyyBxZv0

Score

10^/10

njrat update persistence trojan

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

update

C2

money2022.ddns.net:8080

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

update.exe

pid process

1724 update.exe

pid	process
1724	update.exe

Drops startup file 1 IoCs

Processes:

cbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	cbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284.exe

Loads dropped DLL 1 IoCs

Processes:

cbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284.exe

pid process

1816 cbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284.exe

pid	process
1816	cbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284.execbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tcqjhjjt = "\"C:\\Users\\Admin\\AppData\\Roaming\\Hovpith\\Tcqjhjjt.exe\""	cbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\update.exe"	cbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

cbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284.exe

description	pid	process	target process
PID 1720 set thread context of 1816	1720	cbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284.exe	cbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

960 powershell.exe
1760 powershell.exe

pid	process
960	powershell.exe
1760	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

cbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284.exepowershell.exeupdate.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1720	cbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284.exe
Token: SeDebugPrivilege	960	powershell.exe
Token: SeDebugPrivilege	1724	update.exe
Token: SeDebugPrivilege	1760	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

cbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284.execbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284.exeupdate.exe

description	pid	process	target process
PID 1720 wrote to memory of 960	1720	cbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284.exe	powershell.exe
PID 1720 wrote to memory of 960	1720	cbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284.exe	powershell.exe
PID 1720 wrote to memory of 960	1720	cbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284.exe	powershell.exe
PID 1720 wrote to memory of 960	1720	cbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284.exe	powershell.exe
PID 1720 wrote to memory of 1816	1720	cbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284.exe	cbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284.exe
PID 1720 wrote to memory of 1816	1720	cbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284.exe	cbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284.exe
PID 1720 wrote to memory of 1816	1720	cbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284.exe	cbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284.exe
PID 1720 wrote to memory of 1816	1720	cbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284.exe	cbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284.exe
PID 1720 wrote to memory of 1816	1720	cbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284.exe	cbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284.exe
PID 1720 wrote to memory of 1816	1720	cbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284.exe	cbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284.exe
PID 1720 wrote to memory of 1816	1720	cbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284.exe	cbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284.exe
PID 1720 wrote to memory of 1816	1720	cbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284.exe	cbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284.exe
PID 1720 wrote to memory of 1816	1720	cbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284.exe	cbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284.exe
PID 1816 wrote to memory of 1724	1816	cbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284.exe	update.exe
PID 1816 wrote to memory of 1724	1816	cbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284.exe	update.exe
PID 1816 wrote to memory of 1724	1816	cbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284.exe	update.exe
PID 1816 wrote to memory of 1724	1816	cbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284.exe	update.exe
PID 1816 wrote to memory of 1724	1816	cbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284.exe	update.exe
PID 1816 wrote to memory of 1724	1816	cbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284.exe	update.exe
PID 1816 wrote to memory of 1724	1816	cbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284.exe	update.exe
PID 1816 wrote to memory of 676	1816	cbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284.exe	attrib.exe
PID 1816 wrote to memory of 676	1816	cbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284.exe	attrib.exe
PID 1816 wrote to memory of 676	1816	cbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284.exe	attrib.exe
PID 1816 wrote to memory of 676	1816	cbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284.exe	attrib.exe
PID 1724 wrote to memory of 1760	1724	update.exe	powershell.exe
PID 1724 wrote to memory of 1760	1724	update.exe	powershell.exe
PID 1724 wrote to memory of 1760	1724	update.exe	powershell.exe
PID 1724 wrote to memory of 1760	1724	update.exe	powershell.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

676 attrib.exe

pid	process
676	attrib.exe

C:\Users\Admin\AppData\Local\Temp\cbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284.exe
"C:\Users\Admin\AppData\Local\Temp\cbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQA2AA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:960

C:\Users\Admin\AppData\Local\Temp\cbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284.exe
C:\Users\Admin\AppData\Local\Temp\cbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284.exe
2⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1816

C:\Users\Admin\AppData\Roaming\update.exe
"C:\Users\Admin\AppData\Roaming\update.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQA2AA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Users\Admin\AppData\Roaming\update.exe"
3⤵
- Views/modifies file attributes
PID:676

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Hidden Files and Directories

1

T1158

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
9331e2836ec667870259c4dd1e13fc8d

SHA1
ef47bd38adfb392c65291f97e5048e2291d16e71

SHA256
b5864e09f1416fde4da1968292fba4b57080d405d8267ad074f6af3f85f42e69

SHA512
f012874ee68a49b029ec9224521e2eb736bb940f80945e62915af88bb06088d186acc560a462511573b517f49f8e8de5a0f74596e44504b9e7f34700c6232d17

Download Submit
C:\Users\Admin\AppData\Roaming\update.exe
Filesize
6KB

MD5
bf483dc9b494c3143835ec286c1c4360

SHA1
b3e6792d37d360bb28d37c25d44394e58f1d9b09

SHA256
cbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284

SHA512
f00e279b93014ee9284bb59f1cfdf0b9913a2745562dc0f389298ae654736572e98f2cca89b8925dddbf4a254680e53ce4827fb5fff654bb82a1a926bb5a1dce

Download Submit
C:\Users\Admin\AppData\Roaming\update.exe
Filesize
6KB

MD5
bf483dc9b494c3143835ec286c1c4360

SHA1
b3e6792d37d360bb28d37c25d44394e58f1d9b09

SHA256
cbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284

SHA512
f00e279b93014ee9284bb59f1cfdf0b9913a2745562dc0f389298ae654736572e98f2cca89b8925dddbf4a254680e53ce4827fb5fff654bb82a1a926bb5a1dce

Download Submit
\Users\Admin\AppData\Roaming\update.exe
Filesize
6KB

MD5
bf483dc9b494c3143835ec286c1c4360

SHA1
b3e6792d37d360bb28d37c25d44394e58f1d9b09

SHA256
cbb22c9a91a492cd4ed6aa9467fd525bd2e1776f66e9c726364e4d518a0af284

SHA512
f00e279b93014ee9284bb59f1cfdf0b9913a2745562dc0f389298ae654736572e98f2cca89b8925dddbf4a254680e53ce4827fb5fff654bb82a1a926bb5a1dce

Download Submit
memory/676-80-0x0000000000000000-mapping.dmp

Download
memory/960-61-0x000000006F3A0000-0x000000006F94B000-memory.dmp

Filesize
5.7MB

Download
memory/960-59-0x0000000000000000-mapping.dmp

Download
memory/960-62-0x000000006F3A0000-0x000000006F94B000-memory.dmp

Filesize
5.7MB

Download
memory/960-63-0x000000006F3A0000-0x000000006F94B000-memory.dmp

Filesize
5.7MB

Download
memory/1720-58-0x0000000004820000-0x00000000048B2000-memory.dmp

Filesize
584KB

Download
memory/1720-57-0x0000000000790000-0x00000000007D0000-memory.dmp

Filesize
256KB

Download
memory/1720-56-0x0000000000620000-0x00000000006A8000-memory.dmp

Filesize
544KB

Download
memory/1720-55-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download
memory/1720-54-0x0000000000C50000-0x0000000000C58000-memory.dmp

Filesize
32KB

Download
memory/1724-77-0x0000000000000000-mapping.dmp

Download
memory/1724-81-0x0000000001210000-0x0000000001218000-memory.dmp

Filesize
32KB

Download
memory/1760-83-0x0000000000000000-mapping.dmp

Download
memory/1760-86-0x000000006F370000-0x000000006F91B000-memory.dmp

Filesize
5.7MB

Download
memory/1760-87-0x000000006F370000-0x000000006F91B000-memory.dmp

Filesize
5.7MB

Download
memory/1816-72-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1816-74-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1816-70-0x000000000040837E-mapping.dmp

Download
memory/1816-69-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1816-68-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1816-67-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1816-65-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1816-64-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads