njrat | 9957b4a7b35663a3f3d10eb32cbf64a84a9eef93a913d55e579acad935a74eec

Analysis

max time kernel
150s
max time network
99s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04/11/2022, 17:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Quotation List_0348.exe
Size

6KB
MD5

53e70bf3a2964e9c086d8ea3ac0daddf
SHA1

82c8534e7cf0cf7d899d5871d0da82ba9c875f3b
SHA256

246e869353e3d90c8aef21611cdfa29f32eaf84c07382ceaa0b251818213c541
SHA512

74c3f2d7f4ad771690dba6ee0e6964aeb77aaed77bfc5d4e3ad3dc0104076a2085383272697247ec3191cafae87af437333f024323160f0af6714bf0663ead6b
SSDEEP

96:XVuqNek+1LnGPL5RT2SzLAEy/tnp347KVYzNt:wH1Lqh2SzLAEUNR4g6

Score

10^/10

njrat update persistence trojan

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

update

money2022.ddns.net:8080

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 1 IoCs

pid	Process
1344	update.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	Quotation List_0348.exe

Loads dropped DLL 1 IoCs

pid	Process
976	Quotation List_0348.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nkeqx = "\"C:\\Users\\Admin\\AppData\\Roaming\\Fckiqk\\Nkeqx.exe\""	Quotation List_0348.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\update.exe"	Quotation List_0348.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1972 set thread context of 976	1972	Quotation List_0348.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
988	powershell.exe
1972	Quotation List_0348.exe
1672	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1972	Quotation List_0348.exe
Token: SeDebugPrivilege	988	powershell.exe
Token: SeDebugPrivilege	1344	update.exe
Token: SeDebugPrivilege	1672	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 988	1972	Quotation List_0348.exe	27
PID 1972 wrote to memory of 988	1972	Quotation List_0348.exe	27
PID 1972 wrote to memory of 988	1972	Quotation List_0348.exe	27
PID 1972 wrote to memory of 988	1972	Quotation List_0348.exe	27
PID 1972 wrote to memory of 1404	1972	Quotation List_0348.exe	29
PID 1972 wrote to memory of 1404	1972	Quotation List_0348.exe	29
PID 1972 wrote to memory of 1404	1972	Quotation List_0348.exe	29
PID 1972 wrote to memory of 1404	1972	Quotation List_0348.exe	29
PID 1972 wrote to memory of 976	1972	Quotation List_0348.exe	30
PID 1972 wrote to memory of 976	1972	Quotation List_0348.exe	30
PID 1972 wrote to memory of 976	1972	Quotation List_0348.exe	30
PID 1972 wrote to memory of 976	1972	Quotation List_0348.exe	30
PID 1972 wrote to memory of 976	1972	Quotation List_0348.exe	30
PID 1972 wrote to memory of 976	1972	Quotation List_0348.exe	30
PID 1972 wrote to memory of 976	1972	Quotation List_0348.exe	30
PID 1972 wrote to memory of 976	1972	Quotation List_0348.exe	30
PID 1972 wrote to memory of 976	1972	Quotation List_0348.exe	30
PID 976 wrote to memory of 1344	976	Quotation List_0348.exe	31
PID 976 wrote to memory of 1344	976	Quotation List_0348.exe	31
PID 976 wrote to memory of 1344	976	Quotation List_0348.exe	31
PID 976 wrote to memory of 1344	976	Quotation List_0348.exe	31
PID 976 wrote to memory of 1344	976	Quotation List_0348.exe	31
PID 976 wrote to memory of 1344	976	Quotation List_0348.exe	31
PID 976 wrote to memory of 1344	976	Quotation List_0348.exe	31
PID 976 wrote to memory of 364	976	Quotation List_0348.exe	32
PID 976 wrote to memory of 364	976	Quotation List_0348.exe	32
PID 976 wrote to memory of 364	976	Quotation List_0348.exe	32
PID 976 wrote to memory of 364	976	Quotation List_0348.exe	32
PID 1344 wrote to memory of 1672	1344	update.exe	34
PID 1344 wrote to memory of 1672	1344	update.exe	34
PID 1344 wrote to memory of 1672	1344	update.exe	34
PID 1344 wrote to memory of 1672	1344	update.exe	34

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
364	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Quotation List_0348.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation List_0348.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQA2AA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:988
- C:\Users\Admin\AppData\Local\Temp\Quotation List_0348.exe
  "C:\Users\Admin\AppData\Local\Temp\Quotation List_0348.exe"
  2⤵
  PID:1404
- C:\Users\Admin\AppData\Local\Temp\Quotation List_0348.exe
  "C:\Users\Admin\AppData\Local\Temp\Quotation List_0348.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:976
- - C:\Users\Admin\AppData\Roaming\update.exe
    "C:\Users\Admin\AppData\Roaming\update.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1344
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQA2AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1672
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +r +s "C:\Users\Admin\AppData\Roaming\update.exe"
    3⤵
    - Views/modifies file attributes
    PID:364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
33b6647aac585dac651de8a32f421d31

SHA1
0b7b6ebbcf2557b8b1aecdf286b6bcea26074f60

SHA256
85870715e640843a3249fde91c2054ddeb384fdc4a4fc9c6ec42826800188c73

SHA512
5a7d61e88a6587b73ae145bb49b252d01bc9f82858b97cff3e258d7701d94e843ac98542b24b8ea889b260eaf7695449bac86f9826f8265396b4cf60d4a4b232

Download Submit
C:\Users\Admin\AppData\Roaming\update.exe

Filesize
6KB

MD5
53e70bf3a2964e9c086d8ea3ac0daddf

SHA1
82c8534e7cf0cf7d899d5871d0da82ba9c875f3b

SHA256
246e869353e3d90c8aef21611cdfa29f32eaf84c07382ceaa0b251818213c541

SHA512
74c3f2d7f4ad771690dba6ee0e6964aeb77aaed77bfc5d4e3ad3dc0104076a2085383272697247ec3191cafae87af437333f024323160f0af6714bf0663ead6b

Download Submit
C:\Users\Admin\AppData\Roaming\update.exe

Filesize
6KB

MD5
53e70bf3a2964e9c086d8ea3ac0daddf

SHA1
82c8534e7cf0cf7d899d5871d0da82ba9c875f3b

SHA256
246e869353e3d90c8aef21611cdfa29f32eaf84c07382ceaa0b251818213c541

SHA512
74c3f2d7f4ad771690dba6ee0e6964aeb77aaed77bfc5d4e3ad3dc0104076a2085383272697247ec3191cafae87af437333f024323160f0af6714bf0663ead6b

Download Submit
\Users\Admin\AppData\Roaming\update.exe

Filesize
6KB

MD5
53e70bf3a2964e9c086d8ea3ac0daddf

SHA1
82c8534e7cf0cf7d899d5871d0da82ba9c875f3b

SHA256
246e869353e3d90c8aef21611cdfa29f32eaf84c07382ceaa0b251818213c541

SHA512
74c3f2d7f4ad771690dba6ee0e6964aeb77aaed77bfc5d4e3ad3dc0104076a2085383272697247ec3191cafae87af437333f024323160f0af6714bf0663ead6b

Download Submit
memory/976-70-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/976-72-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/976-62-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/976-63-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/976-66-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/976-65-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/976-67-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/988-61-0x000000006EE00000-0x000000006F3AB000-memory.dmp

Filesize
5.7MB

Download
memory/988-60-0x000000006EE00000-0x000000006F3AB000-memory.dmp

Filesize
5.7MB

Download
memory/988-59-0x000000006EE00000-0x000000006F3AB000-memory.dmp

Filesize
5.7MB

Download
memory/1344-79-0x0000000000310000-0x0000000000318000-memory.dmp

Filesize
32KB

Download
memory/1672-84-0x000000006EDD0000-0x000000006F37B000-memory.dmp

Filesize
5.7MB

Download
memory/1672-85-0x000000006EDD0000-0x000000006F37B000-memory.dmp

Filesize
5.7MB

Download
memory/1672-86-0x000000006EDD0000-0x000000006F37B000-memory.dmp

Filesize
5.7MB

Download
memory/1972-54-0x00000000002D0000-0x00000000002D8000-memory.dmp

Filesize
32KB

Download
memory/1972-56-0x0000000006B00000-0x0000000006D12000-memory.dmp

Filesize
2.1MB

Download
memory/1972-55-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

Filesize
8KB

Download