njrat | 4a17f958979cdae4b705021e3fae91288d26e9f7a39d935f210325cae0505871

General

Target

4a17f958979cdae4b705021e3fae91288d26e9f7a39d935f210325cae0505871.exe
Size

148KB
MD5

038f46069d0a4f29ab44b7c766a173f0
SHA1

b066930a925f89d6a5da9b1cee4c806ff3c3119c
SHA256

4a17f958979cdae4b705021e3fae91288d26e9f7a39d935f210325cae0505871
SHA512

78cb743db6f324485234b0a82fb00ae2fbd5aa7375d9777b9897e57a0df82b0be14bc5b4d1e8a9ab265249c6dde9dec247a4b5f1fc71e6010f6881eaa25e5ca5
SSDEEP

3072:iUu32GhNvBO9qCDtLoosE/WIgU1/B65wYEPv6ANSzlWA9hFDZqz:iU82GhNpC2J47Z1/UeNNSzz5q

Score

10^/10

njrat hacked trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

127.0.0.1:5552

Mutex

f974a60849f958b913754e5bb1f5dfce

Attributes

reg_key
f974a60849f958b913754e5bb1f5dfce
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 1 IoCs

pid	Process
2292	winlogon.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	4a17f958979cdae4b705021e3fae91288d26e9f7a39d935f210325cae0505871.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 368 set thread context of 4172	368	4a17f958979cdae4b705021e3fae91288d26e9f7a39d935f210325cae0505871.exe	87

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	368	4a17f958979cdae4b705021e3fae91288d26e9f7a39d935f210325cae0505871.exe
Token: SeDebugPrivilege	2292	winlogon.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 368 wrote to memory of 4172	368	4a17f958979cdae4b705021e3fae91288d26e9f7a39d935f210325cae0505871.exe	87
PID 368 wrote to memory of 4172	368	4a17f958979cdae4b705021e3fae91288d26e9f7a39d935f210325cae0505871.exe	87
PID 368 wrote to memory of 4172	368	4a17f958979cdae4b705021e3fae91288d26e9f7a39d935f210325cae0505871.exe	87
PID 368 wrote to memory of 4172	368	4a17f958979cdae4b705021e3fae91288d26e9f7a39d935f210325cae0505871.exe	87
PID 368 wrote to memory of 4172	368	4a17f958979cdae4b705021e3fae91288d26e9f7a39d935f210325cae0505871.exe	87
PID 4172 wrote to memory of 2292	4172	4a17f958979cdae4b705021e3fae91288d26e9f7a39d935f210325cae0505871.exe	89
PID 4172 wrote to memory of 2292	4172	4a17f958979cdae4b705021e3fae91288d26e9f7a39d935f210325cae0505871.exe	89
PID 4172 wrote to memory of 2292	4172	4a17f958979cdae4b705021e3fae91288d26e9f7a39d935f210325cae0505871.exe	89
PID 2292 wrote to memory of 4504	2292	winlogon.exe	90
PID 2292 wrote to memory of 4504	2292	winlogon.exe	90
PID 2292 wrote to memory of 4504	2292	winlogon.exe	90

C:\Users\Admin\AppData\Local\Temp\4a17f958979cdae4b705021e3fae91288d26e9f7a39d935f210325cae0505871.exe
"C:\Users\Admin\AppData\Local\Temp\4a17f958979cdae4b705021e3fae91288d26e9f7a39d935f210325cae0505871.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:368
- C:\Users\Admin\AppData\Local\Temp\4a17f958979cdae4b705021e3fae91288d26e9f7a39d935f210325cae0505871.exe
  C:\Users\Admin\AppData\Local\Temp\4a17f958979cdae4b705021e3fae91288d26e9f7a39d935f210325cae0505871.exe
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4172
- - C:\Users\Admin\AppData\Roaming\winlogon.exe
    "C:\Users\Admin\AppData\Roaming\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Users\Admin\AppData\Roaming\winlogon.exe
      C:\Users\Admin\AppData\Roaming\winlogon.exe
      4⤵
      PID:4504

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\4a17f958979cdae4b705021e3fae91288d26e9f7a39d935f210325cae0505871.exe.log

Filesize
128B

MD5
a5dcc7c9c08af7dddd82be5b036a4416

SHA1
4f998ca1526d199e355ffb435bae111a2779b994

SHA256
e24033ceec97fd03402b03acaaabd1d1e378e83bb1683afbccac760e00f8ead5

SHA512
56035de734836c0c39f0b48641c51c26adb6e79c6c65e23ca96603f71c95b8673e2ef853146e87efc899dd1878d0bbc2c82d91fbf0fce81c552048e986f9bb5a

Download Submit
C:\Users\Admin\AppData\Roaming\winlogon.exe

Filesize
148KB

MD5
038f46069d0a4f29ab44b7c766a173f0

SHA1
b066930a925f89d6a5da9b1cee4c806ff3c3119c

SHA256
4a17f958979cdae4b705021e3fae91288d26e9f7a39d935f210325cae0505871

SHA512
78cb743db6f324485234b0a82fb00ae2fbd5aa7375d9777b9897e57a0df82b0be14bc5b4d1e8a9ab265249c6dde9dec247a4b5f1fc71e6010f6881eaa25e5ca5

Download Submit
C:\Users\Admin\AppData\Roaming\winlogon.exe

Filesize
148KB

MD5
038f46069d0a4f29ab44b7c766a173f0

SHA1
b066930a925f89d6a5da9b1cee4c806ff3c3119c

SHA256
4a17f958979cdae4b705021e3fae91288d26e9f7a39d935f210325cae0505871

SHA512
78cb743db6f324485234b0a82fb00ae2fbd5aa7375d9777b9897e57a0df82b0be14bc5b4d1e8a9ab265249c6dde9dec247a4b5f1fc71e6010f6881eaa25e5ca5

Download Submit
memory/368-133-0x00000000748E0000-0x0000000074E91000-memory.dmp

Filesize
5.7MB

Download
memory/368-132-0x00000000748E0000-0x0000000074E91000-memory.dmp

Filesize
5.7MB

Download
memory/368-137-0x00000000748E0000-0x0000000074E91000-memory.dmp

Filesize
5.7MB

Download
memory/2292-143-0x00000000748E0000-0x0000000074E91000-memory.dmp

Filesize
5.7MB

Download
memory/2292-146-0x00000000748E0000-0x0000000074E91000-memory.dmp

Filesize
5.7MB

Download
memory/2292-144-0x00000000748E0000-0x0000000074E91000-memory.dmp

Filesize
5.7MB

Download
memory/4172-135-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4172-142-0x00000000748E0000-0x0000000074E91000-memory.dmp

Filesize
5.7MB

Download
memory/4172-138-0x00000000748E0000-0x0000000074E91000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing