njrat | ec11041c06713dab17cd1df70e30105ac07c23abf7f2db3a171aade56bc7f272

General

Target

ec11041c06713dab17cd1df70e30105ac07c23abf7f2db3a171aade56bc7f272.exe
Size

44KB
MD5

10d10d703487f66c184aebcc89ee1cdc
SHA1

af4c294e54ed01d71e0ee1b33af9c1fee178ef73
SHA256

ec11041c06713dab17cd1df70e30105ac07c23abf7f2db3a171aade56bc7f272
SHA512

f6b9714db6bec47229fd326d7ebcfac855a33e3a5f82429d04d34719276e18cb6d447c66ac364ec6dcc017ca529b7c0f31d9d4514769e839e7419f62e9741df3
SSDEEP

768:Os4UAZQv/27NYsDkfZPoIqlHepBKh0p29SgRcrsnWeDmtUov:OrU7m7N143wEKhG29jcrGBmUM

Score

10^/10

njrat system evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

system

C2

saadk.no-ip.biz:1177

Mutex

12ce4e06a81e8d54fd01d9b762f1b1bb

Attributes

reg_key
12ce4e06a81e8d54fd01d9b762f1b1bb
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

Tempserver.exesystem.exe

pid process

840 Tempserver.exe
584 system.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1932 netsh.exe
Loads dropped DLL 2 IoCs

Processes:

ec11041c06713dab17cd1df70e30105ac07c23abf7f2db3a171aade56bc7f272.exeTempserver.exe

pid process

1740 ec11041c06713dab17cd1df70e30105ac07c23abf7f2db3a171aade56bc7f272.exe
840 Tempserver.exe

pid	process
840	Tempserver.exe
584	system.exe

pid	process
1932	netsh.exe

pid	process
1740	ec11041c06713dab17cd1df70e30105ac07c23abf7f2db3a171aade56bc7f272.exe
840	Tempserver.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

system.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\12ce4e06a81e8d54fd01d9b762f1b1bb = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\system.exe\" .."	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\12ce4e06a81e8d54fd01d9b762f1b1bb = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\system.exe\" .."	system.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

system.exe

pid	process
584	system.exe
584	system.exe
584	system.exe
584	system.exe
584	system.exe
584	system.exe
584	system.exe
584	system.exe
584	system.exe
584	system.exe
584	system.exe
584	system.exe
584	system.exe
584	system.exe
584	system.exe
584	system.exe
584	system.exe
584	system.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

system.exe

description pid process

Token: SeDebugPrivilege 584 system.exe

description	pid	process
Token: SeDebugPrivilege	584	system.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

ec11041c06713dab17cd1df70e30105ac07c23abf7f2db3a171aade56bc7f272.exeTempserver.exesystem.exe

description	pid	process	target process
PID 1740 wrote to memory of 840	1740	ec11041c06713dab17cd1df70e30105ac07c23abf7f2db3a171aade56bc7f272.exe	Tempserver.exe
PID 1740 wrote to memory of 840	1740	ec11041c06713dab17cd1df70e30105ac07c23abf7f2db3a171aade56bc7f272.exe	Tempserver.exe
PID 1740 wrote to memory of 840	1740	ec11041c06713dab17cd1df70e30105ac07c23abf7f2db3a171aade56bc7f272.exe	Tempserver.exe
PID 1740 wrote to memory of 840	1740	ec11041c06713dab17cd1df70e30105ac07c23abf7f2db3a171aade56bc7f272.exe	Tempserver.exe
PID 840 wrote to memory of 584	840	Tempserver.exe	system.exe
PID 840 wrote to memory of 584	840	Tempserver.exe	system.exe
PID 840 wrote to memory of 584	840	Tempserver.exe	system.exe
PID 840 wrote to memory of 584	840	Tempserver.exe	system.exe
PID 584 wrote to memory of 1932	584	system.exe	netsh.exe
PID 584 wrote to memory of 1932	584	system.exe	netsh.exe
PID 584 wrote to memory of 1932	584	system.exe	netsh.exe
PID 584 wrote to memory of 1932	584	system.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\ec11041c06713dab17cd1df70e30105ac07c23abf7f2db3a171aade56bc7f272.exe
"C:\Users\Admin\AppData\Local\Temp\ec11041c06713dab17cd1df70e30105ac07c23abf7f2db3a171aade56bc7f272.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1740

C:\Users\Admin\AppData\Local\Tempserver.exe
"C:\Users\Admin\AppData\Local\Tempserver.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:840

C:\Users\Admin\AppData\Local\Temp\system.exe
"C:\Users\Admin\AppData\Local\Temp\system.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:584

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\system.exe" "system.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:1932

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\system.exe
Filesize
29KB

MD5
cc1527601b9652935e9056cb92446af4

SHA1
aae8b36b18e40a006ce13e64b02c85e46e22f458

SHA256
4c0f695c4024706da28de651915101981018d3100856d421fb76f6d78b8adab9

SHA512
77d34263df5ef22f99c176020d5163b19b1392c6833da14d864e9762a6b9e4d11e3613a2a161937871150c80df0dd43d9edea1cee1e621c0d45a2047839172a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\system.exe
Filesize
29KB

MD5
cc1527601b9652935e9056cb92446af4

SHA1
aae8b36b18e40a006ce13e64b02c85e46e22f458

SHA256
4c0f695c4024706da28de651915101981018d3100856d421fb76f6d78b8adab9

SHA512
77d34263df5ef22f99c176020d5163b19b1392c6833da14d864e9762a6b9e4d11e3613a2a161937871150c80df0dd43d9edea1cee1e621c0d45a2047839172a5

Download Submit
C:\Users\Admin\AppData\Local\Tempserver.exe
Filesize
29KB

MD5
cc1527601b9652935e9056cb92446af4

SHA1
aae8b36b18e40a006ce13e64b02c85e46e22f458

SHA256
4c0f695c4024706da28de651915101981018d3100856d421fb76f6d78b8adab9

SHA512
77d34263df5ef22f99c176020d5163b19b1392c6833da14d864e9762a6b9e4d11e3613a2a161937871150c80df0dd43d9edea1cee1e621c0d45a2047839172a5

Download Submit
C:\Users\Admin\AppData\Local\Tempserver.exe
Filesize
29KB

MD5
cc1527601b9652935e9056cb92446af4

SHA1
aae8b36b18e40a006ce13e64b02c85e46e22f458

SHA256
4c0f695c4024706da28de651915101981018d3100856d421fb76f6d78b8adab9

SHA512
77d34263df5ef22f99c176020d5163b19b1392c6833da14d864e9762a6b9e4d11e3613a2a161937871150c80df0dd43d9edea1cee1e621c0d45a2047839172a5

Download Submit
\Users\Admin\AppData\Local\Temp\system.exe
Filesize
29KB

MD5
cc1527601b9652935e9056cb92446af4

SHA1
aae8b36b18e40a006ce13e64b02c85e46e22f458

SHA256
4c0f695c4024706da28de651915101981018d3100856d421fb76f6d78b8adab9

SHA512
77d34263df5ef22f99c176020d5163b19b1392c6833da14d864e9762a6b9e4d11e3613a2a161937871150c80df0dd43d9edea1cee1e621c0d45a2047839172a5

Download Submit
\Users\Admin\AppData\Local\Tempserver.exe
Filesize
29KB

MD5
cc1527601b9652935e9056cb92446af4

SHA1
aae8b36b18e40a006ce13e64b02c85e46e22f458

SHA256
4c0f695c4024706da28de651915101981018d3100856d421fb76f6d78b8adab9

SHA512
77d34263df5ef22f99c176020d5163b19b1392c6833da14d864e9762a6b9e4d11e3613a2a161937871150c80df0dd43d9edea1cee1e621c0d45a2047839172a5

Download Submit
memory/584-62-0x0000000000000000-mapping.dmp

Download
memory/584-69-0x0000000073950000-0x0000000073EFB000-memory.dmp

Filesize
5.7MB

Download
memory/584-70-0x0000000073950000-0x0000000073EFB000-memory.dmp

Filesize
5.7MB

Download
memory/840-57-0x0000000000000000-mapping.dmp

Download
memory/840-66-0x0000000073950000-0x0000000073EFB000-memory.dmp

Filesize
5.7MB

Download
memory/1740-54-0x0000000001350000-0x0000000001362000-memory.dmp

Filesize
72KB

Download
memory/1740-55-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1932-67-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads