njrat | 769cc15b10655af128f470fafa6fcd9b674866471d961077364ebf0a879ffa0d

General

Target

769cc15b10655af128f470fafa6fcd9b674866471d961077364ebf0a879ffa0d.exe
Size

40KB
MD5

76549b8baa923d9d124fce400c715f80
SHA1

58b2c7bb1fb4c0c931cca5c28b13bf7c604be0db
SHA256

769cc15b10655af128f470fafa6fcd9b674866471d961077364ebf0a879ffa0d
SHA512

65b34b982745c291a3749250d1aaf43a1e72856166f09085f9e540f6ab3d63f4da692bab44f1d92257f47adbcf8517c2232d3a89a7f2addbbffdc7c73c22ceb0
SSDEEP

768:zu72rHLuCsVwWmd3pgEwJ+i/cEwZeHh29l:6sH5sVwWmdZHG+iEEwgH09l

Score

10^/10

njrat hacker evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

hacker

C2

xxx99.zapto.org:88

Mutex

6f39b86be99d1b95bd864356980f5434

Attributes

reg_key
6f39b86be99d1b95bd864356980f5434
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

LG9NFELtAA4fSs0OcUn3.exesvchost.exe

pid process

292 LG9NFELtAA4fSs0OcUn3.exe
368 svchost.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

752 netsh.exe

pid	process
292	LG9NFELtAA4fSs0OcUn3.exe
368	svchost.exe

pid	process
752	netsh.exe

Loads dropped DLL 4 IoCs

Processes:

769cc15b10655af128f470fafa6fcd9b674866471d961077364ebf0a879ffa0d.exeLG9NFELtAA4fSs0OcUn3.exe

pid	process
1528	769cc15b10655af128f470fafa6fcd9b674866471d961077364ebf0a879ffa0d.exe
1528	769cc15b10655af128f470fafa6fcd9b674866471d961077364ebf0a879ffa0d.exe
292	LG9NFELtAA4fSs0OcUn3.exe
292	LG9NFELtAA4fSs0OcUn3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeDebugPrivilege	368	svchost.exe
Token: 33	368	svchost.exe
Token: SeIncBasePriorityPrivilege	368	svchost.exe
Token: 33	368	svchost.exe
Token: SeIncBasePriorityPrivilege	368	svchost.exe
Token: 33	368	svchost.exe
Token: SeIncBasePriorityPrivilege	368	svchost.exe
Token: 33	368	svchost.exe
Token: SeIncBasePriorityPrivilege	368	svchost.exe
Token: 33	368	svchost.exe
Token: SeIncBasePriorityPrivilege	368	svchost.exe
Token: 33	368	svchost.exe
Token: SeIncBasePriorityPrivilege	368	svchost.exe
Token: 33	368	svchost.exe
Token: SeIncBasePriorityPrivilege	368	svchost.exe
Token: 33	368	svchost.exe
Token: SeIncBasePriorityPrivilege	368	svchost.exe
Token: 33	368	svchost.exe
Token: SeIncBasePriorityPrivilege	368	svchost.exe
Token: 33	368	svchost.exe
Token: SeIncBasePriorityPrivilege	368	svchost.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

769cc15b10655af128f470fafa6fcd9b674866471d961077364ebf0a879ffa0d.exeLG9NFELtAA4fSs0OcUn3.exesvchost.exe

description	pid	process	target process
PID 1528 wrote to memory of 292	1528	769cc15b10655af128f470fafa6fcd9b674866471d961077364ebf0a879ffa0d.exe	LG9NFELtAA4fSs0OcUn3.exe
PID 1528 wrote to memory of 292	1528	769cc15b10655af128f470fafa6fcd9b674866471d961077364ebf0a879ffa0d.exe	LG9NFELtAA4fSs0OcUn3.exe
PID 1528 wrote to memory of 292	1528	769cc15b10655af128f470fafa6fcd9b674866471d961077364ebf0a879ffa0d.exe	LG9NFELtAA4fSs0OcUn3.exe
PID 1528 wrote to memory of 292	1528	769cc15b10655af128f470fafa6fcd9b674866471d961077364ebf0a879ffa0d.exe	LG9NFELtAA4fSs0OcUn3.exe
PID 292 wrote to memory of 368	292	LG9NFELtAA4fSs0OcUn3.exe	svchost.exe
PID 292 wrote to memory of 368	292	LG9NFELtAA4fSs0OcUn3.exe	svchost.exe
PID 292 wrote to memory of 368	292	LG9NFELtAA4fSs0OcUn3.exe	svchost.exe
PID 292 wrote to memory of 368	292	LG9NFELtAA4fSs0OcUn3.exe	svchost.exe
PID 368 wrote to memory of 752	368	svchost.exe	netsh.exe
PID 368 wrote to memory of 752	368	svchost.exe	netsh.exe
PID 368 wrote to memory of 752	368	svchost.exe	netsh.exe
PID 368 wrote to memory of 752	368	svchost.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\769cc15b10655af128f470fafa6fcd9b674866471d961077364ebf0a879ffa0d.exe
"C:\Users\Admin\AppData\Local\Temp\769cc15b10655af128f470fafa6fcd9b674866471d961077364ebf0a879ffa0d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1528

C:\Users\Admin\AppData\Roaming\LG9NFELtAA4fSs0OcUn3.exe
"C:\Users\Admin\AppData\Roaming\LG9NFELtAA4fSs0OcUn3.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:292

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:368

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:752

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\LG9NFELtAA4fSs0OcUn3.exe
Filesize
22KB

MD5
425ba8dbb73b62d374597c2d21711632

SHA1
21b7491b1ff64abf6dcdfdcefa7edf31227cf8cb

SHA256
93c1d2719c2c77db65b49ccd71c23cfea916bc214b83e2b5178596b22dd5f805

SHA512
5594554ade5c690626b7331d256891920833f1bedfc8a68e97a4c4bc5fae268213d93054aa35e847da7e71a5c4b15ce1259407c2e418967247fd8d39f9c04742

Download Submit
C:\Users\Admin\AppData\Roaming\LG9NFELtAA4fSs0OcUn3.exe
Filesize
22KB

MD5
425ba8dbb73b62d374597c2d21711632

SHA1
21b7491b1ff64abf6dcdfdcefa7edf31227cf8cb

SHA256
93c1d2719c2c77db65b49ccd71c23cfea916bc214b83e2b5178596b22dd5f805

SHA512
5594554ade5c690626b7331d256891920833f1bedfc8a68e97a4c4bc5fae268213d93054aa35e847da7e71a5c4b15ce1259407c2e418967247fd8d39f9c04742

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
22KB

MD5
425ba8dbb73b62d374597c2d21711632

SHA1
21b7491b1ff64abf6dcdfdcefa7edf31227cf8cb

SHA256
93c1d2719c2c77db65b49ccd71c23cfea916bc214b83e2b5178596b22dd5f805

SHA512
5594554ade5c690626b7331d256891920833f1bedfc8a68e97a4c4bc5fae268213d93054aa35e847da7e71a5c4b15ce1259407c2e418967247fd8d39f9c04742

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
22KB

MD5
425ba8dbb73b62d374597c2d21711632

SHA1
21b7491b1ff64abf6dcdfdcefa7edf31227cf8cb

SHA256
93c1d2719c2c77db65b49ccd71c23cfea916bc214b83e2b5178596b22dd5f805

SHA512
5594554ade5c690626b7331d256891920833f1bedfc8a68e97a4c4bc5fae268213d93054aa35e847da7e71a5c4b15ce1259407c2e418967247fd8d39f9c04742

Download Submit
\Users\Admin\AppData\Roaming\LG9NFELtAA4fSs0OcUn3.exe
Filesize
22KB

MD5
425ba8dbb73b62d374597c2d21711632

SHA1
21b7491b1ff64abf6dcdfdcefa7edf31227cf8cb

SHA256
93c1d2719c2c77db65b49ccd71c23cfea916bc214b83e2b5178596b22dd5f805

SHA512
5594554ade5c690626b7331d256891920833f1bedfc8a68e97a4c4bc5fae268213d93054aa35e847da7e71a5c4b15ce1259407c2e418967247fd8d39f9c04742

Download Submit
\Users\Admin\AppData\Roaming\LG9NFELtAA4fSs0OcUn3.exe
Filesize
22KB

MD5
425ba8dbb73b62d374597c2d21711632

SHA1
21b7491b1ff64abf6dcdfdcefa7edf31227cf8cb

SHA256
93c1d2719c2c77db65b49ccd71c23cfea916bc214b83e2b5178596b22dd5f805

SHA512
5594554ade5c690626b7331d256891920833f1bedfc8a68e97a4c4bc5fae268213d93054aa35e847da7e71a5c4b15ce1259407c2e418967247fd8d39f9c04742

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe
Filesize
22KB

MD5
425ba8dbb73b62d374597c2d21711632

SHA1
21b7491b1ff64abf6dcdfdcefa7edf31227cf8cb

SHA256
93c1d2719c2c77db65b49ccd71c23cfea916bc214b83e2b5178596b22dd5f805

SHA512
5594554ade5c690626b7331d256891920833f1bedfc8a68e97a4c4bc5fae268213d93054aa35e847da7e71a5c4b15ce1259407c2e418967247fd8d39f9c04742

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe
Filesize
22KB

MD5
425ba8dbb73b62d374597c2d21711632

SHA1
21b7491b1ff64abf6dcdfdcefa7edf31227cf8cb

SHA256
93c1d2719c2c77db65b49ccd71c23cfea916bc214b83e2b5178596b22dd5f805

SHA512
5594554ade5c690626b7331d256891920833f1bedfc8a68e97a4c4bc5fae268213d93054aa35e847da7e71a5c4b15ce1259407c2e418967247fd8d39f9c04742

Download Submit
memory/292-69-0x0000000074A50000-0x0000000074FFB000-memory.dmp

Filesize
5.7MB

Download
memory/292-62-0x0000000074A50000-0x0000000074FFB000-memory.dmp

Filesize
5.7MB

Download
memory/292-57-0x0000000000000000-mapping.dmp

Download
memory/368-65-0x0000000000000000-mapping.dmp

Download
memory/368-70-0x0000000074A50000-0x0000000074FFB000-memory.dmp

Filesize
5.7MB

Download
memory/368-73-0x0000000074A50000-0x0000000074FFB000-memory.dmp

Filesize
5.7MB

Download
memory/752-71-0x0000000000000000-mapping.dmp

Download
memory/1528-61-0x0000000074A50000-0x0000000074FFB000-memory.dmp

Filesize
5.7MB

Download
memory/1528-54-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads