njrat | 0758802cb74e0411ae04d92413b2ef480be06d6c11992f9cad30f8285b1de360

General

Target

0758802cb74e0411ae04d92413b2ef480be06d6c11992f9cad30f8285b1de360.exe
Size

752KB
MD5

9e6499f5082ed6f9111385c46b1d9ba4
SHA1

8f8c4979a3da04c7747554677936c219653f139f
SHA256

0758802cb74e0411ae04d92413b2ef480be06d6c11992f9cad30f8285b1de360
SHA512

d4a3e875262b4edc5ae7d5bc038d2bb720f37aaa209144a0f5f1088f068bd51050e18ad4acda1daa2a903109d2308bd395b9bc8db40c292351d23f5f3afa71dc
SSDEEP

12288:zOGZcZxHMr1OaQzfa9dXJvKaoPRvYrySWx8Zwfi53QH/Wuo+0GMqM7Ffb5:zOGZiE1OJr6XJvKnZvaWxC3Mzo+nNe

Score

10^/10

njrat hacked persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

umang.chickenkiller.com:553

Mutex

0353c9dc7f300a6eea7548de1eb123a5

Attributes

reg_key
0353c9dc7f300a6eea7548de1eb123a5
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 3 IoCs

Processes:

winlogon.execsrss.exeserver.exe

pid process

536 winlogon.exe
1948 csrss.exe
1092 server.exe
Loads dropped DLL 4 IoCs

Processes:

winlogon.exewinlogon.exe

pid process

1744 winlogon.exe
1744 winlogon.exe
536 winlogon.exe
536 winlogon.exe

pid	process
536	winlogon.exe
1948	csrss.exe
1092	server.exe

pid	process
1744	winlogon.exe
1744	winlogon.exe
536	winlogon.exe
536	winlogon.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

winlogon.execsrss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe"	csrss.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

winlogon.exe

description pid process target process

PID 1744 set thread context of 536 1744 winlogon.exe winlogon.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1744 set thread context of 536	1744	winlogon.exe	winlogon.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

0758802cb74e0411ae04d92413b2ef480be06d6c11992f9cad30f8285b1de360.exewinlogon.execsrss.exe

pid	process
892	0758802cb74e0411ae04d92413b2ef480be06d6c11992f9cad30f8285b1de360.exe
892	0758802cb74e0411ae04d92413b2ef480be06d6c11992f9cad30f8285b1de360.exe
1744	winlogon.exe
1744	winlogon.exe
1744	winlogon.exe
1744	winlogon.exe
1948	csrss.exe
1948	csrss.exe
1948	csrss.exe
1948	csrss.exe
1948	csrss.exe
1948	csrss.exe
1948	csrss.exe
1948	csrss.exe
1948	csrss.exe
1948	csrss.exe
1948	csrss.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

0758802cb74e0411ae04d92413b2ef480be06d6c11992f9cad30f8285b1de360.exe

pid process

892 0758802cb74e0411ae04d92413b2ef480be06d6c11992f9cad30f8285b1de360.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

0758802cb74e0411ae04d92413b2ef480be06d6c11992f9cad30f8285b1de360.exewinlogon.execsrss.exe

description	pid	process
Token: SeDebugPrivilege	892	0758802cb74e0411ae04d92413b2ef480be06d6c11992f9cad30f8285b1de360.exe
Token: SeDebugPrivilege	1744	winlogon.exe
Token: SeDebugPrivilege	1744	winlogon.exe
Token: SeDebugPrivilege	1948	csrss.exe
Token: SeDebugPrivilege	1948	csrss.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

0758802cb74e0411ae04d92413b2ef480be06d6c11992f9cad30f8285b1de360.exewinlogon.exewinlogon.exe

description	pid	process	target process
PID 892 wrote to memory of 1744	892	0758802cb74e0411ae04d92413b2ef480be06d6c11992f9cad30f8285b1de360.exe	winlogon.exe
PID 892 wrote to memory of 1744	892	0758802cb74e0411ae04d92413b2ef480be06d6c11992f9cad30f8285b1de360.exe	winlogon.exe
PID 892 wrote to memory of 1744	892	0758802cb74e0411ae04d92413b2ef480be06d6c11992f9cad30f8285b1de360.exe	winlogon.exe
PID 892 wrote to memory of 1744	892	0758802cb74e0411ae04d92413b2ef480be06d6c11992f9cad30f8285b1de360.exe	winlogon.exe
PID 1744 wrote to memory of 536	1744	winlogon.exe	winlogon.exe
PID 1744 wrote to memory of 536	1744	winlogon.exe	winlogon.exe
PID 1744 wrote to memory of 536	1744	winlogon.exe	winlogon.exe
PID 1744 wrote to memory of 536	1744	winlogon.exe	winlogon.exe
PID 1744 wrote to memory of 536	1744	winlogon.exe	winlogon.exe
PID 1744 wrote to memory of 536	1744	winlogon.exe	winlogon.exe
PID 1744 wrote to memory of 536	1744	winlogon.exe	winlogon.exe
PID 1744 wrote to memory of 536	1744	winlogon.exe	winlogon.exe
PID 1744 wrote to memory of 536	1744	winlogon.exe	winlogon.exe
PID 1744 wrote to memory of 1948	1744	winlogon.exe	csrss.exe
PID 1744 wrote to memory of 1948	1744	winlogon.exe	csrss.exe
PID 1744 wrote to memory of 1948	1744	winlogon.exe	csrss.exe
PID 1744 wrote to memory of 1948	1744	winlogon.exe	csrss.exe
PID 536 wrote to memory of 1092	536	winlogon.exe	server.exe
PID 536 wrote to memory of 1092	536	winlogon.exe	server.exe
PID 536 wrote to memory of 1092	536	winlogon.exe	server.exe
PID 536 wrote to memory of 1092	536	winlogon.exe	server.exe

C:\Users\Admin\AppData\Local\Temp\0758802cb74e0411ae04d92413b2ef480be06d6c11992f9cad30f8285b1de360.exe
"C:\Users\Admin\AppData\Local\Temp\0758802cb74e0411ae04d92413b2ef480be06d6c11992f9cad30f8285b1de360.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:892

C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
"C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1744

C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
"C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:536

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
4⤵
- Executes dropped EXE
PID:1092

C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\csrss.exe
"C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\csrss.exe" -keyhide -prochide 536 -reg C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe -proc 536 C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
723KB

MD5
c567398ab16e285b196729d8e8aad061

SHA1
d299cff6ba1533443efb0a97a0dfe6e44fae517b

SHA256
a62e846d6ad0bde506fe2917184e898e9df78cb60c4ce700e2cbfdfc8a280614

SHA512
48c31d5b69cd64420a3fb43bd46161f53dc30e64f57d2f487c247821951c11595147985fefd45af5138f96b2493bd0b302e793f6c920a74d65cef6334a1f3fe2

Download Submit
C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\csrss.exe

Filesize
752KB

MD5
9e6499f5082ed6f9111385c46b1d9ba4

SHA1
8f8c4979a3da04c7747554677936c219653f139f

SHA256
0758802cb74e0411ae04d92413b2ef480be06d6c11992f9cad30f8285b1de360

SHA512
d4a3e875262b4edc5ae7d5bc038d2bb720f37aaa209144a0f5f1088f068bd51050e18ad4acda1daa2a903109d2308bd395b9bc8db40c292351d23f5f3afa71dc

Download Submit
C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\csrss.exe

Filesize
752KB

MD5
9e6499f5082ed6f9111385c46b1d9ba4

SHA1
8f8c4979a3da04c7747554677936c219653f139f

SHA256
0758802cb74e0411ae04d92413b2ef480be06d6c11992f9cad30f8285b1de360

SHA512
d4a3e875262b4edc5ae7d5bc038d2bb720f37aaa209144a0f5f1088f068bd51050e18ad4acda1daa2a903109d2308bd395b9bc8db40c292351d23f5f3afa71dc

Download Submit
C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe

Filesize
752KB

MD5
9e6499f5082ed6f9111385c46b1d9ba4

SHA1
8f8c4979a3da04c7747554677936c219653f139f

SHA256
0758802cb74e0411ae04d92413b2ef480be06d6c11992f9cad30f8285b1de360

SHA512
d4a3e875262b4edc5ae7d5bc038d2bb720f37aaa209144a0f5f1088f068bd51050e18ad4acda1daa2a903109d2308bd395b9bc8db40c292351d23f5f3afa71dc

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
752KB

MD5
9e6499f5082ed6f9111385c46b1d9ba4

SHA1
8f8c4979a3da04c7747554677936c219653f139f

SHA256
0758802cb74e0411ae04d92413b2ef480be06d6c11992f9cad30f8285b1de360

SHA512
d4a3e875262b4edc5ae7d5bc038d2bb720f37aaa209144a0f5f1088f068bd51050e18ad4acda1daa2a903109d2308bd395b9bc8db40c292351d23f5f3afa71dc

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
752KB

MD5
9e6499f5082ed6f9111385c46b1d9ba4

SHA1
8f8c4979a3da04c7747554677936c219653f139f

SHA256
0758802cb74e0411ae04d92413b2ef480be06d6c11992f9cad30f8285b1de360

SHA512
d4a3e875262b4edc5ae7d5bc038d2bb720f37aaa209144a0f5f1088f068bd51050e18ad4acda1daa2a903109d2308bd395b9bc8db40c292351d23f5f3afa71dc

Download Submit
\Users\Admin\AppData\Roaming\SubFolder\SubFolder\csrss.exe

Filesize
752KB

MD5
9e6499f5082ed6f9111385c46b1d9ba4

SHA1
8f8c4979a3da04c7747554677936c219653f139f

SHA256
0758802cb74e0411ae04d92413b2ef480be06d6c11992f9cad30f8285b1de360

SHA512
d4a3e875262b4edc5ae7d5bc038d2bb720f37aaa209144a0f5f1088f068bd51050e18ad4acda1daa2a903109d2308bd395b9bc8db40c292351d23f5f3afa71dc

Download Submit
\Users\Admin\AppData\Roaming\SubFolder\SubFolder\csrss.exe

Filesize
752KB

MD5
9e6499f5082ed6f9111385c46b1d9ba4

SHA1
8f8c4979a3da04c7747554677936c219653f139f

SHA256
0758802cb74e0411ae04d92413b2ef480be06d6c11992f9cad30f8285b1de360

SHA512
d4a3e875262b4edc5ae7d5bc038d2bb720f37aaa209144a0f5f1088f068bd51050e18ad4acda1daa2a903109d2308bd395b9bc8db40c292351d23f5f3afa71dc

Download Submit
memory/536-76-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/536-81-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download
memory/536-66-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/536-69-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/536-71-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/536-63-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/536-73-0x000000000040748E-mapping.dmp

Download
memory/536-64-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/536-78-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/892-54-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/892-60-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download
memory/892-57-0x00000000003C6000-0x00000000003D7000-memory.dmp

Filesize
68KB

Download
memory/892-56-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download
memory/892-55-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download
memory/1092-93-0x0000000000000000-mapping.dmp

Download
memory/1744-62-0x00000000020C6000-0x00000000020D7000-memory.dmp

Filesize
68KB

Download
memory/1744-88-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download
memory/1744-89-0x00000000020C6000-0x00000000020D7000-memory.dmp

Filesize
68KB

Download
memory/1744-80-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download
memory/1744-61-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download
memory/1744-58-0x0000000000000000-mapping.dmp

Download
memory/1948-90-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download
memory/1948-84-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads