njrat | 3b669e517bce725d2f748bf2f19d5b3ac413a392a8348c8ac6005b3470746dd8

General

Target

3b669e517bce725d2f748bf2f19d5b3ac413a392a8348c8ac6005b3470746dd8.exe
Size

23KB
MD5

b22fa080349fa5de36f85319c60f08f4
SHA1

3d60153a988292a2b33b1ba23ef2c87861ddf9b2
SHA256

3b669e517bce725d2f748bf2f19d5b3ac413a392a8348c8ac6005b3470746dd8
SHA512

a4ffdc0e55160c73f9a2e782c67c0b9d75d6cbf854512c340142e6f76ebca774e99f095c584aa5c02201eb99da7902831c288af8153e30ed13b354ee4eac94f4
SSDEEP

384:pbY324bcgPiJLQrfARGSRUJsbY6ZgvSMBD3t8mRvR6JZlbw8hqIusZzZY7qq:pkL2s+tRyRpcnuX7p

Score

10^/10

njrat nofa evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

nofa

C2

isuero.no-ip.info:1990

Mutex

b3d7dfeb8fa6d1f91b465daac2597bd1

Attributes

reg_key
b3d7dfeb8fa6d1f91b465daac2597bd1
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

proseseur.exe

pid process

2016 proseseur.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

956 netsh.exe

pid	process
2016	proseseur.exe

pid	process
956	netsh.exe

Drops startup file 2 IoCs

Processes:

proseseur.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b3d7dfeb8fa6d1f91b465daac2597bd1.exe	proseseur.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b3d7dfeb8fa6d1f91b465daac2597bd1.exe	proseseur.exe

Loads dropped DLL 1 IoCs

Processes:

3b669e517bce725d2f748bf2f19d5b3ac413a392a8348c8ac6005b3470746dd8.exe

pid process

1744 3b669e517bce725d2f748bf2f19d5b3ac413a392a8348c8ac6005b3470746dd8.exe

pid	process
1744	3b669e517bce725d2f748bf2f19d5b3ac413a392a8348c8ac6005b3470746dd8.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

proseseur.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\b3d7dfeb8fa6d1f91b465daac2597bd1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\proseseur.exe\" .."	proseseur.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\b3d7dfeb8fa6d1f91b465daac2597bd1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\proseseur.exe\" .."	proseseur.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

proseseur.exe

description	pid	process
Token: SeDebugPrivilege	2016	proseseur.exe
Token: 33	2016	proseseur.exe
Token: SeIncBasePriorityPrivilege	2016	proseseur.exe
Token: 33	2016	proseseur.exe
Token: SeIncBasePriorityPrivilege	2016	proseseur.exe
Token: 33	2016	proseseur.exe
Token: SeIncBasePriorityPrivilege	2016	proseseur.exe
Token: 33	2016	proseseur.exe
Token: SeIncBasePriorityPrivilege	2016	proseseur.exe
Token: 33	2016	proseseur.exe
Token: SeIncBasePriorityPrivilege	2016	proseseur.exe
Token: 33	2016	proseseur.exe
Token: SeIncBasePriorityPrivilege	2016	proseseur.exe
Token: 33	2016	proseseur.exe
Token: SeIncBasePriorityPrivilege	2016	proseseur.exe
Token: 33	2016	proseseur.exe
Token: SeIncBasePriorityPrivilege	2016	proseseur.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

3b669e517bce725d2f748bf2f19d5b3ac413a392a8348c8ac6005b3470746dd8.exeproseseur.exe

description	pid	process	target process
PID 1744 wrote to memory of 2016	1744	3b669e517bce725d2f748bf2f19d5b3ac413a392a8348c8ac6005b3470746dd8.exe	proseseur.exe
PID 1744 wrote to memory of 2016	1744	3b669e517bce725d2f748bf2f19d5b3ac413a392a8348c8ac6005b3470746dd8.exe	proseseur.exe
PID 1744 wrote to memory of 2016	1744	3b669e517bce725d2f748bf2f19d5b3ac413a392a8348c8ac6005b3470746dd8.exe	proseseur.exe
PID 1744 wrote to memory of 2016	1744	3b669e517bce725d2f748bf2f19d5b3ac413a392a8348c8ac6005b3470746dd8.exe	proseseur.exe
PID 2016 wrote to memory of 956	2016	proseseur.exe	netsh.exe
PID 2016 wrote to memory of 956	2016	proseseur.exe	netsh.exe
PID 2016 wrote to memory of 956	2016	proseseur.exe	netsh.exe
PID 2016 wrote to memory of 956	2016	proseseur.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\3b669e517bce725d2f748bf2f19d5b3ac413a392a8348c8ac6005b3470746dd8.exe
"C:\Users\Admin\AppData\Local\Temp\3b669e517bce725d2f748bf2f19d5b3ac413a392a8348c8ac6005b3470746dd8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1744

C:\Users\Admin\AppData\Local\Temp\proseseur.exe
"C:\Users\Admin\AppData\Local\Temp\proseseur.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\proseseur.exe" "proseseur.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\proseseur.exe

Filesize
23KB

MD5
b22fa080349fa5de36f85319c60f08f4

SHA1
3d60153a988292a2b33b1ba23ef2c87861ddf9b2

SHA256
3b669e517bce725d2f748bf2f19d5b3ac413a392a8348c8ac6005b3470746dd8

SHA512
a4ffdc0e55160c73f9a2e782c67c0b9d75d6cbf854512c340142e6f76ebca774e99f095c584aa5c02201eb99da7902831c288af8153e30ed13b354ee4eac94f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\proseseur.exe

Filesize
23KB

MD5
b22fa080349fa5de36f85319c60f08f4

SHA1
3d60153a988292a2b33b1ba23ef2c87861ddf9b2

SHA256
3b669e517bce725d2f748bf2f19d5b3ac413a392a8348c8ac6005b3470746dd8

SHA512
a4ffdc0e55160c73f9a2e782c67c0b9d75d6cbf854512c340142e6f76ebca774e99f095c584aa5c02201eb99da7902831c288af8153e30ed13b354ee4eac94f4

Download Submit
\Users\Admin\AppData\Local\Temp\proseseur.exe

Filesize
23KB

MD5
b22fa080349fa5de36f85319c60f08f4

SHA1
3d60153a988292a2b33b1ba23ef2c87861ddf9b2

SHA256
3b669e517bce725d2f748bf2f19d5b3ac413a392a8348c8ac6005b3470746dd8

SHA512
a4ffdc0e55160c73f9a2e782c67c0b9d75d6cbf854512c340142e6f76ebca774e99f095c584aa5c02201eb99da7902831c288af8153e30ed13b354ee4eac94f4

Download Submit
memory/956-63-0x0000000000000000-mapping.dmp

Download
memory/1744-54-0x0000000076DC1000-0x0000000076DC3000-memory.dmp

Filesize
8KB

Download
memory/1744-55-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/1744-61-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/2016-57-0x0000000000000000-mapping.dmp

Download
memory/2016-62-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/2016-65-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads