njrat | 85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101

General

Target

85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
Size

56KB
MD5

6ec722039c95fda117a7a8e37057c689
SHA1

924187760a08fe76aca2c83d222009f4310a9736
SHA256

85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101
SHA512

4d3e947a4a7ba7306ca14dcf0c071d1ee7d7526e7fefe5f2179626ca97d781d94f7c8207a142d6e00d43d0975abbc67ebd4817360033c04a4e3e23e0ef359b2a
SSDEEP

768:G/sgxcAtCL90oWAktUOqWTRHV/oZkTXyxnPurcrxT/fnF+l7R5sTgbOluT:cxc6CLeoWA5ZWTRHCZkOtzfstRe+OlO

Score

10^/10

njrat us account evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

US ACCOUNT

C2

212.7.208.123:6020

Mutex

93f19dda2412c86ad7520ba4198f39a0

Attributes

reg_key
93f19dda2412c86ad7520ba4198f39a0
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe

pid process

684 85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1988 netsh.exe
Loads dropped DLL 1 IoCs

Processes:

85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe

pid process

896 85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe

pid	process
1988	netsh.exe

pid	process
896	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\AcroRd32Info = "\\AcroRd32Info.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe

description	pid	process	target process
PID 896 set thread context of 684	896	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe

pid	process
684	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
684	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
684	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
684	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
684	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
684	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
684	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
684	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
684	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
684	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
684	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
684	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
684	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
684	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
684	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
684	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe

description	pid	process
Token: SeDebugPrivilege	896	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
Token: SeDebugPrivilege	684	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe

description	pid	process	target process
PID 896 wrote to memory of 684	896	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
PID 896 wrote to memory of 684	896	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
PID 896 wrote to memory of 684	896	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
PID 896 wrote to memory of 684	896	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
PID 896 wrote to memory of 684	896	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
PID 896 wrote to memory of 684	896	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
PID 896 wrote to memory of 684	896	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
PID 896 wrote to memory of 684	896	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
PID 896 wrote to memory of 684	896	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
PID 684 wrote to memory of 1988	684	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe	netsh.exe
PID 684 wrote to memory of 1988	684	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe	netsh.exe
PID 684 wrote to memory of 1988	684	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe	netsh.exe
PID 684 wrote to memory of 1988	684	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe	netsh.exe
PID 896 wrote to memory of 1380	896	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe	WScript.exe
PID 896 wrote to memory of 1380	896	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe	WScript.exe
PID 896 wrote to memory of 1380	896	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe	WScript.exe
PID 896 wrote to memory of 1380	896	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe	WScript.exe
PID 896 wrote to memory of 888	896	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe	reg.exe
PID 896 wrote to memory of 888	896	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe	reg.exe
PID 896 wrote to memory of 888	896	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe	reg.exe
PID 896 wrote to memory of 888	896	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
"C:\Users\Admin\AppData\Local\Temp\85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:896

C:\Users\Admin\AppData\Local\Temp\85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
"C:\Users\Admin\AppData\Local\Temp\85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe" "85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:1988

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\ewylyfckjukn.vbs"
2⤵
PID:1380

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" import C:\Users\Admin\AppData\Local\ewylyfckjthho.reg
2⤵
- Adds Run key to start application
PID:888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe

Filesize
56KB

MD5
6ec722039c95fda117a7a8e37057c689

SHA1
924187760a08fe76aca2c83d222009f4310a9736

SHA256
85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101

SHA512
4d3e947a4a7ba7306ca14dcf0c071d1ee7d7526e7fefe5f2179626ca97d781d94f7c8207a142d6e00d43d0975abbc67ebd4817360033c04a4e3e23e0ef359b2a

Download Submit
C:\Users\Admin\AppData\Local\ewylyfckjthho.reg

Filesize
140B

MD5
19e112962b7efeb7eb2ea4734a9b5d3c

SHA1
e637c6adbe73aa70237e1abdb6d81654950d6fea

SHA256
8d6e00c3d7c50ebe6d03e81413910ffd7738f96fdef82f5de88683b5a1e241db

SHA512
6d4ad1bf0db6dc3005d95ac2374aae20b5e5c08cdf703d2b6c6ebbe1f274aaa72843546f27e41554a086ea90f22a153afa1a074f41f1f390ab1fe64b47c98333

Download Submit
C:\Users\Admin\AppData\Local\ewylyfckjukn.vbs

Filesize
447B

MD5
93528f58f8133fceed85a29b5617fe5a

SHA1
cfb69b42acdeaa949cf34a461456e3c445cb0394

SHA256
f639739f74f85fd7d65d519fa5c89197eb49bc665f4d38f1968366d6bec3166e

SHA512
e45d7c5c20042b6a8214ebf8956ad04df5a600717dc3a63d663d9d1a2d77a53962fe0320d570d744edac2ae7c39338cdcecd0ba0f3aa88a68399fb42778bc736

Download Submit
\Users\Admin\AppData\Local\Temp\85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe

Filesize
56KB

MD5
6ec722039c95fda117a7a8e37057c689

SHA1
924187760a08fe76aca2c83d222009f4310a9736

SHA256
85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101

SHA512
4d3e947a4a7ba7306ca14dcf0c071d1ee7d7526e7fefe5f2179626ca97d781d94f7c8207a142d6e00d43d0975abbc67ebd4817360033c04a4e3e23e0ef359b2a

Download Submit
memory/684-60-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/684-68-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/684-61-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/684-62-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/684-58-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/684-63-0x0000000000408B0E-mapping.dmp

Download
memory/684-66-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/684-79-0x0000000074C30000-0x00000000751DB000-memory.dmp

Filesize
5.7MB

Download
memory/684-75-0x0000000074C30000-0x00000000751DB000-memory.dmp

Filesize
5.7MB

Download
memory/684-57-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/888-73-0x0000000000000000-mapping.dmp

Download
memory/896-55-0x0000000074C30000-0x00000000751DB000-memory.dmp

Filesize
5.7MB

Download
memory/896-78-0x0000000074C30000-0x00000000751DB000-memory.dmp

Filesize
5.7MB

Download
memory/896-54-0x0000000075E31000-0x0000000075E33000-memory.dmp

Filesize
8KB

Download
memory/1380-71-0x0000000000000000-mapping.dmp

Download
memory/1988-70-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads