njrat | 85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101

General

Target

85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
Size

56KB
MD5

6ec722039c95fda117a7a8e37057c689
SHA1

924187760a08fe76aca2c83d222009f4310a9736
SHA256

85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101
SHA512

4d3e947a4a7ba7306ca14dcf0c071d1ee7d7526e7fefe5f2179626ca97d781d94f7c8207a142d6e00d43d0975abbc67ebd4817360033c04a4e3e23e0ef359b2a
SSDEEP

768:G/sgxcAtCL90oWAktUOqWTRHV/oZkTXyxnPurcrxT/fnF+l7R5sTgbOluT:cxc6CLeoWA5ZWTRHCZkOtzfstRe+OlO

Score

10^/10

njrat us account evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

US ACCOUNT

C2

212.7.208.123:6020

Mutex

93f19dda2412c86ad7520ba4198f39a0

Attributes

reg_key
93f19dda2412c86ad7520ba4198f39a0
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe

pid process

380 85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

2848 netsh.exe

pid	process
2848	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AcroRd32Info = "\\AcroRd32Info.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe

description	pid	process	target process
PID 4584 set thread context of 380	4584	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe

pid	process
380	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
380	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
380	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
380	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
380	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
380	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
380	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
380	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
380	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
380	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
380	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
380	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
380	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
380	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
380	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
380	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
380	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
380	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
380	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
380	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
380	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
380	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
380	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
380	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
380	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
380	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
380	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
380	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
380	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
380	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
380	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
380	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
380	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
380	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
380	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
380	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
380	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
380	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
380	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
380	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
380	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
380	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe

description	pid	process
Token: SeDebugPrivilege	4584	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
Token: SeDebugPrivilege	380	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe

description	pid	process	target process
PID 4584 wrote to memory of 380	4584	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
PID 4584 wrote to memory of 380	4584	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
PID 4584 wrote to memory of 380	4584	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
PID 4584 wrote to memory of 380	4584	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
PID 4584 wrote to memory of 380	4584	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
PID 4584 wrote to memory of 380	4584	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
PID 4584 wrote to memory of 380	4584	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
PID 4584 wrote to memory of 380	4584	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
PID 380 wrote to memory of 2848	380	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe	netsh.exe
PID 380 wrote to memory of 2848	380	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe	netsh.exe
PID 380 wrote to memory of 2848	380	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe	netsh.exe
PID 4584 wrote to memory of 2468	4584	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe	WScript.exe
PID 4584 wrote to memory of 2468	4584	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe	WScript.exe
PID 4584 wrote to memory of 2468	4584	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe	WScript.exe
PID 4584 wrote to memory of 3148	4584	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe	reg.exe
PID 4584 wrote to memory of 3148	4584	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe	reg.exe
PID 4584 wrote to memory of 3148	4584	85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
"C:\Users\Admin\AppData\Local\Temp\85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4584

C:\Users\Admin\AppData\Local\Temp\85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
"C:\Users\Admin\AppData\Local\Temp\85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:380

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe" "85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:2848

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\ewylyfckjukn.vbs"
2⤵
PID:2468

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" import C:\Users\Admin\AppData\Local\ewylyfckjthho.reg
2⤵
- Adds Run key to start application
PID:3148

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101.exe
Filesize
56KB

MD5
6ec722039c95fda117a7a8e37057c689

SHA1
924187760a08fe76aca2c83d222009f4310a9736

SHA256
85eb70322648b91b6731ae31fefd7307bf1243d5076a0312367461b57d4ea101

SHA512
4d3e947a4a7ba7306ca14dcf0c071d1ee7d7526e7fefe5f2179626ca97d781d94f7c8207a142d6e00d43d0975abbc67ebd4817360033c04a4e3e23e0ef359b2a

Download Submit
C:\Users\Admin\AppData\Local\ewylyfckjthho.reg
Filesize
140B

MD5
19e112962b7efeb7eb2ea4734a9b5d3c

SHA1
e637c6adbe73aa70237e1abdb6d81654950d6fea

SHA256
8d6e00c3d7c50ebe6d03e81413910ffd7738f96fdef82f5de88683b5a1e241db

SHA512
6d4ad1bf0db6dc3005d95ac2374aae20b5e5c08cdf703d2b6c6ebbe1f274aaa72843546f27e41554a086ea90f22a153afa1a074f41f1f390ab1fe64b47c98333

Download Submit
C:\Users\Admin\AppData\Local\ewylyfckjukn.vbs
Filesize
447B

MD5
93528f58f8133fceed85a29b5617fe5a

SHA1
cfb69b42acdeaa949cf34a461456e3c445cb0394

SHA256
f639739f74f85fd7d65d519fa5c89197eb49bc665f4d38f1968366d6bec3166e

SHA512
e45d7c5c20042b6a8214ebf8956ad04df5a600717dc3a63d663d9d1a2d77a53962fe0320d570d744edac2ae7c39338cdcecd0ba0f3aa88a68399fb42778bc736

Download Submit
memory/380-134-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/380-136-0x0000000074850000-0x0000000074E01000-memory.dmp

Filesize
5.7MB

Download
memory/380-133-0x0000000000000000-mapping.dmp

Download
memory/380-144-0x0000000074850000-0x0000000074E01000-memory.dmp

Filesize
5.7MB

Download
memory/2468-139-0x0000000000000000-mapping.dmp

Download
memory/2848-137-0x0000000000000000-mapping.dmp

Download
memory/3148-140-0x0000000000000000-mapping.dmp

Download
memory/4584-138-0x0000000074850000-0x0000000074E01000-memory.dmp

Filesize
5.7MB

Download
memory/4584-132-0x0000000074850000-0x0000000074E01000-memory.dmp

Filesize
5.7MB

Download
memory/4584-143-0x0000000074850000-0x0000000074E01000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads