njrat | 8d820deacf65732d83ddaf92027622845742ef5589ebbd7f919ddb017d029bd1

Analysis

max time kernel
9s
max time network
12s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 15:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d820deacf65732d83ddaf92027622845742ef5589ebbd7f919ddb017d029bd1.exe
Size

912KB
MD5

484aa69de292970171f21d3c75c1c407
SHA1

258487b4b3c20e9584b44b87ce462d4bc4abbd23
SHA256

8d820deacf65732d83ddaf92027622845742ef5589ebbd7f919ddb017d029bd1
SHA512

aefe82c951b0c1c9add2d1bd917806b3eca151e7fa6f322875833b6169786133e442c8697b1bdf99642983dba23ed5e58abf49e9add61070e915b3b5e0852229
SSDEEP

12288:LrgThZtleF5Xhyhz/5c1cQe/QdxNf8ZWw9CtDhm6+sWFsScWfONIKG1:+HLPhV9/WLvDhmpsOcVNI5

Score

10^/10

njrat hacked bye charssi persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed bye Charssi

magsi.no-ip.biz:100

Mutex

8515eb34d8f9de5af815466e9715b3e5

Attributes

reg_key
8515eb34d8f9de5af815466e9715b3e5
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 3 IoCs

Processes:

winlogon.exewinlogon.exewinlogon.exe

pid process

3772 winlogon.exe
3196 winlogon.exe
216 winlogon.exe

pid	process
3772	winlogon.exe
3196	winlogon.exe
216	winlogon.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8d820deacf65732d83ddaf92027622845742ef5589ebbd7f919ddb017d029bd1.exewinlogon.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	8d820deacf65732d83ddaf92027622845742ef5589ebbd7f919ddb017d029bd1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	winlogon.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

winlogon.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe"	winlogon.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

winlogon.exe

description pid process target process

PID 3772 set thread context of 216 3772 winlogon.exe winlogon.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

winlogon.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winlogon.exe

description	pid	process	target process
PID 3772 set thread context of 216	3772	winlogon.exe	winlogon.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winlogon.exe

NTFS ADS 5 IoCs

Processes:

cmd.exe8d820deacf65732d83ddaf92027622845742ef5589ebbd7f919ddb017d029bd1.execmd.exewinlogon.exewinlogon.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\8d820deacf65732d83ddaf92027622845742ef5589ebbd7f919ddb017d029bd1.exe:ZONE.identifier	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe\:ZONE.identifier:$DATA	8d820deacf65732d83ddaf92027622845742ef5589ebbd7f919ddb017d029bd1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe:ZONE.identifier	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\csrss.exe\:ZONE.identifier:$DATA	winlogon.exe
File created	C:\Users\Admin\AppData\Roaming\Trojan.exe\:ZONE.identifier:$DATA	winlogon.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

8d820deacf65732d83ddaf92027622845742ef5589ebbd7f919ddb017d029bd1.exewinlogon.exe

pid	process
3488	8d820deacf65732d83ddaf92027622845742ef5589ebbd7f919ddb017d029bd1.exe
3488	8d820deacf65732d83ddaf92027622845742ef5589ebbd7f919ddb017d029bd1.exe
3772	winlogon.exe
3772	winlogon.exe
3772	winlogon.exe
3772	winlogon.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

8d820deacf65732d83ddaf92027622845742ef5589ebbd7f919ddb017d029bd1.exewinlogon.exe

description	pid	process
Token: SeDebugPrivilege	3488	8d820deacf65732d83ddaf92027622845742ef5589ebbd7f919ddb017d029bd1.exe
Token: SeDebugPrivilege	3772	winlogon.exe
Token: SeDebugPrivilege	3772	winlogon.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

8d820deacf65732d83ddaf92027622845742ef5589ebbd7f919ddb017d029bd1.exewinlogon.exe

description	pid	process	target process
PID 3488 wrote to memory of 2072	3488	8d820deacf65732d83ddaf92027622845742ef5589ebbd7f919ddb017d029bd1.exe	cmd.exe
PID 3488 wrote to memory of 2072	3488	8d820deacf65732d83ddaf92027622845742ef5589ebbd7f919ddb017d029bd1.exe	cmd.exe
PID 3488 wrote to memory of 2072	3488	8d820deacf65732d83ddaf92027622845742ef5589ebbd7f919ddb017d029bd1.exe	cmd.exe
PID 3488 wrote to memory of 3772	3488	8d820deacf65732d83ddaf92027622845742ef5589ebbd7f919ddb017d029bd1.exe	winlogon.exe
PID 3488 wrote to memory of 3772	3488	8d820deacf65732d83ddaf92027622845742ef5589ebbd7f919ddb017d029bd1.exe	winlogon.exe
PID 3488 wrote to memory of 3772	3488	8d820deacf65732d83ddaf92027622845742ef5589ebbd7f919ddb017d029bd1.exe	winlogon.exe
PID 3772 wrote to memory of 3092	3772	winlogon.exe	cmd.exe
PID 3772 wrote to memory of 3092	3772	winlogon.exe	cmd.exe
PID 3772 wrote to memory of 3092	3772	winlogon.exe	cmd.exe
PID 3772 wrote to memory of 3196	3772	winlogon.exe	winlogon.exe
PID 3772 wrote to memory of 3196	3772	winlogon.exe	winlogon.exe
PID 3772 wrote to memory of 3196	3772	winlogon.exe	winlogon.exe
PID 3772 wrote to memory of 216	3772	winlogon.exe	winlogon.exe
PID 3772 wrote to memory of 216	3772	winlogon.exe	winlogon.exe
PID 3772 wrote to memory of 216	3772	winlogon.exe	winlogon.exe
PID 3772 wrote to memory of 216	3772	winlogon.exe	winlogon.exe
PID 3772 wrote to memory of 216	3772	winlogon.exe	winlogon.exe
PID 3772 wrote to memory of 216	3772	winlogon.exe	winlogon.exe
PID 3772 wrote to memory of 216	3772	winlogon.exe	winlogon.exe
PID 3772 wrote to memory of 216	3772	winlogon.exe	winlogon.exe

C:\Users\Admin\AppData\Local\Temp\8d820deacf65732d83ddaf92027622845742ef5589ebbd7f919ddb017d029bd1.exe
"C:\Users\Admin\AppData\Local\Temp\8d820deacf65732d83ddaf92027622845742ef5589ebbd7f919ddb017d029bd1.exe"
1⤵
- Checks computer location settings
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3488

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Local\Temp\8d820deacf65732d83ddaf92027622845742ef5589ebbd7f919ddb017d029bd1.exe":ZONE.identifier & exit
2⤵
- NTFS ADS
PID:2072

C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
"C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3772

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe":ZONE.identifier & exit
3⤵
- NTFS ADS
PID:3092

C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
"C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
3⤵
- Executes dropped EXE
PID:3196

C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
"C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
3⤵
- Executes dropped EXE
- NTFS ADS
PID:216

C:\Users\Admin\AppData\Roaming\Trojan.exe
"C:\Users\Admin\AppData\Roaming\Trojan.exe"
4⤵
PID:4144

C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\csrss.exe
"C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\csrss.exe" -keyhide -prochide 216 -reg C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe -proc 216 C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
3⤵
PID:332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8d820deacf65732d83ddaf92027622845742ef5589ebbd7f919ddb017d029bd1.exe

Filesize
912KB

MD5
484aa69de292970171f21d3c75c1c407

SHA1
258487b4b3c20e9584b44b87ce462d4bc4abbd23

SHA256
8d820deacf65732d83ddaf92027622845742ef5589ebbd7f919ddb017d029bd1

SHA512
aefe82c951b0c1c9add2d1bd917806b3eca151e7fa6f322875833b6169786133e442c8697b1bdf99642983dba23ed5e58abf49e9add61070e915b3b5e0852229

Download Submit
C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\csrss.exe

Filesize
320KB

MD5
4237ad920f3c78ee3c038cdefe1a0689

SHA1
80d0e6e43bf142aebfb466add08ee80d2947982c

SHA256
9bafa13d38bc85795c886dc1fd54c743f74a508c116f4d83cf217a784f28c891

SHA512
5cd4df0d8d3dd1f9e379fc774670ff615d920e50f3c3f260b6ce70226339631f80c04e3d9fcf97ec410f8de9a650694d4c6a826a7da981d9e7b8e168bebe33bf

Download Submit
C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\csrss.exe

Filesize
128KB

MD5
cabef0d73ccb634f4d9ad39042869593

SHA1
750a90e49fa65e0ea9a378f26f1957b0f2dcc4c7

SHA256
a38a4ae985d58f0a94790422a42ffcfad1df77763bc2b190b05d3342a8948999

SHA512
690d1411f2e74fc7dba847def3b7e9dbc7f92ed1c4148851e3d31df578173ab267b711a943c36b76009522780d1509a7ffd15704f550fe54268424b2aeb9bb09

Download Submit
C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe

Filesize
912KB

MD5
484aa69de292970171f21d3c75c1c407

SHA1
258487b4b3c20e9584b44b87ce462d4bc4abbd23

SHA256
8d820deacf65732d83ddaf92027622845742ef5589ebbd7f919ddb017d029bd1

SHA512
aefe82c951b0c1c9add2d1bd917806b3eca151e7fa6f322875833b6169786133e442c8697b1bdf99642983dba23ed5e58abf49e9add61070e915b3b5e0852229

Download Submit
C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe

Filesize
912KB

MD5
484aa69de292970171f21d3c75c1c407

SHA1
258487b4b3c20e9584b44b87ce462d4bc4abbd23

SHA256
8d820deacf65732d83ddaf92027622845742ef5589ebbd7f919ddb017d029bd1

SHA512
aefe82c951b0c1c9add2d1bd917806b3eca151e7fa6f322875833b6169786133e442c8697b1bdf99642983dba23ed5e58abf49e9add61070e915b3b5e0852229

Download Submit
C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe

Filesize
912KB

MD5
484aa69de292970171f21d3c75c1c407

SHA1
258487b4b3c20e9584b44b87ce462d4bc4abbd23

SHA256
8d820deacf65732d83ddaf92027622845742ef5589ebbd7f919ddb017d029bd1

SHA512
aefe82c951b0c1c9add2d1bd917806b3eca151e7fa6f322875833b6169786133e442c8697b1bdf99642983dba23ed5e58abf49e9add61070e915b3b5e0852229

Download Submit
C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe

Filesize
912KB

MD5
484aa69de292970171f21d3c75c1c407

SHA1
258487b4b3c20e9584b44b87ce462d4bc4abbd23

SHA256
8d820deacf65732d83ddaf92027622845742ef5589ebbd7f919ddb017d029bd1

SHA512
aefe82c951b0c1c9add2d1bd917806b3eca151e7fa6f322875833b6169786133e442c8697b1bdf99642983dba23ed5e58abf49e9add61070e915b3b5e0852229

Download Submit
C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe

Filesize
912KB

MD5
484aa69de292970171f21d3c75c1c407

SHA1
258487b4b3c20e9584b44b87ce462d4bc4abbd23

SHA256
8d820deacf65732d83ddaf92027622845742ef5589ebbd7f919ddb017d029bd1

SHA512
aefe82c951b0c1c9add2d1bd917806b3eca151e7fa6f322875833b6169786133e442c8697b1bdf99642983dba23ed5e58abf49e9add61070e915b3b5e0852229

Download Submit
C:\Users\Admin\AppData\Roaming\Trojan.exe

Filesize
640KB

MD5
b9247e0a44de5d7b7bb366f4fda5ac15

SHA1
cb1879d8b8279eca36b88bdaaac9f54a574d70c8

SHA256
2ab9923bdfb4693383838e6aed3bb84379ccc6e9f88556186c09b03fbf40e68a

SHA512
f03712f853f2b159c8e3506b176ec83e38f1553a9a67f3a64c44da082a763b5aa4fba48f5b2112fb1065d2ff60cf7cccab4a2fb31af5669f301becc0935afd94

Download Submit
C:\Users\Admin\AppData\Roaming\Trojan.exe

Filesize
897KB

MD5
38e9620b9624690fbab1a8d97c25d307

SHA1
285f6ed69244efa9a8530df0fd4af993f1fb2ca1

SHA256
0f1a253374155cbc2a166c32f35a0d334c4faef9ef939ce1004f08997505b40e

SHA512
b04c7cb8524e72e3d1020ffb8e310e2232b9635ab9486415ac70e74aa50ce1550e771fe6391ee9c9b2d8d2ea2e4581eb353fa7da0111a1aabcf8d358381039e1

Download Submit
memory/216-143-0x0000000000000000-mapping.dmp

Download
memory/216-144-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/216-145-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/216-146-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/332-152-0x0000000000000000-mapping.dmp

Download
memory/2072-133-0x0000000000000000-mapping.dmp

Download
memory/3092-140-0x0000000000000000-mapping.dmp

Download
memory/3488-132-0x0000000074B50000-0x0000000075101000-memory.dmp

Filesize
5.7MB

Download
memory/3488-138-0x0000000074B50000-0x0000000075101000-memory.dmp

Filesize
5.7MB

Download
memory/3772-135-0x0000000000000000-mapping.dmp

Download
memory/3772-139-0x0000000074B50000-0x0000000075101000-memory.dmp

Filesize
5.7MB

Download
memory/4144-149-0x0000000000000000-mapping.dmp

Download