njrat | 5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a

General

Target

5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe
Size

319KB
MD5

d974e8a7e94fae3bef8b9a663057ba05
SHA1

02457284d0a0a05fc84e59fe6f34f4ee5f324df8
SHA256

5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a
SHA512

a683482f2e585bb5f5e1e342c660f63b279317dfbd8ff23b306546eeb52c15e3659c85b94b2e5de80d8400cde6a1ca9f0d301b3e9cd608c6415d152a456ba9dd
SSDEEP

3072:XTn64mgLXEg36vdXheha1G+VedMdGW53aKzfBrKGdrsx7HD:Dn4gIR1XhYa11VedMdGYKGRsZ

Score

10^/10

njrat ﻣ̲ﺳ̲ﺗ̲ﺷ̲ﺂ̲ږ ﺂ̲بـﻟ̲يےﺳ̲evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

ﻣ̲ﺳ̲ﺗ̲ﺷ̲ﺂ̲ږ ﺂ̲بـﻟ̲يےﺳ̲

C2

aaddbbkk.hopto.org:1177

Mutex

85d96ae9b74c6f98a30eae5caffd31d4

Attributes

reg_key
85d96ae9b74c6f98a30eae5caffd31d4
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

xwtpw32.exexwtpw32.exe

pid process

3048 xwtpw32.exe
1188 xwtpw32.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

3584 netsh.exe

pid	process
3048	xwtpw32.exe
1188	xwtpw32.exe

pid	process
3584	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

xwtpw32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\85d96ae9b74c6f98a30eae5caffd31d4 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\xwtpw32.exe\" .."	xwtpw32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\85d96ae9b74c6f98a30eae5caffd31d4 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\xwtpw32.exe\" .."	xwtpw32.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exexwtpw32.exe

description	pid	process	target process
PID 4176 set thread context of 768	4176	5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe	5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe
PID 3048 set thread context of 1188	3048	xwtpw32.exe	xwtpw32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exexwtpw32.exe

pid	process
4176	5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe
4176	5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe
4176	5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe
3048	xwtpw32.exe
3048	xwtpw32.exe
3048	xwtpw32.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exexwtpw32.exexwtpw32.exe

description	pid	process
Token: SeDebugPrivilege	4176	5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe
Token: 33	4176	5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe
Token: SeIncBasePriorityPrivilege	4176	5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe
Token: SeDebugPrivilege	3048	xwtpw32.exe
Token: 33	3048	xwtpw32.exe
Token: SeIncBasePriorityPrivilege	3048	xwtpw32.exe
Token: 33	3048	xwtpw32.exe
Token: SeIncBasePriorityPrivilege	3048	xwtpw32.exe
Token: SeDebugPrivilege	1188	xwtpw32.exe
Token: 33	1188	xwtpw32.exe
Token: SeIncBasePriorityPrivilege	1188	xwtpw32.exe
Token: 33	1188	xwtpw32.exe
Token: SeIncBasePriorityPrivilege	1188	xwtpw32.exe
Token: 33	1188	xwtpw32.exe
Token: SeIncBasePriorityPrivilege	1188	xwtpw32.exe
Token: 33	1188	xwtpw32.exe
Token: SeIncBasePriorityPrivilege	1188	xwtpw32.exe
Token: 33	1188	xwtpw32.exe
Token: SeIncBasePriorityPrivilege	1188	xwtpw32.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exexwtpw32.exexwtpw32.exe

description	pid	process	target process
PID 4176 wrote to memory of 768	4176	5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe	5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe
PID 4176 wrote to memory of 768	4176	5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe	5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe
PID 4176 wrote to memory of 768	4176	5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe	5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe
PID 4176 wrote to memory of 768	4176	5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe	5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe
PID 4176 wrote to memory of 768	4176	5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe	5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe
PID 768 wrote to memory of 3048	768	5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe	xwtpw32.exe
PID 768 wrote to memory of 3048	768	5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe	xwtpw32.exe
PID 768 wrote to memory of 3048	768	5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe	xwtpw32.exe
PID 3048 wrote to memory of 1188	3048	xwtpw32.exe	xwtpw32.exe
PID 3048 wrote to memory of 1188	3048	xwtpw32.exe	xwtpw32.exe
PID 3048 wrote to memory of 1188	3048	xwtpw32.exe	xwtpw32.exe
PID 3048 wrote to memory of 1188	3048	xwtpw32.exe	xwtpw32.exe
PID 3048 wrote to memory of 1188	3048	xwtpw32.exe	xwtpw32.exe
PID 1188 wrote to memory of 3584	1188	xwtpw32.exe	netsh.exe
PID 1188 wrote to memory of 3584	1188	xwtpw32.exe	netsh.exe
PID 1188 wrote to memory of 3584	1188	xwtpw32.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe
"C:\Users\Admin\AppData\Local\Temp\5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4176

C:\Users\Admin\AppData\Local\Temp\5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe
C:\Users\Admin\AppData\Local\Temp\5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:768

C:\Users\Admin\AppData\Local\Temp\xwtpw32.exe
"C:\Users\Admin\AppData\Local\Temp\xwtpw32.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3048

C:\Users\Admin\AppData\Local\Temp\xwtpw32.exe
C:\Users\Admin\AppData\Local\Temp\xwtpw32.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1188

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\xwtpw32.exe" "xwtpw32.exe" ENABLE
5⤵
- Modifies Windows Firewall
PID:3584

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe.log
Filesize
418B

MD5
89c8a5340eb284f551067d44e27ae8dd

SHA1
d2431ae25a1ab67762a5125574f046f4c951d297

SHA256
73ca1f27b1c153e3405856ebe8b3c6cdd23424d2ab09c0fe1eb0e2075513057b

SHA512
b101ac2e008bd3cc6f97fedb97b8253fb07fed1c334629ecbebe0f4942ccc1070491cddc4daea521164543b6f97ba9b99d2be1c50cc5a013f04e697fea9dbdac

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwtpw32.exe
Filesize
319KB

MD5
d974e8a7e94fae3bef8b9a663057ba05

SHA1
02457284d0a0a05fc84e59fe6f34f4ee5f324df8

SHA256
5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a

SHA512
a683482f2e585bb5f5e1e342c660f63b279317dfbd8ff23b306546eeb52c15e3659c85b94b2e5de80d8400cde6a1ca9f0d301b3e9cd608c6415d152a456ba9dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwtpw32.exe
Filesize
319KB

MD5
d974e8a7e94fae3bef8b9a663057ba05

SHA1
02457284d0a0a05fc84e59fe6f34f4ee5f324df8

SHA256
5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a

SHA512
a683482f2e585bb5f5e1e342c660f63b279317dfbd8ff23b306546eeb52c15e3659c85b94b2e5de80d8400cde6a1ca9f0d301b3e9cd608c6415d152a456ba9dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwtpw32.exe
Filesize
319KB

MD5
d974e8a7e94fae3bef8b9a663057ba05

SHA1
02457284d0a0a05fc84e59fe6f34f4ee5f324df8

SHA256
5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a

SHA512
a683482f2e585bb5f5e1e342c660f63b279317dfbd8ff23b306546eeb52c15e3659c85b94b2e5de80d8400cde6a1ca9f0d301b3e9cd608c6415d152a456ba9dd

Download Submit
memory/768-138-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/768-137-0x0000000000000000-mapping.dmp

Download
memory/1188-143-0x0000000000000000-mapping.dmp

Download
memory/3048-139-0x0000000000000000-mapping.dmp

Download
memory/3584-146-0x0000000000000000-mapping.dmp

Download
memory/4176-132-0x0000000000E90000-0x0000000000EE6000-memory.dmp

Filesize
344KB

Download
memory/4176-136-0x0000000007E10000-0x0000000007EAC000-memory.dmp

Filesize
624KB

Download
memory/4176-135-0x0000000005920000-0x000000000592A000-memory.dmp

Filesize
40KB

Download
memory/4176-134-0x0000000005880000-0x0000000005912000-memory.dmp

Filesize
584KB

Download
memory/4176-133-0x0000000005F50000-0x00000000064F4000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads