njrat | 67eda2e2df252d8e8da71cbc0aca21e42b082d54d662b934775e478ec378bb09

General

Target

67eda2e2df252d8e8da71cbc0aca21e42b082d54d662b934775e478ec378bb09.exe
Size

638KB
MD5

d9f6bff1ee2812647e534b793b8a5b3e
SHA1

a6215720497667a69cc9a2f58eb826131ca05068
SHA256

67eda2e2df252d8e8da71cbc0aca21e42b082d54d662b934775e478ec378bb09
SHA512

cbe3c7ba9db6ad1509a4bb62b8cb9234874943ba23fbdb0d220c2c84b6ed95d0748c7216aadab9036a2b2dfe3d6b57d8648423cff74ed25211dbfd881001cd37
SSDEEP

12288:psTri9uod71pwGuB7DNnu5I1jhxgmZw1lb4K1ebqdpCAq/r1zhrWFumg2:psTrikod71pwGuB7DNnui1jbx051ebqm

Score

10^/10

njrat hacked persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

mehdimoro.ddns.net:5555

Mutex

4aeed655f342a0295abb3112731f878a

Attributes

reg_key
4aeed655f342a0295abb3112731f878a
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

1052 svchost.exe

pid	process
1052	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

67eda2e2df252d8e8da71cbc0aca21e42b082d54d662b934775e478ec378bb09.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	67eda2e2df252d8e8da71cbc0aca21e42b082d54d662b934775e478ec378bb09.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

67eda2e2df252d8e8da71cbc0aca21e42b082d54d662b934775e478ec378bb09.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aYQwA0zYJ87p8B = "C:\\Windows\\system32\\Server.exe"	67eda2e2df252d8e8da71cbc0aca21e42b082d54d662b934775e478ec378bb09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aYQwA0zYJ87p8B = "C:\\Windows\\system32\\Server.exe"	svchost.exe

Drops file in System32 directory 2 IoCs

Processes:

67eda2e2df252d8e8da71cbc0aca21e42b082d54d662b934775e478ec378bb09.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Server.exe	67eda2e2df252d8e8da71cbc0aca21e42b082d54d662b934775e478ec378bb09.exe
File opened for modification	C:\Windows\SysWOW64\Server.exe	67eda2e2df252d8e8da71cbc0aca21e42b082d54d662b934775e478ec378bb09.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

67eda2e2df252d8e8da71cbc0aca21e42b082d54d662b934775e478ec378bb09.exe

description	pid	process	target process
PID 428 set thread context of 1828	428	67eda2e2df252d8e8da71cbc0aca21e42b082d54d662b934775e478ec378bb09.exe	67eda2e2df252d8e8da71cbc0aca21e42b082d54d662b934775e478ec378bb09.exe

Drops file in Windows directory 1 IoCs

Processes:

67eda2e2df252d8e8da71cbc0aca21e42b082d54d662b934775e478ec378bb09.exe

description ioc process

File created C:\Windows\svchost.exe 67eda2e2df252d8e8da71cbc0aca21e42b082d54d662b934775e478ec378bb09.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\svchost.exe	67eda2e2df252d8e8da71cbc0aca21e42b082d54d662b934775e478ec378bb09.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

67eda2e2df252d8e8da71cbc0aca21e42b082d54d662b934775e478ec378bb09.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	428	67eda2e2df252d8e8da71cbc0aca21e42b082d54d662b934775e478ec378bb09.exe
Token: SeDebugPrivilege	1052	svchost.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

67eda2e2df252d8e8da71cbc0aca21e42b082d54d662b934775e478ec378bb09.exe67eda2e2df252d8e8da71cbc0aca21e42b082d54d662b934775e478ec378bb09.exesvchost.exe

description	pid	process	target process
PID 428 wrote to memory of 1828	428	67eda2e2df252d8e8da71cbc0aca21e42b082d54d662b934775e478ec378bb09.exe	67eda2e2df252d8e8da71cbc0aca21e42b082d54d662b934775e478ec378bb09.exe
PID 428 wrote to memory of 1828	428	67eda2e2df252d8e8da71cbc0aca21e42b082d54d662b934775e478ec378bb09.exe	67eda2e2df252d8e8da71cbc0aca21e42b082d54d662b934775e478ec378bb09.exe
PID 428 wrote to memory of 1828	428	67eda2e2df252d8e8da71cbc0aca21e42b082d54d662b934775e478ec378bb09.exe	67eda2e2df252d8e8da71cbc0aca21e42b082d54d662b934775e478ec378bb09.exe
PID 428 wrote to memory of 1828	428	67eda2e2df252d8e8da71cbc0aca21e42b082d54d662b934775e478ec378bb09.exe	67eda2e2df252d8e8da71cbc0aca21e42b082d54d662b934775e478ec378bb09.exe
PID 428 wrote to memory of 1828	428	67eda2e2df252d8e8da71cbc0aca21e42b082d54d662b934775e478ec378bb09.exe	67eda2e2df252d8e8da71cbc0aca21e42b082d54d662b934775e478ec378bb09.exe
PID 1828 wrote to memory of 1052	1828	67eda2e2df252d8e8da71cbc0aca21e42b082d54d662b934775e478ec378bb09.exe	svchost.exe
PID 1828 wrote to memory of 1052	1828	67eda2e2df252d8e8da71cbc0aca21e42b082d54d662b934775e478ec378bb09.exe	svchost.exe
PID 1828 wrote to memory of 1052	1828	67eda2e2df252d8e8da71cbc0aca21e42b082d54d662b934775e478ec378bb09.exe	svchost.exe
PID 1052 wrote to memory of 2308	1052	svchost.exe	svchost.exe
PID 1052 wrote to memory of 2308	1052	svchost.exe	svchost.exe
PID 1052 wrote to memory of 2308	1052	svchost.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\67eda2e2df252d8e8da71cbc0aca21e42b082d54d662b934775e478ec378bb09.exe
"C:\Users\Admin\AppData\Local\Temp\67eda2e2df252d8e8da71cbc0aca21e42b082d54d662b934775e478ec378bb09.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:428

C:\Users\Admin\AppData\Local\Temp\67eda2e2df252d8e8da71cbc0aca21e42b082d54d662b934775e478ec378bb09.exe
C:\Users\Admin\AppData\Local\Temp\67eda2e2df252d8e8da71cbc0aca21e42b082d54d662b934775e478ec378bb09.exe
2⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\svchost.exe
"C:\Windows\svchost.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1052

C:\Windows\svchost.exe
C:\Windows\svchost.exe
4⤵
PID:2308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\67eda2e2df252d8e8da71cbc0aca21e42b082d54d662b934775e478ec378bb09.exe.log

Filesize
1KB

MD5
400f1cc1a0a0ce1cdabda365ab3368ce

SHA1
1ecf683f14271d84f3b6063493dce00ff5f42075

SHA256
c8fa64f4b69df13ed6408fd4a204f318a36c2f38c85d4a4d42adfc9173f73765

SHA512
14c8cfd58d097e5e89c8cabe1e665173f1ccf604a9ef70cdcb84116e265f90819c19c891be408e0ad7e29086a5c2ea2883b7a7d1184878dbbac63e2cabcd1c45

Download Submit
C:\Windows\svchost.exe

Filesize
638KB

MD5
d9f6bff1ee2812647e534b793b8a5b3e

SHA1
a6215720497667a69cc9a2f58eb826131ca05068

SHA256
67eda2e2df252d8e8da71cbc0aca21e42b082d54d662b934775e478ec378bb09

SHA512
cbe3c7ba9db6ad1509a4bb62b8cb9234874943ba23fbdb0d220c2c84b6ed95d0748c7216aadab9036a2b2dfe3d6b57d8648423cff74ed25211dbfd881001cd37

Download Submit
C:\Windows\svchost.exe

Filesize
638KB

MD5
d9f6bff1ee2812647e534b793b8a5b3e

SHA1
a6215720497667a69cc9a2f58eb826131ca05068

SHA256
67eda2e2df252d8e8da71cbc0aca21e42b082d54d662b934775e478ec378bb09

SHA512
cbe3c7ba9db6ad1509a4bb62b8cb9234874943ba23fbdb0d220c2c84b6ed95d0748c7216aadab9036a2b2dfe3d6b57d8648423cff74ed25211dbfd881001cd37

Download Submit
memory/428-132-0x0000000000B60000-0x0000000000C06000-memory.dmp

Filesize
664KB

Download
memory/428-133-0x0000000005D60000-0x0000000006304000-memory.dmp

Filesize
5.6MB

Download
memory/428-134-0x00000000058C0000-0x0000000005952000-memory.dmp

Filesize
584KB

Download
memory/428-135-0x0000000005C40000-0x0000000005C4A000-memory.dmp

Filesize
40KB

Download
memory/428-136-0x0000000008190000-0x000000000822C000-memory.dmp

Filesize
624KB

Download
memory/1052-139-0x0000000000000000-mapping.dmp

Download
memory/1828-137-0x0000000000000000-mapping.dmp

Download
memory/1828-138-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2308-143-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads