njrat | 9f607ac52b81600c5a3beba12a66e195002828cb39399686a55b18d9b73881fe

Analysis

max time kernel
189s
max time network
120s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 21:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f607ac52b81600c5a3beba12a66e195002828cb39399686a55b18d9b73881fe.exe
Size

1.9MB
MD5

456952d17c871d449afafcce12d7baa1
SHA1

0518c5d91c0a8873d5dd81f9d2866168eef07745
SHA256

9f607ac52b81600c5a3beba12a66e195002828cb39399686a55b18d9b73881fe
SHA512

d45bcc6b0c7dbcef7aa40d600006814fd964ef766a1cfd577f9c336f45cd60f4b102059dafecc74822258998f00fb7201cbb9a648027d01826ff154159af8d06
SSDEEP

49152:b1dlZoFnxOIjuDBhqcTVSSrelkkSeWavYzlM0Rdsh5XI:b1dl2FnxOIjuDBhqcxPeTSe7n0RuPI

Score

10^/10

njrat evasion persistence trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 4 IoCs

Processes:

Server.exeTrojan.exeprocesshacker-2.33-setup.exeprocesshacker-2.33-setup.tmp

pid process

580 Server.exe
1176 Trojan.exe
980 processhacker-2.33-setup.exe
1804 processhacker-2.33-setup.tmp
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

700 netsh.exe

pid	process
580	Server.exe
1176	Trojan.exe
980	processhacker-2.33-setup.exe
1804	processhacker-2.33-setup.tmp

pid	process
700	netsh.exe

Drops startup file 2 IoCs

Processes:

Trojan.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8515eb34d8f9de5af815466e9715b3e5.exe	Trojan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8515eb34d8f9de5af815466e9715b3e5.exe	Trojan.exe

Loads dropped DLL 6 IoCs

Processes:

9f607ac52b81600c5a3beba12a66e195002828cb39399686a55b18d9b73881fe.exeServer.exeprocesshacker-2.33-setup.exeprocesshacker-2.33-setup.tmp

pid	process
1972	9f607ac52b81600c5a3beba12a66e195002828cb39399686a55b18d9b73881fe.exe
580	Server.exe
1972	9f607ac52b81600c5a3beba12a66e195002828cb39399686a55b18d9b73881fe.exe
980	processhacker-2.33-setup.exe
1804	processhacker-2.33-setup.tmp
1804	processhacker-2.33-setup.tmp

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Trojan.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\8515eb34d8f9de5af815466e9715b3e5 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Trojan.exe\" .."	Trojan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\8515eb34d8f9de5af815466e9715b3e5 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Trojan.exe\" .."	Trojan.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

Trojan.exe

pid	process
1176	Trojan.exe
1176	Trojan.exe
1176	Trojan.exe
1176	Trojan.exe
1176	Trojan.exe
1176	Trojan.exe
1176	Trojan.exe
1176	Trojan.exe
1176	Trojan.exe
1176	Trojan.exe
1176	Trojan.exe
1176	Trojan.exe
1176	Trojan.exe
1176	Trojan.exe
1176	Trojan.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Trojan.exe

description pid process

Token: SeDebugPrivilege 1176 Trojan.exe

description	pid	process
Token: SeDebugPrivilege	1176	Trojan.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

9f607ac52b81600c5a3beba12a66e195002828cb39399686a55b18d9b73881fe.exeServer.exeTrojan.exeprocesshacker-2.33-setup.exe

description	pid	process	target process
PID 1972 wrote to memory of 580	1972	9f607ac52b81600c5a3beba12a66e195002828cb39399686a55b18d9b73881fe.exe	Server.exe
PID 1972 wrote to memory of 580	1972	9f607ac52b81600c5a3beba12a66e195002828cb39399686a55b18d9b73881fe.exe	Server.exe
PID 1972 wrote to memory of 580	1972	9f607ac52b81600c5a3beba12a66e195002828cb39399686a55b18d9b73881fe.exe	Server.exe
PID 1972 wrote to memory of 580	1972	9f607ac52b81600c5a3beba12a66e195002828cb39399686a55b18d9b73881fe.exe	Server.exe
PID 580 wrote to memory of 1176	580	Server.exe	Trojan.exe
PID 580 wrote to memory of 1176	580	Server.exe	Trojan.exe
PID 580 wrote to memory of 1176	580	Server.exe	Trojan.exe
PID 580 wrote to memory of 1176	580	Server.exe	Trojan.exe
PID 1176 wrote to memory of 700	1176	Trojan.exe	netsh.exe
PID 1176 wrote to memory of 700	1176	Trojan.exe	netsh.exe
PID 1176 wrote to memory of 700	1176	Trojan.exe	netsh.exe
PID 1176 wrote to memory of 700	1176	Trojan.exe	netsh.exe
PID 1972 wrote to memory of 980	1972	9f607ac52b81600c5a3beba12a66e195002828cb39399686a55b18d9b73881fe.exe	processhacker-2.33-setup.exe
PID 1972 wrote to memory of 980	1972	9f607ac52b81600c5a3beba12a66e195002828cb39399686a55b18d9b73881fe.exe	processhacker-2.33-setup.exe
PID 1972 wrote to memory of 980	1972	9f607ac52b81600c5a3beba12a66e195002828cb39399686a55b18d9b73881fe.exe	processhacker-2.33-setup.exe
PID 1972 wrote to memory of 980	1972	9f607ac52b81600c5a3beba12a66e195002828cb39399686a55b18d9b73881fe.exe	processhacker-2.33-setup.exe
PID 1972 wrote to memory of 980	1972	9f607ac52b81600c5a3beba12a66e195002828cb39399686a55b18d9b73881fe.exe	processhacker-2.33-setup.exe
PID 1972 wrote to memory of 980	1972	9f607ac52b81600c5a3beba12a66e195002828cb39399686a55b18d9b73881fe.exe	processhacker-2.33-setup.exe
PID 1972 wrote to memory of 980	1972	9f607ac52b81600c5a3beba12a66e195002828cb39399686a55b18d9b73881fe.exe	processhacker-2.33-setup.exe
PID 980 wrote to memory of 1804	980	processhacker-2.33-setup.exe	processhacker-2.33-setup.tmp
PID 980 wrote to memory of 1804	980	processhacker-2.33-setup.exe	processhacker-2.33-setup.tmp
PID 980 wrote to memory of 1804	980	processhacker-2.33-setup.exe	processhacker-2.33-setup.tmp
PID 980 wrote to memory of 1804	980	processhacker-2.33-setup.exe	processhacker-2.33-setup.tmp
PID 980 wrote to memory of 1804	980	processhacker-2.33-setup.exe	processhacker-2.33-setup.tmp
PID 980 wrote to memory of 1804	980	processhacker-2.33-setup.exe	processhacker-2.33-setup.tmp
PID 980 wrote to memory of 1804	980	processhacker-2.33-setup.exe	processhacker-2.33-setup.tmp

C:\Users\Admin\AppData\Local\Temp\9f607ac52b81600c5a3beba12a66e195002828cb39399686a55b18d9b73881fe.exe
"C:\Users\Admin\AppData\Local\Temp\9f607ac52b81600c5a3beba12a66e195002828cb39399686a55b18d9b73881fe.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1972

C:\Extracted\Server.exe
"C:\Extracted\Server.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:580

C:\Users\Admin\AppData\Roaming\Trojan.exe
"C:\Users\Admin\AppData\Roaming\Trojan.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Trojan.exe" "Trojan.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:700

C:\Extracted\processhacker-2.33-setup.exe
"C:\Extracted\processhacker-2.33-setup.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:980

C:\Users\Admin\AppData\Local\Temp\is-D7CB2.tmp\processhacker-2.33-setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-D7CB2.tmp\processhacker-2.33-setup.tmp" /SL5="$80118,1547810,150016,C:\Extracted\processhacker-2.33-setup.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Extracted\Server.exe

Filesize
28KB

MD5
6583b4229e56bc11b5dc9e9b37d0b941

SHA1
32c38225f22053381da5994cea08bd3b7c74d942

SHA256
a3c4d25fd2eb1982bd15322445f5e1af181f63be796f63677b59d7665a2dd3dc

SHA512
55c3f75aa657370664efe237a33707c548811e4550689a722bcbdc30e153235c9523f5e4dafcfee6a1ac6c059c1818ccfd0c27d791bb7cb15e370482b9f77669

Download Submit
C:\Extracted\Server.exe

Filesize
28KB

MD5
6583b4229e56bc11b5dc9e9b37d0b941

SHA1
32c38225f22053381da5994cea08bd3b7c74d942

SHA256
a3c4d25fd2eb1982bd15322445f5e1af181f63be796f63677b59d7665a2dd3dc

SHA512
55c3f75aa657370664efe237a33707c548811e4550689a722bcbdc30e153235c9523f5e4dafcfee6a1ac6c059c1818ccfd0c27d791bb7cb15e370482b9f77669

Download Submit
C:\Extracted\processhacker-2.33-setup.exe

Filesize
1.8MB

MD5
f7c77350aef13278213e70b5fd6fb017

SHA1
f328286bdf529e3905e8098b8d7558f974d9293c

SHA256
cc6e55bb0db1f065bbf30c87a6dce319f92d1eff00c074c68570571a3acd1ce4

SHA512
444e6e618e3d557ad674770491b2b704a0f96435d7a87a2ab9f9f9457e1ee84b24ae676741bb684c04d8d326cf75909f9dfc47af39675fdbc8425026a7a04e9d

Download Submit
C:\Extracted\processhacker-2.33-setup.exe

Filesize
1.8MB

MD5
f7c77350aef13278213e70b5fd6fb017

SHA1
f328286bdf529e3905e8098b8d7558f974d9293c

SHA256
cc6e55bb0db1f065bbf30c87a6dce319f92d1eff00c074c68570571a3acd1ce4

SHA512
444e6e618e3d557ad674770491b2b704a0f96435d7a87a2ab9f9f9457e1ee84b24ae676741bb684c04d8d326cf75909f9dfc47af39675fdbc8425026a7a04e9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D7CB2.tmp\processhacker-2.33-setup.tmp

Filesize
781KB

MD5
e1d5cd3916914641ec3a04e85dfaa1f7

SHA1
5e3298ce1c2ce613fe51b502d997962033d96751

SHA256
799db3e8e21ed51c137bef6eb0c0dee9838aac6d35bb32cc2056901f5dd38f73

SHA512
15feadf3eedb1175b707e7c4129c503e020e33d369fb8e642d91fae3bdcb08400444660ed420f06bad12e8d9484d9edd05138f8b3b7d1166a0cb3da56a576894

Download Submit
C:\Users\Admin\AppData\Roaming\Trojan.exe

Filesize
28KB

MD5
6583b4229e56bc11b5dc9e9b37d0b941

SHA1
32c38225f22053381da5994cea08bd3b7c74d942

SHA256
a3c4d25fd2eb1982bd15322445f5e1af181f63be796f63677b59d7665a2dd3dc

SHA512
55c3f75aa657370664efe237a33707c548811e4550689a722bcbdc30e153235c9523f5e4dafcfee6a1ac6c059c1818ccfd0c27d791bb7cb15e370482b9f77669

Download Submit
C:\Users\Admin\AppData\Roaming\Trojan.exe

Filesize
28KB

MD5
6583b4229e56bc11b5dc9e9b37d0b941

SHA1
32c38225f22053381da5994cea08bd3b7c74d942

SHA256
a3c4d25fd2eb1982bd15322445f5e1af181f63be796f63677b59d7665a2dd3dc

SHA512
55c3f75aa657370664efe237a33707c548811e4550689a722bcbdc30e153235c9523f5e4dafcfee6a1ac6c059c1818ccfd0c27d791bb7cb15e370482b9f77669

Download Submit
\Extracted\Server.exe

Filesize
28KB

MD5
6583b4229e56bc11b5dc9e9b37d0b941

SHA1
32c38225f22053381da5994cea08bd3b7c74d942

SHA256
a3c4d25fd2eb1982bd15322445f5e1af181f63be796f63677b59d7665a2dd3dc

SHA512
55c3f75aa657370664efe237a33707c548811e4550689a722bcbdc30e153235c9523f5e4dafcfee6a1ac6c059c1818ccfd0c27d791bb7cb15e370482b9f77669

Download Submit
\Extracted\processhacker-2.33-setup.exe

Filesize
1.8MB

MD5
f7c77350aef13278213e70b5fd6fb017

SHA1
f328286bdf529e3905e8098b8d7558f974d9293c

SHA256
cc6e55bb0db1f065bbf30c87a6dce319f92d1eff00c074c68570571a3acd1ce4

SHA512
444e6e618e3d557ad674770491b2b704a0f96435d7a87a2ab9f9f9457e1ee84b24ae676741bb684c04d8d326cf75909f9dfc47af39675fdbc8425026a7a04e9d

Download Submit
\Users\Admin\AppData\Local\Temp\is-D7CB2.tmp\processhacker-2.33-setup.tmp

Filesize
781KB

MD5
e1d5cd3916914641ec3a04e85dfaa1f7

SHA1
5e3298ce1c2ce613fe51b502d997962033d96751

SHA256
799db3e8e21ed51c137bef6eb0c0dee9838aac6d35bb32cc2056901f5dd38f73

SHA512
15feadf3eedb1175b707e7c4129c503e020e33d369fb8e642d91fae3bdcb08400444660ed420f06bad12e8d9484d9edd05138f8b3b7d1166a0cb3da56a576894

Download Submit
\Users\Admin\AppData\Local\Temp\is-LHP7P.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-LHP7P.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Roaming\Trojan.exe

Filesize
28KB

MD5
6583b4229e56bc11b5dc9e9b37d0b941

SHA1
32c38225f22053381da5994cea08bd3b7c74d942

SHA256
a3c4d25fd2eb1982bd15322445f5e1af181f63be796f63677b59d7665a2dd3dc

SHA512
55c3f75aa657370664efe237a33707c548811e4550689a722bcbdc30e153235c9523f5e4dafcfee6a1ac6c059c1818ccfd0c27d791bb7cb15e370482b9f77669

Download Submit
memory/580-61-0x0000000073D90000-0x000000007433B000-memory.dmp

Filesize
5.7MB

Download
memory/580-60-0x0000000073D90000-0x000000007433B000-memory.dmp

Filesize
5.7MB

Download
memory/580-67-0x0000000073D90000-0x000000007433B000-memory.dmp

Filesize
5.7MB

Download
memory/580-56-0x0000000000000000-mapping.dmp

Download
memory/700-69-0x0000000000000000-mapping.dmp

Download
memory/980-71-0x0000000000000000-mapping.dmp

Download
memory/980-86-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/980-74-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/980-78-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1176-79-0x0000000073D90000-0x000000007433B000-memory.dmp

Filesize
5.7MB

Download
memory/1176-63-0x0000000000000000-mapping.dmp

Download
memory/1176-68-0x0000000073D90000-0x000000007433B000-memory.dmp

Filesize
5.7MB

Download
memory/1804-81-0x0000000000000000-mapping.dmp

Download
memory/1972-54-0x0000000075701000-0x0000000075703000-memory.dmp

Filesize
8KB

Download