njrat | f1c45dcab791f8e0ed057d4f50a564e4f81313151ab0320fbe3bc6c5bac54505

General

Target

f1c45dcab791f8e0ed057d4f50a564e4f81313151ab0320fbe3bc6c5bac54505.exe
Size

57KB
MD5

267d180695106d81debe52f6f20ad261
SHA1

151171d9d720d166719f9bb1b95b18007127b946
SHA256

f1c45dcab791f8e0ed057d4f50a564e4f81313151ab0320fbe3bc6c5bac54505
SHA512

09b4f8c0b8be2eedfa7ebe5f03dd27851778de4d7f161462eb357632a7e37e19adbf44761227a086b80c1455e2b54cfeb299ef9c27155f42f8c289f1dbe3d51c
SSDEEP

1536:Ig+dL1sfm++vZkeQzpKbzuqtGVibs6EFwz96:Ig+dLOe+O/2cMaz

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

127.0.0.1:1177

Mutex

5649c39203f1efe3450f25e6b18b84f1

Attributes

reg_key
5649c39203f1efe3450f25e6b18b84f1
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

server.exeserver.exe

pid process

3604 server.exe
3560 server.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

4144 netsh.exe

pid	process
3604	server.exe
3560	server.exe

pid	process
4144	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f1c45dcab791f8e0ed057d4f50a564e4f81313151ab0320fbe3bc6c5bac54505.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	f1c45dcab791f8e0ed057d4f50a564e4f81313151ab0320fbe3bc6c5bac54505.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

server.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5649c39203f1efe3450f25e6b18b84f1 = "\"C:\\Windows\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\5649c39203f1efe3450f25e6b18b84f1 = "\"C:\\Windows\\server.exe\" .."	server.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

f1c45dcab791f8e0ed057d4f50a564e4f81313151ab0320fbe3bc6c5bac54505.exeserver.exe

description	pid	process	target process
PID 3444 set thread context of 3332	3444	f1c45dcab791f8e0ed057d4f50a564e4f81313151ab0320fbe3bc6c5bac54505.exe	f1c45dcab791f8e0ed057d4f50a564e4f81313151ab0320fbe3bc6c5bac54505.exe
PID 3604 set thread context of 3560	3604	server.exe	server.exe

Drops file in Windows directory 1 IoCs

Processes:

f1c45dcab791f8e0ed057d4f50a564e4f81313151ab0320fbe3bc6c5bac54505.exe

description ioc process

File created C:\Windows\server.exe f1c45dcab791f8e0ed057d4f50a564e4f81313151ab0320fbe3bc6c5bac54505.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\server.exe	f1c45dcab791f8e0ed057d4f50a564e4f81313151ab0320fbe3bc6c5bac54505.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

server.exe

description	pid	process
Token: SeDebugPrivilege	3560	server.exe
Token: 33	3560	server.exe
Token: SeIncBasePriorityPrivilege	3560	server.exe
Token: 33	3560	server.exe
Token: SeIncBasePriorityPrivilege	3560	server.exe
Token: 33	3560	server.exe
Token: SeIncBasePriorityPrivilege	3560	server.exe
Token: 33	3560	server.exe
Token: SeIncBasePriorityPrivilege	3560	server.exe
Token: 33	3560	server.exe
Token: SeIncBasePriorityPrivilege	3560	server.exe
Token: 33	3560	server.exe
Token: SeIncBasePriorityPrivilege	3560	server.exe
Token: 33	3560	server.exe
Token: SeIncBasePriorityPrivilege	3560	server.exe
Token: 33	3560	server.exe
Token: SeIncBasePriorityPrivilege	3560	server.exe
Token: 33	3560	server.exe
Token: SeIncBasePriorityPrivilege	3560	server.exe
Token: 33	3560	server.exe
Token: SeIncBasePriorityPrivilege	3560	server.exe
Token: 33	3560	server.exe
Token: SeIncBasePriorityPrivilege	3560	server.exe
Token: 33	3560	server.exe
Token: SeIncBasePriorityPrivilege	3560	server.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

f1c45dcab791f8e0ed057d4f50a564e4f81313151ab0320fbe3bc6c5bac54505.exef1c45dcab791f8e0ed057d4f50a564e4f81313151ab0320fbe3bc6c5bac54505.exeserver.exeserver.exe

description	pid	process	target process
PID 3444 wrote to memory of 3332	3444	f1c45dcab791f8e0ed057d4f50a564e4f81313151ab0320fbe3bc6c5bac54505.exe	f1c45dcab791f8e0ed057d4f50a564e4f81313151ab0320fbe3bc6c5bac54505.exe
PID 3444 wrote to memory of 3332	3444	f1c45dcab791f8e0ed057d4f50a564e4f81313151ab0320fbe3bc6c5bac54505.exe	f1c45dcab791f8e0ed057d4f50a564e4f81313151ab0320fbe3bc6c5bac54505.exe
PID 3444 wrote to memory of 3332	3444	f1c45dcab791f8e0ed057d4f50a564e4f81313151ab0320fbe3bc6c5bac54505.exe	f1c45dcab791f8e0ed057d4f50a564e4f81313151ab0320fbe3bc6c5bac54505.exe
PID 3444 wrote to memory of 3332	3444	f1c45dcab791f8e0ed057d4f50a564e4f81313151ab0320fbe3bc6c5bac54505.exe	f1c45dcab791f8e0ed057d4f50a564e4f81313151ab0320fbe3bc6c5bac54505.exe
PID 3444 wrote to memory of 3332	3444	f1c45dcab791f8e0ed057d4f50a564e4f81313151ab0320fbe3bc6c5bac54505.exe	f1c45dcab791f8e0ed057d4f50a564e4f81313151ab0320fbe3bc6c5bac54505.exe
PID 3332 wrote to memory of 3604	3332	f1c45dcab791f8e0ed057d4f50a564e4f81313151ab0320fbe3bc6c5bac54505.exe	server.exe
PID 3332 wrote to memory of 3604	3332	f1c45dcab791f8e0ed057d4f50a564e4f81313151ab0320fbe3bc6c5bac54505.exe	server.exe
PID 3332 wrote to memory of 3604	3332	f1c45dcab791f8e0ed057d4f50a564e4f81313151ab0320fbe3bc6c5bac54505.exe	server.exe
PID 3604 wrote to memory of 3560	3604	server.exe	server.exe
PID 3604 wrote to memory of 3560	3604	server.exe	server.exe
PID 3604 wrote to memory of 3560	3604	server.exe	server.exe
PID 3604 wrote to memory of 3560	3604	server.exe	server.exe
PID 3604 wrote to memory of 3560	3604	server.exe	server.exe
PID 3560 wrote to memory of 4144	3560	server.exe	netsh.exe
PID 3560 wrote to memory of 4144	3560	server.exe	netsh.exe
PID 3560 wrote to memory of 4144	3560	server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\f1c45dcab791f8e0ed057d4f50a564e4f81313151ab0320fbe3bc6c5bac54505.exe
"C:\Users\Admin\AppData\Local\Temp\f1c45dcab791f8e0ed057d4f50a564e4f81313151ab0320fbe3bc6c5bac54505.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3444

C:\Users\Admin\AppData\Local\Temp\f1c45dcab791f8e0ed057d4f50a564e4f81313151ab0320fbe3bc6c5bac54505.exe
C:\Users\Admin\AppData\Local\Temp\f1c45dcab791f8e0ed057d4f50a564e4f81313151ab0320fbe3bc6c5bac54505.exe
2⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3332

C:\Windows\server.exe
"C:\Windows\server.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3604

C:\Windows\server.exe
C:\Windows\server.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3560

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
5⤵
- Modifies Windows Firewall
PID:4144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\f1c45dcab791f8e0ed057d4f50a564e4f81313151ab0320fbe3bc6c5bac54505.exe.log

Filesize
223B

MD5
cde6529abeea500fb852f29ba0da6115

SHA1
45f2f48492417ae6a0eade8aaa808d3d1d760743

SHA256
d7f4964443470b6729865676d76f5f1f416da633033071c34ea5eb19cdea53b5

SHA512
c95fa7faf6a90f32060dba70f79c4d66c68d6eec587306fb98f36fc3ba5d377ebf9dabf47298b71db208fb10f7ccb4e0ed82236c8f26bcc746552588bbb38234

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\server.exe.log

Filesize
223B

MD5
cde6529abeea500fb852f29ba0da6115

SHA1
45f2f48492417ae6a0eade8aaa808d3d1d760743

SHA256
d7f4964443470b6729865676d76f5f1f416da633033071c34ea5eb19cdea53b5

SHA512
c95fa7faf6a90f32060dba70f79c4d66c68d6eec587306fb98f36fc3ba5d377ebf9dabf47298b71db208fb10f7ccb4e0ed82236c8f26bcc746552588bbb38234

Download Submit
C:\Windows\server.exe

Filesize
57KB

MD5
267d180695106d81debe52f6f20ad261

SHA1
151171d9d720d166719f9bb1b95b18007127b946

SHA256
f1c45dcab791f8e0ed057d4f50a564e4f81313151ab0320fbe3bc6c5bac54505

SHA512
09b4f8c0b8be2eedfa7ebe5f03dd27851778de4d7f161462eb357632a7e37e19adbf44761227a086b80c1455e2b54cfeb299ef9c27155f42f8c289f1dbe3d51c

Download Submit
C:\Windows\server.exe

Filesize
57KB

MD5
267d180695106d81debe52f6f20ad261

SHA1
151171d9d720d166719f9bb1b95b18007127b946

SHA256
f1c45dcab791f8e0ed057d4f50a564e4f81313151ab0320fbe3bc6c5bac54505

SHA512
09b4f8c0b8be2eedfa7ebe5f03dd27851778de4d7f161462eb357632a7e37e19adbf44761227a086b80c1455e2b54cfeb299ef9c27155f42f8c289f1dbe3d51c

Download Submit
C:\Windows\server.exe

Filesize
57KB

MD5
267d180695106d81debe52f6f20ad261

SHA1
151171d9d720d166719f9bb1b95b18007127b946

SHA256
f1c45dcab791f8e0ed057d4f50a564e4f81313151ab0320fbe3bc6c5bac54505

SHA512
09b4f8c0b8be2eedfa7ebe5f03dd27851778de4d7f161462eb357632a7e37e19adbf44761227a086b80c1455e2b54cfeb299ef9c27155f42f8c289f1dbe3d51c

Download Submit
memory/3332-142-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/3332-138-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/3332-133-0x0000000000000000-mapping.dmp

Download
memory/3332-137-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/3332-134-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3444-136-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/3444-132-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/3560-143-0x0000000000000000-mapping.dmp

Download
memory/3560-149-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/3560-150-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/3604-146-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/3604-139-0x0000000000000000-mapping.dmp

Download
memory/3604-148-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/4144-151-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads