njrat | f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add

General

Target

f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe
Size

706KB
MD5

7d0221cfad4f0d35c17b7210b005b3ba
SHA1

6785c09aba569fa8c7faa6818d5243fe4e34cb2e
SHA256

f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add
SHA512

6b6943150f5580a45065c5ac2902bc41112331f6eca1e5ffbd5f448632375384e2cd0fcb6ce9fe042f1eddde1327e85d83965a170cd84a59bc12d9a6b4c50d9d
SSDEEP

12288:fD9/Y3algourr1tS2Q6bFi84Z5Tdr8Obg5:fh/Y3AgoGSx4yDt

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

sidoa3.no-ip.biz:5552

Mutex

5f2a3c9be5e573301d717ef17ad0d997

Attributes

reg_key
5f2a3c9be5e573301d717ef17ad0d997
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

Tempserver.exeserver.exe

pid process

768 Tempserver.exe
1640 server.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1368 netsh.exe

pid	process
768	Tempserver.exe
1640	server.exe

pid	process
1368	netsh.exe

Drops startup file 2 IoCs

Processes:

server.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5f2a3c9be5e573301d717ef17ad0d997.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5f2a3c9be5e573301d717ef17ad0d997.exe	server.exe

Loads dropped DLL 2 IoCs

Processes:

f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exeTempserver.exe

pid process

1164 f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe
768 Tempserver.exe

pid	process
1164	f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe
768	Tempserver.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

server.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\5f2a3c9be5e573301d717ef17ad0d997 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\5f2a3c9be5e573301d717ef17ad0d997 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe

description	pid	process	target process
PID 1484 set thread context of 1164	1484	f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe	f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe

pid	process
1484	f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe
1484	f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe
1484	f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exeserver.exe

description	pid	process
Token: SeDebugPrivilege	1484	f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe
Token: SeDebugPrivilege	1640	server.exe
Token: 33	1640	server.exe
Token: SeIncBasePriorityPrivilege	1640	server.exe
Token: 33	1640	server.exe
Token: SeIncBasePriorityPrivilege	1640	server.exe
Token: 33	1640	server.exe
Token: SeIncBasePriorityPrivilege	1640	server.exe
Token: 33	1640	server.exe
Token: SeIncBasePriorityPrivilege	1640	server.exe
Token: 33	1640	server.exe
Token: SeIncBasePriorityPrivilege	1640	server.exe
Token: 33	1640	server.exe
Token: SeIncBasePriorityPrivilege	1640	server.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exef4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exeTempserver.exeserver.exe

description	pid	process	target process
PID 1484 wrote to memory of 1164	1484	f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe	f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe
PID 1484 wrote to memory of 1164	1484	f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe	f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe
PID 1484 wrote to memory of 1164	1484	f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe	f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe
PID 1484 wrote to memory of 1164	1484	f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe	f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe
PID 1484 wrote to memory of 1164	1484	f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe	f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe
PID 1484 wrote to memory of 1164	1484	f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe	f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe
PID 1164 wrote to memory of 768	1164	f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe	Tempserver.exe
PID 1164 wrote to memory of 768	1164	f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe	Tempserver.exe
PID 1164 wrote to memory of 768	1164	f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe	Tempserver.exe
PID 1164 wrote to memory of 768	1164	f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe	Tempserver.exe
PID 768 wrote to memory of 1640	768	Tempserver.exe	server.exe
PID 768 wrote to memory of 1640	768	Tempserver.exe	server.exe
PID 768 wrote to memory of 1640	768	Tempserver.exe	server.exe
PID 768 wrote to memory of 1640	768	Tempserver.exe	server.exe
PID 1640 wrote to memory of 1368	1640	server.exe	netsh.exe
PID 1640 wrote to memory of 1368	1640	server.exe	netsh.exe
PID 1640 wrote to memory of 1368	1640	server.exe	netsh.exe
PID 1640 wrote to memory of 1368	1640	server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe
"C:\Users\Admin\AppData\Local\Temp\f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1484

C:\Users\Admin\AppData\Local\Temp\f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe
C:\Users\Admin\AppData\Local\Temp\f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1164

C:\Users\Admin\AppData\Local\Tempserver.exe
"C:\Users\Admin\AppData\Local\Tempserver.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:768

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
4⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
5⤵
- Modifies Windows Firewall
PID:1368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
23KB

MD5
08c2455d2a70b0c5fcc1b512c8846fc4

SHA1
1c8e1cbc8c9d06bf69b485641a002f8da5067c5f

SHA256
f01f3f1e87cad8828460d83ddd74155ebbf67b1b78d7fb22c9355399f6ff0a11

SHA512
8ab2b0287886eec12523ec359ea263090693bc59d718a14e440f515643e6d90ea62c20e66a7e426bd9ddd8bcddef8dfcbc1754b7f472e33b405686e179ae8f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
23KB

MD5
08c2455d2a70b0c5fcc1b512c8846fc4

SHA1
1c8e1cbc8c9d06bf69b485641a002f8da5067c5f

SHA256
f01f3f1e87cad8828460d83ddd74155ebbf67b1b78d7fb22c9355399f6ff0a11

SHA512
8ab2b0287886eec12523ec359ea263090693bc59d718a14e440f515643e6d90ea62c20e66a7e426bd9ddd8bcddef8dfcbc1754b7f472e33b405686e179ae8f71

Download Submit
C:\Users\Admin\AppData\Local\Tempserver.exe

Filesize
23KB

MD5
08c2455d2a70b0c5fcc1b512c8846fc4

SHA1
1c8e1cbc8c9d06bf69b485641a002f8da5067c5f

SHA256
f01f3f1e87cad8828460d83ddd74155ebbf67b1b78d7fb22c9355399f6ff0a11

SHA512
8ab2b0287886eec12523ec359ea263090693bc59d718a14e440f515643e6d90ea62c20e66a7e426bd9ddd8bcddef8dfcbc1754b7f472e33b405686e179ae8f71

Download Submit
C:\Users\Admin\AppData\Local\Tempserver.exe

Filesize
23KB

MD5
08c2455d2a70b0c5fcc1b512c8846fc4

SHA1
1c8e1cbc8c9d06bf69b485641a002f8da5067c5f

SHA256
f01f3f1e87cad8828460d83ddd74155ebbf67b1b78d7fb22c9355399f6ff0a11

SHA512
8ab2b0287886eec12523ec359ea263090693bc59d718a14e440f515643e6d90ea62c20e66a7e426bd9ddd8bcddef8dfcbc1754b7f472e33b405686e179ae8f71

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
23KB

MD5
08c2455d2a70b0c5fcc1b512c8846fc4

SHA1
1c8e1cbc8c9d06bf69b485641a002f8da5067c5f

SHA256
f01f3f1e87cad8828460d83ddd74155ebbf67b1b78d7fb22c9355399f6ff0a11

SHA512
8ab2b0287886eec12523ec359ea263090693bc59d718a14e440f515643e6d90ea62c20e66a7e426bd9ddd8bcddef8dfcbc1754b7f472e33b405686e179ae8f71

Download Submit
\Users\Admin\AppData\Local\Tempserver.exe

Filesize
23KB

MD5
08c2455d2a70b0c5fcc1b512c8846fc4

SHA1
1c8e1cbc8c9d06bf69b485641a002f8da5067c5f

SHA256
f01f3f1e87cad8828460d83ddd74155ebbf67b1b78d7fb22c9355399f6ff0a11

SHA512
8ab2b0287886eec12523ec359ea263090693bc59d718a14e440f515643e6d90ea62c20e66a7e426bd9ddd8bcddef8dfcbc1754b7f472e33b405686e179ae8f71

Download Submit
memory/768-66-0x0000000000000000-mapping.dmp

Download
memory/768-79-0x000000006F220000-0x000000006F7CB000-memory.dmp

Filesize
5.7MB

Download
memory/768-73-0x000000006F220000-0x000000006F7CB000-memory.dmp

Filesize
5.7MB

Download
memory/768-71-0x000000006F220000-0x000000006F7CB000-memory.dmp

Filesize
5.7MB

Download
memory/1164-61-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1164-59-0x000000000040B86E-mapping.dmp

Download
memory/1164-63-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1164-58-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1368-81-0x0000000000000000-mapping.dmp

Download
memory/1484-55-0x0000000074E61000-0x0000000074E63000-memory.dmp

Filesize
8KB

Download
memory/1484-72-0x0000000004CE5000-0x0000000004CF6000-memory.dmp

Filesize
68KB

Download
memory/1484-57-0x0000000000600000-0x000000000060A000-memory.dmp

Filesize
40KB

Download
memory/1484-56-0x0000000000280000-0x000000000029E000-memory.dmp

Filesize
120KB

Download
memory/1484-54-0x0000000001030000-0x00000000010E8000-memory.dmp

Filesize
736KB

Download
memory/1484-70-0x0000000004CE5000-0x0000000004CF6000-memory.dmp

Filesize
68KB

Download
memory/1640-75-0x0000000000000000-mapping.dmp

Download
memory/1640-80-0x000000006F220000-0x000000006F7CB000-memory.dmp

Filesize
5.7MB

Download
memory/1640-82-0x000000006F220000-0x000000006F7CB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads