njrat | 8d1dcdebddc85388dca9b70406891e7a1b2b1259c7e4622d7a58c2faca1efaea

General

Target

8d1dcdebddc85388dca9b70406891e7a1b2b1259c7e4622d7a58c2faca1efaea.exe
Size

60KB
MD5

27ea2eade45d9fcd4801e600f2fdba39
SHA1

8b68041329c29bf145097a5726f6f9809992722b
SHA256

8d1dcdebddc85388dca9b70406891e7a1b2b1259c7e4622d7a58c2faca1efaea
SHA512

93b5223c5812979367905ed1d7eb06b358e1ab04fe6b8a5525c9ce02cb8c184abfe6c69da3f73a1bbf4095f47bea3fe844371e0429ccd6366cd75f153f19335f
SSDEEP

1536:EOIkevE/Lk4alliH7hdKPg6KhG29jLhOlG:+kebvL0g41A29wl

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

C2

127.0.0.1:1177

Mutex

6e6d18dc41426799a2afcd0247b20dc4

Attributes

reg_key
6e6d18dc41426799a2afcd0247b20dc4
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

LocalqLjgPcsHkL.exeCHROME.exe

pid process

892 LocalqLjgPcsHkL.exe
1656 CHROME.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

760 netsh.exe

pid	process
892	LocalqLjgPcsHkL.exe
1656	CHROME.exe

pid	process
760	netsh.exe

Drops startup file 2 IoCs

Processes:

CHROME.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e6d18dc41426799a2afcd0247b20dc4.exe	CHROME.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e6d18dc41426799a2afcd0247b20dc4.exe	CHROME.exe

Loads dropped DLL 1 IoCs

Processes:

LocalqLjgPcsHkL.exe

pid process

892 LocalqLjgPcsHkL.exe

pid	process
892	LocalqLjgPcsHkL.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

CHROME.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\6e6d18dc41426799a2afcd0247b20dc4 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\CHROME.exe\" .."	CHROME.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\6e6d18dc41426799a2afcd0247b20dc4 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\CHROME.exe\" .."	CHROME.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

CHROME.exe

pid	process
1656	CHROME.exe
1656	CHROME.exe
1656	CHROME.exe
1656	CHROME.exe
1656	CHROME.exe
1656	CHROME.exe
1656	CHROME.exe
1656	CHROME.exe
1656	CHROME.exe
1656	CHROME.exe
1656	CHROME.exe
1656	CHROME.exe
1656	CHROME.exe
1656	CHROME.exe
1656	CHROME.exe
1656	CHROME.exe
1656	CHROME.exe
1656	CHROME.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

CHROME.exe

description pid process

Token: SeDebugPrivilege 1656 CHROME.exe

description	pid	process
Token: SeDebugPrivilege	1656	CHROME.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

8d1dcdebddc85388dca9b70406891e7a1b2b1259c7e4622d7a58c2faca1efaea.exeLocalqLjgPcsHkL.exeCHROME.exe

description	pid	process	target process
PID 1700 wrote to memory of 892	1700	8d1dcdebddc85388dca9b70406891e7a1b2b1259c7e4622d7a58c2faca1efaea.exe	LocalqLjgPcsHkL.exe
PID 1700 wrote to memory of 892	1700	8d1dcdebddc85388dca9b70406891e7a1b2b1259c7e4622d7a58c2faca1efaea.exe	LocalqLjgPcsHkL.exe
PID 1700 wrote to memory of 892	1700	8d1dcdebddc85388dca9b70406891e7a1b2b1259c7e4622d7a58c2faca1efaea.exe	LocalqLjgPcsHkL.exe
PID 1700 wrote to memory of 892	1700	8d1dcdebddc85388dca9b70406891e7a1b2b1259c7e4622d7a58c2faca1efaea.exe	LocalqLjgPcsHkL.exe
PID 892 wrote to memory of 1656	892	LocalqLjgPcsHkL.exe	CHROME.exe
PID 892 wrote to memory of 1656	892	LocalqLjgPcsHkL.exe	CHROME.exe
PID 892 wrote to memory of 1656	892	LocalqLjgPcsHkL.exe	CHROME.exe
PID 892 wrote to memory of 1656	892	LocalqLjgPcsHkL.exe	CHROME.exe
PID 1656 wrote to memory of 760	1656	CHROME.exe	netsh.exe
PID 1656 wrote to memory of 760	1656	CHROME.exe	netsh.exe
PID 1656 wrote to memory of 760	1656	CHROME.exe	netsh.exe
PID 1656 wrote to memory of 760	1656	CHROME.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\8d1dcdebddc85388dca9b70406891e7a1b2b1259c7e4622d7a58c2faca1efaea.exe
"C:\Users\Admin\AppData\Local\Temp\8d1dcdebddc85388dca9b70406891e7a1b2b1259c7e4622d7a58c2faca1efaea.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1700

C:\Users\Admin\AppData\LocalqLjgPcsHkL.exe
"C:\Users\Admin\AppData\LocalqLjgPcsHkL.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:892

C:\Users\Admin\AppData\Local\Temp\CHROME.exe
"C:\Users\Admin\AppData\Local\Temp\CHROME.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\CHROME.exe" "CHROME.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CHROME.exe
Filesize
29KB

MD5
1a34a7a0ebaae51a0b1ddb152bc7c6b5

SHA1
2520e5e2f37e397760f7564b8180ab04b160d1a8

SHA256
567b96467de0a8c2ee97d5d9c15c7a56ca789958c3ca998b86d51afd77631cf6

SHA512
6bcb8829a43fb61588882ebd874aac569caf594006e2a82ac1ed577e37c1d2c4c9b40c538dfbeaa5b7730b0b408d40594ec4fa7bcc957a4cf1590204616868fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CHROME.exe
Filesize
29KB

MD5
1a34a7a0ebaae51a0b1ddb152bc7c6b5

SHA1
2520e5e2f37e397760f7564b8180ab04b160d1a8

SHA256
567b96467de0a8c2ee97d5d9c15c7a56ca789958c3ca998b86d51afd77631cf6

SHA512
6bcb8829a43fb61588882ebd874aac569caf594006e2a82ac1ed577e37c1d2c4c9b40c538dfbeaa5b7730b0b408d40594ec4fa7bcc957a4cf1590204616868fc

Download Submit
C:\Users\Admin\AppData\LocalqLjgPcsHkL.exe
Filesize
29KB

MD5
1a34a7a0ebaae51a0b1ddb152bc7c6b5

SHA1
2520e5e2f37e397760f7564b8180ab04b160d1a8

SHA256
567b96467de0a8c2ee97d5d9c15c7a56ca789958c3ca998b86d51afd77631cf6

SHA512
6bcb8829a43fb61588882ebd874aac569caf594006e2a82ac1ed577e37c1d2c4c9b40c538dfbeaa5b7730b0b408d40594ec4fa7bcc957a4cf1590204616868fc

Download Submit
C:\Users\Admin\AppData\LocalqLjgPcsHkL.exe
Filesize
29KB

MD5
1a34a7a0ebaae51a0b1ddb152bc7c6b5

SHA1
2520e5e2f37e397760f7564b8180ab04b160d1a8

SHA256
567b96467de0a8c2ee97d5d9c15c7a56ca789958c3ca998b86d51afd77631cf6

SHA512
6bcb8829a43fb61588882ebd874aac569caf594006e2a82ac1ed577e37c1d2c4c9b40c538dfbeaa5b7730b0b408d40594ec4fa7bcc957a4cf1590204616868fc

Download Submit
\Users\Admin\AppData\Local\Temp\CHROME.exe
Filesize
29KB

MD5
1a34a7a0ebaae51a0b1ddb152bc7c6b5

SHA1
2520e5e2f37e397760f7564b8180ab04b160d1a8

SHA256
567b96467de0a8c2ee97d5d9c15c7a56ca789958c3ca998b86d51afd77631cf6

SHA512
6bcb8829a43fb61588882ebd874aac569caf594006e2a82ac1ed577e37c1d2c4c9b40c538dfbeaa5b7730b0b408d40594ec4fa7bcc957a4cf1590204616868fc

Download Submit
memory/760-69-0x0000000000000000-mapping.dmp

Download
memory/892-60-0x0000000074E41000-0x0000000074E43000-memory.dmp

Filesize
8KB

Download
memory/892-61-0x0000000074090000-0x000000007463B000-memory.dmp

Filesize
5.7MB

Download
memory/892-56-0x0000000000000000-mapping.dmp

Download
memory/892-67-0x0000000074090000-0x000000007463B000-memory.dmp

Filesize
5.7MB

Download
memory/1656-63-0x0000000000000000-mapping.dmp

Download
memory/1656-68-0x0000000074090000-0x000000007463B000-memory.dmp

Filesize
5.7MB

Download
memory/1656-71-0x0000000074090000-0x000000007463B000-memory.dmp

Filesize
5.7MB

Download
memory/1700-59-0x0000000001290000-0x00000000012A0000-memory.dmp

Filesize
64KB

Download
memory/1700-54-0x000007FEF3BF0000-0x000007FEF4613000-memory.dmp

Filesize
10.1MB

Download
memory/1700-55-0x000007FEFB641000-0x000007FEFB643000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads