njrat | 6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f

General

Target

6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe
Size

863KB
MD5

c83a8098ded06f15dc4bdbafc09f4ecf
SHA1

3c45d7d4a0be2be37e1624dbb2ffe371ce95d587
SHA256

6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f
SHA512

522add6bdf1f113db3eebc8ff7410decda5d12bb3b3953e39e99fd4d887d1468a169ee90baec75de7a79ff9c5c028d60e0345124a78ce9403311aacdc5466df6
SSDEEP

24576:TRmJkcoQricOIQxiZY1iaEtmUJ9tiO3BXB:gJZoQrbTFZY1iayJ933lB

Score

10^/10

njrat bot evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Bot

C2

drazmatik56.no-ip.org:1604

Mutex

5364b242e8892a314b968229a5ceac99

Attributes

reg_key
5364b242e8892a314b968229a5ceac99
splitter
|'|'|

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\svchost.exe,explorer.exe"	6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

856 svchost.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

760 netsh.exe

pid	process
856	svchost.exe

pid	process
760	netsh.exe

Loads dropped DLL 4 IoCs

Processes:

6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe

pid	process
752	6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe
752	6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe
752	6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe
752	6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run	6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\svchost.exe"	6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe

AutoIT Executable 6 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Windows\svchost.exe	autoit_exe
\Users\Admin\AppData\Roaming\Windows\svchost.exe	autoit_exe
\Users\Admin\AppData\Roaming\Windows\svchost.exe	autoit_exe
\Users\Admin\AppData\Roaming\Windows\svchost.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Windows\svchost.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Windows\svchost.exe	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exesvchost.exe

description	pid	process	target process
PID 752 set thread context of 1316	752	6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe	RegSvcs.exe
PID 856 set thread context of 1348	856	svchost.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exesvchost.exe

pid process

752 6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe
856 svchost.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1316	RegSvcs.exe
Token: 33	1316	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1316	RegSvcs.exe
Token: 33	1316	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1316	RegSvcs.exe
Token: 33	1316	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1316	RegSvcs.exe
Token: 33	1316	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1316	RegSvcs.exe
Token: 33	1316	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1316	RegSvcs.exe
Token: 33	1316	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1316	RegSvcs.exe
Token: 33	1316	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1316	RegSvcs.exe
Token: 33	1316	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1316	RegSvcs.exe
Token: 33	1316	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1316	RegSvcs.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exesvchost.exeRegSvcs.exe

description	pid	process	target process
PID 752 wrote to memory of 1316	752	6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe	RegSvcs.exe
PID 752 wrote to memory of 1316	752	6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe	RegSvcs.exe
PID 752 wrote to memory of 1316	752	6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe	RegSvcs.exe
PID 752 wrote to memory of 1316	752	6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe	RegSvcs.exe
PID 752 wrote to memory of 1316	752	6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe	RegSvcs.exe
PID 752 wrote to memory of 1316	752	6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe	RegSvcs.exe
PID 752 wrote to memory of 1316	752	6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe	RegSvcs.exe
PID 752 wrote to memory of 1316	752	6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe	RegSvcs.exe
PID 752 wrote to memory of 1316	752	6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe	RegSvcs.exe
PID 752 wrote to memory of 1316	752	6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe	RegSvcs.exe
PID 752 wrote to memory of 1316	752	6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe	RegSvcs.exe
PID 752 wrote to memory of 1316	752	6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe	RegSvcs.exe
PID 752 wrote to memory of 856	752	6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe	svchost.exe
PID 752 wrote to memory of 856	752	6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe	svchost.exe
PID 752 wrote to memory of 856	752	6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe	svchost.exe
PID 752 wrote to memory of 856	752	6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe	svchost.exe
PID 856 wrote to memory of 1348	856	svchost.exe	RegSvcs.exe
PID 856 wrote to memory of 1348	856	svchost.exe	RegSvcs.exe
PID 856 wrote to memory of 1348	856	svchost.exe	RegSvcs.exe
PID 856 wrote to memory of 1348	856	svchost.exe	RegSvcs.exe
PID 856 wrote to memory of 1348	856	svchost.exe	RegSvcs.exe
PID 856 wrote to memory of 1348	856	svchost.exe	RegSvcs.exe
PID 856 wrote to memory of 1348	856	svchost.exe	RegSvcs.exe
PID 856 wrote to memory of 1348	856	svchost.exe	RegSvcs.exe
PID 856 wrote to memory of 1348	856	svchost.exe	RegSvcs.exe
PID 856 wrote to memory of 1348	856	svchost.exe	RegSvcs.exe
PID 856 wrote to memory of 1348	856	svchost.exe	RegSvcs.exe
PID 856 wrote to memory of 1348	856	svchost.exe	RegSvcs.exe
PID 1316 wrote to memory of 760	1316	RegSvcs.exe	netsh.exe
PID 1316 wrote to memory of 760	1316	RegSvcs.exe	netsh.exe
PID 1316 wrote to memory of 760	1316	RegSvcs.exe	netsh.exe
PID 1316 wrote to memory of 760	1316	RegSvcs.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe
"C:\Users\Admin\AppData\Local\Temp\6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" "RegSvcs.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:760

C:\Users\Admin\AppData\Roaming\Windows\svchost.exe
"C:\Users\Admin\AppData\Roaming\Windows\svchost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
3⤵
PID:1348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Windows\svchost.exe
Filesize
863KB

MD5
c83a8098ded06f15dc4bdbafc09f4ecf

SHA1
3c45d7d4a0be2be37e1624dbb2ffe371ce95d587

SHA256
6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f

SHA512
522add6bdf1f113db3eebc8ff7410decda5d12bb3b3953e39e99fd4d887d1468a169ee90baec75de7a79ff9c5c028d60e0345124a78ce9403311aacdc5466df6

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\svchost.exe
Filesize
863KB

MD5
c83a8098ded06f15dc4bdbafc09f4ecf

SHA1
3c45d7d4a0be2be37e1624dbb2ffe371ce95d587

SHA256
6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f

SHA512
522add6bdf1f113db3eebc8ff7410decda5d12bb3b3953e39e99fd4d887d1468a169ee90baec75de7a79ff9c5c028d60e0345124a78ce9403311aacdc5466df6

Download Submit
\Users\Admin\AppData\Roaming\Windows\svchost.exe
Filesize
863KB

MD5
c83a8098ded06f15dc4bdbafc09f4ecf

SHA1
3c45d7d4a0be2be37e1624dbb2ffe371ce95d587

SHA256
6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f

SHA512
522add6bdf1f113db3eebc8ff7410decda5d12bb3b3953e39e99fd4d887d1468a169ee90baec75de7a79ff9c5c028d60e0345124a78ce9403311aacdc5466df6

Download Submit
\Users\Admin\AppData\Roaming\Windows\svchost.exe
Filesize
863KB

MD5
c83a8098ded06f15dc4bdbafc09f4ecf

SHA1
3c45d7d4a0be2be37e1624dbb2ffe371ce95d587

SHA256
6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f

SHA512
522add6bdf1f113db3eebc8ff7410decda5d12bb3b3953e39e99fd4d887d1468a169ee90baec75de7a79ff9c5c028d60e0345124a78ce9403311aacdc5466df6

Download Submit
\Users\Admin\AppData\Roaming\Windows\svchost.exe
Filesize
863KB

MD5
c83a8098ded06f15dc4bdbafc09f4ecf

SHA1
3c45d7d4a0be2be37e1624dbb2ffe371ce95d587

SHA256
6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f

SHA512
522add6bdf1f113db3eebc8ff7410decda5d12bb3b3953e39e99fd4d887d1468a169ee90baec75de7a79ff9c5c028d60e0345124a78ce9403311aacdc5466df6

Download Submit
\Users\Admin\AppData\Roaming\Windows\svchost.exe
Filesize
863KB

MD5
c83a8098ded06f15dc4bdbafc09f4ecf

SHA1
3c45d7d4a0be2be37e1624dbb2ffe371ce95d587

SHA256
6ee54eeaa01c5288ec49a952974cdcd2e00f54078c7a028b1e4f57a1c8ec398f

SHA512
522add6bdf1f113db3eebc8ff7410decda5d12bb3b3953e39e99fd4d887d1468a169ee90baec75de7a79ff9c5c028d60e0345124a78ce9403311aacdc5466df6

Download Submit
memory/752-54-0x0000000075531000-0x0000000075533000-memory.dmp

Filesize
8KB

Download
memory/760-91-0x0000000000000000-mapping.dmp

Download
memory/856-72-0x0000000000000000-mapping.dmp

Download
memory/1316-63-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1316-67-0x00000000743E0000-0x000000007498B000-memory.dmp

Filesize
5.7MB

Download
memory/1316-65-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1316-58-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1316-61-0x000000000040748E-mapping.dmp

Download
memory/1316-60-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1316-56-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1316-55-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1316-89-0x00000000743E0000-0x000000007498B000-memory.dmp

Filesize
5.7MB

Download
memory/1316-59-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1348-82-0x000000000040748E-mapping.dmp

Download
memory/1348-88-0x00000000743E0000-0x000000007498B000-memory.dmp

Filesize
5.7MB

Download
memory/1348-90-0x00000000743E0000-0x000000007498B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads