njrat | 1c6ea57d7887d69e221806107185ba12a33790d676aa5228a1c29b5b611bec64

General

Target

1c6ea57d7887d69e221806107185ba12a33790d676aa5228a1c29b5b611bec64.exe
Size

23KB
MD5

e32a03453d15bac1ca444de6737daf1f
SHA1

f18110d0073607683ddf591b42b14b1413cece72
SHA256

1c6ea57d7887d69e221806107185ba12a33790d676aa5228a1c29b5b611bec64
SHA512

a4afff12153e6c0663fe4b486f8b658cb143175620991b4b66df834b40452cef8ed598bda6aa09c00dc851deee34c77a0bd29640ae5a04f84471dd67b5533e4d
SSDEEP

384:xY324bcgPiJLQrfARGSRUJsbY6ZgvSMBD3t8mRvR6JZlbw8hqIusZzZZRO:GL2s+tRyRpcnu+O

Score

10^/10

njrat 1 evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

1

C2

x-devil50099005.ddns.net:5552

Mutex

f38a836a5b74e1e1fd161ce744b606ef

Attributes

reg_key
f38a836a5b74e1e1fd161ce744b606ef
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

Google.exe

pid process

4648 Google.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

2608 netsh.exe

pid	process
4648	Google.exe

pid	process
2608	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1c6ea57d7887d69e221806107185ba12a33790d676aa5228a1c29b5b611bec64.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	1c6ea57d7887d69e221806107185ba12a33790d676aa5228a1c29b5b611bec64.exe

Drops startup file 2 IoCs

Processes:

Google.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f38a836a5b74e1e1fd161ce744b606ef.exe	Google.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f38a836a5b74e1e1fd161ce744b606ef.exe	Google.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Google.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\f38a836a5b74e1e1fd161ce744b606ef = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Google.exe\" .."	Google.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f38a836a5b74e1e1fd161ce744b606ef = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Google.exe\" .."	Google.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

Google.exe

description	pid	process
Token: SeDebugPrivilege	4648	Google.exe
Token: 33	4648	Google.exe
Token: SeIncBasePriorityPrivilege	4648	Google.exe
Token: 33	4648	Google.exe
Token: SeIncBasePriorityPrivilege	4648	Google.exe
Token: 33	4648	Google.exe
Token: SeIncBasePriorityPrivilege	4648	Google.exe
Token: 33	4648	Google.exe
Token: SeIncBasePriorityPrivilege	4648	Google.exe
Token: 33	4648	Google.exe
Token: SeIncBasePriorityPrivilege	4648	Google.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

1c6ea57d7887d69e221806107185ba12a33790d676aa5228a1c29b5b611bec64.exeGoogle.exe

description	pid	process	target process
PID 4596 wrote to memory of 4648	4596	1c6ea57d7887d69e221806107185ba12a33790d676aa5228a1c29b5b611bec64.exe	Google.exe
PID 4596 wrote to memory of 4648	4596	1c6ea57d7887d69e221806107185ba12a33790d676aa5228a1c29b5b611bec64.exe	Google.exe
PID 4596 wrote to memory of 4648	4596	1c6ea57d7887d69e221806107185ba12a33790d676aa5228a1c29b5b611bec64.exe	Google.exe
PID 4648 wrote to memory of 2608	4648	Google.exe	netsh.exe
PID 4648 wrote to memory of 2608	4648	Google.exe	netsh.exe
PID 4648 wrote to memory of 2608	4648	Google.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\1c6ea57d7887d69e221806107185ba12a33790d676aa5228a1c29b5b611bec64.exe
"C:\Users\Admin\AppData\Local\Temp\1c6ea57d7887d69e221806107185ba12a33790d676aa5228a1c29b5b611bec64.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4596

C:\Users\Admin\AppData\Local\Temp\Google.exe
"C:\Users\Admin\AppData\Local\Temp\Google.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4648

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Google.exe" "Google.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:2608

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Google.exe
Filesize
23KB

MD5
e32a03453d15bac1ca444de6737daf1f

SHA1
f18110d0073607683ddf591b42b14b1413cece72

SHA256
1c6ea57d7887d69e221806107185ba12a33790d676aa5228a1c29b5b611bec64

SHA512
a4afff12153e6c0663fe4b486f8b658cb143175620991b4b66df834b40452cef8ed598bda6aa09c00dc851deee34c77a0bd29640ae5a04f84471dd67b5533e4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Google.exe
Filesize
23KB

MD5
e32a03453d15bac1ca444de6737daf1f

SHA1
f18110d0073607683ddf591b42b14b1413cece72

SHA256
1c6ea57d7887d69e221806107185ba12a33790d676aa5228a1c29b5b611bec64

SHA512
a4afff12153e6c0663fe4b486f8b658cb143175620991b4b66df834b40452cef8ed598bda6aa09c00dc851deee34c77a0bd29640ae5a04f84471dd67b5533e4d

Download Submit
memory/2608-140-0x0000000000000000-mapping.dmp

Download
memory/4596-132-0x0000000074E50000-0x0000000075401000-memory.dmp

Filesize
5.7MB

Download
memory/4596-133-0x0000000074E50000-0x0000000075401000-memory.dmp

Filesize
5.7MB

Download
memory/4596-137-0x0000000074E50000-0x0000000075401000-memory.dmp

Filesize
5.7MB

Download
memory/4648-134-0x0000000000000000-mapping.dmp

Download
memory/4648-138-0x0000000074E50000-0x0000000075401000-memory.dmp

Filesize
5.7MB

Download
memory/4648-139-0x0000000074E50000-0x0000000075401000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads