njrat | 0ee0b78189f94c5f95f84aca68d6718554938a714157af2c939a00a5d606a7a7

Analysis

max time kernel
151s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 01:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ee0b78189f94c5f95f84aca68d6718554938a714157af2c939a00a5d606a7a7.exe
Size

721KB
MD5

7961af50b6a6802d418e02717ec1744f
SHA1

bea5538b4336b8443caadd0b4ebc405850982fe8
SHA256

0ee0b78189f94c5f95f84aca68d6718554938a714157af2c939a00a5d606a7a7
SHA512

d859792d648e463f77f51ea1375320adff97db4dca0c2602442329fb970651d1d8f8214e8312a0c5cb635ec62f2d59f167036d4d5dd39be64ddad977681e444c
SSDEEP

12288:IQ/Z6mhgZIuDBo9dn4GgLnK2hZPSggmwQLvu/K9HLPISgd/YUQYqOKopVG60r:n/ZHhzgBCd4T1LOm92YpiZqhoM

Score

10^/10

njrat طلياني ذو الفقار evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

طلياني ذو الفقار

murtadha1233.ddns.net:3546

Mutex

bbbe3c05a425e3d90a440ccd640f4d4a

Attributes

reg_key
bbbe3c05a425e3d90a440ccd640f4d4a
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 3 IoCs

Processes:

7.exeDotBundle.exedho.exe

pid process

1980 7.exe
1664 DotBundle.exe
288 dho.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

536 netsh.exe

pid	process
1980	7.exe
1664	DotBundle.exe
288	dho.exe

pid	process
536	netsh.exe

Loads dropped DLL 3 IoCs

Processes:

0ee0b78189f94c5f95f84aca68d6718554938a714157af2c939a00a5d606a7a7.exe7.exe

pid	process
1752	0ee0b78189f94c5f95f84aca68d6718554938a714157af2c939a00a5d606a7a7.exe
1752	0ee0b78189f94c5f95f84aca68d6718554938a714157af2c939a00a5d606a7a7.exe
1980	7.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dho.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\bbbe3c05a425e3d90a440ccd640f4d4a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\dho.exe\" .."	dho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bbbe3c05a425e3d90a440ccd640f4d4a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\dho.exe\" .."	dho.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

DotBundle.exe

pid	process
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe
1664	DotBundle.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

DotBundle.exedho.exe

description	pid	process
Token: SeDebugPrivilege	1664	DotBundle.exe
Token: SeDebugPrivilege	288	dho.exe
Token: 33	288	dho.exe
Token: SeIncBasePriorityPrivilege	288	dho.exe
Token: 33	288	dho.exe
Token: SeIncBasePriorityPrivilege	288	dho.exe
Token: 33	288	dho.exe
Token: SeIncBasePriorityPrivilege	288	dho.exe
Token: 33	288	dho.exe
Token: SeIncBasePriorityPrivilege	288	dho.exe
Token: 33	288	dho.exe
Token: SeIncBasePriorityPrivilege	288	dho.exe
Token: 33	288	dho.exe
Token: SeIncBasePriorityPrivilege	288	dho.exe
Token: 33	288	dho.exe
Token: SeIncBasePriorityPrivilege	288	dho.exe
Token: 33	288	dho.exe
Token: SeIncBasePriorityPrivilege	288	dho.exe
Token: 33	288	dho.exe
Token: SeIncBasePriorityPrivilege	288	dho.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

0ee0b78189f94c5f95f84aca68d6718554938a714157af2c939a00a5d606a7a7.exe7.exedho.exe

description	pid	process	target process
PID 1752 wrote to memory of 1980	1752	0ee0b78189f94c5f95f84aca68d6718554938a714157af2c939a00a5d606a7a7.exe	7.exe
PID 1752 wrote to memory of 1980	1752	0ee0b78189f94c5f95f84aca68d6718554938a714157af2c939a00a5d606a7a7.exe	7.exe
PID 1752 wrote to memory of 1980	1752	0ee0b78189f94c5f95f84aca68d6718554938a714157af2c939a00a5d606a7a7.exe	7.exe
PID 1752 wrote to memory of 1980	1752	0ee0b78189f94c5f95f84aca68d6718554938a714157af2c939a00a5d606a7a7.exe	7.exe
PID 1752 wrote to memory of 1664	1752	0ee0b78189f94c5f95f84aca68d6718554938a714157af2c939a00a5d606a7a7.exe	DotBundle.exe
PID 1752 wrote to memory of 1664	1752	0ee0b78189f94c5f95f84aca68d6718554938a714157af2c939a00a5d606a7a7.exe	DotBundle.exe
PID 1752 wrote to memory of 1664	1752	0ee0b78189f94c5f95f84aca68d6718554938a714157af2c939a00a5d606a7a7.exe	DotBundle.exe
PID 1752 wrote to memory of 1664	1752	0ee0b78189f94c5f95f84aca68d6718554938a714157af2c939a00a5d606a7a7.exe	DotBundle.exe
PID 1980 wrote to memory of 288	1980	7.exe	dho.exe
PID 1980 wrote to memory of 288	1980	7.exe	dho.exe
PID 1980 wrote to memory of 288	1980	7.exe	dho.exe
PID 1980 wrote to memory of 288	1980	7.exe	dho.exe
PID 288 wrote to memory of 536	288	dho.exe	netsh.exe
PID 288 wrote to memory of 536	288	dho.exe	netsh.exe
PID 288 wrote to memory of 536	288	dho.exe	netsh.exe
PID 288 wrote to memory of 536	288	dho.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\0ee0b78189f94c5f95f84aca68d6718554938a714157af2c939a00a5d606a7a7.exe
"C:\Users\Admin\AppData\Local\Temp\0ee0b78189f94c5f95f84aca68d6718554938a714157af2c939a00a5d606a7a7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1752

C:\Users\Admin\AppData\Local\Temp\7.exe
"C:\Users\Admin\AppData\Local\Temp\7.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1980

C:\Users\Admin\AppData\Local\Temp\dho.exe
"C:\Users\Admin\AppData\Local\Temp\dho.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:288

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\dho.exe" "dho.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:536

C:\Users\Admin\AppData\Local\Temp\DotBundle.exe
"C:\Users\Admin\AppData\Local\Temp\DotBundle.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7.exe
Filesize
204KB

MD5
cd7699ab05f7ed57f1711d5e11d43cb6

SHA1
7fb67b09a73e11d83af6d67204348870149aaba1

SHA256
70e40a407e4feb3b9467aea1b7bf3ab394252933b0e2cb1957ff3450a9e28e61

SHA512
84e785322c36e6227d28667f1e827fcdbfb6e9fee54b3a84c208a8e88e5fd6adaa19b127b9f092c732157e13e7ffb7be20779356892304fc79f24586cce8686f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7.exe
Filesize
204KB

MD5
cd7699ab05f7ed57f1711d5e11d43cb6

SHA1
7fb67b09a73e11d83af6d67204348870149aaba1

SHA256
70e40a407e4feb3b9467aea1b7bf3ab394252933b0e2cb1957ff3450a9e28e61

SHA512
84e785322c36e6227d28667f1e827fcdbfb6e9fee54b3a84c208a8e88e5fd6adaa19b127b9f092c732157e13e7ffb7be20779356892304fc79f24586cce8686f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DotBundle.exe
Filesize
484KB

MD5
1672e5c0687f5f7ec6de4f7d9b470408

SHA1
2c358e7a031ecefe505292682660db54e9f35ed5

SHA256
b607812d64530b0360a2e518217ad23eb3650f4ccfd172dc9cdc0f1e0ab36704

SHA512
ce0c7864019a31f675b657f1941738398d91132244a0774c2a6e21dad22f69bd30e29c04b918387d1e34f4c6699aced5cc21124cd90f4edf74398d90233157f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DotBundle.exe
Filesize
484KB

MD5
1672e5c0687f5f7ec6de4f7d9b470408

SHA1
2c358e7a031ecefe505292682660db54e9f35ed5

SHA256
b607812d64530b0360a2e518217ad23eb3650f4ccfd172dc9cdc0f1e0ab36704

SHA512
ce0c7864019a31f675b657f1941738398d91132244a0774c2a6e21dad22f69bd30e29c04b918387d1e34f4c6699aced5cc21124cd90f4edf74398d90233157f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\dho.exe
Filesize
204KB

MD5
cd7699ab05f7ed57f1711d5e11d43cb6

SHA1
7fb67b09a73e11d83af6d67204348870149aaba1

SHA256
70e40a407e4feb3b9467aea1b7bf3ab394252933b0e2cb1957ff3450a9e28e61

SHA512
84e785322c36e6227d28667f1e827fcdbfb6e9fee54b3a84c208a8e88e5fd6adaa19b127b9f092c732157e13e7ffb7be20779356892304fc79f24586cce8686f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dho.exe
Filesize
204KB

MD5
cd7699ab05f7ed57f1711d5e11d43cb6

SHA1
7fb67b09a73e11d83af6d67204348870149aaba1

SHA256
70e40a407e4feb3b9467aea1b7bf3ab394252933b0e2cb1957ff3450a9e28e61

SHA512
84e785322c36e6227d28667f1e827fcdbfb6e9fee54b3a84c208a8e88e5fd6adaa19b127b9f092c732157e13e7ffb7be20779356892304fc79f24586cce8686f

Download Submit
\Users\Admin\AppData\Local\Temp\7.exe
Filesize
204KB

MD5
cd7699ab05f7ed57f1711d5e11d43cb6

SHA1
7fb67b09a73e11d83af6d67204348870149aaba1

SHA256
70e40a407e4feb3b9467aea1b7bf3ab394252933b0e2cb1957ff3450a9e28e61

SHA512
84e785322c36e6227d28667f1e827fcdbfb6e9fee54b3a84c208a8e88e5fd6adaa19b127b9f092c732157e13e7ffb7be20779356892304fc79f24586cce8686f

Download Submit
\Users\Admin\AppData\Local\Temp\DotBundle.exe
Filesize
484KB

MD5
1672e5c0687f5f7ec6de4f7d9b470408

SHA1
2c358e7a031ecefe505292682660db54e9f35ed5

SHA256
b607812d64530b0360a2e518217ad23eb3650f4ccfd172dc9cdc0f1e0ab36704

SHA512
ce0c7864019a31f675b657f1941738398d91132244a0774c2a6e21dad22f69bd30e29c04b918387d1e34f4c6699aced5cc21124cd90f4edf74398d90233157f8

Download Submit
\Users\Admin\AppData\Local\Temp\dho.exe
Filesize
204KB

MD5
cd7699ab05f7ed57f1711d5e11d43cb6

SHA1
7fb67b09a73e11d83af6d67204348870149aaba1

SHA256
70e40a407e4feb3b9467aea1b7bf3ab394252933b0e2cb1957ff3450a9e28e61

SHA512
84e785322c36e6227d28667f1e827fcdbfb6e9fee54b3a84c208a8e88e5fd6adaa19b127b9f092c732157e13e7ffb7be20779356892304fc79f24586cce8686f

Download Submit
memory/288-74-0x0000000000000000-mapping.dmp

Download
memory/288-79-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/288-83-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/536-80-0x0000000000000000-mapping.dmp

Download
memory/1664-70-0x0000000004680000-0x00000000046F0000-memory.dmp

Filesize
448KB

Download
memory/1664-66-0x00000000040D0000-0x000000000413C000-memory.dmp

Filesize
432KB

Download
memory/1664-72-0x0000000004AC5000-0x0000000004AD6000-memory.dmp

Filesize
68KB

Download
memory/1664-63-0x0000000000890000-0x0000000000910000-memory.dmp

Filesize
512KB

Download
memory/1664-59-0x0000000000000000-mapping.dmp

Download
memory/1664-69-0x0000000005F70000-0x000000000602C000-memory.dmp

Filesize
752KB

Download
memory/1664-68-0x0000000000520000-0x0000000000526000-memory.dmp

Filesize
24KB

Download
memory/1664-81-0x0000000004AC5000-0x0000000004AD6000-memory.dmp

Filesize
68KB

Download
memory/1664-67-0x0000000000510000-0x000000000051C000-memory.dmp

Filesize
48KB

Download
memory/1752-54-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1980-71-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/1980-56-0x0000000000000000-mapping.dmp

Download
memory/1980-78-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download