njrat | 0ee0b78189f94c5f95f84aca68d6718554938a714157af2c939a00a5d606a7a7

General

Target

0ee0b78189f94c5f95f84aca68d6718554938a714157af2c939a00a5d606a7a7.exe
Size

721KB
MD5

7961af50b6a6802d418e02717ec1744f
SHA1

bea5538b4336b8443caadd0b4ebc405850982fe8
SHA256

0ee0b78189f94c5f95f84aca68d6718554938a714157af2c939a00a5d606a7a7
SHA512

d859792d648e463f77f51ea1375320adff97db4dca0c2602442329fb970651d1d8f8214e8312a0c5cb635ec62f2d59f167036d4d5dd39be64ddad977681e444c
SSDEEP

12288:IQ/Z6mhgZIuDBo9dn4GgLnK2hZPSggmwQLvu/K9HLPISgd/YUQYqOKopVG60r:n/ZHhzgBCd4T1LOm92YpiZqhoM

Score

10^/10

njrat طلياني ذو الفقار evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

طلياني ذو الفقار

C2

murtadha1233.ddns.net:3546

Mutex

bbbe3c05a425e3d90a440ccd640f4d4a

Attributes

reg_key
bbbe3c05a425e3d90a440ccd640f4d4a
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 3 IoCs

Processes:

7.exeDotBundle.exedho.exe

pid process

2124 7.exe
1268 DotBundle.exe
1092 dho.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

5072 netsh.exe

pid	process
2124	7.exe
1268	DotBundle.exe
1092	dho.exe

pid	process
5072	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7.exe0ee0b78189f94c5f95f84aca68d6718554938a714157af2c939a00a5d606a7a7.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	0ee0b78189f94c5f95f84aca68d6718554938a714157af2c939a00a5d606a7a7.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dho.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bbbe3c05a425e3d90a440ccd640f4d4a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\dho.exe\" .."	dho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bbbe3c05a425e3d90a440ccd640f4d4a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\dho.exe\" .."	dho.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

DotBundle.exe

pid	process
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe
1268	DotBundle.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

Processes:

DotBundle.exedho.exe

description	pid	process
Token: SeDebugPrivilege	1268	DotBundle.exe
Token: SeDebugPrivilege	1092	dho.exe
Token: 33	1092	dho.exe
Token: SeIncBasePriorityPrivilege	1092	dho.exe
Token: 33	1092	dho.exe
Token: SeIncBasePriorityPrivilege	1092	dho.exe
Token: 33	1092	dho.exe
Token: SeIncBasePriorityPrivilege	1092	dho.exe
Token: 33	1092	dho.exe
Token: SeIncBasePriorityPrivilege	1092	dho.exe
Token: 33	1092	dho.exe
Token: SeIncBasePriorityPrivilege	1092	dho.exe
Token: 33	1092	dho.exe
Token: SeIncBasePriorityPrivilege	1092	dho.exe
Token: 33	1092	dho.exe
Token: SeIncBasePriorityPrivilege	1092	dho.exe
Token: 33	1092	dho.exe
Token: SeIncBasePriorityPrivilege	1092	dho.exe
Token: 33	1092	dho.exe
Token: SeIncBasePriorityPrivilege	1092	dho.exe
Token: 33	1092	dho.exe
Token: SeIncBasePriorityPrivilege	1092	dho.exe
Token: 33	1092	dho.exe
Token: SeIncBasePriorityPrivilege	1092	dho.exe
Token: 33	1092	dho.exe
Token: SeIncBasePriorityPrivilege	1092	dho.exe
Token: 33	1092	dho.exe
Token: SeIncBasePriorityPrivilege	1092	dho.exe
Token: 33	1092	dho.exe
Token: SeIncBasePriorityPrivilege	1092	dho.exe
Token: 33	1092	dho.exe
Token: SeIncBasePriorityPrivilege	1092	dho.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

0ee0b78189f94c5f95f84aca68d6718554938a714157af2c939a00a5d606a7a7.exe7.exedho.exe

description	pid	process	target process
PID 4020 wrote to memory of 2124	4020	0ee0b78189f94c5f95f84aca68d6718554938a714157af2c939a00a5d606a7a7.exe	7.exe
PID 4020 wrote to memory of 2124	4020	0ee0b78189f94c5f95f84aca68d6718554938a714157af2c939a00a5d606a7a7.exe	7.exe
PID 4020 wrote to memory of 2124	4020	0ee0b78189f94c5f95f84aca68d6718554938a714157af2c939a00a5d606a7a7.exe	7.exe
PID 4020 wrote to memory of 1268	4020	0ee0b78189f94c5f95f84aca68d6718554938a714157af2c939a00a5d606a7a7.exe	DotBundle.exe
PID 4020 wrote to memory of 1268	4020	0ee0b78189f94c5f95f84aca68d6718554938a714157af2c939a00a5d606a7a7.exe	DotBundle.exe
PID 4020 wrote to memory of 1268	4020	0ee0b78189f94c5f95f84aca68d6718554938a714157af2c939a00a5d606a7a7.exe	DotBundle.exe
PID 2124 wrote to memory of 1092	2124	7.exe	dho.exe
PID 2124 wrote to memory of 1092	2124	7.exe	dho.exe
PID 2124 wrote to memory of 1092	2124	7.exe	dho.exe
PID 1092 wrote to memory of 5072	1092	dho.exe	netsh.exe
PID 1092 wrote to memory of 5072	1092	dho.exe	netsh.exe
PID 1092 wrote to memory of 5072	1092	dho.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\0ee0b78189f94c5f95f84aca68d6718554938a714157af2c939a00a5d606a7a7.exe
"C:\Users\Admin\AppData\Local\Temp\0ee0b78189f94c5f95f84aca68d6718554938a714157af2c939a00a5d606a7a7.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4020
- C:\Users\Admin\AppData\Local\Temp\7.exe
  "C:\Users\Admin\AppData\Local\Temp\7.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Users\Admin\AppData\Local\Temp\dho.exe
    "C:\Users\Admin\AppData\Local\Temp\dho.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1092
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\dho.exe" "dho.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:5072
- C:\Users\Admin\AppData\Local\Temp\DotBundle.exe
  "C:\Users\Admin\AppData\Local\Temp\DotBundle.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7.exe

Filesize
204KB

MD5
cd7699ab05f7ed57f1711d5e11d43cb6

SHA1
7fb67b09a73e11d83af6d67204348870149aaba1

SHA256
70e40a407e4feb3b9467aea1b7bf3ab394252933b0e2cb1957ff3450a9e28e61

SHA512
84e785322c36e6227d28667f1e827fcdbfb6e9fee54b3a84c208a8e88e5fd6adaa19b127b9f092c732157e13e7ffb7be20779356892304fc79f24586cce8686f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7.exe

Filesize
204KB

MD5
cd7699ab05f7ed57f1711d5e11d43cb6

SHA1
7fb67b09a73e11d83af6d67204348870149aaba1

SHA256
70e40a407e4feb3b9467aea1b7bf3ab394252933b0e2cb1957ff3450a9e28e61

SHA512
84e785322c36e6227d28667f1e827fcdbfb6e9fee54b3a84c208a8e88e5fd6adaa19b127b9f092c732157e13e7ffb7be20779356892304fc79f24586cce8686f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DotBundle.exe

Filesize
484KB

MD5
1672e5c0687f5f7ec6de4f7d9b470408

SHA1
2c358e7a031ecefe505292682660db54e9f35ed5

SHA256
b607812d64530b0360a2e518217ad23eb3650f4ccfd172dc9cdc0f1e0ab36704

SHA512
ce0c7864019a31f675b657f1941738398d91132244a0774c2a6e21dad22f69bd30e29c04b918387d1e34f4c6699aced5cc21124cd90f4edf74398d90233157f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DotBundle.exe

Filesize
484KB

MD5
1672e5c0687f5f7ec6de4f7d9b470408

SHA1
2c358e7a031ecefe505292682660db54e9f35ed5

SHA256
b607812d64530b0360a2e518217ad23eb3650f4ccfd172dc9cdc0f1e0ab36704

SHA512
ce0c7864019a31f675b657f1941738398d91132244a0774c2a6e21dad22f69bd30e29c04b918387d1e34f4c6699aced5cc21124cd90f4edf74398d90233157f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\dho.exe

Filesize
204KB

MD5
cd7699ab05f7ed57f1711d5e11d43cb6

SHA1
7fb67b09a73e11d83af6d67204348870149aaba1

SHA256
70e40a407e4feb3b9467aea1b7bf3ab394252933b0e2cb1957ff3450a9e28e61

SHA512
84e785322c36e6227d28667f1e827fcdbfb6e9fee54b3a84c208a8e88e5fd6adaa19b127b9f092c732157e13e7ffb7be20779356892304fc79f24586cce8686f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dho.exe

Filesize
204KB

MD5
cd7699ab05f7ed57f1711d5e11d43cb6

SHA1
7fb67b09a73e11d83af6d67204348870149aaba1

SHA256
70e40a407e4feb3b9467aea1b7bf3ab394252933b0e2cb1957ff3450a9e28e61

SHA512
84e785322c36e6227d28667f1e827fcdbfb6e9fee54b3a84c208a8e88e5fd6adaa19b127b9f092c732157e13e7ffb7be20779356892304fc79f24586cce8686f

Download Submit
memory/1092-145-0x0000000000000000-mapping.dmp

Download
memory/1092-152-0x0000000074080000-0x0000000074631000-memory.dmp

Filesize
5.7MB

Download
memory/1092-149-0x0000000074080000-0x0000000074631000-memory.dmp

Filesize
5.7MB

Download
memory/1268-135-0x0000000000000000-mapping.dmp

Download
memory/1268-150-0x0000000005270000-0x0000000005814000-memory.dmp

Filesize
5.6MB

Download
memory/1268-154-0x0000000005270000-0x0000000005814000-memory.dmp

Filesize
5.6MB

Download
memory/1268-144-0x0000000005270000-0x0000000005814000-memory.dmp

Filesize
5.6MB

Download
memory/1268-141-0x0000000005120000-0x00000000051B2000-memory.dmp

Filesize
584KB

Download
memory/1268-138-0x00000000006C0000-0x0000000000740000-memory.dmp

Filesize
512KB

Download
memory/1268-153-0x0000000005270000-0x0000000005814000-memory.dmp

Filesize
5.6MB

Download
memory/1268-142-0x00000000083B0000-0x00000000083BA000-memory.dmp

Filesize
40KB

Download
memory/1268-140-0x0000000005820000-0x0000000005DC4000-memory.dmp

Filesize
5.6MB

Download
memory/2124-148-0x0000000074080000-0x0000000074631000-memory.dmp

Filesize
5.7MB

Download
memory/2124-139-0x0000000074080000-0x0000000074631000-memory.dmp

Filesize
5.7MB

Download
memory/2124-132-0x0000000000000000-mapping.dmp

Download
memory/2124-143-0x0000000074080000-0x0000000074631000-memory.dmp

Filesize
5.7MB

Download
memory/5072-151-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads