njrat | 34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900

General

Target

34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe
Size

192KB
MD5

943f756626ce91cde9b9246e26642039
SHA1

a633aa256f687d95fa746efcb8d8c55da309b879
SHA256

34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900
SHA512

125109e78c64516b30de6d757c5d36e8d69ecc8efb3e4a9780e8a2ba130ad3d079b6f702023d353e6168a2d14cf0357482373047fd02b7edc29ffc266323bee8
SSDEEP

3072:E2tbXewZT3vviEj3IbQhbElPYSIeXkOAAeSTYSijsFCOJHeI6Awd:E2tbX/v8bQ653BXktVSsTSCOhDc

Score

10^/10

njrat slave evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Slave

C2

shadowraze.ddns.net:6357

Mutex

35030464d16f3980d0eef2fa9a17c25f

Attributes

reg_key
35030464d16f3980d0eef2fa9a17c25f
splitter
|'|'|

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FolderName\\file.exe"	reg.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

notepad .exe

pid process

4896 notepad .exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

2804 netsh.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

wscript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation wscript.exe

pid	process
4896	notepad .exe

pid	process
2804	netsh.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wscript.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe

description	pid	process	target process
PID 3096 set thread context of 4896	3096	34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe	notepad .exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe

pid	process
3096	34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe
3096	34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe
3096	34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe
3096	34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe
3096	34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

Processes:

34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exenotepad .exe

description	pid	process
Token: SeDebugPrivilege	3096	34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe
Token: 33	3096	34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe
Token: SeIncBasePriorityPrivilege	3096	34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe
Token: SeDebugPrivilege	4896	notepad .exe
Token: 33	4896	notepad .exe
Token: SeIncBasePriorityPrivilege	4896	notepad .exe
Token: 33	4896	notepad .exe
Token: SeIncBasePriorityPrivilege	4896	notepad .exe
Token: 33	4896	notepad .exe
Token: SeIncBasePriorityPrivilege	4896	notepad .exe
Token: 33	4896	notepad .exe
Token: SeIncBasePriorityPrivilege	4896	notepad .exe
Token: 33	4896	notepad .exe
Token: SeIncBasePriorityPrivilege	4896	notepad .exe
Token: 33	4896	notepad .exe
Token: SeIncBasePriorityPrivilege	4896	notepad .exe
Token: 33	4896	notepad .exe
Token: SeIncBasePriorityPrivilege	4896	notepad .exe
Token: 33	4896	notepad .exe
Token: SeIncBasePriorityPrivilege	4896	notepad .exe
Token: 33	4896	notepad .exe
Token: SeIncBasePriorityPrivilege	4896	notepad .exe
Token: 33	4896	notepad .exe
Token: SeIncBasePriorityPrivilege	4896	notepad .exe
Token: 33	4896	notepad .exe
Token: SeIncBasePriorityPrivilege	4896	notepad .exe
Token: 33	4896	notepad .exe
Token: SeIncBasePriorityPrivilege	4896	notepad .exe
Token: 33	4896	notepad .exe
Token: SeIncBasePriorityPrivilege	4896	notepad .exe
Token: 33	4896	notepad .exe
Token: SeIncBasePriorityPrivilege	4896	notepad .exe
Token: 33	4896	notepad .exe
Token: SeIncBasePriorityPrivilege	4896	notepad .exe
Token: 33	4896	notepad .exe
Token: SeIncBasePriorityPrivilege	4896	notepad .exe
Token: 33	4896	notepad .exe
Token: SeIncBasePriorityPrivilege	4896	notepad .exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.execmd.exewscript.execmd.exenotepad .exe

description	pid	process	target process
PID 3096 wrote to memory of 4844	3096	34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe	cmd.exe
PID 3096 wrote to memory of 4844	3096	34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe	cmd.exe
PID 3096 wrote to memory of 4844	3096	34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe	cmd.exe
PID 3096 wrote to memory of 4896	3096	34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe	notepad .exe
PID 3096 wrote to memory of 4896	3096	34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe	notepad .exe
PID 3096 wrote to memory of 4896	3096	34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe	notepad .exe
PID 3096 wrote to memory of 4896	3096	34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe	notepad .exe
PID 3096 wrote to memory of 4896	3096	34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe	notepad .exe
PID 3096 wrote to memory of 4896	3096	34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe	notepad .exe
PID 3096 wrote to memory of 4896	3096	34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe	notepad .exe
PID 3096 wrote to memory of 4896	3096	34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe	notepad .exe
PID 4844 wrote to memory of 3220	4844	cmd.exe	wscript.exe
PID 4844 wrote to memory of 3220	4844	cmd.exe	wscript.exe
PID 4844 wrote to memory of 3220	4844	cmd.exe	wscript.exe
PID 3220 wrote to memory of 3124	3220	wscript.exe	cmd.exe
PID 3220 wrote to memory of 3124	3220	wscript.exe	cmd.exe
PID 3220 wrote to memory of 3124	3220	wscript.exe	cmd.exe
PID 3124 wrote to memory of 1388	3124	cmd.exe	reg.exe
PID 3124 wrote to memory of 1388	3124	cmd.exe	reg.exe
PID 3124 wrote to memory of 1388	3124	cmd.exe	reg.exe
PID 4896 wrote to memory of 2804	4896	notepad .exe	netsh.exe
PID 4896 wrote to memory of 2804	4896	notepad .exe	netsh.exe
PID 4896 wrote to memory of 2804	4896	notepad .exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe
"C:\Users\Admin\AppData\Local\Temp\34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\FolderName\mata.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:4844

C:\Windows\SysWOW64\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\FolderName\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:3124

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderName\file.exe" /f
5⤵
- Modifies WinLogon for persistence
PID:1388

C:\Users\Admin\AppData\Local\Temp\notepad .exe
"C:\Users\Admin\AppData\Local\Temp\notepad .exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4896

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\notepad .exe" "notepad .exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:2804

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FolderName\file.exe
Filesize
192KB

MD5
943f756626ce91cde9b9246e26642039

SHA1
a633aa256f687d95fa746efcb8d8c55da309b879

SHA256
34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900

SHA512
125109e78c64516b30de6d757c5d36e8d69ecc8efb3e4a9780e8a2ba130ad3d079b6f702023d353e6168a2d14cf0357482373047fd02b7edc29ffc266323bee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderName\invs.vbs
Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderName\mata.bat
Filesize
70B

MD5
23f72401196919748c14cb64c1d55c3b

SHA1
869e3809cb4391e6f5aee5349a871e40a1e1fb22

SHA256
d09c4054568f89c5de2bd9bae9cbcbcb3ef2dda9a9ded0153e29da26dc405d11

SHA512
2ab844717c31c4819d8773d7604dfc831e950ae9e38fe311acf8178d46f39fafb54b448ebb6b9cf5d1edd47ed36eae11d649c1be346b0a35d380dd07101c79f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat
Filesize
264B

MD5
4a348e658b3bece507de24309737f37e

SHA1
4abb0d9acf447d8ae8f2c4ffbdde71f74df0eb6e

SHA256
fe0ccea8e63ad44a98bce2497dede9f5387c4596427e847686f7595301b1e15f

SHA512
c285c3c8f5cbf16d1351d3771abec41970eb0c47211d6102057367f0aa5674ee745520aafa55f4383f6386bb1ec9b5329705added4d75a77ba58dcdc487c0ddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\notepad .exe
Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
C:\Users\Admin\AppData\Local\Temp\notepad .exe
Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
memory/1388-144-0x0000000000000000-mapping.dmp

Download
memory/2804-148-0x0000000000000000-mapping.dmp

Download
memory/3096-132-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/3096-145-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/3096-147-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/3124-143-0x0000000000000000-mapping.dmp

Download
memory/3220-139-0x0000000000000000-mapping.dmp

Download
memory/4844-133-0x0000000000000000-mapping.dmp

Download
memory/4896-135-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4896-141-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/4896-134-0x0000000000000000-mapping.dmp

Download
memory/4896-149-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads