njrat | 089591f99c69e6171f1cdf225fbf69c7fd35eea67cf6a6e7c87651484378f5d1

General

Target

089591f99c69e6171f1cdf225fbf69c7fd35eea67cf6a6e7c87651484378f5d1.exe
Size

2.3MB
MD5

686df444b5aba01a73b427ce6e1457ae
SHA1

0c8fbdfa9f81585f0a7752ad0175ddb317bb24d7
SHA256

089591f99c69e6171f1cdf225fbf69c7fd35eea67cf6a6e7c87651484378f5d1
SHA512

159e766a9f8a673f5964c9f27654c0833d2a9162bc53e070351e932206c3a962937b12835efa556e06de48e43924da2903ff83dca6514fe3df2fe0db121e9ec0
SSDEEP

24576:pwYZ4kGOYTnTDolUaNcTkkD9iSe87AAFmHs205LvLTV:uYpYTTDoXNcVoSe87FFmHB05Lv

Score

10^/10

njrat victime trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

victime

C2

achiille1607b.no-ip.biz:1177

Mutex

4d8f1dc021f465efab135a3c3a22d781

Attributes

reg_key
4d8f1dc021f465efab135a3c3a22d781
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

taskhost.exetaskhost.exe

pid process

4796 taskhost.exe
1644 taskhost.exe

pid	process
4796	taskhost.exe
1644	taskhost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

089591f99c69e6171f1cdf225fbf69c7fd35eea67cf6a6e7c87651484378f5d1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	089591f99c69e6171f1cdf225fbf69c7fd35eea67cf6a6e7c87651484378f5d1.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

089591f99c69e6171f1cdf225fbf69c7fd35eea67cf6a6e7c87651484378f5d1.exetaskhost.exe

description	pid	process	target process
PID 4916 set thread context of 4532	4916	089591f99c69e6171f1cdf225fbf69c7fd35eea67cf6a6e7c87651484378f5d1.exe	089591f99c69e6171f1cdf225fbf69c7fd35eea67cf6a6e7c87651484378f5d1.exe
PID 4796 set thread context of 1644	4796	taskhost.exe	taskhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4408 1644 WerFault.exe taskhost.exe

pid	pid_target	process	target process
4408	1644	WerFault.exe	taskhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

089591f99c69e6171f1cdf225fbf69c7fd35eea67cf6a6e7c87651484378f5d1.exetaskhost.exe

description	pid	process
Token: SeDebugPrivilege	4916	089591f99c69e6171f1cdf225fbf69c7fd35eea67cf6a6e7c87651484378f5d1.exe
Token: SeDebugPrivilege	4796	taskhost.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

taskhost.exe

pid process

1644 taskhost.exe

pid	process
1644	taskhost.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

089591f99c69e6171f1cdf225fbf69c7fd35eea67cf6a6e7c87651484378f5d1.exe089591f99c69e6171f1cdf225fbf69c7fd35eea67cf6a6e7c87651484378f5d1.exetaskhost.exe

description	pid	process	target process
PID 4916 wrote to memory of 4532	4916	089591f99c69e6171f1cdf225fbf69c7fd35eea67cf6a6e7c87651484378f5d1.exe	089591f99c69e6171f1cdf225fbf69c7fd35eea67cf6a6e7c87651484378f5d1.exe
PID 4916 wrote to memory of 4532	4916	089591f99c69e6171f1cdf225fbf69c7fd35eea67cf6a6e7c87651484378f5d1.exe	089591f99c69e6171f1cdf225fbf69c7fd35eea67cf6a6e7c87651484378f5d1.exe
PID 4916 wrote to memory of 4532	4916	089591f99c69e6171f1cdf225fbf69c7fd35eea67cf6a6e7c87651484378f5d1.exe	089591f99c69e6171f1cdf225fbf69c7fd35eea67cf6a6e7c87651484378f5d1.exe
PID 4916 wrote to memory of 4532	4916	089591f99c69e6171f1cdf225fbf69c7fd35eea67cf6a6e7c87651484378f5d1.exe	089591f99c69e6171f1cdf225fbf69c7fd35eea67cf6a6e7c87651484378f5d1.exe
PID 4916 wrote to memory of 4532	4916	089591f99c69e6171f1cdf225fbf69c7fd35eea67cf6a6e7c87651484378f5d1.exe	089591f99c69e6171f1cdf225fbf69c7fd35eea67cf6a6e7c87651484378f5d1.exe
PID 4916 wrote to memory of 4532	4916	089591f99c69e6171f1cdf225fbf69c7fd35eea67cf6a6e7c87651484378f5d1.exe	089591f99c69e6171f1cdf225fbf69c7fd35eea67cf6a6e7c87651484378f5d1.exe
PID 4916 wrote to memory of 4532	4916	089591f99c69e6171f1cdf225fbf69c7fd35eea67cf6a6e7c87651484378f5d1.exe	089591f99c69e6171f1cdf225fbf69c7fd35eea67cf6a6e7c87651484378f5d1.exe
PID 4916 wrote to memory of 4532	4916	089591f99c69e6171f1cdf225fbf69c7fd35eea67cf6a6e7c87651484378f5d1.exe	089591f99c69e6171f1cdf225fbf69c7fd35eea67cf6a6e7c87651484378f5d1.exe
PID 4532 wrote to memory of 4796	4532	089591f99c69e6171f1cdf225fbf69c7fd35eea67cf6a6e7c87651484378f5d1.exe	taskhost.exe
PID 4532 wrote to memory of 4796	4532	089591f99c69e6171f1cdf225fbf69c7fd35eea67cf6a6e7c87651484378f5d1.exe	taskhost.exe
PID 4532 wrote to memory of 4796	4532	089591f99c69e6171f1cdf225fbf69c7fd35eea67cf6a6e7c87651484378f5d1.exe	taskhost.exe
PID 4796 wrote to memory of 1644	4796	taskhost.exe	taskhost.exe
PID 4796 wrote to memory of 1644	4796	taskhost.exe	taskhost.exe
PID 4796 wrote to memory of 1644	4796	taskhost.exe	taskhost.exe
PID 4796 wrote to memory of 1644	4796	taskhost.exe	taskhost.exe
PID 4796 wrote to memory of 1644	4796	taskhost.exe	taskhost.exe
PID 4796 wrote to memory of 1644	4796	taskhost.exe	taskhost.exe
PID 4796 wrote to memory of 1644	4796	taskhost.exe	taskhost.exe
PID 4796 wrote to memory of 1644	4796	taskhost.exe	taskhost.exe

C:\Users\Admin\AppData\Local\Temp\089591f99c69e6171f1cdf225fbf69c7fd35eea67cf6a6e7c87651484378f5d1.exe
"C:\Users\Admin\AppData\Local\Temp\089591f99c69e6171f1cdf225fbf69c7fd35eea67cf6a6e7c87651484378f5d1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4916

C:\Users\Admin\AppData\Local\Temp\089591f99c69e6171f1cdf225fbf69c7fd35eea67cf6a6e7c87651484378f5d1.exe
C:\Users\Admin\AppData\Local\Temp\089591f99c69e6171f1cdf225fbf69c7fd35eea67cf6a6e7c87651484378f5d1.exe
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4532

C:\Users\Admin\AppData\Local\Temp\taskhost.exe
"C:\Users\Admin\AppData\Local\Temp\taskhost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4796

C:\Users\Admin\AppData\Local\Temp\taskhost.exe
C:\Users\Admin\AppData\Local\Temp\taskhost.exe
4⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 12
5⤵
- Program crash
PID:4408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1644 -ip 1644
1⤵
PID:4704

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\089591f99c69e6171f1cdf225fbf69c7fd35eea67cf6a6e7c87651484378f5d1.exe.log
Filesize
522B

MD5
0f39d6b9afc039d81ff31f65cbf76826

SHA1
8356d04fe7bba2695d59b6caf5c59f58f3e1a6d8

SHA256
ea16b63ffd431ebf658b903710b6b3a9b8a2eb6814eee3a53b707a342780315d

SHA512
5bad54adb2e32717ef6275f49e2f101dd7e2011c9be14a32e5c29051e8a3f608cbd0b44ac4855ab21e790cb7a5d84c5f69de087074fd01b35259d34d07f5aaf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskhost.exe
Filesize
2.3MB

MD5
686df444b5aba01a73b427ce6e1457ae

SHA1
0c8fbdfa9f81585f0a7752ad0175ddb317bb24d7

SHA256
089591f99c69e6171f1cdf225fbf69c7fd35eea67cf6a6e7c87651484378f5d1

SHA512
159e766a9f8a673f5964c9f27654c0833d2a9162bc53e070351e932206c3a962937b12835efa556e06de48e43924da2903ff83dca6514fe3df2fe0db121e9ec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskhost.exe
Filesize
2.3MB

MD5
686df444b5aba01a73b427ce6e1457ae

SHA1
0c8fbdfa9f81585f0a7752ad0175ddb317bb24d7

SHA256
089591f99c69e6171f1cdf225fbf69c7fd35eea67cf6a6e7c87651484378f5d1

SHA512
159e766a9f8a673f5964c9f27654c0833d2a9162bc53e070351e932206c3a962937b12835efa556e06de48e43924da2903ff83dca6514fe3df2fe0db121e9ec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskhost.exe
Filesize
2.3MB

MD5
686df444b5aba01a73b427ce6e1457ae

SHA1
0c8fbdfa9f81585f0a7752ad0175ddb317bb24d7

SHA256
089591f99c69e6171f1cdf225fbf69c7fd35eea67cf6a6e7c87651484378f5d1

SHA512
159e766a9f8a673f5964c9f27654c0833d2a9162bc53e070351e932206c3a962937b12835efa556e06de48e43924da2903ff83dca6514fe3df2fe0db121e9ec0

Download Submit
memory/1644-141-0x0000000000000000-mapping.dmp

Download
memory/4532-134-0x0000000000000000-mapping.dmp

Download
memory/4532-135-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4532-137-0x0000000006020000-0x00000000065C4000-memory.dmp

Filesize
5.6MB

Download
memory/4796-138-0x0000000000000000-mapping.dmp

Download
memory/4916-132-0x0000000000010000-0x000000000025A000-memory.dmp

Filesize
2.3MB

Download
memory/4916-133-0x0000000004BF0000-0x0000000004C8C000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads