njrat | 0ce8e23976298201accb8f85d6283730b86c53b23e597f8a81809eccf7b5aa60

General

Target

0ce8e23976298201accb8f85d6283730b86c53b23e597f8a81809eccf7b5aa60.exe
Size

366KB
MD5

a14b4405f4f6bbdecd95dfe12f6a8fc3
SHA1

e05fa32c6b856ce97a6c72c522e3c344fdd387c3
SHA256

0ce8e23976298201accb8f85d6283730b86c53b23e597f8a81809eccf7b5aa60
SHA512

9f2af3a349ca33fd2f68476fa87cc50ce7143c653daee55e41fe9deb980d208b320c8baa1248a2af037a2d826a6e5d6e648d87110c51f7c0159dd52e991dfa90
SSDEEP

6144:CuNUGc+PIaSgm56pWiifTdy0v50Cb6Vku0XiPClM7NNnpy1NqX07rA7b:hJc+P6r5CWinMHCZgWNNnw1NqE7rC

Score

10^/10

njrat xxxriezoaaxxx evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

XxxRIEZOaaXXX

C2

hasvan212.ddns.net:81

Mutex

5f805e177fa7c673482c92c255460b67

Attributes

reg_key
5f805e177fa7c673482c92c255460b67
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

tMDpNGrjCCImVvEL6KWU.exeSystem.exe

pid process

1508 tMDpNGrjCCImVvEL6KWU.exe
580 System.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1652 netsh.exe

pid	process
1508	tMDpNGrjCCImVvEL6KWU.exe
580	System.exe

pid	process
1652	netsh.exe

Drops startup file 2 IoCs

Processes:

System.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5f805e177fa7c673482c92c255460b67.exe	System.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5f805e177fa7c673482c92c255460b67.exe	System.exe

Loads dropped DLL 2 IoCs

Processes:

0ce8e23976298201accb8f85d6283730b86c53b23e597f8a81809eccf7b5aa60.exetMDpNGrjCCImVvEL6KWU.exe

pid process

1412 0ce8e23976298201accb8f85d6283730b86c53b23e597f8a81809eccf7b5aa60.exe
1508 tMDpNGrjCCImVvEL6KWU.exe

pid	process
1412	0ce8e23976298201accb8f85d6283730b86c53b23e597f8a81809eccf7b5aa60.exe
1508	tMDpNGrjCCImVvEL6KWU.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

System.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\5f805e177fa7c673482c92c255460b67 = "\"C:\\Users\\Admin\\AppData\\Roaming\\System.exe\" .."	System.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\5f805e177fa7c673482c92c255460b67 = "\"C:\\Users\\Admin\\AppData\\Roaming\\System.exe\" .."	System.exe

Drops file in Windows directory 2 IoCs

Processes:

0ce8e23976298201accb8f85d6283730b86c53b23e597f8a81809eccf7b5aa60.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	0ce8e23976298201accb8f85d6283730b86c53b23e597f8a81809eccf7b5aa60.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	0ce8e23976298201accb8f85d6283730b86c53b23e597f8a81809eccf7b5aa60.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

System.exe

pid	process
580	System.exe
580	System.exe
580	System.exe
580	System.exe
580	System.exe
580	System.exe
580	System.exe
580	System.exe
580	System.exe
580	System.exe
580	System.exe
580	System.exe
580	System.exe
580	System.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

System.exe

description pid process

Token: SeDebugPrivilege 580 System.exe

description	pid	process
Token: SeDebugPrivilege	580	System.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

0ce8e23976298201accb8f85d6283730b86c53b23e597f8a81809eccf7b5aa60.exetMDpNGrjCCImVvEL6KWU.exeSystem.exe

description	pid	process	target process
PID 1412 wrote to memory of 1508	1412	0ce8e23976298201accb8f85d6283730b86c53b23e597f8a81809eccf7b5aa60.exe	tMDpNGrjCCImVvEL6KWU.exe
PID 1412 wrote to memory of 1508	1412	0ce8e23976298201accb8f85d6283730b86c53b23e597f8a81809eccf7b5aa60.exe	tMDpNGrjCCImVvEL6KWU.exe
PID 1412 wrote to memory of 1508	1412	0ce8e23976298201accb8f85d6283730b86c53b23e597f8a81809eccf7b5aa60.exe	tMDpNGrjCCImVvEL6KWU.exe
PID 1412 wrote to memory of 1508	1412	0ce8e23976298201accb8f85d6283730b86c53b23e597f8a81809eccf7b5aa60.exe	tMDpNGrjCCImVvEL6KWU.exe
PID 1508 wrote to memory of 580	1508	tMDpNGrjCCImVvEL6KWU.exe	System.exe
PID 1508 wrote to memory of 580	1508	tMDpNGrjCCImVvEL6KWU.exe	System.exe
PID 1508 wrote to memory of 580	1508	tMDpNGrjCCImVvEL6KWU.exe	System.exe
PID 1508 wrote to memory of 580	1508	tMDpNGrjCCImVvEL6KWU.exe	System.exe
PID 580 wrote to memory of 1652	580	System.exe	netsh.exe
PID 580 wrote to memory of 1652	580	System.exe	netsh.exe
PID 580 wrote to memory of 1652	580	System.exe	netsh.exe
PID 580 wrote to memory of 1652	580	System.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\0ce8e23976298201accb8f85d6283730b86c53b23e597f8a81809eccf7b5aa60.exe
"C:\Users\Admin\AppData\Local\Temp\0ce8e23976298201accb8f85d6283730b86c53b23e597f8a81809eccf7b5aa60.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1412

C:\Users\Admin\AppData\Local\Temp\tMDpNGrjCCImVvEL6KWU.exe
"C:\Users\Admin\AppData\Local\Temp\tMDpNGrjCCImVvEL6KWU.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1508

C:\Users\Admin\AppData\Roaming\System.exe
"C:\Users\Admin\AppData\Roaming\System.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\System.exe" "System.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:1652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tMDpNGrjCCImVvEL6KWU.exe
Filesize
60KB

MD5
1de56f2dea95b4bc492237c826f48797

SHA1
e055599b87286ecd686611b711bbe27227795aa6

SHA256
36b37310012809b7dc90ebed7c016060c90069630c93297ed293dc24f876baf5

SHA512
b764a92275a757e006a6c1166124666f571762611e3f703c231ba0d3e5ab813f954481912ceb35ecfd9e3e1f672f176e34915c4f7c88cfe3117f7502d3c50ee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tMDpNGrjCCImVvEL6KWU.exe
Filesize
60KB

MD5
1de56f2dea95b4bc492237c826f48797

SHA1
e055599b87286ecd686611b711bbe27227795aa6

SHA256
36b37310012809b7dc90ebed7c016060c90069630c93297ed293dc24f876baf5

SHA512
b764a92275a757e006a6c1166124666f571762611e3f703c231ba0d3e5ab813f954481912ceb35ecfd9e3e1f672f176e34915c4f7c88cfe3117f7502d3c50ee2

Download Submit
C:\Users\Admin\AppData\Roaming\System.exe
Filesize
60KB

MD5
1de56f2dea95b4bc492237c826f48797

SHA1
e055599b87286ecd686611b711bbe27227795aa6

SHA256
36b37310012809b7dc90ebed7c016060c90069630c93297ed293dc24f876baf5

SHA512
b764a92275a757e006a6c1166124666f571762611e3f703c231ba0d3e5ab813f954481912ceb35ecfd9e3e1f672f176e34915c4f7c88cfe3117f7502d3c50ee2

Download Submit
C:\Users\Admin\AppData\Roaming\System.exe
Filesize
60KB

MD5
1de56f2dea95b4bc492237c826f48797

SHA1
e055599b87286ecd686611b711bbe27227795aa6

SHA256
36b37310012809b7dc90ebed7c016060c90069630c93297ed293dc24f876baf5

SHA512
b764a92275a757e006a6c1166124666f571762611e3f703c231ba0d3e5ab813f954481912ceb35ecfd9e3e1f672f176e34915c4f7c88cfe3117f7502d3c50ee2

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch
Filesize
514B

MD5
0a53071e97c95ae1ae3a1be17a8a34fd

SHA1
e88a36b828a5b69526165ed452aaf454ab2261a3

SHA256
84984e8d2acd039020759528c7d8b5328564ffe25f4ceb6ca278419b66cb715b

SHA512
49b956192005d395c7ee317571f7808bc406f11d22866bbb7cd2520350ab69d6387ec91f2cf91e39316d19a2e1cc0f6bb8ba997fe238a22041232eacc652fd42

Download Submit
\Users\Admin\AppData\Local\Temp\tMDpNGrjCCImVvEL6KWU.exe
Filesize
60KB

MD5
1de56f2dea95b4bc492237c826f48797

SHA1
e055599b87286ecd686611b711bbe27227795aa6

SHA256
36b37310012809b7dc90ebed7c016060c90069630c93297ed293dc24f876baf5

SHA512
b764a92275a757e006a6c1166124666f571762611e3f703c231ba0d3e5ab813f954481912ceb35ecfd9e3e1f672f176e34915c4f7c88cfe3117f7502d3c50ee2

Download Submit
\Users\Admin\AppData\Roaming\System.exe
Filesize
60KB

MD5
1de56f2dea95b4bc492237c826f48797

SHA1
e055599b87286ecd686611b711bbe27227795aa6

SHA256
36b37310012809b7dc90ebed7c016060c90069630c93297ed293dc24f876baf5

SHA512
b764a92275a757e006a6c1166124666f571762611e3f703c231ba0d3e5ab813f954481912ceb35ecfd9e3e1f672f176e34915c4f7c88cfe3117f7502d3c50ee2

Download Submit
memory/580-64-0x0000000000000000-mapping.dmp

Download
memory/580-69-0x00000000744F0000-0x0000000074A9B000-memory.dmp

Filesize
5.7MB

Download
memory/580-74-0x00000000744F0000-0x0000000074A9B000-memory.dmp

Filesize
5.7MB

Download
memory/1412-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1412-56-0x00000000744F0000-0x0000000074A9B000-memory.dmp

Filesize
5.7MB

Download
memory/1412-55-0x00000000744F0000-0x0000000074A9B000-memory.dmp

Filesize
5.7MB

Download
memory/1412-71-0x00000000744F0000-0x0000000074A9B000-memory.dmp

Filesize
5.7MB

Download
memory/1508-62-0x00000000744F0000-0x0000000074A9B000-memory.dmp

Filesize
5.7MB

Download
memory/1508-58-0x0000000000000000-mapping.dmp

Download
memory/1508-70-0x00000000744F0000-0x0000000074A9B000-memory.dmp

Filesize
5.7MB

Download
memory/1652-72-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads