njrat | 0ce8e23976298201accb8f85d6283730b86c53b23e597f8a81809eccf7b5aa60

General

Target

0ce8e23976298201accb8f85d6283730b86c53b23e597f8a81809eccf7b5aa60.exe
Size

366KB
MD5

a14b4405f4f6bbdecd95dfe12f6a8fc3
SHA1

e05fa32c6b856ce97a6c72c522e3c344fdd387c3
SHA256

0ce8e23976298201accb8f85d6283730b86c53b23e597f8a81809eccf7b5aa60
SHA512

9f2af3a349ca33fd2f68476fa87cc50ce7143c653daee55e41fe9deb980d208b320c8baa1248a2af037a2d826a6e5d6e648d87110c51f7c0159dd52e991dfa90
SSDEEP

6144:CuNUGc+PIaSgm56pWiifTdy0v50Cb6Vku0XiPClM7NNnpy1NqX07rA7b:hJc+P6r5CWinMHCZgWNNnw1NqE7rC

Score

10^/10

njrat xxxriezoaaxxx trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

XxxRIEZOaaXXX

C2

hasvan212.ddns.net:81

Mutex

5f805e177fa7c673482c92c255460b67

Attributes

reg_key
5f805e177fa7c673482c92c255460b67
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

tMDpNGrjCCImVvEL6KWU.exeSystem.exe

pid process

4492 tMDpNGrjCCImVvEL6KWU.exe
3524 System.exe

pid	process
4492	tMDpNGrjCCImVvEL6KWU.exe
3524	System.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0ce8e23976298201accb8f85d6283730b86c53b23e597f8a81809eccf7b5aa60.exetMDpNGrjCCImVvEL6KWU.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	0ce8e23976298201accb8f85d6283730b86c53b23e597f8a81809eccf7b5aa60.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	tMDpNGrjCCImVvEL6KWU.exe

Drops file in Windows directory 2 IoCs

Processes:

0ce8e23976298201accb8f85d6283730b86c53b23e597f8a81809eccf7b5aa60.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	0ce8e23976298201accb8f85d6283730b86c53b23e597f8a81809eccf7b5aa60.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	0ce8e23976298201accb8f85d6283730b86c53b23e597f8a81809eccf7b5aa60.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

0ce8e23976298201accb8f85d6283730b86c53b23e597f8a81809eccf7b5aa60.exetMDpNGrjCCImVvEL6KWU.exe

description	pid	process	target process
PID 388 wrote to memory of 4492	388	0ce8e23976298201accb8f85d6283730b86c53b23e597f8a81809eccf7b5aa60.exe	tMDpNGrjCCImVvEL6KWU.exe
PID 388 wrote to memory of 4492	388	0ce8e23976298201accb8f85d6283730b86c53b23e597f8a81809eccf7b5aa60.exe	tMDpNGrjCCImVvEL6KWU.exe
PID 388 wrote to memory of 4492	388	0ce8e23976298201accb8f85d6283730b86c53b23e597f8a81809eccf7b5aa60.exe	tMDpNGrjCCImVvEL6KWU.exe
PID 4492 wrote to memory of 3524	4492	tMDpNGrjCCImVvEL6KWU.exe	System.exe
PID 4492 wrote to memory of 3524	4492	tMDpNGrjCCImVvEL6KWU.exe	System.exe
PID 4492 wrote to memory of 3524	4492	tMDpNGrjCCImVvEL6KWU.exe	System.exe

C:\Users\Admin\AppData\Local\Temp\0ce8e23976298201accb8f85d6283730b86c53b23e597f8a81809eccf7b5aa60.exe
"C:\Users\Admin\AppData\Local\Temp\0ce8e23976298201accb8f85d6283730b86c53b23e597f8a81809eccf7b5aa60.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:388

C:\Users\Admin\AppData\Local\Temp\tMDpNGrjCCImVvEL6KWU.exe
"C:\Users\Admin\AppData\Local\Temp\tMDpNGrjCCImVvEL6KWU.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4492

C:\Users\Admin\AppData\Roaming\System.exe
"C:\Users\Admin\AppData\Roaming\System.exe"
3⤵
- Executes dropped EXE
PID:3524

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tMDpNGrjCCImVvEL6KWU.exe
Filesize
60KB

MD5
1de56f2dea95b4bc492237c826f48797

SHA1
e055599b87286ecd686611b711bbe27227795aa6

SHA256
36b37310012809b7dc90ebed7c016060c90069630c93297ed293dc24f876baf5

SHA512
b764a92275a757e006a6c1166124666f571762611e3f703c231ba0d3e5ab813f954481912ceb35ecfd9e3e1f672f176e34915c4f7c88cfe3117f7502d3c50ee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tMDpNGrjCCImVvEL6KWU.exe
Filesize
60KB

MD5
1de56f2dea95b4bc492237c826f48797

SHA1
e055599b87286ecd686611b711bbe27227795aa6

SHA256
36b37310012809b7dc90ebed7c016060c90069630c93297ed293dc24f876baf5

SHA512
b764a92275a757e006a6c1166124666f571762611e3f703c231ba0d3e5ab813f954481912ceb35ecfd9e3e1f672f176e34915c4f7c88cfe3117f7502d3c50ee2

Download Submit
C:\Users\Admin\AppData\Roaming\System.exe
Filesize
60KB

MD5
1de56f2dea95b4bc492237c826f48797

SHA1
e055599b87286ecd686611b711bbe27227795aa6

SHA256
36b37310012809b7dc90ebed7c016060c90069630c93297ed293dc24f876baf5

SHA512
b764a92275a757e006a6c1166124666f571762611e3f703c231ba0d3e5ab813f954481912ceb35ecfd9e3e1f672f176e34915c4f7c88cfe3117f7502d3c50ee2

Download Submit
C:\Users\Admin\AppData\Roaming\System.exe
Filesize
60KB

MD5
1de56f2dea95b4bc492237c826f48797

SHA1
e055599b87286ecd686611b711bbe27227795aa6

SHA256
36b37310012809b7dc90ebed7c016060c90069630c93297ed293dc24f876baf5

SHA512
b764a92275a757e006a6c1166124666f571762611e3f703c231ba0d3e5ab813f954481912ceb35ecfd9e3e1f672f176e34915c4f7c88cfe3117f7502d3c50ee2

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch
Filesize
514B

MD5
d545ecb28b76832d72d06c7f22de3fe4

SHA1
abb79f930e1d672de893881de960fe1c8623dfaf

SHA256
b27e75e661542a9f08574aa747e3a139c1d776276b68cd1557ce9af51549b820

SHA512
0732a913b63c936901fcd7e45309024b7398378aecf906afe35a5d0f3f54832fb10e5a5adbaac30e94490063a4fbcf8caaa7b744807ec97cd99523520844720c

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch
Filesize
514B

MD5
d545ecb28b76832d72d06c7f22de3fe4

SHA1
abb79f930e1d672de893881de960fe1c8623dfaf

SHA256
b27e75e661542a9f08574aa747e3a139c1d776276b68cd1557ce9af51549b820

SHA512
0732a913b63c936901fcd7e45309024b7398378aecf906afe35a5d0f3f54832fb10e5a5adbaac30e94490063a4fbcf8caaa7b744807ec97cd99523520844720c

Download Submit
memory/388-138-0x0000000074BD0000-0x0000000075181000-memory.dmp

Filesize
5.7MB

Download
memory/388-133-0x0000000074BD0000-0x0000000075181000-memory.dmp

Filesize
5.7MB

Download
memory/388-132-0x0000000074BD0000-0x0000000075181000-memory.dmp

Filesize
5.7MB

Download
memory/3524-139-0x0000000000000000-mapping.dmp

Download
memory/3524-145-0x0000000074BD0000-0x0000000075181000-memory.dmp

Filesize
5.7MB

Download
memory/3524-146-0x0000000074BD0000-0x0000000075181000-memory.dmp

Filesize
5.7MB

Download
memory/4492-134-0x0000000000000000-mapping.dmp

Download
memory/4492-137-0x0000000074BD0000-0x0000000075181000-memory.dmp

Filesize
5.7MB

Download
memory/4492-144-0x0000000074BD0000-0x0000000075181000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads