njrat | 163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399

Analysis

max time kernel
42s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399.exe
Size

320KB
MD5

4e58b28c75b9b08b0e186092957e2bf0
SHA1

9352d6772eab4356c1179a64a7654a8fbccd33e0
SHA256

163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399
SHA512

1e57bf1f3bdc1f4c83a7dcf30471b3a4b1eb52e5c99795e3b9d2fdbb76c5e3c1ad066ad53917ccc941210f82c10301823f379a52806dcdaa40dfa14a18d4cb92
SSDEEP

6144:imIPHg6U7zLHeAecv8mRw+BhYsNz+MAiuKAf8bpArz0zmF:im8HP0nHxx8mm+jYsczHK+8bwz06F

Score

10^/10

njrat hack persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Hack

91.236.116.112:1604

Mutex

16bb9e8a80e81119cd60a1f6a7412350

Attributes

reg_key
16bb9e8a80e81119cd60a1f6a7412350
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 3 IoCs

Processes:

winlogon.exewinlogon.exefolder.exe

pid process

316 winlogon.exe
764 winlogon.exe
1924 folder.exe
Loads dropped DLL 2 IoCs

Processes:

winlogon.exe

pid process

764 winlogon.exe
764 winlogon.exe

pid	process
316	winlogon.exe
764	winlogon.exe
1924	folder.exe

pid	process
764	winlogon.exe
764	winlogon.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

winlogon.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe"	winlogon.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

winlogon.exe

description pid process target process

PID 316 set thread context of 764 316 winlogon.exe winlogon.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 316 set thread context of 764	316	winlogon.exe	winlogon.exe

NTFS ADS 3 IoCs

Processes:

cmd.execmd.exe163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe:ZONE.identifier	cmd.exe
File created	C:\Users\Admin\AppData\Local\Temp\163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399.exe:ZONE.identifier	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe\:ZONE.identifier:$DATA	163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399.exewinlogon.exewinlogon.exe

description	pid	process	target process
PID 1672 wrote to memory of 1612	1672	163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399.exe	cmd.exe
PID 1672 wrote to memory of 1612	1672	163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399.exe	cmd.exe
PID 1672 wrote to memory of 1612	1672	163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399.exe	cmd.exe
PID 1672 wrote to memory of 316	1672	163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399.exe	winlogon.exe
PID 1672 wrote to memory of 316	1672	163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399.exe	winlogon.exe
PID 1672 wrote to memory of 316	1672	163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399.exe	winlogon.exe
PID 316 wrote to memory of 952	316	winlogon.exe	cmd.exe
PID 316 wrote to memory of 952	316	winlogon.exe	cmd.exe
PID 316 wrote to memory of 952	316	winlogon.exe	cmd.exe
PID 316 wrote to memory of 764	316	winlogon.exe	winlogon.exe
PID 316 wrote to memory of 764	316	winlogon.exe	winlogon.exe
PID 316 wrote to memory of 764	316	winlogon.exe	winlogon.exe
PID 316 wrote to memory of 764	316	winlogon.exe	winlogon.exe
PID 316 wrote to memory of 764	316	winlogon.exe	winlogon.exe
PID 316 wrote to memory of 764	316	winlogon.exe	winlogon.exe
PID 316 wrote to memory of 764	316	winlogon.exe	winlogon.exe
PID 316 wrote to memory of 764	316	winlogon.exe	winlogon.exe
PID 316 wrote to memory of 764	316	winlogon.exe	winlogon.exe
PID 764 wrote to memory of 1924	764	winlogon.exe	folder.exe
PID 764 wrote to memory of 1924	764	winlogon.exe	folder.exe
PID 764 wrote to memory of 1924	764	winlogon.exe	folder.exe
PID 764 wrote to memory of 1924	764	winlogon.exe	folder.exe

C:\Users\Admin\AppData\Local\Temp\163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399.exe
"C:\Users\Admin\AppData\Local\Temp\163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399.exe"
1⤵
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Local\Temp\163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399.exe":ZONE.identifier & exit
2⤵
- NTFS ADS
PID:1612

C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
"C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe":ZONE.identifier & exit
3⤵
- NTFS ADS
PID:952

C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:764

C:\Users\Admin\AppData\Local\Temp\folder.exe
"C:\Users\Admin\AppData\Local\Temp\folder.exe"
4⤵
- Executes dropped EXE
PID:1924

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399.exe
Filesize
320KB

MD5
4e58b28c75b9b08b0e186092957e2bf0

SHA1
9352d6772eab4356c1179a64a7654a8fbccd33e0

SHA256
163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399

SHA512
1e57bf1f3bdc1f4c83a7dcf30471b3a4b1eb52e5c99795e3b9d2fdbb76c5e3c1ad066ad53917ccc941210f82c10301823f379a52806dcdaa40dfa14a18d4cb92

Download Submit
C:\Users\Admin\AppData\Local\Temp\folder.exe
Filesize
3KB

MD5
0f23e02eee910cca425990e1c2309541

SHA1
ae625a1f94396f82b8179a95873f8007a3e70604

SHA256
9bec436d55d25522e860306343d1617437e2a4fec68b4438282eb60510a7f517

SHA512
c7c88a84e36b32c1c2e6fe3890748f2857b7b4e96ca6a6d543f610446428f15a5f139be8abc577f8afde503c4c5269b5bf33731433be2ecd06a9da4497fd16ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\folder.exe
Filesize
3KB

MD5
0f23e02eee910cca425990e1c2309541

SHA1
ae625a1f94396f82b8179a95873f8007a3e70604

SHA256
9bec436d55d25522e860306343d1617437e2a4fec68b4438282eb60510a7f517

SHA512
c7c88a84e36b32c1c2e6fe3890748f2857b7b4e96ca6a6d543f610446428f15a5f139be8abc577f8afde503c4c5269b5bf33731433be2ecd06a9da4497fd16ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe
Filesize
3KB

MD5
0f23e02eee910cca425990e1c2309541

SHA1
ae625a1f94396f82b8179a95873f8007a3e70604

SHA256
9bec436d55d25522e860306343d1617437e2a4fec68b4438282eb60510a7f517

SHA512
c7c88a84e36b32c1c2e6fe3890748f2857b7b4e96ca6a6d543f610446428f15a5f139be8abc577f8afde503c4c5269b5bf33731433be2ecd06a9da4497fd16ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe
Filesize
3KB

MD5
0f23e02eee910cca425990e1c2309541

SHA1
ae625a1f94396f82b8179a95873f8007a3e70604

SHA256
9bec436d55d25522e860306343d1617437e2a4fec68b4438282eb60510a7f517

SHA512
c7c88a84e36b32c1c2e6fe3890748f2857b7b4e96ca6a6d543f610446428f15a5f139be8abc577f8afde503c4c5269b5bf33731433be2ecd06a9da4497fd16ed

Download Submit
C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
Filesize
320KB

MD5
4e58b28c75b9b08b0e186092957e2bf0

SHA1
9352d6772eab4356c1179a64a7654a8fbccd33e0

SHA256
163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399

SHA512
1e57bf1f3bdc1f4c83a7dcf30471b3a4b1eb52e5c99795e3b9d2fdbb76c5e3c1ad066ad53917ccc941210f82c10301823f379a52806dcdaa40dfa14a18d4cb92

Download Submit
C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
Filesize
320KB

MD5
4e58b28c75b9b08b0e186092957e2bf0

SHA1
9352d6772eab4356c1179a64a7654a8fbccd33e0

SHA256
163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399

SHA512
1e57bf1f3bdc1f4c83a7dcf30471b3a4b1eb52e5c99795e3b9d2fdbb76c5e3c1ad066ad53917ccc941210f82c10301823f379a52806dcdaa40dfa14a18d4cb92

Download Submit
\Users\Admin\AppData\Local\Temp\folder.exe
Filesize
3KB

MD5
0f23e02eee910cca425990e1c2309541

SHA1
ae625a1f94396f82b8179a95873f8007a3e70604

SHA256
9bec436d55d25522e860306343d1617437e2a4fec68b4438282eb60510a7f517

SHA512
c7c88a84e36b32c1c2e6fe3890748f2857b7b4e96ca6a6d543f610446428f15a5f139be8abc577f8afde503c4c5269b5bf33731433be2ecd06a9da4497fd16ed

Download Submit
\Users\Admin\AppData\Local\Temp\folder.exe
Filesize
3KB

MD5
0f23e02eee910cca425990e1c2309541

SHA1
ae625a1f94396f82b8179a95873f8007a3e70604

SHA256
9bec436d55d25522e860306343d1617437e2a4fec68b4438282eb60510a7f517

SHA512
c7c88a84e36b32c1c2e6fe3890748f2857b7b4e96ca6a6d543f610446428f15a5f139be8abc577f8afde503c4c5269b5bf33731433be2ecd06a9da4497fd16ed

Download Submit
memory/316-58-0x0000000000000000-mapping.dmp

Download
memory/316-61-0x000007FEF3890000-0x000007FEF42B3000-memory.dmp

Filesize
10.1MB

Download
memory/316-62-0x000007FEF27F0000-0x000007FEF3886000-memory.dmp

Filesize
16.6MB

Download
memory/764-67-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/764-81-0x00000000746E0000-0x0000000074C8B000-memory.dmp

Filesize
5.7MB

Download
memory/764-88-0x00000000746E0000-0x0000000074C8B000-memory.dmp

Filesize
5.7MB

Download
memory/764-65-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/764-64-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/764-76-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/764-78-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/764-69-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/764-80-0x0000000075201000-0x0000000075203000-memory.dmp

Filesize
8KB

Download
memory/764-73-0x000000000040747E-mapping.dmp

Download
memory/764-71-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/952-63-0x0000000000000000-mapping.dmp

Download
memory/1612-56-0x0000000000000000-mapping.dmp

Download
memory/1672-55-0x000007FEF2F50000-0x000007FEF3FE6000-memory.dmp

Filesize
16.6MB

Download
memory/1672-54-0x000007FEF4230000-0x000007FEF4C53000-memory.dmp

Filesize
10.1MB

Download
memory/1924-84-0x0000000000000000-mapping.dmp

Download
memory/1924-89-0x00000000746E0000-0x0000000074C8B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads