njrat | 163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399

General

Target

163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399.exe
Size

320KB
MD5

4e58b28c75b9b08b0e186092957e2bf0
SHA1

9352d6772eab4356c1179a64a7654a8fbccd33e0
SHA256

163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399
SHA512

1e57bf1f3bdc1f4c83a7dcf30471b3a4b1eb52e5c99795e3b9d2fdbb76c5e3c1ad066ad53917ccc941210f82c10301823f379a52806dcdaa40dfa14a18d4cb92
SSDEEP

6144:imIPHg6U7zLHeAecv8mRw+BhYsNz+MAiuKAf8bpArz0zmF:im8HP0nHxx8mm+jYsczHK+8bwz06F

Score

10^/10

njrat hack persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Hack

C2

91.236.116.112:1604

Mutex

16bb9e8a80e81119cd60a1f6a7412350

Attributes

reg_key
16bb9e8a80e81119cd60a1f6a7412350
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 4 IoCs

Processes:

winlogon.exewinlogon.exewinlogon.exefolder.exe

pid process

4888 winlogon.exe
3340 winlogon.exe
2008 winlogon.exe
3836 folder.exe

pid	process
4888	winlogon.exe
3340	winlogon.exe
2008	winlogon.exe
3836	folder.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399.exewinlogon.exewinlogon.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	winlogon.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

winlogon.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe"	winlogon.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

winlogon.exe

description pid process target process

PID 4888 set thread context of 2008 4888 winlogon.exe winlogon.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 4888 set thread context of 2008	4888	winlogon.exe	winlogon.exe

NTFS ADS 3 IoCs

Processes:

cmd.exe163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399.execmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399.exe:ZONE.identifier	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe\:ZONE.identifier:$DATA	163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe:ZONE.identifier	cmd.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399.exewinlogon.exewinlogon.exe

description	pid	process	target process
PID 4824 wrote to memory of 4468	4824	163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399.exe	cmd.exe
PID 4824 wrote to memory of 4468	4824	163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399.exe	cmd.exe
PID 4824 wrote to memory of 4888	4824	163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399.exe	winlogon.exe
PID 4824 wrote to memory of 4888	4824	163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399.exe	winlogon.exe
PID 4888 wrote to memory of 4236	4888	winlogon.exe	cmd.exe
PID 4888 wrote to memory of 4236	4888	winlogon.exe	cmd.exe
PID 4888 wrote to memory of 3340	4888	winlogon.exe	winlogon.exe
PID 4888 wrote to memory of 3340	4888	winlogon.exe	winlogon.exe
PID 4888 wrote to memory of 3340	4888	winlogon.exe	winlogon.exe
PID 4888 wrote to memory of 2008	4888	winlogon.exe	winlogon.exe
PID 4888 wrote to memory of 2008	4888	winlogon.exe	winlogon.exe
PID 4888 wrote to memory of 2008	4888	winlogon.exe	winlogon.exe
PID 4888 wrote to memory of 2008	4888	winlogon.exe	winlogon.exe
PID 4888 wrote to memory of 2008	4888	winlogon.exe	winlogon.exe
PID 4888 wrote to memory of 2008	4888	winlogon.exe	winlogon.exe
PID 4888 wrote to memory of 2008	4888	winlogon.exe	winlogon.exe
PID 4888 wrote to memory of 2008	4888	winlogon.exe	winlogon.exe
PID 2008 wrote to memory of 3836	2008	winlogon.exe	folder.exe
PID 2008 wrote to memory of 3836	2008	winlogon.exe	folder.exe
PID 2008 wrote to memory of 3836	2008	winlogon.exe	folder.exe

C:\Users\Admin\AppData\Local\Temp\163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399.exe
"C:\Users\Admin\AppData\Local\Temp\163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399.exe"
1⤵
- Checks computer location settings
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:4824

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Local\Temp\163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399.exe":ZONE.identifier & exit
2⤵
- NTFS ADS
PID:4468

C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
"C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4888

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe":ZONE.identifier & exit
3⤵
- NTFS ADS
PID:4236

C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe"
3⤵
- Executes dropped EXE
PID:3340

C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2008

C:\Users\Admin\AppData\Local\Temp\folder.exe
"C:\Users\Admin\AppData\Local\Temp\folder.exe"
4⤵
- Executes dropped EXE
PID:3836

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399.exe
Filesize
320KB

MD5
4e58b28c75b9b08b0e186092957e2bf0

SHA1
9352d6772eab4356c1179a64a7654a8fbccd33e0

SHA256
163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399

SHA512
1e57bf1f3bdc1f4c83a7dcf30471b3a4b1eb52e5c99795e3b9d2fdbb76c5e3c1ad066ad53917ccc941210f82c10301823f379a52806dcdaa40dfa14a18d4cb92

Download Submit
C:\Users\Admin\AppData\Local\Temp\folder.exe
Filesize
3KB

MD5
0f23e02eee910cca425990e1c2309541

SHA1
ae625a1f94396f82b8179a95873f8007a3e70604

SHA256
9bec436d55d25522e860306343d1617437e2a4fec68b4438282eb60510a7f517

SHA512
c7c88a84e36b32c1c2e6fe3890748f2857b7b4e96ca6a6d543f610446428f15a5f139be8abc577f8afde503c4c5269b5bf33731433be2ecd06a9da4497fd16ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\folder.exe
Filesize
3KB

MD5
0f23e02eee910cca425990e1c2309541

SHA1
ae625a1f94396f82b8179a95873f8007a3e70604

SHA256
9bec436d55d25522e860306343d1617437e2a4fec68b4438282eb60510a7f517

SHA512
c7c88a84e36b32c1c2e6fe3890748f2857b7b4e96ca6a6d543f610446428f15a5f139be8abc577f8afde503c4c5269b5bf33731433be2ecd06a9da4497fd16ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe
Filesize
3KB

MD5
0f23e02eee910cca425990e1c2309541

SHA1
ae625a1f94396f82b8179a95873f8007a3e70604

SHA256
9bec436d55d25522e860306343d1617437e2a4fec68b4438282eb60510a7f517

SHA512
c7c88a84e36b32c1c2e6fe3890748f2857b7b4e96ca6a6d543f610446428f15a5f139be8abc577f8afde503c4c5269b5bf33731433be2ecd06a9da4497fd16ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe
Filesize
3KB

MD5
0f23e02eee910cca425990e1c2309541

SHA1
ae625a1f94396f82b8179a95873f8007a3e70604

SHA256
9bec436d55d25522e860306343d1617437e2a4fec68b4438282eb60510a7f517

SHA512
c7c88a84e36b32c1c2e6fe3890748f2857b7b4e96ca6a6d543f610446428f15a5f139be8abc577f8afde503c4c5269b5bf33731433be2ecd06a9da4497fd16ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe
Filesize
3KB

MD5
0f23e02eee910cca425990e1c2309541

SHA1
ae625a1f94396f82b8179a95873f8007a3e70604

SHA256
9bec436d55d25522e860306343d1617437e2a4fec68b4438282eb60510a7f517

SHA512
c7c88a84e36b32c1c2e6fe3890748f2857b7b4e96ca6a6d543f610446428f15a5f139be8abc577f8afde503c4c5269b5bf33731433be2ecd06a9da4497fd16ed

Download Submit
C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
Filesize
320KB

MD5
4e58b28c75b9b08b0e186092957e2bf0

SHA1
9352d6772eab4356c1179a64a7654a8fbccd33e0

SHA256
163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399

SHA512
1e57bf1f3bdc1f4c83a7dcf30471b3a4b1eb52e5c99795e3b9d2fdbb76c5e3c1ad066ad53917ccc941210f82c10301823f379a52806dcdaa40dfa14a18d4cb92

Download Submit
C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
Filesize
320KB

MD5
4e58b28c75b9b08b0e186092957e2bf0

SHA1
9352d6772eab4356c1179a64a7654a8fbccd33e0

SHA256
163bb35336af099d211753e95823fd7ce30e9520d3735a1ec25749e979f59399

SHA512
1e57bf1f3bdc1f4c83a7dcf30471b3a4b1eb52e5c99795e3b9d2fdbb76c5e3c1ad066ad53917ccc941210f82c10301823f379a52806dcdaa40dfa14a18d4cb92

Download Submit
memory/2008-142-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2008-141-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2008-143-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2008-145-0x000000000040747E-mapping.dmp

Download
memory/2008-148-0x0000000074F20000-0x00000000754D1000-memory.dmp

Filesize
5.7MB

Download
memory/2008-153-0x0000000074F20000-0x00000000754D1000-memory.dmp

Filesize
5.7MB

Download
memory/3836-149-0x0000000000000000-mapping.dmp

Download
memory/3836-152-0x0000000074F20000-0x00000000754D1000-memory.dmp

Filesize
5.7MB

Download
memory/4236-139-0x0000000000000000-mapping.dmp

Download
memory/4468-133-0x0000000000000000-mapping.dmp

Download
memory/4824-132-0x00007FFCC24A0000-0x00007FFCC2ED6000-memory.dmp

Filesize
10.2MB

Download
memory/4888-138-0x00007FFCC24A0000-0x00007FFCC2ED6000-memory.dmp

Filesize
10.2MB

Download
memory/4888-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads