njrat | eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9

Analysis

max time kernel
193s
max time network
211s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2022, 00:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe
Size

1003KB
MD5

7246a9eea074161e8ad973fd2906ed6e
SHA1

c204ca7a88601774f11e12daad47ec7d484e4e76
SHA256

eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9
SHA512

7af1a680c26d6074e4b9660de14d5d9249057d4a6c7beec146ce1297163277a2e2e3cc091afeca4e8633ffc0c734c11fc18a82f3b368c1bcac52ce85c7e7413f
SSDEEP

24576:Z5VmxtbjHpREieEYWQh/NFnNSq2weE3/ld2pAgf:ZetbDpREieJWQh1FnNSUeE3/uDf

Score

10^/10

njrat hacked evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

fuckitup.duckdns.org:9500

Mutex

0adadcdb5e6b6e26de0c7929b0a1d3d7

Attributes

reg_key
0adadcdb5e6b6e26de0c7929b0a1d3d7
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 1 IoCs

pid	Process
2648	File.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
4044	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe

Loads dropped DLL 1 IoCs

pid	Process
2648	File.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\BASSMOD.dll	File.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 688 set thread context of 3740	688	eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe	83

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe
File opened for modification	C:\Windows\assembly	eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
688	eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe
688	eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe
688	eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe
688	eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	688	eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe
Token: 33	688	eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe
Token: SeIncBasePriorityPrivilege	688	eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe
Token: 33	2676	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2676	AUDIODG.EXE
Token: SeDebugPrivilege	2648	File.exe
Token: 33	2648	File.exe
Token: SeIncBasePriorityPrivilege	2648	File.exe
Token: 33	2648	File.exe
Token: SeIncBasePriorityPrivilege	2648	File.exe
Token: SeDebugPrivilege	3740	eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe
Token: 33	3740	eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe
Token: SeIncBasePriorityPrivilege	3740	eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe
Token: 33	2648	File.exe
Token: SeIncBasePriorityPrivilege	2648	File.exe
Token: 33	2648	File.exe
Token: SeIncBasePriorityPrivilege	2648	File.exe
Token: 33	2648	File.exe
Token: SeIncBasePriorityPrivilege	2648	File.exe
Token: 33	2648	File.exe
Token: SeIncBasePriorityPrivilege	2648	File.exe
Token: 33	2648	File.exe
Token: SeIncBasePriorityPrivilege	2648	File.exe
Token: 33	2648	File.exe
Token: SeIncBasePriorityPrivilege	2648	File.exe
Token: 33	2648	File.exe
Token: SeIncBasePriorityPrivilege	2648	File.exe
Token: 33	2648	File.exe
Token: SeIncBasePriorityPrivilege	2648	File.exe
Token: 33	2648	File.exe
Token: SeIncBasePriorityPrivilege	2648	File.exe
Token: 33	2648	File.exe
Token: SeIncBasePriorityPrivilege	2648	File.exe
Token: 33	2648	File.exe
Token: SeIncBasePriorityPrivilege	2648	File.exe
Token: 33	2648	File.exe
Token: SeIncBasePriorityPrivilege	2648	File.exe
Token: 33	2648	File.exe
Token: SeIncBasePriorityPrivilege	2648	File.exe
Token: 33	2648	File.exe
Token: SeIncBasePriorityPrivilege	2648	File.exe
Token: 33	2648	File.exe
Token: SeIncBasePriorityPrivilege	2648	File.exe
Token: 33	2648	File.exe
Token: SeIncBasePriorityPrivilege	2648	File.exe
Token: 33	2648	File.exe
Token: SeIncBasePriorityPrivilege	2648	File.exe
Token: 33	2648	File.exe
Token: SeIncBasePriorityPrivilege	2648	File.exe
Token: 33	3740	eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe
Token: SeIncBasePriorityPrivilege	3740	eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe
Token: 33	2648	File.exe
Token: SeIncBasePriorityPrivilege	2648	File.exe
Token: 33	2648	File.exe
Token: SeIncBasePriorityPrivilege	2648	File.exe
Token: 33	2648	File.exe
Token: SeIncBasePriorityPrivilege	2648	File.exe
Token: 33	2648	File.exe
Token: SeIncBasePriorityPrivilege	2648	File.exe
Token: 33	2648	File.exe
Token: SeIncBasePriorityPrivilege	2648	File.exe
Token: 33	3740	eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe
Token: SeIncBasePriorityPrivilege	3740	eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe
Token: 33	2648	File.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 688 wrote to memory of 2648	688	eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe	82
PID 688 wrote to memory of 2648	688	eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe	82
PID 688 wrote to memory of 2648	688	eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe	82
PID 688 wrote to memory of 3740	688	eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe	83
PID 688 wrote to memory of 3740	688	eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe	83
PID 688 wrote to memory of 3740	688	eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe	83
PID 688 wrote to memory of 3740	688	eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe	83
PID 688 wrote to memory of 3740	688	eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe	83
PID 688 wrote to memory of 3740	688	eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe	83
PID 688 wrote to memory of 3740	688	eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe	83
PID 688 wrote to memory of 3740	688	eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe	83
PID 3740 wrote to memory of 4044	3740	eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe	87
PID 3740 wrote to memory of 4044	3740	eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe	87
PID 3740 wrote to memory of 4044	3740	eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe	87

C:\Users\Admin\AppData\Local\Temp\eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe
"C:\Users\Admin\AppData\Local\Temp\eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:688
- C:\Users\Admin\AppData\Local\Temp\File.exe
  "C:\Users\Admin\AppData\Local\Temp\File.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2648
- C:\Users\Admin\AppData\Local\Temp\eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe
  C:\Users\Admin\AppData\Local\Temp\eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3740
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe" "eeb4d8700a4795e2b84f7ae509f1ce0e62b4f525e354a21f45c66425b11f3ba9.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:4044

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x304 0x49c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
152KB

MD5
86876e49f7f1f48e5c57fddd3b39f21a

SHA1
d6069a67f5d43d1a8db62d4d3cc03dddd6c682d1

SHA256
e8460de213cc97a76809d029862435d32c9c2a720a8271b244b5a9971023e6ec

SHA512
11d64930dae3b9e6d42b40c4b15af1155a0fad2e22cd28f49bc03e25775cc99ec7f5df1d643db49dcb6f7e2ff1cf251624d2c57bc4fdb149bdfa05c78b14128c

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
152KB

MD5
86876e49f7f1f48e5c57fddd3b39f21a

SHA1
d6069a67f5d43d1a8db62d4d3cc03dddd6c682d1

SHA256
e8460de213cc97a76809d029862435d32c9c2a720a8271b244b5a9971023e6ec

SHA512
11d64930dae3b9e6d42b40c4b15af1155a0fad2e22cd28f49bc03e25775cc99ec7f5df1d643db49dcb6f7e2ff1cf251624d2c57bc4fdb149bdfa05c78b14128c

Download Submit
C:\Windows\SysWOW64\BASSMOD.dll

Filesize
33KB

MD5
e4ec57e8508c5c4040383ebe6d367928

SHA1
b22bcce36d9fdeae8ab7a7ecc0b01c8176648d06

SHA256
8ad9e47693e292f381da42ddc13724a3063040e51c26f4ca8e1f8e2f1ddd547f

SHA512
77d5cf66caf06e192e668fae2b2594e60a498e8e0ccef5b09b9710721a4cdb0c852d00c446fd32c5b5c85e739de2e73cb1f1f6044879fe7d237341bbb6f27822

Download Submit
memory/688-144-0x0000000074CE0000-0x0000000075291000-memory.dmp

Filesize
5.7MB

Download
memory/688-133-0x0000000074CE0000-0x0000000075291000-memory.dmp

Filesize
5.7MB

Download
memory/688-132-0x0000000074CE0000-0x0000000075291000-memory.dmp

Filesize
5.7MB

Download
memory/2648-147-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2648-139-0x0000000074CE0000-0x0000000075291000-memory.dmp

Filesize
5.7MB

Download
memory/2648-145-0x0000000074CE0000-0x0000000075291000-memory.dmp

Filesize
5.7MB

Download
memory/2648-142-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/3740-138-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3740-141-0x0000000074CE0000-0x0000000075291000-memory.dmp

Filesize
5.7MB

Download
memory/3740-146-0x0000000074CE0000-0x0000000075291000-memory.dmp

Filesize
5.7MB

Download