njrat | 60608e45d331927b114d3f72cfd78d324f74624da77659bfb51fc3fab3694d09

General

Target

60608e45d331927b114d3f72cfd78d324f74624da77659bfb51fc3fab3694d09.exe
Size

1004KB
MD5

d8fda79b33ad8f9c064d5e34d7d531cc
SHA1

d6cf699c77a1f09282ebdbd54558a693d3d8f8a1
SHA256

60608e45d331927b114d3f72cfd78d324f74624da77659bfb51fc3fab3694d09
SHA512

5edb485e9e4f1a28bd3439a0486e294de0c7e092d1df2f6f555f90751b269f2a5cb904ed6d0245a5d53c693c8b3df2165ecd536f8a09b3a14ee964bba5321f9b
SSDEEP

12288:hK2mhAMJ/cPlcp8vxN+dF18h7UZYE82Y5UKUL4n4y3Xp3SbSl4haiE:Q2O/Glcp85NWS7g6zwm4m53Sb24JE

Score

10^/10

njrat billy evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

BILLY

C2

yorkiepet.ddns.net:770

Mutex

90ff45fa0a0eb5c410aa83abde1bbdcd

Attributes

reg_key
90ff45fa0a0eb5c410aa83abde1bbdcd
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

dacorcy.exe

pid process

4104 dacorcy.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1028 netsh.exe

pid	process
1028	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

60608e45d331927b114d3f72cfd78d324f74624da77659bfb51fc3fab3694d09.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	60608e45d331927b114d3f72cfd78d324f74624da77659bfb51fc3fab3694d09.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dacorcy.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	dacorcy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\C:\Users\Admin\BU8271~1 = "C:\\Users\\Admin\\BU8271~1\\nslgdr.vbs"	dacorcy.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

dacorcy.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA dacorcy.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

dacorcy.exe

description pid process target process

PID 4104 set thread context of 1648 4104 dacorcy.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dacorcy.exe

description	pid	process	target process
PID 4104 set thread context of 1648	4104	dacorcy.exe	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

dacorcy.exe

pid	process
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe
4104	dacorcy.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

dacorcy.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: SeDebugPrivilege	1648	RegSvcs.exe
Token: 33	1648	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1648	RegSvcs.exe
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: 33	1648	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1648	RegSvcs.exe
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: SeDebugPrivilege	4104	dacorcy.exe
Token: SeDebugPrivilege	4104	dacorcy.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

60608e45d331927b114d3f72cfd78d324f74624da77659bfb51fc3fab3694d09.exedacorcy.exeRegSvcs.exe

description	pid	process	target process
PID 2424 wrote to memory of 4104	2424	60608e45d331927b114d3f72cfd78d324f74624da77659bfb51fc3fab3694d09.exe	dacorcy.exe
PID 2424 wrote to memory of 4104	2424	60608e45d331927b114d3f72cfd78d324f74624da77659bfb51fc3fab3694d09.exe	dacorcy.exe
PID 2424 wrote to memory of 4104	2424	60608e45d331927b114d3f72cfd78d324f74624da77659bfb51fc3fab3694d09.exe	dacorcy.exe
PID 4104 wrote to memory of 1648	4104	dacorcy.exe	RegSvcs.exe
PID 4104 wrote to memory of 1648	4104	dacorcy.exe	RegSvcs.exe
PID 4104 wrote to memory of 1648	4104	dacorcy.exe	RegSvcs.exe
PID 4104 wrote to memory of 1648	4104	dacorcy.exe	RegSvcs.exe
PID 4104 wrote to memory of 1648	4104	dacorcy.exe	RegSvcs.exe
PID 4104 wrote to memory of 1648	4104	dacorcy.exe	RegSvcs.exe
PID 4104 wrote to memory of 1648	4104	dacorcy.exe	RegSvcs.exe
PID 4104 wrote to memory of 1648	4104	dacorcy.exe	RegSvcs.exe
PID 1648 wrote to memory of 1028	1648	RegSvcs.exe	netsh.exe
PID 1648 wrote to memory of 1028	1648	RegSvcs.exe	netsh.exe
PID 1648 wrote to memory of 1028	1648	RegSvcs.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\60608e45d331927b114d3f72cfd78d324f74624da77659bfb51fc3fab3694d09.exe
"C:\Users\Admin\AppData\Local\Temp\60608e45d331927b114d3f72cfd78d324f74624da77659bfb51fc3fab3694d09.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2424

C:\Users\Admin\bu82712949adhi\dacorcy.exe
"C:\Users\Admin\bu82712949adhi\dacorcy.exe" jozngrpxthpu
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4104

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" "RegSvcs.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:1028

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\BU8271~1\lvgefuwxc.ELF
Filesize
175B

MD5
7c70e81a236c0010a36dc156d81bf960

SHA1
1ed6ff2c1b58fb69aa29d1890a78e9b853373cbd

SHA256
8899c78153e7957715dba83d72daa00af4a4af1f462bbf544a1d974349f8539c

SHA512
e3e8626232da5cb5b70ef8260388689f16d71f7e73d927a34eaca5c463cece8ceba877d3ed62df74e46aa1430bbad833f085d342b360ae6ac2a40e08abc757a7

Download Submit
C:\Users\Admin\BU8271~1\wtpq.CVI
Filesize
23KB

MD5
dfe20a533e594f216ce1b47c0b871e78

SHA1
dbe407d172635250141e6fc93276bd98bf5e0556

SHA256
a5361fc86f1476823e5f3e1e1b3b726270f5624186e49c29b36603e147d64bd8

SHA512
930a3c2f4b9a2d66348b3ea69b02b28a54004600115049913b3e3c1334e93caf2306007e5c40e596126e61e2ba1b2c0832a020349e983ed53bbb6e43535089f0

Download Submit
C:\Users\Admin\bu82712949adhi\dacorcy.exe
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\bu82712949adhi\dacorcy.exe
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\bu82712949adhi\jozngrpxthpu
Filesize
306.2MB

MD5
aff787634fb5b108d751eb5d52dbc3ce

SHA1
a84983d6f2474d423041cc7afa23ffe4481b509b

SHA256
27abc51e5bb387d2df09a99a12366f7a80f3254877875776fb2b670984a04b60

SHA512
66b7523321e46270d611ea907a537538e057521333093c5f87465567c8aa2068edc0635a2735b90ca3538d427e334c91a89e299263b9d830d09a470074ce05a5

Download Submit
memory/1028-141-0x0000000000000000-mapping.dmp

Download
memory/1648-138-0x0000000000000000-mapping.dmp

Download
memory/1648-139-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1648-140-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/1648-142-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/4104-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads