njrat | 6e1ebf0254015cbfe98dc308aaa75dd346309633e179f812174e564fb4b648ec

General

Target

a1a64f8671681ba96b48cfd025a42449.exe
Size

27KB
MD5

a1a64f8671681ba96b48cfd025a42449
SHA1

13369f1d952151f24a50ab3506ad1541677f46e3
SHA256

6e1ebf0254015cbfe98dc308aaa75dd346309633e179f812174e564fb4b648ec
SHA512

d8fb283df634142ddb696dcfe82fa7530cf0a1cdf35cafed29a45c4de27db799014ba3fdec1ef8226bd28f6ebd3856ba1d7518f1789a6bc0dac8521fc60a0bb6
SSDEEP

384:EL0M2XwBNOaLNOFs/Av2yeCP1BBvMl7AQk93vmhm7UMKmIEecKdbXTzm9bVhcaSy:St220U0Wl7A/vMHTi9bD

Score

10^/10

njrat oliver persistence trojan

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

Oliver

C2

3.126.224.214:19586

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

GeneratorV5Full.exe

pid process

768 GeneratorV5Full.exe

pid	process
768	GeneratorV5Full.exe

Drops startup file 2 IoCs

Processes:

a1a64f8671681ba96b48cfd025a42449.exeGeneratorV5Full.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	a1a64f8671681ba96b48cfd025a42449.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	GeneratorV5Full.exe

Loads dropped DLL 1 IoCs

Processes:

a1a64f8671681ba96b48cfd025a42449.exe

pid process

1672 a1a64f8671681ba96b48cfd025a42449.exe

pid	process
1672	a1a64f8671681ba96b48cfd025a42449.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a1a64f8671681ba96b48cfd025a42449.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GeneratorV5Full.exe"	a1a64f8671681ba96b48cfd025a42449.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

GeneratorV5Full.exe

description	pid	process
Token: SeDebugPrivilege	768	GeneratorV5Full.exe
Token: 33	768	GeneratorV5Full.exe
Token: SeIncBasePriorityPrivilege	768	GeneratorV5Full.exe
Token: 33	768	GeneratorV5Full.exe
Token: SeIncBasePriorityPrivilege	768	GeneratorV5Full.exe
Token: 33	768	GeneratorV5Full.exe
Token: SeIncBasePriorityPrivilege	768	GeneratorV5Full.exe
Token: 33	768	GeneratorV5Full.exe
Token: SeIncBasePriorityPrivilege	768	GeneratorV5Full.exe
Token: 33	768	GeneratorV5Full.exe
Token: SeIncBasePriorityPrivilege	768	GeneratorV5Full.exe
Token: 33	768	GeneratorV5Full.exe
Token: SeIncBasePriorityPrivilege	768	GeneratorV5Full.exe
Token: 33	768	GeneratorV5Full.exe
Token: SeIncBasePriorityPrivilege	768	GeneratorV5Full.exe
Token: 33	768	GeneratorV5Full.exe
Token: SeIncBasePriorityPrivilege	768	GeneratorV5Full.exe
Token: 33	768	GeneratorV5Full.exe
Token: SeIncBasePriorityPrivilege	768	GeneratorV5Full.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

a1a64f8671681ba96b48cfd025a42449.exe

description	pid	process	target process
PID 1672 wrote to memory of 768	1672	a1a64f8671681ba96b48cfd025a42449.exe	GeneratorV5Full.exe
PID 1672 wrote to memory of 768	1672	a1a64f8671681ba96b48cfd025a42449.exe	GeneratorV5Full.exe
PID 1672 wrote to memory of 768	1672	a1a64f8671681ba96b48cfd025a42449.exe	GeneratorV5Full.exe
PID 1672 wrote to memory of 768	1672	a1a64f8671681ba96b48cfd025a42449.exe	GeneratorV5Full.exe
PID 1672 wrote to memory of 1704	1672	a1a64f8671681ba96b48cfd025a42449.exe	attrib.exe
PID 1672 wrote to memory of 1704	1672	a1a64f8671681ba96b48cfd025a42449.exe	attrib.exe
PID 1672 wrote to memory of 1704	1672	a1a64f8671681ba96b48cfd025a42449.exe	attrib.exe
PID 1672 wrote to memory of 1704	1672	a1a64f8671681ba96b48cfd025a42449.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1704 attrib.exe

pid	process
1704	attrib.exe

C:\Users\Admin\AppData\Local\Temp\a1a64f8671681ba96b48cfd025a42449.exe
"C:\Users\Admin\AppData\Local\Temp\a1a64f8671681ba96b48cfd025a42449.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1672

C:\Users\Admin\AppData\Local\Temp\GeneratorV5Full.exe
"C:\Users\Admin\AppData\Local\Temp\GeneratorV5Full.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:768

C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\GeneratorV5Full.exe"
2⤵
- Views/modifies file attributes
PID:1704

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Hidden Files and Directories

1

T1158

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GeneratorV5Full.exe
Filesize
27KB

MD5
a1a64f8671681ba96b48cfd025a42449

SHA1
13369f1d952151f24a50ab3506ad1541677f46e3

SHA256
6e1ebf0254015cbfe98dc308aaa75dd346309633e179f812174e564fb4b648ec

SHA512
d8fb283df634142ddb696dcfe82fa7530cf0a1cdf35cafed29a45c4de27db799014ba3fdec1ef8226bd28f6ebd3856ba1d7518f1789a6bc0dac8521fc60a0bb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\GeneratorV5Full.exe
Filesize
27KB

MD5
a1a64f8671681ba96b48cfd025a42449

SHA1
13369f1d952151f24a50ab3506ad1541677f46e3

SHA256
6e1ebf0254015cbfe98dc308aaa75dd346309633e179f812174e564fb4b648ec

SHA512
d8fb283df634142ddb696dcfe82fa7530cf0a1cdf35cafed29a45c4de27db799014ba3fdec1ef8226bd28f6ebd3856ba1d7518f1789a6bc0dac8521fc60a0bb6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
Filesize
1KB

MD5
c1452b52650e680e2944d95c147792c4

SHA1
ea43c2c65dab0025bc6baf7204e53a753dd0040a

SHA256
2b6435f7e773215e1baaebfc6a99248d4a2957a361f5d21116eda472e8b8a83b

SHA512
22008295d0f01273bd10f913f2daf36dea199e7ba39c688b7aac7d7f0ac1696fe0563c24d611d538f0f177b6e97c723c95372d3b9a0148aea135a99507c7fbdb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
Filesize
1014B

MD5
0c43f3ae1462959c3b025fbc4b160134

SHA1
e7663491e99fede430a82ec32158b53c7b79472e

SHA256
8a86b2987e0ea6127f8f88520767b236d015287aa9d6bcaafc114eca95d32586

SHA512
4e97ce677aba702c938700fc23452dc408058f68054a84de915861da90dc4a9f34650facaf04ec4beac150d4a56be8ff95aafe730ad010bbf1fadb6c484aa05c

Download Submit
\Users\Admin\AppData\Local\Temp\GeneratorV5Full.exe
Filesize
27KB

MD5
a1a64f8671681ba96b48cfd025a42449

SHA1
13369f1d952151f24a50ab3506ad1541677f46e3

SHA256
6e1ebf0254015cbfe98dc308aaa75dd346309633e179f812174e564fb4b648ec

SHA512
d8fb283df634142ddb696dcfe82fa7530cf0a1cdf35cafed29a45c4de27db799014ba3fdec1ef8226bd28f6ebd3856ba1d7518f1789a6bc0dac8521fc60a0bb6

Download Submit
memory/768-57-0x0000000000000000-mapping.dmp

Download
memory/768-65-0x0000000074170000-0x000000007471B000-memory.dmp

Filesize
5.7MB

Download
memory/768-66-0x0000000074170000-0x000000007471B000-memory.dmp

Filesize
5.7MB

Download
memory/1672-54-0x0000000075111000-0x0000000075113000-memory.dmp

Filesize
8KB

Download
memory/1672-55-0x0000000074170000-0x000000007471B000-memory.dmp

Filesize
5.7MB

Download
memory/1672-62-0x0000000074170000-0x000000007471B000-memory.dmp

Filesize
5.7MB

Download
memory/1704-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads