njrat | f370694edebc6fea374b0ff45057d3d81d697422972c51ec9a27ab531cd39b3b

General

Target

Extreme.Injector.v2.4.5.-.by.master131.exe
Size

164KB
MD5

2fd45c4572749ca9537fde2dadf1b8dd
SHA1

77fce1f2295d640962321c15e628f374525f6689
SHA256

f370694edebc6fea374b0ff45057d3d81d697422972c51ec9a27ab531cd39b3b
SHA512

7bfae6a212ddd96f58253960d5ddfdb217a1a39674e4927c43637a90466a841229303f080fbbce97e6dc30eb4b1b47909fa965072219ab6b35e7fd86e763a31f
SSDEEP

3072:hodc4/cHmSPrcerD+fR6DBBLzy7zRJZGuQkIJ4gRqE2uIE28uEwBZSZbM1hePf:mdHeDtUZabmO

Score

10^/10

njrat persistence trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

Google Crash Handler.exe

pid process

536 Google Crash Handler.exe

pid	process
536	Google Crash Handler.exe

Drops startup file 2 IoCs

Processes:

Google Crash Handler.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google Crash Handler.exe	Google Crash Handler.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google Crash Handler.exe	Google Crash Handler.exe

Loads dropped DLL 1 IoCs

Processes:

Extreme.Injector.v2.4.5.-.by.master131.exe

pid process

1720 Extreme.Injector.v2.4.5.-.by.master131.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Google Crash Handler.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Google Crash Handler.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Google Crash Handler.exe\" .."	Google Crash Handler.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Crash Handler.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Google Crash Handler.exe\" .."	Google Crash Handler.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

968 schtasks.exe
1536 schtasks.exe
792 schtasks.exe
1688 schtasks.exe

pid	process
968	schtasks.exe
1536	schtasks.exe
792	schtasks.exe
1688	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Extreme.Injector.v2.4.5.-.by.master131.exe

pid	process
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe
1720	Extreme.Injector.v2.4.5.-.by.master131.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

Extreme.Injector.v2.4.5.-.by.master131.exeGoogle Crash Handler.exe

description	pid	process
Token: SeDebugPrivilege	1720	Extreme.Injector.v2.4.5.-.by.master131.exe
Token: SeDebugPrivilege	536	Google Crash Handler.exe
Token: 33	536	Google Crash Handler.exe
Token: SeIncBasePriorityPrivilege	536	Google Crash Handler.exe
Token: 33	536	Google Crash Handler.exe
Token: SeIncBasePriorityPrivilege	536	Google Crash Handler.exe
Token: 33	536	Google Crash Handler.exe
Token: SeIncBasePriorityPrivilege	536	Google Crash Handler.exe
Token: 33	536	Google Crash Handler.exe
Token: SeIncBasePriorityPrivilege	536	Google Crash Handler.exe
Token: 33	536	Google Crash Handler.exe
Token: SeIncBasePriorityPrivilege	536	Google Crash Handler.exe
Token: 33	536	Google Crash Handler.exe
Token: SeIncBasePriorityPrivilege	536	Google Crash Handler.exe
Token: 33	536	Google Crash Handler.exe
Token: SeIncBasePriorityPrivilege	536	Google Crash Handler.exe
Token: 33	536	Google Crash Handler.exe
Token: SeIncBasePriorityPrivilege	536	Google Crash Handler.exe
Token: 33	536	Google Crash Handler.exe
Token: SeIncBasePriorityPrivilege	536	Google Crash Handler.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

Extreme.Injector.v2.4.5.-.by.master131.exeGoogle Crash Handler.exe

description	pid	process	target process
PID 1720 wrote to memory of 1728	1720	Extreme.Injector.v2.4.5.-.by.master131.exe	schtasks.exe
PID 1720 wrote to memory of 1728	1720	Extreme.Injector.v2.4.5.-.by.master131.exe	schtasks.exe
PID 1720 wrote to memory of 1728	1720	Extreme.Injector.v2.4.5.-.by.master131.exe	schtasks.exe
PID 1720 wrote to memory of 1728	1720	Extreme.Injector.v2.4.5.-.by.master131.exe	schtasks.exe
PID 1720 wrote to memory of 1688	1720	Extreme.Injector.v2.4.5.-.by.master131.exe	schtasks.exe
PID 1720 wrote to memory of 1688	1720	Extreme.Injector.v2.4.5.-.by.master131.exe	schtasks.exe
PID 1720 wrote to memory of 1688	1720	Extreme.Injector.v2.4.5.-.by.master131.exe	schtasks.exe
PID 1720 wrote to memory of 1688	1720	Extreme.Injector.v2.4.5.-.by.master131.exe	schtasks.exe
PID 1720 wrote to memory of 368	1720	Extreme.Injector.v2.4.5.-.by.master131.exe	schtasks.exe
PID 1720 wrote to memory of 368	1720	Extreme.Injector.v2.4.5.-.by.master131.exe	schtasks.exe
PID 1720 wrote to memory of 368	1720	Extreme.Injector.v2.4.5.-.by.master131.exe	schtasks.exe
PID 1720 wrote to memory of 368	1720	Extreme.Injector.v2.4.5.-.by.master131.exe	schtasks.exe
PID 1720 wrote to memory of 968	1720	Extreme.Injector.v2.4.5.-.by.master131.exe	schtasks.exe
PID 1720 wrote to memory of 968	1720	Extreme.Injector.v2.4.5.-.by.master131.exe	schtasks.exe
PID 1720 wrote to memory of 968	1720	Extreme.Injector.v2.4.5.-.by.master131.exe	schtasks.exe
PID 1720 wrote to memory of 968	1720	Extreme.Injector.v2.4.5.-.by.master131.exe	schtasks.exe
PID 1720 wrote to memory of 536	1720	Extreme.Injector.v2.4.5.-.by.master131.exe	Google Crash Handler.exe
PID 1720 wrote to memory of 536	1720	Extreme.Injector.v2.4.5.-.by.master131.exe	Google Crash Handler.exe
PID 1720 wrote to memory of 536	1720	Extreme.Injector.v2.4.5.-.by.master131.exe	Google Crash Handler.exe
PID 1720 wrote to memory of 536	1720	Extreme.Injector.v2.4.5.-.by.master131.exe	Google Crash Handler.exe
PID 536 wrote to memory of 824	536	Google Crash Handler.exe	schtasks.exe
PID 536 wrote to memory of 824	536	Google Crash Handler.exe	schtasks.exe
PID 536 wrote to memory of 824	536	Google Crash Handler.exe	schtasks.exe
PID 536 wrote to memory of 824	536	Google Crash Handler.exe	schtasks.exe
PID 536 wrote to memory of 1536	536	Google Crash Handler.exe	schtasks.exe
PID 536 wrote to memory of 1536	536	Google Crash Handler.exe	schtasks.exe
PID 536 wrote to memory of 1536	536	Google Crash Handler.exe	schtasks.exe
PID 536 wrote to memory of 1536	536	Google Crash Handler.exe	schtasks.exe
PID 536 wrote to memory of 1948	536	Google Crash Handler.exe	schtasks.exe
PID 536 wrote to memory of 1948	536	Google Crash Handler.exe	schtasks.exe
PID 536 wrote to memory of 1948	536	Google Crash Handler.exe	schtasks.exe
PID 536 wrote to memory of 1948	536	Google Crash Handler.exe	schtasks.exe
PID 536 wrote to memory of 792	536	Google Crash Handler.exe	schtasks.exe
PID 536 wrote to memory of 792	536	Google Crash Handler.exe	schtasks.exe
PID 536 wrote to memory of 792	536	Google Crash Handler.exe	schtasks.exe
PID 536 wrote to memory of 792	536	Google Crash Handler.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\Extreme.Injector.v2.4.5.-.by.master131.exe
"C:\Users\Admin\AppData\Local\Temp\Extreme.Injector.v2.4.5.-.by.master131.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYANP /F
2⤵
PID:1728

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYANP /tr "C:\Users\Admin\AppData\Local\Temp\Extreme.Injector.v2.4.5.-.by.master131.exe" /sc minute /mo 5
2⤵
- Creates scheduled task(s)
PID:1688

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
2⤵
PID:368

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\Extreme.Injector.v2.4.5.-.by.master131.exe" /sc minute /mo 1
2⤵
- Creates scheduled task(s)
PID:968

C:\Users\Admin\AppData\Roaming\Google Crash Handler.exe
"C:\Users\Admin\AppData\Roaming\Google Crash Handler.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:536

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYANP /F
3⤵
PID:824

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYANP /tr "C:\Users\Admin\AppData\Roaming\Google Crash Handler.exe" /sc minute /mo 5
3⤵
- Creates scheduled task(s)
PID:1536

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
3⤵
PID:1948

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Roaming\Google Crash Handler.exe" /sc minute /mo 1
3⤵
- Creates scheduled task(s)
PID:792

C:\Windows\system32\taskeng.exe
taskeng.exe {6D23BCC8-4E22-4E78-886D-25D582292D06} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
1⤵
PID:756

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Google Crash Handler.exe
Filesize
164KB

MD5
2fd45c4572749ca9537fde2dadf1b8dd

SHA1
77fce1f2295d640962321c15e628f374525f6689

SHA256
f370694edebc6fea374b0ff45057d3d81d697422972c51ec9a27ab531cd39b3b

SHA512
7bfae6a212ddd96f58253960d5ddfdb217a1a39674e4927c43637a90466a841229303f080fbbce97e6dc30eb4b1b47909fa965072219ab6b35e7fd86e763a31f

Download Submit
C:\Users\Admin\AppData\Roaming\Google Crash Handler.exe
Filesize
164KB

MD5
2fd45c4572749ca9537fde2dadf1b8dd

SHA1
77fce1f2295d640962321c15e628f374525f6689

SHA256
f370694edebc6fea374b0ff45057d3d81d697422972c51ec9a27ab531cd39b3b

SHA512
7bfae6a212ddd96f58253960d5ddfdb217a1a39674e4927c43637a90466a841229303f080fbbce97e6dc30eb4b1b47909fa965072219ab6b35e7fd86e763a31f

Download Submit
\Users\Admin\AppData\Roaming\Google Crash Handler.exe
Filesize
164KB

MD5
2fd45c4572749ca9537fde2dadf1b8dd

SHA1
77fce1f2295d640962321c15e628f374525f6689

SHA256
f370694edebc6fea374b0ff45057d3d81d697422972c51ec9a27ab531cd39b3b

SHA512
7bfae6a212ddd96f58253960d5ddfdb217a1a39674e4927c43637a90466a841229303f080fbbce97e6dc30eb4b1b47909fa965072219ab6b35e7fd86e763a31f

Download Submit
memory/368-58-0x0000000000000000-mapping.dmp

Download
memory/536-75-0x00000000000F0000-0x0000000000130000-memory.dmp

Filesize
256KB

Download
memory/536-74-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/536-73-0x00000000000F0000-0x0000000000130000-memory.dmp

Filesize
256KB

Download
memory/536-69-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/536-62-0x0000000000000000-mapping.dmp

Download
memory/792-72-0x0000000000000000-mapping.dmp

Download
memory/824-68-0x0000000000000000-mapping.dmp

Download
memory/968-59-0x0000000000000000-mapping.dmp

Download
memory/1536-70-0x0000000000000000-mapping.dmp

Download
memory/1688-57-0x0000000000000000-mapping.dmp

Download
memory/1720-67-0x00000000004C5000-0x00000000004D6000-memory.dmp

Filesize
68KB

Download
memory/1720-66-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/1720-60-0x00000000004C5000-0x00000000004D6000-memory.dmp

Filesize
68KB

Download
memory/1720-54-0x0000000074B51000-0x0000000074B53000-memory.dmp

Filesize
8KB

Download
memory/1720-56-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/1728-55-0x0000000000000000-mapping.dmp

Download
memory/1948-71-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads