njrat | 5dce060530255df2db5e5dc505f505ad5d169e8c5586c189659a3ca0e8c0459d

General

Target

0edd453764ea4156966727e07bcec79a.exe
Size

47KB
MD5

0edd453764ea4156966727e07bcec79a
SHA1

892d9f39638b3b4046acaab4de5bfacb7335b4a2
SHA256

5dce060530255df2db5e5dc505f505ad5d169e8c5586c189659a3ca0e8c0459d
SHA512

24df614d28993df542caadac6a4c9819a083321fc0babd2ce73467ab53b4bdf5a82658eb84198be61d09ce97b68d1dd73c8f516f34ce8f29edb3103ad1cdda96
SSDEEP

384:wZyqjwolYxOoyi0ytYcm6MNiMFQVa9D9O5UE5QzwBlpJNakkjh/TzF7pWnn1grel:2IouIli0kYDviqWvQO+er+L4X

Score

10^/10

njrat system persistence trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

system

C2

7.tcp.eu.ngrok.io:10504

Mutex

Discord Update

Attributes

reg_key
Discord Update
splitter
|Hassan|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

systemupdate.exe

pid process

1956 systemupdate.exe

pid	process
1956	systemupdate.exe

Drops startup file 2 IoCs

Processes:

systemupdate.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord Update.exe	systemupdate.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord Update.exe	systemupdate.exe

Loads dropped DLL 1 IoCs

Processes:

0edd453764ea4156966727e07bcec79a.exe

pid process

1720 0edd453764ea4156966727e07bcec79a.exe

pid	process
1720	0edd453764ea4156966727e07bcec79a.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

systemupdate.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Discord Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\systemupdate.exe\" .."	systemupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Discord Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\systemupdate.exe\" .."	systemupdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

systemupdate.exe

pid process

1956 systemupdate.exe

pid	process
1956	systemupdate.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

systemupdate.exe

description	pid	process
Token: SeDebugPrivilege	1956	systemupdate.exe
Token: 33	1956	systemupdate.exe
Token: SeIncBasePriorityPrivilege	1956	systemupdate.exe
Token: 33	1956	systemupdate.exe
Token: SeIncBasePriorityPrivilege	1956	systemupdate.exe
Token: 33	1956	systemupdate.exe
Token: SeIncBasePriorityPrivilege	1956	systemupdate.exe
Token: 33	1956	systemupdate.exe
Token: SeIncBasePriorityPrivilege	1956	systemupdate.exe
Token: 33	1956	systemupdate.exe
Token: SeIncBasePriorityPrivilege	1956	systemupdate.exe
Token: 33	1956	systemupdate.exe
Token: SeIncBasePriorityPrivilege	1956	systemupdate.exe
Token: 33	1956	systemupdate.exe
Token: SeIncBasePriorityPrivilege	1956	systemupdate.exe
Token: 33	1956	systemupdate.exe
Token: SeIncBasePriorityPrivilege	1956	systemupdate.exe
Token: 33	1956	systemupdate.exe
Token: SeIncBasePriorityPrivilege	1956	systemupdate.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

0edd453764ea4156966727e07bcec79a.exe

description	pid	process	target process
PID 1720 wrote to memory of 1956	1720	0edd453764ea4156966727e07bcec79a.exe	systemupdate.exe
PID 1720 wrote to memory of 1956	1720	0edd453764ea4156966727e07bcec79a.exe	systemupdate.exe
PID 1720 wrote to memory of 1956	1720	0edd453764ea4156966727e07bcec79a.exe	systemupdate.exe
PID 1720 wrote to memory of 1956	1720	0edd453764ea4156966727e07bcec79a.exe	systemupdate.exe
PID 1720 wrote to memory of 1956	1720	0edd453764ea4156966727e07bcec79a.exe	systemupdate.exe
PID 1720 wrote to memory of 1956	1720	0edd453764ea4156966727e07bcec79a.exe	systemupdate.exe
PID 1720 wrote to memory of 1956	1720	0edd453764ea4156966727e07bcec79a.exe	systemupdate.exe

C:\Users\Admin\AppData\Local\Temp\0edd453764ea4156966727e07bcec79a.exe
"C:\Users\Admin\AppData\Local\Temp\0edd453764ea4156966727e07bcec79a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1720

C:\Users\Admin\AppData\Local\Temp\systemupdate.exe
"C:\Users\Admin\AppData\Local\Temp\systemupdate.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\systemupdate.exe
Filesize
47KB

MD5
0edd453764ea4156966727e07bcec79a

SHA1
892d9f39638b3b4046acaab4de5bfacb7335b4a2

SHA256
5dce060530255df2db5e5dc505f505ad5d169e8c5586c189659a3ca0e8c0459d

SHA512
24df614d28993df542caadac6a4c9819a083321fc0babd2ce73467ab53b4bdf5a82658eb84198be61d09ce97b68d1dd73c8f516f34ce8f29edb3103ad1cdda96

Download Submit
C:\Users\Admin\AppData\Local\Temp\systemupdate.exe
Filesize
47KB

MD5
0edd453764ea4156966727e07bcec79a

SHA1
892d9f39638b3b4046acaab4de5bfacb7335b4a2

SHA256
5dce060530255df2db5e5dc505f505ad5d169e8c5586c189659a3ca0e8c0459d

SHA512
24df614d28993df542caadac6a4c9819a083321fc0babd2ce73467ab53b4bdf5a82658eb84198be61d09ce97b68d1dd73c8f516f34ce8f29edb3103ad1cdda96

Download Submit
\Users\Admin\AppData\Local\Temp\systemupdate.exe
Filesize
47KB

MD5
0edd453764ea4156966727e07bcec79a

SHA1
892d9f39638b3b4046acaab4de5bfacb7335b4a2

SHA256
5dce060530255df2db5e5dc505f505ad5d169e8c5586c189659a3ca0e8c0459d

SHA512
24df614d28993df542caadac6a4c9819a083321fc0babd2ce73467ab53b4bdf5a82658eb84198be61d09ce97b68d1dd73c8f516f34ce8f29edb3103ad1cdda96

Download Submit
memory/1720-54-0x0000000074BB1000-0x0000000074BB3000-memory.dmp

Filesize
8KB

Download
memory/1720-55-0x0000000074300000-0x00000000748AB000-memory.dmp

Filesize
5.7MB

Download
memory/1720-61-0x0000000074300000-0x00000000748AB000-memory.dmp

Filesize
5.7MB

Download
memory/1956-57-0x0000000000000000-mapping.dmp

Download
memory/1956-62-0x0000000074300000-0x00000000748AB000-memory.dmp

Filesize
5.7MB

Download
memory/1956-63-0x0000000074300000-0x00000000748AB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads