njrat | 5dce060530255df2db5e5dc505f505ad5d169e8c5586c189659a3ca0e8c0459d

General

Target

0edd453764ea4156966727e07bcec79a.exe
Size

47KB
MD5

0edd453764ea4156966727e07bcec79a
SHA1

892d9f39638b3b4046acaab4de5bfacb7335b4a2
SHA256

5dce060530255df2db5e5dc505f505ad5d169e8c5586c189659a3ca0e8c0459d
SHA512

24df614d28993df542caadac6a4c9819a083321fc0babd2ce73467ab53b4bdf5a82658eb84198be61d09ce97b68d1dd73c8f516f34ce8f29edb3103ad1cdda96
SSDEEP

384:wZyqjwolYxOoyi0ytYcm6MNiMFQVa9D9O5UE5QzwBlpJNakkjh/TzF7pWnn1grel:2IouIli0kYDviqWvQO+er+L4X

Score

10^/10

njrat system persistence trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

system

C2

7.tcp.eu.ngrok.io:10504

Mutex

Discord Update

Attributes

reg_key
Discord Update
splitter
|Hassan|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

systemupdate.exe

pid process

532 systemupdate.exe

pid	process
532	systemupdate.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0edd453764ea4156966727e07bcec79a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	0edd453764ea4156966727e07bcec79a.exe

Drops startup file 2 IoCs

Processes:

systemupdate.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord Update.exe	systemupdate.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord Update.exe	systemupdate.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

systemupdate.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Discord Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\systemupdate.exe\" .."	systemupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Discord Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\systemupdate.exe\" .."	systemupdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

0edd453764ea4156966727e07bcec79a.exesystemupdate.exe

pid process

4808 0edd453764ea4156966727e07bcec79a.exe
532 systemupdate.exe

pid	process
4808	0edd453764ea4156966727e07bcec79a.exe
532	systemupdate.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

systemupdate.exe

description	pid	process
Token: SeDebugPrivilege	532	systemupdate.exe
Token: 33	532	systemupdate.exe
Token: SeIncBasePriorityPrivilege	532	systemupdate.exe
Token: 33	532	systemupdate.exe
Token: SeIncBasePriorityPrivilege	532	systemupdate.exe
Token: 33	532	systemupdate.exe
Token: SeIncBasePriorityPrivilege	532	systemupdate.exe
Token: 33	532	systemupdate.exe
Token: SeIncBasePriorityPrivilege	532	systemupdate.exe
Token: 33	532	systemupdate.exe
Token: SeIncBasePriorityPrivilege	532	systemupdate.exe
Token: 33	532	systemupdate.exe
Token: SeIncBasePriorityPrivilege	532	systemupdate.exe
Token: 33	532	systemupdate.exe
Token: SeIncBasePriorityPrivilege	532	systemupdate.exe
Token: 33	532	systemupdate.exe
Token: SeIncBasePriorityPrivilege	532	systemupdate.exe
Token: 33	532	systemupdate.exe
Token: SeIncBasePriorityPrivilege	532	systemupdate.exe
Token: 33	532	systemupdate.exe
Token: SeIncBasePriorityPrivilege	532	systemupdate.exe
Token: 33	532	systemupdate.exe
Token: SeIncBasePriorityPrivilege	532	systemupdate.exe
Token: 33	532	systemupdate.exe
Token: SeIncBasePriorityPrivilege	532	systemupdate.exe
Token: 33	532	systemupdate.exe
Token: SeIncBasePriorityPrivilege	532	systemupdate.exe
Token: 33	532	systemupdate.exe
Token: SeIncBasePriorityPrivilege	532	systemupdate.exe
Token: 33	532	systemupdate.exe
Token: SeIncBasePriorityPrivilege	532	systemupdate.exe
Token: 33	532	systemupdate.exe
Token: SeIncBasePriorityPrivilege	532	systemupdate.exe
Token: 33	532	systemupdate.exe
Token: SeIncBasePriorityPrivilege	532	systemupdate.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

0edd453764ea4156966727e07bcec79a.exe

description	pid	process	target process
PID 4808 wrote to memory of 532	4808	0edd453764ea4156966727e07bcec79a.exe	systemupdate.exe
PID 4808 wrote to memory of 532	4808	0edd453764ea4156966727e07bcec79a.exe	systemupdate.exe
PID 4808 wrote to memory of 532	4808	0edd453764ea4156966727e07bcec79a.exe	systemupdate.exe

C:\Users\Admin\AppData\Local\Temp\0edd453764ea4156966727e07bcec79a.exe
"C:\Users\Admin\AppData\Local\Temp\0edd453764ea4156966727e07bcec79a.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:4808

C:\Users\Admin\AppData\Local\Temp\systemupdate.exe
"C:\Users\Admin\AppData\Local\Temp\systemupdate.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:532

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\systemupdate.exe
Filesize
47KB

MD5
0edd453764ea4156966727e07bcec79a

SHA1
892d9f39638b3b4046acaab4de5bfacb7335b4a2

SHA256
5dce060530255df2db5e5dc505f505ad5d169e8c5586c189659a3ca0e8c0459d

SHA512
24df614d28993df542caadac6a4c9819a083321fc0babd2ce73467ab53b4bdf5a82658eb84198be61d09ce97b68d1dd73c8f516f34ce8f29edb3103ad1cdda96

Download Submit
C:\Users\Admin\AppData\Local\Temp\systemupdate.exe
Filesize
47KB

MD5
0edd453764ea4156966727e07bcec79a

SHA1
892d9f39638b3b4046acaab4de5bfacb7335b4a2

SHA256
5dce060530255df2db5e5dc505f505ad5d169e8c5586c189659a3ca0e8c0459d

SHA512
24df614d28993df542caadac6a4c9819a083321fc0babd2ce73467ab53b4bdf5a82658eb84198be61d09ce97b68d1dd73c8f516f34ce8f29edb3103ad1cdda96

Download Submit
memory/532-133-0x0000000000000000-mapping.dmp

Download
memory/532-137-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/532-138-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/4808-132-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/4808-136-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads