njrat | 15d5605f08420bd6b2ed02d9e08885e442c3f3e0bd4423b2ca7450f593799963

Analysis

max time kernel
149s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
31-01-2023 16:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

xs6Wrp6hsMa5.exe
Size

32KB
MD5

9bb347432d6e8b9547423d3669480fea
SHA1

7fce085a31c86c3fadd50c4112de8a29ce6f56d3
SHA256

15d5605f08420bd6b2ed02d9e08885e442c3f3e0bd4423b2ca7450f593799963
SHA512

ba9bffb9b02941e464df8f4516067f18de769e56d1cfcce16e7c067b7bc07567a7e18ab3e22ebe5c3b662eeafbd71d2e9a01a17f2d6bb373a8a4b75842e88384
SSDEEP

384:I0bUe5XB4e0XmOntlXCpF7r/HWTztTUFQqzFfObbT:9T9Bu1tlQQ1bT

Score

10^/10

njrat nyan cat trojan

Malware Config

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

127.0.0.1:5552

Mutex

ea3787d063a

Attributes

reg_key
ea3787d063a
splitter
@!#&^%$

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 1 IoCs

pid	Process
2392	tmpFBE4.tmp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	xs6Wrp6hsMa5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeDebugPrivilege	4664	xs6Wrp6hsMa5.exe
Token: 33	4664	xs6Wrp6hsMa5.exe
Token: SeIncBasePriorityPrivilege	4664	xs6Wrp6hsMa5.exe
Token: 33	4664	xs6Wrp6hsMa5.exe
Token: SeIncBasePriorityPrivilege	4664	xs6Wrp6hsMa5.exe
Token: 33	4664	xs6Wrp6hsMa5.exe
Token: SeIncBasePriorityPrivilege	4664	xs6Wrp6hsMa5.exe
Token: 33	4664	xs6Wrp6hsMa5.exe
Token: SeIncBasePriorityPrivilege	4664	xs6Wrp6hsMa5.exe
Token: 33	4664	xs6Wrp6hsMa5.exe
Token: SeIncBasePriorityPrivilege	4664	xs6Wrp6hsMa5.exe
Token: 33	4664	xs6Wrp6hsMa5.exe
Token: SeIncBasePriorityPrivilege	4664	xs6Wrp6hsMa5.exe
Token: 33	4664	xs6Wrp6hsMa5.exe
Token: SeIncBasePriorityPrivilege	4664	xs6Wrp6hsMa5.exe
Token: 33	4664	xs6Wrp6hsMa5.exe
Token: SeIncBasePriorityPrivilege	4664	xs6Wrp6hsMa5.exe
Token: 33	4664	xs6Wrp6hsMa5.exe
Token: SeIncBasePriorityPrivilege	4664	xs6Wrp6hsMa5.exe
Token: 33	4664	xs6Wrp6hsMa5.exe
Token: SeIncBasePriorityPrivilege	4664	xs6Wrp6hsMa5.exe
Token: 33	4664	xs6Wrp6hsMa5.exe
Token: SeIncBasePriorityPrivilege	4664	xs6Wrp6hsMa5.exe
Token: 33	4664	xs6Wrp6hsMa5.exe
Token: SeIncBasePriorityPrivilege	4664	xs6Wrp6hsMa5.exe
Token: SeDebugPrivilege	2392	tmpFBE4.tmp.exe
Token: 33	2392	tmpFBE4.tmp.exe
Token: SeIncBasePriorityPrivilege	2392	tmpFBE4.tmp.exe
Token: 33	2392	tmpFBE4.tmp.exe
Token: SeIncBasePriorityPrivilege	2392	tmpFBE4.tmp.exe
Token: 33	2392	tmpFBE4.tmp.exe
Token: SeIncBasePriorityPrivilege	2392	tmpFBE4.tmp.exe
Token: 33	2392	tmpFBE4.tmp.exe
Token: SeIncBasePriorityPrivilege	2392	tmpFBE4.tmp.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4664 wrote to memory of 2392	4664	xs6Wrp6hsMa5.exe	90
PID 4664 wrote to memory of 2392	4664	xs6Wrp6hsMa5.exe	90
PID 4664 wrote to memory of 2392	4664	xs6Wrp6hsMa5.exe	90
PID 4664 wrote to memory of 4480	4664	xs6Wrp6hsMa5.exe	91
PID 4664 wrote to memory of 4480	4664	xs6Wrp6hsMa5.exe	91
PID 4664 wrote to memory of 4480	4664	xs6Wrp6hsMa5.exe	91

C:\Users\Admin\AppData\Local\Temp\xs6Wrp6hsMa5.exe
"C:\Users\Admin\AppData\Local\Temp\xs6Wrp6hsMa5.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4664
- C:\Users\Admin\AppData\Local\Temp\tmpFBE4.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpFBE4.tmp.exe" ..
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2392
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C Y /N /D Y /T 1 & Del "C:\Users\Admin\AppData\Local\Temp\xs6Wrp6hsMa5.exe"
  2⤵
  PID:4480

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpFBE4.tmp.exe

Filesize
32KB

MD5
4e201611cad91d124ca94677dbf1d326

SHA1
01931b16d63e08005ef8a51867365fd0ee0fa8a7

SHA256
0224a374969f35097463a3d3e5c6dc0c0989fd68c110487816adeacbece9ad9c

SHA512
934fe3f037389222485a9990dd0e971b1d3861e33e5d9eff87f07a1c5e955ebbdd0712a17ebcd2ccde38595638b68982e043e667534fa70a34efae3e2c6b52db

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFBE4.tmp.exe

Filesize
32KB

MD5
4e201611cad91d124ca94677dbf1d326

SHA1
01931b16d63e08005ef8a51867365fd0ee0fa8a7

SHA256
0224a374969f35097463a3d3e5c6dc0c0989fd68c110487816adeacbece9ad9c

SHA512
934fe3f037389222485a9990dd0e971b1d3861e33e5d9eff87f07a1c5e955ebbdd0712a17ebcd2ccde38595638b68982e043e667534fa70a34efae3e2c6b52db

Download Submit
memory/2392-139-0x0000000075280000-0x0000000075831000-memory.dmp

Filesize
5.7MB

Download
memory/2392-140-0x0000000075280000-0x0000000075831000-memory.dmp

Filesize
5.7MB

Download
memory/4664-132-0x0000000075280000-0x0000000075831000-memory.dmp

Filesize
5.7MB

Download
memory/4664-133-0x0000000075280000-0x0000000075831000-memory.dmp

Filesize
5.7MB

Download
memory/4664-138-0x0000000075280000-0x0000000075831000-memory.dmp

Filesize
5.7MB

Download