njrat | 697e668ff68ad6ec46a37f3be151cceee3df535f78af08fc290f4553d5b562fb

Analysis

max time kernel
149s
max time network
147s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06-02-2023 23:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c7e71cb15f3a654bd603ecc875126b5.exe
Size

25KB
MD5

0c7e71cb15f3a654bd603ecc875126b5
SHA1

86b9b8214a1f25c1c059201b89b0e058ccc24046
SHA256

697e668ff68ad6ec46a37f3be151cceee3df535f78af08fc290f4553d5b562fb
SHA512

35608317ba260a1483002dbb7271db5b10ca02b07f6f9dde2453bfd449397516ad32fb86d340e37ed140b53e6fdd0d57d113e2d9bf7dc4abf7265235628499e9
SSDEEP

768:svp3Gwda1gHhRsSiBCyiEs81sByH6oCgmj:Q3Gwda1gBVOCyiYyBy3E

Score

10^/10

njrat hacked persistence trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

4.tcp.eu.ngrok.io:12433

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Drops startup file 2 IoCs

Processes:

Sosipisyn.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	Sosipisyn.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	Sosipisyn.exe

Executes dropped EXE 1 IoCs

Processes:

Sosipisyn.exe

pid process

988 Sosipisyn.exe

pid	process
988	Sosipisyn.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Sosipisyn.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\Sosipisyn.exe\" .."	Sosipisyn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\Sosipisyn.exe\" .."	Sosipisyn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Sosipisyn.exe

pid process

988 Sosipisyn.exe

pid	process
988	Sosipisyn.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

Sosipisyn.exe

description	pid	process
Token: SeDebugPrivilege	988	Sosipisyn.exe
Token: 33	988	Sosipisyn.exe
Token: SeIncBasePriorityPrivilege	988	Sosipisyn.exe
Token: 33	988	Sosipisyn.exe
Token: SeIncBasePriorityPrivilege	988	Sosipisyn.exe
Token: 33	988	Sosipisyn.exe
Token: SeIncBasePriorityPrivilege	988	Sosipisyn.exe
Token: 33	988	Sosipisyn.exe
Token: SeIncBasePriorityPrivilege	988	Sosipisyn.exe
Token: 33	988	Sosipisyn.exe
Token: SeIncBasePriorityPrivilege	988	Sosipisyn.exe
Token: 33	988	Sosipisyn.exe
Token: SeIncBasePriorityPrivilege	988	Sosipisyn.exe
Token: 33	988	Sosipisyn.exe
Token: SeIncBasePriorityPrivilege	988	Sosipisyn.exe
Token: 33	988	Sosipisyn.exe
Token: SeIncBasePriorityPrivilege	988	Sosipisyn.exe
Token: 33	988	Sosipisyn.exe
Token: SeIncBasePriorityPrivilege	988	Sosipisyn.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

0c7e71cb15f3a654bd603ecc875126b5.exe

description	pid	process	target process
PID 2016 wrote to memory of 988	2016	0c7e71cb15f3a654bd603ecc875126b5.exe	Sosipisyn.exe
PID 2016 wrote to memory of 988	2016	0c7e71cb15f3a654bd603ecc875126b5.exe	Sosipisyn.exe
PID 2016 wrote to memory of 988	2016	0c7e71cb15f3a654bd603ecc875126b5.exe	Sosipisyn.exe

C:\Users\Admin\AppData\Local\Temp\0c7e71cb15f3a654bd603ecc875126b5.exe
"C:\Users\Admin\AppData\Local\Temp\0c7e71cb15f3a654bd603ecc875126b5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\AppData\Roaming\Sosipisyn.exe
"C:\Users\Admin\AppData\Roaming\Sosipisyn.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:988

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Sosipisyn.exe
Filesize
25KB

MD5
0c7e71cb15f3a654bd603ecc875126b5

SHA1
86b9b8214a1f25c1c059201b89b0e058ccc24046

SHA256
697e668ff68ad6ec46a37f3be151cceee3df535f78af08fc290f4553d5b562fb

SHA512
35608317ba260a1483002dbb7271db5b10ca02b07f6f9dde2453bfd449397516ad32fb86d340e37ed140b53e6fdd0d57d113e2d9bf7dc4abf7265235628499e9

Download Submit
C:\Users\Admin\AppData\Roaming\Sosipisyn.exe
Filesize
25KB

MD5
0c7e71cb15f3a654bd603ecc875126b5

SHA1
86b9b8214a1f25c1c059201b89b0e058ccc24046

SHA256
697e668ff68ad6ec46a37f3be151cceee3df535f78af08fc290f4553d5b562fb

SHA512
35608317ba260a1483002dbb7271db5b10ca02b07f6f9dde2453bfd449397516ad32fb86d340e37ed140b53e6fdd0d57d113e2d9bf7dc4abf7265235628499e9

Download Submit
memory/988-57-0x0000000000000000-mapping.dmp

Download
memory/988-60-0x0000000000B90000-0x0000000000B98000-memory.dmp

Filesize
32KB

Download
memory/2016-54-0x0000000000FF0000-0x0000000000FF8000-memory.dmp

Filesize
32KB

Download
memory/2016-55-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/2016-56-0x000007FEFBF41000-0x000007FEFBF43000-memory.dmp

Filesize
8KB

Download