njrat | 7a384bb74dfe070f5954964c150d6b58c8439f90c7c2e681e662929f87bdc98a

Analysis

max time kernel
188s
max time network
192s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
10/02/2023, 18:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payload.exe
Size

55KB
MD5

cb2210ef676090de1d4abdc6abd15daf
SHA1

e9e25de728ab27e0aa9a18caf40b25465a6ef8c1
SHA256

7a384bb74dfe070f5954964c150d6b58c8439f90c7c2e681e662929f87bdc98a
SHA512

b6e9feebf3615c7d7057bc4b8f8800ac7a46e7d76c47dd660ae45407aa6cde804f8be16ee4473ba155ced5424add033d3f5c8a710ad0dcf2651235753eb07ec4
SSDEEP

1536:GT8oDnb4DNA7SSjHDrwsNMDzXExI3pmxm:XoDnEmOWHDrwsNMDzXExI3pm

Score

10^/10

njrat victim evasion trojan

Malware Config

Extracted

Family

njrat

Version

<- NjRAT 0.7d Horror Edition ->

Botnet

Victim

oxy01.duckdns.org:6522

Mutex

d00ea8c06ab02e78618235c9503b74e8

Attributes

reg_key
d00ea8c06ab02e78618235c9503b74e8
splitter
Y262SUCZ4UJJ

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	Payload.exe

Executes dropped EXE 5 IoCs

pid	Process
4412	Payload.exe
824	2539ff8c70584335879a12cdc502d637.exe
4384	468c027c97e44abc8280a627fe55579c.exe
1896	c2f22696f6f5425ca450fa4e0f37bc87.exe
3628	Payload.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3964	sc.exe
2636	sc.exe
3940	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3276	schtasks.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4640	reg.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
4280	powershell.exe
4280	powershell.exe
824	2539ff8c70584335879a12cdc502d637.exe
1896	c2f22696f6f5425ca450fa4e0f37bc87.exe
1896	c2f22696f6f5425ca450fa4e0f37bc87.exe
1896	c2f22696f6f5425ca450fa4e0f37bc87.exe
1896	c2f22696f6f5425ca450fa4e0f37bc87.exe
1896	c2f22696f6f5425ca450fa4e0f37bc87.exe
1896	c2f22696f6f5425ca450fa4e0f37bc87.exe
3744	Payload.exe
3744	Payload.exe
3744	Payload.exe
3744	Payload.exe
3744	Payload.exe
3744	Payload.exe
3744	Payload.exe
3744	Payload.exe
3744	Payload.exe
3744	Payload.exe
3744	Payload.exe
3744	Payload.exe
3744	Payload.exe
3744	Payload.exe
3744	Payload.exe
3744	Payload.exe
3744	Payload.exe
3744	Payload.exe
3744	Payload.exe
3744	Payload.exe
3744	Payload.exe
3744	Payload.exe
3744	Payload.exe
3744	Payload.exe
3744	Payload.exe
3744	Payload.exe
3744	Payload.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	3744	Payload.exe
Token: SeDebugPrivilege	4280	powershell.exe
Token: 33	3744	Payload.exe
Token: SeIncBasePriorityPrivilege	3744	Payload.exe
Token: 33	3744	Payload.exe
Token: SeIncBasePriorityPrivilege	3744	Payload.exe
Token: 33	3744	Payload.exe
Token: SeIncBasePriorityPrivilege	3744	Payload.exe
Token: 33	3744	Payload.exe
Token: SeIncBasePriorityPrivilege	3744	Payload.exe
Token: 33	3744	Payload.exe
Token: SeIncBasePriorityPrivilege	3744	Payload.exe
Token: 33	3744	Payload.exe
Token: SeIncBasePriorityPrivilege	3744	Payload.exe
Token: SeDebugPrivilege	824	2539ff8c70584335879a12cdc502d637.exe
Token: 33	3744	Payload.exe
Token: SeIncBasePriorityPrivilege	3744	Payload.exe
Token: 33	3744	Payload.exe
Token: SeIncBasePriorityPrivilege	3744	Payload.exe
Token: 33	3744	Payload.exe
Token: SeIncBasePriorityPrivilege	3744	Payload.exe
Token: SeDebugPrivilege	1896	c2f22696f6f5425ca450fa4e0f37bc87.exe
Token: 33	3744	Payload.exe
Token: SeIncBasePriorityPrivilege	3744	Payload.exe
Token: 33	3744	Payload.exe
Token: SeIncBasePriorityPrivilege	3744	Payload.exe
Token: 33	3744	Payload.exe
Token: SeIncBasePriorityPrivilege	3744	Payload.exe
Token: 33	3744	Payload.exe
Token: SeIncBasePriorityPrivilege	3744	Payload.exe
Token: 33	3744	Payload.exe
Token: SeIncBasePriorityPrivilege	3744	Payload.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 3744 wrote to memory of 1648	3744	Payload.exe	82
PID 3744 wrote to memory of 1648	3744	Payload.exe	82
PID 3744 wrote to memory of 1648	3744	Payload.exe	82
PID 3744 wrote to memory of 668	3744	Payload.exe	84
PID 3744 wrote to memory of 668	3744	Payload.exe	84
PID 3744 wrote to memory of 668	3744	Payload.exe	84
PID 668 wrote to memory of 4280	668	cmd.exe	86
PID 668 wrote to memory of 4280	668	cmd.exe	86
PID 668 wrote to memory of 4280	668	cmd.exe	86
PID 3744 wrote to memory of 1660	3744	Payload.exe	87
PID 3744 wrote to memory of 1660	3744	Payload.exe	87
PID 3744 wrote to memory of 1660	3744	Payload.exe	87
PID 1660 wrote to memory of 3964	1660	cmd.exe	89
PID 1660 wrote to memory of 3964	1660	cmd.exe	89
PID 1660 wrote to memory of 3964	1660	cmd.exe	89
PID 3744 wrote to memory of 228	3744	Payload.exe	90
PID 3744 wrote to memory of 228	3744	Payload.exe	90
PID 3744 wrote to memory of 228	3744	Payload.exe	90
PID 228 wrote to memory of 2636	228	cmd.exe	92
PID 228 wrote to memory of 2636	228	cmd.exe	92
PID 228 wrote to memory of 2636	228	cmd.exe	92
PID 3744 wrote to memory of 3228	3744	Payload.exe	93
PID 3744 wrote to memory of 3228	3744	Payload.exe	93
PID 3744 wrote to memory of 3228	3744	Payload.exe	93
PID 3228 wrote to memory of 3940	3228	cmd.exe	95
PID 3228 wrote to memory of 3940	3228	cmd.exe	95
PID 3228 wrote to memory of 3940	3228	cmd.exe	95
PID 3744 wrote to memory of 4500	3744	Payload.exe	96
PID 3744 wrote to memory of 4500	3744	Payload.exe	96
PID 3744 wrote to memory of 4500	3744	Payload.exe	96
PID 3744 wrote to memory of 3276	3744	Payload.exe	98
PID 3744 wrote to memory of 3276	3744	Payload.exe	98
PID 3744 wrote to memory of 3276	3744	Payload.exe	98
PID 3744 wrote to memory of 2248	3744	Payload.exe	100
PID 3744 wrote to memory of 2248	3744	Payload.exe	100
PID 3744 wrote to memory of 2248	3744	Payload.exe	100
PID 2248 wrote to memory of 4640	2248	cmd.exe	102
PID 2248 wrote to memory of 4640	2248	cmd.exe	102
PID 2248 wrote to memory of 4640	2248	cmd.exe	102
PID 3744 wrote to memory of 824	3744	Payload.exe	104
PID 3744 wrote to memory of 824	3744	Payload.exe	104
PID 3744 wrote to memory of 4384	3744	Payload.exe	105
PID 3744 wrote to memory of 4384	3744	Payload.exe	105
PID 3744 wrote to memory of 1896	3744	Payload.exe	107
PID 3744 wrote to memory of 1896	3744	Payload.exe	107

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1648	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Payload.exe
"C:\Users\Admin\AppData\Local\Temp\Payload.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3744
- C:\Windows\SysWOW64\attrib.exe
  attrib +h "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
  2⤵
  - Views/modifies file attributes
  PID:1648
- C:\Windows\SysWOW64\cmd.exe
  cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:668
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4280
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc query windefend
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Windows\SysWOW64\sc.exe
    sc query windefend
    3⤵
    - Launches sc.exe
    PID:3964
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc stop windefend
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:228
- - C:\Windows\SysWOW64\sc.exe
    sc stop windefend
    3⤵
    - Launches sc.exe
    PID:2636
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc delete windefend
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3228
- - C:\Windows\SysWOW64\sc.exe
    sc delete windefend
    3⤵
    - Launches sc.exe
    PID:3940
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /delete /tn CleanSweepCheck /f
  2⤵
  PID:4500
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /sc minute /mo 1 /tn CleanSweepCheck /tr C:\Users\Admin\AppData\Local\Temp\Payload.exe
  2⤵
  - Creates scheduled task(s)
  PID:3276
- C:\Windows\SysWOW64\cmd.exe
  cmd /c reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Windows\SysWOW64\reg.exe
    reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:4640
- C:\Users\Admin\AppData\Local\Temp\2539ff8c70584335879a12cdc502d637.exe
  "C:\Users\Admin\AppData\Local\Temp\2539ff8c70584335879a12cdc502d637.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:824
- C:\Users\Admin\AppData\Local\Temp\468c027c97e44abc8280a627fe55579c.exe
  "C:\Users\Admin\AppData\Local\Temp\468c027c97e44abc8280a627fe55579c.exe"
  2⤵
  - Executes dropped EXE
  PID:4384
- C:\Users\Admin\AppData\Local\Temp\c2f22696f6f5425ca450fa4e0f37bc87.exe
  "C:\Users\Admin\AppData\Local\Temp\c2f22696f6f5425ca450fa4e0f37bc87.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1896

C:\Users\Admin\AppData\Local\Temp\Payload.exe
C:\Users\Admin\AppData\Local\Temp\Payload.exe
1⤵
- Executes dropped EXE
PID:4412

C:\Users\Admin\AppData\Local\Temp\Payload.exe
C:\Users\Admin\AppData\Local\Temp\Payload.exe
1⤵
- Executes dropped EXE
PID:3628

C:\Windows\system32\UserAccountControlSettings.exe
"C:\Windows\system32\UserAccountControlSettings.exe"
1⤵
PID:4904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Payload.exe.log

Filesize
319B

MD5
da4fafeffe21b7cb3a8c170ca7911976

SHA1
50ef77e2451ab60f93f4db88325b897d215be5ad

SHA256
7341a4a13e81cbb5b7f39ec47bb45f84836b08b8d8e3ea231d2c7dad982094f7

SHA512
0bc24b69460f31a0ebc0628b99908d818ee85feb7e4b663271d9375b30cced0cd55a0bbf8edff1281a4c886ddf4476ffc989c283069cdcb1235ffcb265580fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2539ff8c70584335879a12cdc502d637.exe

Filesize
16KB

MD5
683bcb1f86f4410931abe39a63eb7057

SHA1
d338aac5ff479fc94d3c840e862665de1dac8c8f

SHA256
c9f03a39789f7322ae43604db6ce7da86765ad4b13207091683cf47bdea8de12

SHA512
60b596947d93fdb196fcf338af92d26cdd82396283316352ead078ce1a85943bb85264901318f7061e6b0e49058ace521831a9275c025526373d9168c757cdd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2539ff8c70584335879a12cdc502d637.exe

Filesize
16KB

MD5
683bcb1f86f4410931abe39a63eb7057

SHA1
d338aac5ff479fc94d3c840e862665de1dac8c8f

SHA256
c9f03a39789f7322ae43604db6ce7da86765ad4b13207091683cf47bdea8de12

SHA512
60b596947d93fdb196fcf338af92d26cdd82396283316352ead078ce1a85943bb85264901318f7061e6b0e49058ace521831a9275c025526373d9168c757cdd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\468c027c97e44abc8280a627fe55579c.exe

Filesize
16KB

MD5
683bcb1f86f4410931abe39a63eb7057

SHA1
d338aac5ff479fc94d3c840e862665de1dac8c8f

SHA256
c9f03a39789f7322ae43604db6ce7da86765ad4b13207091683cf47bdea8de12

SHA512
60b596947d93fdb196fcf338af92d26cdd82396283316352ead078ce1a85943bb85264901318f7061e6b0e49058ace521831a9275c025526373d9168c757cdd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\468c027c97e44abc8280a627fe55579c.exe

Filesize
16KB

MD5
683bcb1f86f4410931abe39a63eb7057

SHA1
d338aac5ff479fc94d3c840e862665de1dac8c8f

SHA256
c9f03a39789f7322ae43604db6ce7da86765ad4b13207091683cf47bdea8de12

SHA512
60b596947d93fdb196fcf338af92d26cdd82396283316352ead078ce1a85943bb85264901318f7061e6b0e49058ace521831a9275c025526373d9168c757cdd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Payload.exe

Filesize
55KB

MD5
cb2210ef676090de1d4abdc6abd15daf

SHA1
e9e25de728ab27e0aa9a18caf40b25465a6ef8c1

SHA256
7a384bb74dfe070f5954964c150d6b58c8439f90c7c2e681e662929f87bdc98a

SHA512
b6e9feebf3615c7d7057bc4b8f8800ac7a46e7d76c47dd660ae45407aa6cde804f8be16ee4473ba155ced5424add033d3f5c8a710ad0dcf2651235753eb07ec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Payload.exe

Filesize
55KB

MD5
cb2210ef676090de1d4abdc6abd15daf

SHA1
e9e25de728ab27e0aa9a18caf40b25465a6ef8c1

SHA256
7a384bb74dfe070f5954964c150d6b58c8439f90c7c2e681e662929f87bdc98a

SHA512
b6e9feebf3615c7d7057bc4b8f8800ac7a46e7d76c47dd660ae45407aa6cde804f8be16ee4473ba155ced5424add033d3f5c8a710ad0dcf2651235753eb07ec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2f22696f6f5425ca450fa4e0f37bc87.exe

Filesize
16KB

MD5
683bcb1f86f4410931abe39a63eb7057

SHA1
d338aac5ff479fc94d3c840e862665de1dac8c8f

SHA256
c9f03a39789f7322ae43604db6ce7da86765ad4b13207091683cf47bdea8de12

SHA512
60b596947d93fdb196fcf338af92d26cdd82396283316352ead078ce1a85943bb85264901318f7061e6b0e49058ace521831a9275c025526373d9168c757cdd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2f22696f6f5425ca450fa4e0f37bc87.exe

Filesize
16KB

MD5
683bcb1f86f4410931abe39a63eb7057

SHA1
d338aac5ff479fc94d3c840e862665de1dac8c8f

SHA256
c9f03a39789f7322ae43604db6ce7da86765ad4b13207091683cf47bdea8de12

SHA512
60b596947d93fdb196fcf338af92d26cdd82396283316352ead078ce1a85943bb85264901318f7061e6b0e49058ace521831a9275c025526373d9168c757cdd2

Download Submit
memory/824-170-0x00007FFF6E230000-0x00007FFF6EC66000-memory.dmp

Filesize
10.2MB

Download
memory/1896-178-0x00007FFF6E0A0000-0x00007FFF6EAD6000-memory.dmp

Filesize
10.2MB

Download
memory/3628-181-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/3628-182-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/3744-132-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/3744-133-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/4280-156-0x0000000007700000-0x0000000007D7A000-memory.dmp

Filesize
6.5MB

Download
memory/4280-154-0x000000006E700000-0x000000006E74C000-memory.dmp

Filesize
304KB

Download
memory/4280-162-0x00000000072E0000-0x0000000007376000-memory.dmp

Filesize
600KB

Download
memory/4280-158-0x00000000070F0000-0x00000000070FA000-memory.dmp

Filesize
40KB

Download
memory/4280-157-0x0000000007080000-0x000000000709A000-memory.dmp

Filesize
104KB

Download
memory/4280-155-0x0000000006310000-0x000000000632E000-memory.dmp

Filesize
120KB

Download
memory/4280-166-0x00000000072C0000-0x00000000072CE000-memory.dmp

Filesize
56KB

Download
memory/4280-167-0x00000000073C0000-0x00000000073DA000-memory.dmp

Filesize
104KB

Download
memory/4280-168-0x00000000073A0000-0x00000000073A8000-memory.dmp

Filesize
32KB

Download
memory/4280-145-0x0000000002350000-0x0000000002386000-memory.dmp

Filesize
216KB

Download
memory/4280-148-0x0000000005060000-0x0000000005688000-memory.dmp

Filesize
6.2MB

Download
memory/4280-149-0x0000000004CC0000-0x0000000004CE2000-memory.dmp

Filesize
136KB

Download
memory/4280-153-0x0000000006330000-0x0000000006362000-memory.dmp

Filesize
200KB

Download
memory/4280-152-0x00000000049E0000-0x00000000049FE000-memory.dmp

Filesize
120KB

Download
memory/4280-150-0x0000000005690000-0x00000000056F6000-memory.dmp

Filesize
408KB

Download
memory/4280-151-0x0000000005700000-0x0000000005766000-memory.dmp

Filesize
408KB

Download
memory/4384-174-0x00007FFF6E230000-0x00007FFF6EC66000-memory.dmp

Filesize
10.2MB

Download
memory/4412-160-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/4412-169-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/4412-161-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download