njrat | 3577afb909325c2982c63bc78b6f888fa3e68ae29ca2c788afbb95bcd04feeaa

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24-03-2023 20:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.exe
Size

4.6MB
MD5

7e8ba9fb61fa408145919b871075e1c9
SHA1

d166c427649f37085719c0591fb0b8da077dc0db
SHA256

3577afb909325c2982c63bc78b6f888fa3e68ae29ca2c788afbb95bcd04feeaa
SHA512

3be86970072d578cda053b4823075f5e3ec9600b16cb6073e4c0cb0b248547fb152521aedad2fbcdfdd6fac5cb3214e0ac2bd62337c702a07f4ae440ce6d80cf
SSDEEP

49152:Op+gbAnNQKwjVqrtjMAg5myuPvD3ZOYWrKvn+V3peuTTpGT3s/Z4N+CKsoY0r:8

Score

10^/10

njrat hacked persistence trojan

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

HacKed

vesperiskindagoated.hopto.org:5552

Mutex

WSecurityKey

Attributes

reg_key
WSecurityKey
splitter
|-F-|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

sample.exepaylod.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	sample.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	paylod.exe

Drops startup file 5 IoCs

Processes:

paylod.exePayload.exeattrib.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WSecurityKey.lnk	paylod.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WSecurityKey.lnk	Payload.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WSecurityKey.exe	Payload.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WSecurityKey.exe	Payload.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WSecurityKey.exe	attrib.exe

Executes dropped EXE 3 IoCs

Processes:

paylod.exeMercurial.exePayload.exe

pid process

5092 paylod.exe
1068 Mercurial.exe
4672 Payload.exe

pid	process
5092	paylod.exe
1068	Mercurial.exe
4672	Payload.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Payload.exepaylod.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WSecurityKey2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\WSecurityKey.URL"	Payload.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WSecurityKey2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\WSecurityKey.URL"	Payload.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WSecurityKey = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\WSecurityKey.URL"	Payload.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WSecurityKey = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\WSecurityKey.URL"	Payload.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WSecurityKey2 = "C:\\Users\\Admin\\AppData\\Roaming\\Payload.exe"	paylod.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4736 1068 WerFault.exe Mercurial.exe
432 1068 WerFault.exe Mercurial.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

Mercurial.exe

pid process

1068 Mercurial.exe
1068 Mercurial.exe
1068 Mercurial.exe
1068 Mercurial.exe
1068 Mercurial.exe
1068 Mercurial.exe
1068 Mercurial.exe
1068 Mercurial.exe

pid	pid_target	process	target process
4736	1068	WerFault.exe	Mercurial.exe
432	1068	WerFault.exe	Mercurial.exe

pid	process
1068	Mercurial.exe
1068	Mercurial.exe
1068	Mercurial.exe
1068	Mercurial.exe
1068	Mercurial.exe
1068	Mercurial.exe
1068	Mercurial.exe
1068	Mercurial.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

Processes:

Mercurial.exePayload.exe

description	pid	process
Token: SeDebugPrivilege	1068	Mercurial.exe
Token: SeDebugPrivilege	4672	Payload.exe
Token: 33	4672	Payload.exe
Token: SeIncBasePriorityPrivilege	4672	Payload.exe
Token: 33	4672	Payload.exe
Token: SeIncBasePriorityPrivilege	4672	Payload.exe
Token: 33	4672	Payload.exe
Token: SeIncBasePriorityPrivilege	4672	Payload.exe
Token: 33	4672	Payload.exe
Token: SeIncBasePriorityPrivilege	4672	Payload.exe
Token: 33	4672	Payload.exe
Token: SeIncBasePriorityPrivilege	4672	Payload.exe
Token: 33	4672	Payload.exe
Token: SeIncBasePriorityPrivilege	4672	Payload.exe
Token: 33	4672	Payload.exe
Token: SeIncBasePriorityPrivilege	4672	Payload.exe
Token: 33	4672	Payload.exe
Token: SeIncBasePriorityPrivilege	4672	Payload.exe
Token: 33	4672	Payload.exe
Token: SeIncBasePriorityPrivilege	4672	Payload.exe
Token: 33	4672	Payload.exe
Token: SeIncBasePriorityPrivilege	4672	Payload.exe
Token: 33	4672	Payload.exe
Token: SeIncBasePriorityPrivilege	4672	Payload.exe
Token: 33	4672	Payload.exe
Token: SeIncBasePriorityPrivilege	4672	Payload.exe
Token: 33	4672	Payload.exe
Token: SeIncBasePriorityPrivilege	4672	Payload.exe
Token: 33	4672	Payload.exe
Token: SeIncBasePriorityPrivilege	4672	Payload.exe
Token: 33	4672	Payload.exe
Token: SeIncBasePriorityPrivilege	4672	Payload.exe
Token: 33	4672	Payload.exe
Token: SeIncBasePriorityPrivilege	4672	Payload.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

sample.exepaylod.exePayload.exe

description	pid	process	target process
PID 860 wrote to memory of 5092	860	sample.exe	paylod.exe
PID 860 wrote to memory of 5092	860	sample.exe	paylod.exe
PID 860 wrote to memory of 5092	860	sample.exe	paylod.exe
PID 860 wrote to memory of 1068	860	sample.exe	Mercurial.exe
PID 860 wrote to memory of 1068	860	sample.exe	Mercurial.exe
PID 860 wrote to memory of 1068	860	sample.exe	Mercurial.exe
PID 5092 wrote to memory of 4672	5092	paylod.exe	Payload.exe
PID 5092 wrote to memory of 4672	5092	paylod.exe	Payload.exe
PID 5092 wrote to memory of 4672	5092	paylod.exe	Payload.exe
PID 5092 wrote to memory of 4576	5092	paylod.exe	attrib.exe
PID 5092 wrote to memory of 4576	5092	paylod.exe	attrib.exe
PID 5092 wrote to memory of 4576	5092	paylod.exe	attrib.exe
PID 4672 wrote to memory of 3368	4672	Payload.exe	attrib.exe
PID 4672 wrote to memory of 3368	4672	Payload.exe	attrib.exe
PID 4672 wrote to memory of 3368	4672	Payload.exe	attrib.exe
PID 4672 wrote to memory of 4656	4672	Payload.exe	attrib.exe
PID 4672 wrote to memory of 4656	4672	Payload.exe	attrib.exe
PID 4672 wrote to memory of 4656	4672	Payload.exe	attrib.exe

Views/modifies file attributes 1 TTPs 3 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exe

pid process

4576 attrib.exe
3368 attrib.exe
4656 attrib.exe

pid	process
4576	attrib.exe
3368	attrib.exe
4656	attrib.exe

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:860

C:\Users\Admin\AppData\Local\Temp\paylod.exe
"C:\Users\Admin\AppData\Local\Temp\paylod.exe"
2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5092

C:\Users\Admin\AppData\Roaming\Payload.exe
"C:\Users\Admin\AppData\Roaming\Payload.exe"
3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4672

C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WSecurityKey.exe"
4⤵
- Drops startup file
- Views/modifies file attributes
PID:3368

C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WSecurityKey.exe"
4⤵
- Views/modifies file attributes
PID:4656

C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Payload.exe"
3⤵
- Views/modifies file attributes
PID:4576

C:\Users\Admin\AppData\Local\Temp\Mercurial.exe
"C:\Users\Admin\AppData\Local\Temp\Mercurial.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 1460
3⤵
- Program crash
PID:4736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 1032
3⤵
- Program crash
PID:432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1068 -ip 1068
1⤵
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1068 -ip 1068
1⤵
PID:2544

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Mercurial.exe
Filesize
3.2MB

MD5
a9477b3e21018b96fc5d2264d4016e65

SHA1
493fa8da8bf89ea773aeb282215f78219a5401b7

SHA256
890fd59af3370e2ce12e0d11916d1ad4ee9b9c267c434347dbed11e9572e8645

SHA512
66529a656865400fe37d40ae125a1d057f8be5aa17da80d367ebbe1a9dcea38f5174870d0dc5b56771f6ca5a13e2fad22d803f5357f3ef59a46e3bdf0cc5ee9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mercurial.exe
Filesize
3.2MB

MD5
a9477b3e21018b96fc5d2264d4016e65

SHA1
493fa8da8bf89ea773aeb282215f78219a5401b7

SHA256
890fd59af3370e2ce12e0d11916d1ad4ee9b9c267c434347dbed11e9572e8645

SHA512
66529a656865400fe37d40ae125a1d057f8be5aa17da80d367ebbe1a9dcea38f5174870d0dc5b56771f6ca5a13e2fad22d803f5357f3ef59a46e3bdf0cc5ee9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mercurial.exe
Filesize
3.2MB

MD5
a9477b3e21018b96fc5d2264d4016e65

SHA1
493fa8da8bf89ea773aeb282215f78219a5401b7

SHA256
890fd59af3370e2ce12e0d11916d1ad4ee9b9c267c434347dbed11e9572e8645

SHA512
66529a656865400fe37d40ae125a1d057f8be5aa17da80d367ebbe1a9dcea38f5174870d0dc5b56771f6ca5a13e2fad22d803f5357f3ef59a46e3bdf0cc5ee9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\paylod.exe
Filesize
26KB

MD5
43bcd1fc21d211f63d3bc96d870a3a81

SHA1
edeb0193808d4fe309cbd5e2c8a7e61d5b2e5c40

SHA256
fc3f42e235d5338bd7b45b834c16f26345ad57a530e485b8f8dd3fafe78951dd

SHA512
4dd20fbb7b91d1f2abed8721cb439fcda075ee079964e4f0dafbb6b62dc2ab87736e01d63b86efc62e5f74a42db648ed7be3a6540048f6791402a4b12a7ed942

Download Submit
C:\Users\Admin\AppData\Local\Temp\paylod.exe
Filesize
26KB

MD5
43bcd1fc21d211f63d3bc96d870a3a81

SHA1
edeb0193808d4fe309cbd5e2c8a7e61d5b2e5c40

SHA256
fc3f42e235d5338bd7b45b834c16f26345ad57a530e485b8f8dd3fafe78951dd

SHA512
4dd20fbb7b91d1f2abed8721cb439fcda075ee079964e4f0dafbb6b62dc2ab87736e01d63b86efc62e5f74a42db648ed7be3a6540048f6791402a4b12a7ed942

Download Submit
C:\Users\Admin\AppData\Local\Temp\paylod.exe
Filesize
26KB

MD5
43bcd1fc21d211f63d3bc96d870a3a81

SHA1
edeb0193808d4fe309cbd5e2c8a7e61d5b2e5c40

SHA256
fc3f42e235d5338bd7b45b834c16f26345ad57a530e485b8f8dd3fafe78951dd

SHA512
4dd20fbb7b91d1f2abed8721cb439fcda075ee079964e4f0dafbb6b62dc2ab87736e01d63b86efc62e5f74a42db648ed7be3a6540048f6791402a4b12a7ed942

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WSecurityKey.exe
Filesize
26KB

MD5
43bcd1fc21d211f63d3bc96d870a3a81

SHA1
edeb0193808d4fe309cbd5e2c8a7e61d5b2e5c40

SHA256
fc3f42e235d5338bd7b45b834c16f26345ad57a530e485b8f8dd3fafe78951dd

SHA512
4dd20fbb7b91d1f2abed8721cb439fcda075ee079964e4f0dafbb6b62dc2ab87736e01d63b86efc62e5f74a42db648ed7be3a6540048f6791402a4b12a7ed942

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WSecurityKey.lnk
Filesize
1KB

MD5
8809ae2412051fe62a4fb78b7e9ebd12

SHA1
b902da0b84a272bdff0ace433956d67387d35c6f

SHA256
7942be59109e850ef509c00cb9085d471c94c7c89db678874af1e403b9e1315b

SHA512
25c1497cb412a3d57c1a70c7669469e28a4c87cf26f66c44da9bcd9b32c62b16dddc01fa8bc4b2f17c599d86c027f896cfd19707f4e223dc2f13d035cf3abb53

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WSecurityKey.lnk
Filesize
1KB

MD5
13304b0834aa1b075ee085038425465e

SHA1
37801e4502478e8305ced7e303d6dfdaa25168ce

SHA256
d39c5cc2740ee7db8736545a800cccfc57787c80b75b3e916eb6cb0efad3b4b7

SHA512
d51adf11a8222989aec62d78aca1ba5bd08fc8ebcd2a1ef44af47220e0ebceee5289acbb1abf4f4cafa27048b1a9ed32d5906ec0bd7775fac4e29c39cc299f07

Download Submit
C:\Users\Admin\AppData\Roaming\Payload.exe
Filesize
26KB

MD5
43bcd1fc21d211f63d3bc96d870a3a81

SHA1
edeb0193808d4fe309cbd5e2c8a7e61d5b2e5c40

SHA256
fc3f42e235d5338bd7b45b834c16f26345ad57a530e485b8f8dd3fafe78951dd

SHA512
4dd20fbb7b91d1f2abed8721cb439fcda075ee079964e4f0dafbb6b62dc2ab87736e01d63b86efc62e5f74a42db648ed7be3a6540048f6791402a4b12a7ed942

Download Submit
C:\Users\Admin\AppData\Roaming\Payload.exe
Filesize
26KB

MD5
43bcd1fc21d211f63d3bc96d870a3a81

SHA1
edeb0193808d4fe309cbd5e2c8a7e61d5b2e5c40

SHA256
fc3f42e235d5338bd7b45b834c16f26345ad57a530e485b8f8dd3fafe78951dd

SHA512
4dd20fbb7b91d1f2abed8721cb439fcda075ee079964e4f0dafbb6b62dc2ab87736e01d63b86efc62e5f74a42db648ed7be3a6540048f6791402a4b12a7ed942

Download Submit
memory/860-133-0x0000000000FB0000-0x0000000000FC0000-memory.dmp

Filesize
64KB

Download
memory/1068-159-0x0000000005850000-0x00000000058E2000-memory.dmp

Filesize
584KB

Download
memory/1068-185-0x0000000005910000-0x0000000005920000-memory.dmp

Filesize
64KB

Download
memory/1068-163-0x0000000005910000-0x0000000005920000-memory.dmp

Filesize
64KB

Download
memory/1068-164-0x0000000005910000-0x0000000005920000-memory.dmp

Filesize
64KB

Download
memory/1068-165-0x0000000005910000-0x0000000005920000-memory.dmp

Filesize
64KB

Download
memory/1068-166-0x0000000005910000-0x0000000005920000-memory.dmp

Filesize
64KB

Download
memory/1068-161-0x0000000005900000-0x000000000590A000-memory.dmp

Filesize
40KB

Download
memory/1068-160-0x0000000005910000-0x0000000005920000-memory.dmp

Filesize
64KB

Download
memory/1068-158-0x0000000005EE0000-0x0000000006484000-memory.dmp

Filesize
5.6MB

Download
memory/1068-201-0x000000000BFC0000-0x000000000C0C0000-memory.dmp

Filesize
1024KB

Download
memory/1068-180-0x0000000005910000-0x0000000005920000-memory.dmp

Filesize
64KB

Download
memory/1068-200-0x000000000BFC0000-0x000000000C0C0000-memory.dmp

Filesize
1024KB

Download
memory/1068-182-0x0000000005910000-0x0000000005920000-memory.dmp

Filesize
64KB

Download
memory/1068-183-0x0000000005910000-0x0000000005920000-memory.dmp

Filesize
64KB

Download
memory/1068-184-0x0000000005910000-0x0000000005920000-memory.dmp

Filesize
64KB

Download
memory/1068-162-0x0000000005910000-0x0000000005920000-memory.dmp

Filesize
64KB

Download
memory/1068-186-0x0000000005910000-0x0000000005920000-memory.dmp

Filesize
64KB

Download
memory/1068-156-0x0000000000B70000-0x0000000000EAA000-memory.dmp

Filesize
3.2MB

Download
memory/1068-189-0x0000000005910000-0x0000000005920000-memory.dmp

Filesize
64KB

Download
memory/1068-190-0x0000000005910000-0x0000000005920000-memory.dmp

Filesize
64KB

Download
memory/1068-199-0x000000000BFC0000-0x000000000C0C0000-memory.dmp

Filesize
1024KB

Download
memory/1068-192-0x000000000BFC0000-0x000000000C0C0000-memory.dmp

Filesize
1024KB

Download
memory/1068-193-0x000000000BFC0000-0x000000000C0C0000-memory.dmp

Filesize
1024KB

Download
memory/1068-194-0x000000000BFC0000-0x000000000C0C0000-memory.dmp

Filesize
1024KB

Download
memory/1068-195-0x000000000BFC0000-0x000000000C0C0000-memory.dmp

Filesize
1024KB

Download
memory/1068-196-0x000000000BFC0000-0x000000000C0C0000-memory.dmp

Filesize
1024KB

Download
memory/1068-197-0x000000000BFC0000-0x000000000C0C0000-memory.dmp

Filesize
1024KB

Download
memory/1068-198-0x000000000BFC0000-0x000000000C0C0000-memory.dmp

Filesize
1024KB

Download
memory/4672-191-0x0000000001950000-0x0000000001960000-memory.dmp

Filesize
64KB

Download
memory/4672-181-0x0000000001950000-0x0000000001960000-memory.dmp

Filesize
64KB

Download
memory/5092-157-0x0000000000D80000-0x0000000000D90000-memory.dmp

Filesize
64KB

Download