njrat | 92c159bc0ccc5e0dc0dbfcd89567bb52fd8183b573f3d0e90098f0f870da56ae

General

Target

Payload2023.exe
Size

27KB
MD5

b85cd29095492a2688686bb14c50cb2d
SHA1

4cd161ec7545478f87a405e09b6691cc6c4aa86a
SHA256

92c159bc0ccc5e0dc0dbfcd89567bb52fd8183b573f3d0e90098f0f870da56ae
SHA512

8544b7ee6203a65414222b4d0df318ce40ef033d41ffec879b15995608af36c7e948cdcd6c03f66b1e17696745913e795e23c1d3e54b7c3a5ffa47d40e1d312a
SSDEEP

384:TLIl2J1dJFKnO4YLJ5zeZsL4E7O4/ChZGPjdx4kM0AQk93vmhm7UMKmIEecKdbXs:3VJFPleeHU0A/vMHTi9bD

Score

10^/10

njrat hacked persistence trojan

Malware Config

Extracted

Family

njrat

Version

v4.0

Botnet

HacKed

C2

soon-lp.at.ply.gg:17209

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Payload2023.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	Payload2023.exe

Drops startup file 2 IoCs

Processes:

Payload.exePayload2023.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	Payload.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	Payload2023.exe

Executes dropped EXE 1 IoCs

Processes:

Payload.exe

pid process

4420 Payload.exe

pid	process
4420	Payload.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Payload2023.exePayload.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Payload.exe"	Payload2023.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

Payload.exe

description	pid	process
Token: SeDebugPrivilege	4420	Payload.exe
Token: 33	4420	Payload.exe
Token: SeIncBasePriorityPrivilege	4420	Payload.exe
Token: 33	4420	Payload.exe
Token: SeIncBasePriorityPrivilege	4420	Payload.exe
Token: 33	4420	Payload.exe
Token: SeIncBasePriorityPrivilege	4420	Payload.exe
Token: 33	4420	Payload.exe
Token: SeIncBasePriorityPrivilege	4420	Payload.exe
Token: 33	4420	Payload.exe
Token: SeIncBasePriorityPrivilege	4420	Payload.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

Payload2023.exe

description	pid	process	target process
PID 4740 wrote to memory of 4420	4740	Payload2023.exe	Payload.exe
PID 4740 wrote to memory of 4420	4740	Payload2023.exe	Payload.exe
PID 4740 wrote to memory of 4420	4740	Payload2023.exe	Payload.exe
PID 4740 wrote to memory of 1884	4740	Payload2023.exe	attrib.exe
PID 4740 wrote to memory of 1884	4740	Payload2023.exe	attrib.exe
PID 4740 wrote to memory of 1884	4740	Payload2023.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1884 attrib.exe

pid	process
1884	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Payload2023.exe
"C:\Users\Admin\AppData\Local\Temp\Payload2023.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4740

C:\Users\Admin\AppData\Roaming\Payload.exe
"C:\Users\Admin\AppData\Roaming\Payload.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4420

C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Payload.exe"
2⤵
- Views/modifies file attributes
PID:1884

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Hidden Files and Directories

1

T1158

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
Filesize
1KB

MD5
5046027d76193c47eda704613363b0eb

SHA1
28c68cb8c0f41137f06c21de64edb17dfe932f66

SHA256
82c84773cea056f85ac4c36f99174a9f27d19cc1ff8cd01bd64b5c062a7a7150

SHA512
d996df4461ee3039b1344881fb606fb6f257f5b60b7d0c5917564ffc4dc80c0747f022195a12beb442d8da77aed44ec3c4e2016b7d8a791c821b0350c1d7c918

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
Filesize
1KB

MD5
c2029e31e25647730597ac950c8d6ae5

SHA1
02a4822c6621db10757690b91b31e489f372d462

SHA256
00cb0e919469efaf29695f0acac304bffc05b269c957f9baefb8e5dbddafef92

SHA512
10a57bd1f36a1c2d3e39a374f13e4e3ad26df448f24f5d1248e8bab267b8cb797fc03862e67fcfbcae5916b775b73be127b0e23cd8baeca3eb5850a9e7cc3121

Download Submit
C:\Users\Admin\AppData\Roaming\Payload.exe
Filesize
27KB

MD5
b85cd29095492a2688686bb14c50cb2d

SHA1
4cd161ec7545478f87a405e09b6691cc6c4aa86a

SHA256
92c159bc0ccc5e0dc0dbfcd89567bb52fd8183b573f3d0e90098f0f870da56ae

SHA512
8544b7ee6203a65414222b4d0df318ce40ef033d41ffec879b15995608af36c7e948cdcd6c03f66b1e17696745913e795e23c1d3e54b7c3a5ffa47d40e1d312a

Download Submit
C:\Users\Admin\AppData\Roaming\Payload.exe
Filesize
27KB

MD5
b85cd29095492a2688686bb14c50cb2d

SHA1
4cd161ec7545478f87a405e09b6691cc6c4aa86a

SHA256
92c159bc0ccc5e0dc0dbfcd89567bb52fd8183b573f3d0e90098f0f870da56ae

SHA512
8544b7ee6203a65414222b4d0df318ce40ef033d41ffec879b15995608af36c7e948cdcd6c03f66b1e17696745913e795e23c1d3e54b7c3a5ffa47d40e1d312a

Download Submit
C:\Users\Admin\AppData\Roaming\Payload.exe
Filesize
27KB

MD5
b85cd29095492a2688686bb14c50cb2d

SHA1
4cd161ec7545478f87a405e09b6691cc6c4aa86a

SHA256
92c159bc0ccc5e0dc0dbfcd89567bb52fd8183b573f3d0e90098f0f870da56ae

SHA512
8544b7ee6203a65414222b4d0df318ce40ef033d41ffec879b15995608af36c7e948cdcd6c03f66b1e17696745913e795e23c1d3e54b7c3a5ffa47d40e1d312a

Download Submit
memory/4420-151-0x0000000005CA0000-0x0000000005CB0000-memory.dmp

Filesize
64KB

Download
memory/4420-152-0x0000000005D50000-0x0000000005DE2000-memory.dmp

Filesize
584KB

Download
memory/4420-153-0x0000000005D30000-0x0000000005D3A000-memory.dmp

Filesize
40KB

Download
memory/4420-154-0x0000000005F50000-0x0000000005FB6000-memory.dmp

Filesize
408KB

Download
memory/4420-155-0x0000000005CA0000-0x0000000005CB0000-memory.dmp

Filesize
64KB

Download
memory/4740-133-0x0000000000760000-0x000000000076E000-memory.dmp

Filesize
56KB

Download
memory/4740-137-0x0000000005EB0000-0x0000000006454000-memory.dmp

Filesize
5.6MB

Download
memory/4740-134-0x00000000050C0000-0x000000000515C000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads