njrat | 0c6648fd9a49c1a11e04f31d444ca6b5fa009459559f2b88bc51f90f938b44df

General

Target

0C6648FD9A49C1A11E04F31D444CA6B5FA009459559F2.exe
Size

26KB
MD5

9ed07382a06bf2f0381b8f2bdc42a94d
SHA1

4beb3a4798b0ac1508c2a71f5d46dfb60099a722
SHA256

0c6648fd9a49c1a11e04f31d444ca6b5fa009459559f2b88bc51f90f938b44df
SHA512

c45893ae081e2a800fd06e1f0e0ac09b0b4c064dbf888d4d051d5a0706e66cbb7f772c169e35fe75f14fdd3cee7107b0f0ae2efd5e7712d584e5d5e3fe959a41
SSDEEP

384:lL1M2XwBNOaLNOFs/Av2yeCP1BBvMo7AQk93vmhm7UMKmIEecKdbXTzm9bVhcaVd:le220U0Wo7A/vMHTi9bD

Score

10^/10

njrat hacked persistence trojan

Malware Config

Extracted

Family

njrat

Version

v4.0

Botnet

HacKed

C2

ecutuning.ddns.net:11560

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	0C6648FD9A49C1A11E04F31D444CA6B5FA009459559F2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
1948	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
704	0C6648FD9A49C1A11E04F31D444CA6B5FA009459559F2.exe
704	0C6648FD9A49C1A11E04F31D444CA6B5FA009459559F2.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	0C6648FD9A49C1A11E04F31D444CA6B5FA009459559F2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	1948	svchost.exe
Token: 33	1948	svchost.exe
Token: SeIncBasePriorityPrivilege	1948	svchost.exe
Token: 33	1948	svchost.exe
Token: SeIncBasePriorityPrivilege	1948	svchost.exe
Token: 33	1948	svchost.exe
Token: SeIncBasePriorityPrivilege	1948	svchost.exe
Token: 33	1948	svchost.exe
Token: SeIncBasePriorityPrivilege	1948	svchost.exe
Token: 33	1948	svchost.exe
Token: SeIncBasePriorityPrivilege	1948	svchost.exe
Token: 33	1948	svchost.exe
Token: SeIncBasePriorityPrivilege	1948	svchost.exe
Token: 33	1948	svchost.exe
Token: SeIncBasePriorityPrivilege	1948	svchost.exe
Token: 33	1948	svchost.exe
Token: SeIncBasePriorityPrivilege	1948	svchost.exe
Token: 33	1948	svchost.exe
Token: SeIncBasePriorityPrivilege	1948	svchost.exe
Token: 33	1948	svchost.exe
Token: SeIncBasePriorityPrivilege	1948	svchost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 704 wrote to memory of 1948	704	0C6648FD9A49C1A11E04F31D444CA6B5FA009459559F2.exe	27
PID 704 wrote to memory of 1948	704	0C6648FD9A49C1A11E04F31D444CA6B5FA009459559F2.exe	27
PID 704 wrote to memory of 1948	704	0C6648FD9A49C1A11E04F31D444CA6B5FA009459559F2.exe	27
PID 704 wrote to memory of 1948	704	0C6648FD9A49C1A11E04F31D444CA6B5FA009459559F2.exe	27
PID 704 wrote to memory of 1492	704	0C6648FD9A49C1A11E04F31D444CA6B5FA009459559F2.exe	28
PID 704 wrote to memory of 1492	704	0C6648FD9A49C1A11E04F31D444CA6B5FA009459559F2.exe	28
PID 704 wrote to memory of 1492	704	0C6648FD9A49C1A11E04F31D444CA6B5FA009459559F2.exe	28
PID 704 wrote to memory of 1492	704	0C6648FD9A49C1A11E04F31D444CA6B5FA009459559F2.exe	28

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1492	attrib.exe

C:\Users\Admin\AppData\Local\Temp\0C6648FD9A49C1A11E04F31D444CA6B5FA009459559F2.exe
"C:\Users\Admin\AppData\Local\Temp\0C6648FD9A49C1A11E04F31D444CA6B5FA009459559F2.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:704
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:1948
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +r +s "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Views/modifies file attributes
  PID:1492

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

Filesize
1KB

MD5
61c6cbea88d59ac79139e034e2c87261

SHA1
3dda450eb668912138617ef088a9b90b1a68c258

SHA256
f2bffe6e8573118c0d4296f68b75b8b175fa32cd296135ecc58b6eb3301671b4

SHA512
3482bd112b90527dad20312497535e7aedb07503df6c9c7626c24a4bd335a629d437b1ba1aa42c5281a571c36aa4d7155f1113ff2b2c93572e05d66383410c23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk

Filesize
1022B

MD5
06b361ff5b08a5fdec5268e10d17bd86

SHA1
5ad6b80a501d7c09bd0bc499f4ce1d69eec8511e

SHA256
8a69fa1d5f78d40f005bce983be599a32cd2197d98fefa065e9b979d77416c07

SHA512
2d58254d59193c356494d1c84991fddb3919547a21addc1cc58ac65395cb38b7e124f61cd23413c0230882bb59f3dd85ee819da6e973145d2c1447c15ecf0134

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
26KB

MD5
9ed07382a06bf2f0381b8f2bdc42a94d

SHA1
4beb3a4798b0ac1508c2a71f5d46dfb60099a722

SHA256
0c6648fd9a49c1a11e04f31d444ca6b5fa009459559f2b88bc51f90f938b44df

SHA512
c45893ae081e2a800fd06e1f0e0ac09b0b4c064dbf888d4d051d5a0706e66cbb7f772c169e35fe75f14fdd3cee7107b0f0ae2efd5e7712d584e5d5e3fe959a41

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
26KB

MD5
9ed07382a06bf2f0381b8f2bdc42a94d

SHA1
4beb3a4798b0ac1508c2a71f5d46dfb60099a722

SHA256
0c6648fd9a49c1a11e04f31d444ca6b5fa009459559f2b88bc51f90f938b44df

SHA512
c45893ae081e2a800fd06e1f0e0ac09b0b4c064dbf888d4d051d5a0706e66cbb7f772c169e35fe75f14fdd3cee7107b0f0ae2efd5e7712d584e5d5e3fe959a41

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
26KB

MD5
9ed07382a06bf2f0381b8f2bdc42a94d

SHA1
4beb3a4798b0ac1508c2a71f5d46dfb60099a722

SHA256
0c6648fd9a49c1a11e04f31d444ca6b5fa009459559f2b88bc51f90f938b44df

SHA512
c45893ae081e2a800fd06e1f0e0ac09b0b4c064dbf888d4d051d5a0706e66cbb7f772c169e35fe75f14fdd3cee7107b0f0ae2efd5e7712d584e5d5e3fe959a41

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe

Filesize
26KB

MD5
9ed07382a06bf2f0381b8f2bdc42a94d

SHA1
4beb3a4798b0ac1508c2a71f5d46dfb60099a722

SHA256
0c6648fd9a49c1a11e04f31d444ca6b5fa009459559f2b88bc51f90f938b44df

SHA512
c45893ae081e2a800fd06e1f0e0ac09b0b4c064dbf888d4d051d5a0706e66cbb7f772c169e35fe75f14fdd3cee7107b0f0ae2efd5e7712d584e5d5e3fe959a41

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe

Filesize
26KB

MD5
9ed07382a06bf2f0381b8f2bdc42a94d

SHA1
4beb3a4798b0ac1508c2a71f5d46dfb60099a722

SHA256
0c6648fd9a49c1a11e04f31d444ca6b5fa009459559f2b88bc51f90f938b44df

SHA512
c45893ae081e2a800fd06e1f0e0ac09b0b4c064dbf888d4d051d5a0706e66cbb7f772c169e35fe75f14fdd3cee7107b0f0ae2efd5e7712d584e5d5e3fe959a41

Download Submit
memory/704-54-0x0000000000E70000-0x0000000000E7C000-memory.dmp

Filesize
48KB

Download
memory/1948-67-0x00000000003B0000-0x00000000003BC000-memory.dmp

Filesize
48KB

Download
memory/1948-73-0x0000000001E10000-0x0000000001E50000-memory.dmp

Filesize
256KB

Download
memory/1948-74-0x0000000001E10000-0x0000000001E50000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads