njrat | 0c6648fd9a49c1a11e04f31d444ca6b5fa009459559f2b88bc51f90f938b44df

General

Target

0C6648FD9A49C1A11E04F31D444CA6B5FA009459559F2.exe
Size

26KB
MD5

9ed07382a06bf2f0381b8f2bdc42a94d
SHA1

4beb3a4798b0ac1508c2a71f5d46dfb60099a722
SHA256

0c6648fd9a49c1a11e04f31d444ca6b5fa009459559f2b88bc51f90f938b44df
SHA512

c45893ae081e2a800fd06e1f0e0ac09b0b4c064dbf888d4d051d5a0706e66cbb7f772c169e35fe75f14fdd3cee7107b0f0ae2efd5e7712d584e5d5e3fe959a41
SSDEEP

384:lL1M2XwBNOaLNOFs/Av2yeCP1BBvMo7AQk93vmhm7UMKmIEecKdbXTzm9bVhcaVd:le220U0Wo7A/vMHTi9bD

Score

10^/10

njrat hacked persistence trojan

Malware Config

Extracted

Family

njrat

Version

v4.0

Botnet

HacKed

C2

ecutuning.ddns.net:11560

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	0C6648FD9A49C1A11E04F31D444CA6B5FA009459559F2.exe

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	0C6648FD9A49C1A11E04F31D444CA6B5FA009459559F2.exe

Executes dropped EXE 1 IoCs

pid	Process
3996	svchost.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	0C6648FD9A49C1A11E04F31D444CA6B5FA009459559F2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	3996	svchost.exe
Token: 33	3996	svchost.exe
Token: SeIncBasePriorityPrivilege	3996	svchost.exe
Token: 33	3996	svchost.exe
Token: SeIncBasePriorityPrivilege	3996	svchost.exe
Token: 33	3996	svchost.exe
Token: SeIncBasePriorityPrivilege	3996	svchost.exe
Token: 33	3996	svchost.exe
Token: SeIncBasePriorityPrivilege	3996	svchost.exe
Token: 33	3996	svchost.exe
Token: SeIncBasePriorityPrivilege	3996	svchost.exe
Token: 33	3996	svchost.exe
Token: SeIncBasePriorityPrivilege	3996	svchost.exe
Token: 33	3996	svchost.exe
Token: SeIncBasePriorityPrivilege	3996	svchost.exe
Token: 33	3996	svchost.exe
Token: SeIncBasePriorityPrivilege	3996	svchost.exe
Token: 33	3996	svchost.exe
Token: SeIncBasePriorityPrivilege	3996	svchost.exe
Token: 33	3996	svchost.exe
Token: SeIncBasePriorityPrivilege	3996	svchost.exe
Token: 33	3996	svchost.exe
Token: SeIncBasePriorityPrivilege	3996	svchost.exe
Token: 33	3996	svchost.exe
Token: SeIncBasePriorityPrivilege	3996	svchost.exe
Token: 33	3996	svchost.exe
Token: SeIncBasePriorityPrivilege	3996	svchost.exe
Token: 33	3996	svchost.exe
Token: SeIncBasePriorityPrivilege	3996	svchost.exe
Token: 33	3996	svchost.exe
Token: SeIncBasePriorityPrivilege	3996	svchost.exe
Token: 33	3996	svchost.exe
Token: SeIncBasePriorityPrivilege	3996	svchost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 3996	1316	0C6648FD9A49C1A11E04F31D444CA6B5FA009459559F2.exe	90
PID 1316 wrote to memory of 3996	1316	0C6648FD9A49C1A11E04F31D444CA6B5FA009459559F2.exe	90
PID 1316 wrote to memory of 3996	1316	0C6648FD9A49C1A11E04F31D444CA6B5FA009459559F2.exe	90
PID 1316 wrote to memory of 2320	1316	0C6648FD9A49C1A11E04F31D444CA6B5FA009459559F2.exe	91
PID 1316 wrote to memory of 2320	1316	0C6648FD9A49C1A11E04F31D444CA6B5FA009459559F2.exe	91
PID 1316 wrote to memory of 2320	1316	0C6648FD9A49C1A11E04F31D444CA6B5FA009459559F2.exe	91

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
2320	attrib.exe

C:\Users\Admin\AppData\Local\Temp\0C6648FD9A49C1A11E04F31D444CA6B5FA009459559F2.exe
"C:\Users\Admin\AppData\Local\Temp\0C6648FD9A49C1A11E04F31D444CA6B5FA009459559F2.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:3996
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +r +s "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Views/modifies file attributes
  PID:2320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

Filesize
1KB

MD5
0a937201d7ffe15d781a6d10f26be09b

SHA1
cf9579edafc5a2fd94e14c17fd5e86abec3b3e8a

SHA256
71cf009453a713a96bc5b28d9b5b19060932f9c305a0fbae2fa8c90989ea4f3e

SHA512
648def133ad44ee2eb36e9b6a747b2c02856b75b6c460a76b991740ac7feeb05462263314cccbfbafd905348cdb8577fb2b3754e6a9e9170d8803e5a045f76f5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk

Filesize
1KB

MD5
79d475a162de503181d64ea1872f6beb

SHA1
3a47ea62bc19e7ff7e2037da08e2c45361fa44ad

SHA256
25c04cd144062d7fae2029734b2d07c3e69454e559e1577aae3707c895c65bbc

SHA512
122f2bce2e6bc7f1e1f89d4d01049fa0be5e11addea8c58418208a7eb6232bec77bac0258a8826aad90851e05ac2b0b692ac9800725e362a4f1935cc8167f52a

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
26KB

MD5
9ed07382a06bf2f0381b8f2bdc42a94d

SHA1
4beb3a4798b0ac1508c2a71f5d46dfb60099a722

SHA256
0c6648fd9a49c1a11e04f31d444ca6b5fa009459559f2b88bc51f90f938b44df

SHA512
c45893ae081e2a800fd06e1f0e0ac09b0b4c064dbf888d4d051d5a0706e66cbb7f772c169e35fe75f14fdd3cee7107b0f0ae2efd5e7712d584e5d5e3fe959a41

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
26KB

MD5
9ed07382a06bf2f0381b8f2bdc42a94d

SHA1
4beb3a4798b0ac1508c2a71f5d46dfb60099a722

SHA256
0c6648fd9a49c1a11e04f31d444ca6b5fa009459559f2b88bc51f90f938b44df

SHA512
c45893ae081e2a800fd06e1f0e0ac09b0b4c064dbf888d4d051d5a0706e66cbb7f772c169e35fe75f14fdd3cee7107b0f0ae2efd5e7712d584e5d5e3fe959a41

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
26KB

MD5
9ed07382a06bf2f0381b8f2bdc42a94d

SHA1
4beb3a4798b0ac1508c2a71f5d46dfb60099a722

SHA256
0c6648fd9a49c1a11e04f31d444ca6b5fa009459559f2b88bc51f90f938b44df

SHA512
c45893ae081e2a800fd06e1f0e0ac09b0b4c064dbf888d4d051d5a0706e66cbb7f772c169e35fe75f14fdd3cee7107b0f0ae2efd5e7712d584e5d5e3fe959a41

Download Submit
memory/1316-133-0x0000000000180000-0x000000000018C000-memory.dmp

Filesize
48KB

Download
memory/1316-134-0x0000000004B50000-0x0000000004BEC000-memory.dmp

Filesize
624KB

Download
memory/1316-137-0x0000000005A10000-0x0000000005FB4000-memory.dmp

Filesize
5.6MB

Download
memory/3996-152-0x0000000005F40000-0x0000000005FD2000-memory.dmp

Filesize
584KB

Download
memory/3996-153-0x0000000005F00000-0x0000000005F0A000-memory.dmp

Filesize
40KB

Download
memory/3996-154-0x0000000006850000-0x00000000068B6000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads