njrat | 847f9f041806776e957a60cda7cb58b332583e151eda78e431f4abd82bf7a488

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
15/08/2023, 15:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

847f9f041806776e957a60cda7cb58b332583e151eda78e431f4abd82bf7a488_JC.exe
Size

37KB
MD5

858dbea161dd4074ec9a9fefc2aed7d4
SHA1

6f39ba23961d661200c94c3e65bc8b856c2980ab
SHA256

847f9f041806776e957a60cda7cb58b332583e151eda78e431f4abd82bf7a488
SHA512

cc7f7fc544896e8b66cb3b5ae728dc6a9815d05634777e28a1ea9838bee24d23028d907ae4102fabf6a50826a74dba3fe99f41693650cd3a400913e15949c76f
SSDEEP

384:PlQZCiT9SLHHGhlbJcycPXvQJKUPDYwSo55rAF+rMRTyN/0L+EcoinblneHQM3e5:NIJrJ/cPXoKUU1oTrM+rMRa8NuxD8tQ

Score

10^/10

njrat 11221 evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

11221

147.50.253.218:1234

Mutex

519b55464950ce55b68715cb59bcfbfb

Attributes

reg_key
519b55464950ce55b68715cb59bcfbfb
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2052	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\519b55464950ce55b68715cb59bcfbfb.exe	system64bit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\519b55464950ce55b68715cb59bcfbfb.exe	system64bit.exe

Executes dropped EXE 1 IoCs

pid	Process
1252	system64bit.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\519b55464950ce55b68715cb59bcfbfb = "\"C:\\Users\\Admin\\AppData\\Roaming\\system64bit.exe\" .."	system64bit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\519b55464950ce55b68715cb59bcfbfb = "\"C:\\Users\\Admin\\AppData\\Roaming\\system64bit.exe\" .."	system64bit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe
1252	system64bit.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1252	system64bit.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	1252	system64bit.exe
Token: 33	1252	system64bit.exe
Token: SeIncBasePriorityPrivilege	1252	system64bit.exe
Token: 33	1252	system64bit.exe
Token: SeIncBasePriorityPrivilege	1252	system64bit.exe
Token: 33	1252	system64bit.exe
Token: SeIncBasePriorityPrivilege	1252	system64bit.exe
Token: 33	1252	system64bit.exe
Token: SeIncBasePriorityPrivilege	1252	system64bit.exe
Token: 33	1252	system64bit.exe
Token: SeIncBasePriorityPrivilege	1252	system64bit.exe
Token: 33	1252	system64bit.exe
Token: SeIncBasePriorityPrivilege	1252	system64bit.exe
Token: 33	1252	system64bit.exe
Token: SeIncBasePriorityPrivilege	1252	system64bit.exe
Token: 33	1252	system64bit.exe
Token: SeIncBasePriorityPrivilege	1252	system64bit.exe
Token: 33	1252	system64bit.exe
Token: SeIncBasePriorityPrivilege	1252	system64bit.exe
Token: 33	1252	system64bit.exe
Token: SeIncBasePriorityPrivilege	1252	system64bit.exe
Token: 33	1252	system64bit.exe
Token: SeIncBasePriorityPrivilege	1252	system64bit.exe
Token: 33	1252	system64bit.exe
Token: SeIncBasePriorityPrivilege	1252	system64bit.exe
Token: 33	1252	system64bit.exe
Token: SeIncBasePriorityPrivilege	1252	system64bit.exe
Token: 33	1252	system64bit.exe
Token: SeIncBasePriorityPrivilege	1252	system64bit.exe
Token: 33	1252	system64bit.exe
Token: SeIncBasePriorityPrivilege	1252	system64bit.exe
Token: 33	1252	system64bit.exe
Token: SeIncBasePriorityPrivilege	1252	system64bit.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 1252	2056	847f9f041806776e957a60cda7cb58b332583e151eda78e431f4abd82bf7a488_JC.exe	87
PID 2056 wrote to memory of 1252	2056	847f9f041806776e957a60cda7cb58b332583e151eda78e431f4abd82bf7a488_JC.exe	87
PID 2056 wrote to memory of 1252	2056	847f9f041806776e957a60cda7cb58b332583e151eda78e431f4abd82bf7a488_JC.exe	87
PID 1252 wrote to memory of 2052	1252	system64bit.exe	90
PID 1252 wrote to memory of 2052	1252	system64bit.exe	90
PID 1252 wrote to memory of 2052	1252	system64bit.exe	90

C:\Users\Admin\AppData\Local\Temp\847f9f041806776e957a60cda7cb58b332583e151eda78e431f4abd82bf7a488_JC.exe
"C:\Users\Admin\AppData\Local\Temp\847f9f041806776e957a60cda7cb58b332583e151eda78e431f4abd82bf7a488_JC.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Users\Admin\AppData\Roaming\system64bit.exe
  "C:\Users\Admin\AppData\Roaming\system64bit.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\system64bit.exe" "system64bit.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\system64bit.exe

Filesize
37KB

MD5
858dbea161dd4074ec9a9fefc2aed7d4

SHA1
6f39ba23961d661200c94c3e65bc8b856c2980ab

SHA256
847f9f041806776e957a60cda7cb58b332583e151eda78e431f4abd82bf7a488

SHA512
cc7f7fc544896e8b66cb3b5ae728dc6a9815d05634777e28a1ea9838bee24d23028d907ae4102fabf6a50826a74dba3fe99f41693650cd3a400913e15949c76f

Download Submit
C:\Users\Admin\AppData\Roaming\system64bit.exe

Filesize
37KB

MD5
858dbea161dd4074ec9a9fefc2aed7d4

SHA1
6f39ba23961d661200c94c3e65bc8b856c2980ab

SHA256
847f9f041806776e957a60cda7cb58b332583e151eda78e431f4abd82bf7a488

SHA512
cc7f7fc544896e8b66cb3b5ae728dc6a9815d05634777e28a1ea9838bee24d23028d907ae4102fabf6a50826a74dba3fe99f41693650cd3a400913e15949c76f

Download Submit
C:\Users\Admin\AppData\Roaming\system64bit.exe

Filesize
37KB

MD5
858dbea161dd4074ec9a9fefc2aed7d4

SHA1
6f39ba23961d661200c94c3e65bc8b856c2980ab

SHA256
847f9f041806776e957a60cda7cb58b332583e151eda78e431f4abd82bf7a488

SHA512
cc7f7fc544896e8b66cb3b5ae728dc6a9815d05634777e28a1ea9838bee24d23028d907ae4102fabf6a50826a74dba3fe99f41693650cd3a400913e15949c76f

Download Submit
memory/1252-148-0x0000000001930000-0x0000000001940000-memory.dmp

Filesize
64KB

Download
memory/1252-147-0x0000000074F60000-0x0000000075511000-memory.dmp

Filesize
5.7MB

Download
memory/1252-149-0x0000000074F60000-0x0000000075511000-memory.dmp

Filesize
5.7MB

Download
memory/1252-151-0x0000000074F60000-0x0000000075511000-memory.dmp

Filesize
5.7MB

Download
memory/1252-152-0x0000000001930000-0x0000000001940000-memory.dmp

Filesize
64KB

Download
memory/2056-135-0x0000000000E60000-0x0000000000E70000-memory.dmp

Filesize
64KB

Download
memory/2056-134-0x0000000074F60000-0x0000000075511000-memory.dmp

Filesize
5.7MB

Download
memory/2056-146-0x0000000074F60000-0x0000000075511000-memory.dmp

Filesize
5.7MB

Download
memory/2056-145-0x0000000074F60000-0x0000000075511000-memory.dmp

Filesize
5.7MB

Download
memory/2056-133-0x0000000074F60000-0x0000000075511000-memory.dmp

Filesize
5.7MB

Download