njrat | 87a340c6dc9b2e994fddc7edb764ab197ce3eb576c4456a89b9faddd5f28b0b4

General

Target

87a340c6dc9b2e994fddc7edb764ab197ce3eb576c4456a89b9faddd5f28b0b4.exe
Size

49KB
MD5

c3ec94cb1c15fbfd213aa5d5854b8e3f
SHA1

65726604b29227377aadef41da87a7306c852f0c
SHA256

87a340c6dc9b2e994fddc7edb764ab197ce3eb576c4456a89b9faddd5f28b0b4
SHA512

e9cc11eb5e5e7426f9b8109e73194fccf989bfba3c04b73b78094946e79c5c31f3bb85d75193bc370b192836932a6bd8fdda1f3b5ff7b027a911b9bd7612aebf
SSDEEP

1536:a7dS1EAd8II28ca2zhmamGJCKDRMcyEQXGNEPRbw1Rl:igEA6II2Da2zPf/XyEQSiRby

Score

10^/10

njrat cheats persistence trojan

Malware Config

Extracted

Family

njrat

Version

Platinum

Botnet

Cheats

C2

127.0.0.1:1

Mutex

smss.exe

Attributes

reg_key
smss.exe
splitter
|Ghost|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2748 cmd.exe

pid	process
2748	cmd.exe

Drops startup file 3 IoCs

Processes:

smss.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smss.exe	smss.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smss.exe	smss.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smss.url	smss.exe

Executes dropped EXE 5 IoCs

Processes:

smss.exesmss.exesmss.exesmss.exesmss.exe

pid process

2844 smss.exe
644 smss.exe
1052 smss.exe
2024 smss.exe
2660 smss.exe

pid	process
2844	smss.exe
644	smss.exe
1052	smss.exe
2024	smss.exe
2660	smss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

smss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\smss.exe\" .."	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\smss.exe\" .."	smss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2692 schtasks.exe

pid	process
2692	schtasks.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

smss.exe

description	pid	process
Token: SeDebugPrivilege	2844	smss.exe
Token: 33	2844	smss.exe
Token: SeIncBasePriorityPrivilege	2844	smss.exe
Token: 33	2844	smss.exe
Token: SeIncBasePriorityPrivilege	2844	smss.exe
Token: 33	2844	smss.exe
Token: SeIncBasePriorityPrivilege	2844	smss.exe
Token: 33	2844	smss.exe
Token: SeIncBasePriorityPrivilege	2844	smss.exe
Token: 33	2844	smss.exe
Token: SeIncBasePriorityPrivilege	2844	smss.exe
Token: 33	2844	smss.exe
Token: SeIncBasePriorityPrivilege	2844	smss.exe
Token: 33	2844	smss.exe
Token: SeIncBasePriorityPrivilege	2844	smss.exe
Token: 33	2844	smss.exe
Token: SeIncBasePriorityPrivilege	2844	smss.exe
Token: 33	2844	smss.exe
Token: SeIncBasePriorityPrivilege	2844	smss.exe
Token: 33	2844	smss.exe
Token: SeIncBasePriorityPrivilege	2844	smss.exe
Token: 33	2844	smss.exe
Token: SeIncBasePriorityPrivilege	2844	smss.exe
Token: 33	2844	smss.exe
Token: SeIncBasePriorityPrivilege	2844	smss.exe
Token: 33	2844	smss.exe
Token: SeIncBasePriorityPrivilege	2844	smss.exe
Token: 33	2844	smss.exe
Token: SeIncBasePriorityPrivilege	2844	smss.exe
Token: 33	2844	smss.exe
Token: SeIncBasePriorityPrivilege	2844	smss.exe
Token: 33	2844	smss.exe
Token: SeIncBasePriorityPrivilege	2844	smss.exe
Token: 33	2844	smss.exe
Token: SeIncBasePriorityPrivilege	2844	smss.exe
Token: 33	2844	smss.exe
Token: SeIncBasePriorityPrivilege	2844	smss.exe
Token: 33	2844	smss.exe
Token: SeIncBasePriorityPrivilege	2844	smss.exe
Token: 33	2844	smss.exe
Token: SeIncBasePriorityPrivilege	2844	smss.exe
Token: 33	2844	smss.exe
Token: SeIncBasePriorityPrivilege	2844	smss.exe
Token: 33	2844	smss.exe
Token: SeIncBasePriorityPrivilege	2844	smss.exe
Token: 33	2844	smss.exe
Token: SeIncBasePriorityPrivilege	2844	smss.exe
Token: 33	2844	smss.exe
Token: SeIncBasePriorityPrivilege	2844	smss.exe
Token: 33	2844	smss.exe
Token: SeIncBasePriorityPrivilege	2844	smss.exe
Token: 33	2844	smss.exe
Token: SeIncBasePriorityPrivilege	2844	smss.exe
Token: 33	2844	smss.exe
Token: SeIncBasePriorityPrivilege	2844	smss.exe
Token: 33	2844	smss.exe
Token: SeIncBasePriorityPrivilege	2844	smss.exe
Token: 33	2844	smss.exe
Token: SeIncBasePriorityPrivilege	2844	smss.exe
Token: 33	2844	smss.exe
Token: SeIncBasePriorityPrivilege	2844	smss.exe
Token: 33	2844	smss.exe
Token: SeIncBasePriorityPrivilege	2844	smss.exe
Token: 33	2844	smss.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

87a340c6dc9b2e994fddc7edb764ab197ce3eb576c4456a89b9faddd5f28b0b4.execmd.exesmss.exetaskeng.exe

description	pid	process	target process
PID 1900 wrote to memory of 2844	1900	87a340c6dc9b2e994fddc7edb764ab197ce3eb576c4456a89b9faddd5f28b0b4.exe	smss.exe
PID 1900 wrote to memory of 2844	1900	87a340c6dc9b2e994fddc7edb764ab197ce3eb576c4456a89b9faddd5f28b0b4.exe	smss.exe
PID 1900 wrote to memory of 2844	1900	87a340c6dc9b2e994fddc7edb764ab197ce3eb576c4456a89b9faddd5f28b0b4.exe	smss.exe
PID 1900 wrote to memory of 2748	1900	87a340c6dc9b2e994fddc7edb764ab197ce3eb576c4456a89b9faddd5f28b0b4.exe	cmd.exe
PID 1900 wrote to memory of 2748	1900	87a340c6dc9b2e994fddc7edb764ab197ce3eb576c4456a89b9faddd5f28b0b4.exe	cmd.exe
PID 1900 wrote to memory of 2748	1900	87a340c6dc9b2e994fddc7edb764ab197ce3eb576c4456a89b9faddd5f28b0b4.exe	cmd.exe
PID 2748 wrote to memory of 2608	2748	cmd.exe	choice.exe
PID 2748 wrote to memory of 2608	2748	cmd.exe	choice.exe
PID 2748 wrote to memory of 2608	2748	cmd.exe	choice.exe
PID 2844 wrote to memory of 2708	2844	smss.exe	schtasks.exe
PID 2844 wrote to memory of 2708	2844	smss.exe	schtasks.exe
PID 2844 wrote to memory of 2708	2844	smss.exe	schtasks.exe
PID 2844 wrote to memory of 2692	2844	smss.exe	schtasks.exe
PID 2844 wrote to memory of 2692	2844	smss.exe	schtasks.exe
PID 2844 wrote to memory of 2692	2844	smss.exe	schtasks.exe
PID 440 wrote to memory of 644	440	taskeng.exe	smss.exe
PID 440 wrote to memory of 644	440	taskeng.exe	smss.exe
PID 440 wrote to memory of 644	440	taskeng.exe	smss.exe
PID 440 wrote to memory of 1052	440	taskeng.exe	smss.exe
PID 440 wrote to memory of 1052	440	taskeng.exe	smss.exe
PID 440 wrote to memory of 1052	440	taskeng.exe	smss.exe
PID 440 wrote to memory of 2024	440	taskeng.exe	smss.exe
PID 440 wrote to memory of 2024	440	taskeng.exe	smss.exe
PID 440 wrote to memory of 2024	440	taskeng.exe	smss.exe
PID 440 wrote to memory of 2660	440	taskeng.exe	smss.exe
PID 440 wrote to memory of 2660	440	taskeng.exe	smss.exe
PID 440 wrote to memory of 2660	440	taskeng.exe	smss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\87a340c6dc9b2e994fddc7edb764ab197ce3eb576c4456a89b9faddd5f28b0b4.exe
"C:\Users\Admin\AppData\Local\Temp\87a340c6dc9b2e994fddc7edb764ab197ce3eb576c4456a89b9faddd5f28b0b4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1900

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2844

C:\Windows\system32\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:2708

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Local\Temp\smss.exe
3⤵
- Creates scheduled task(s)
PID:2692

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\Users\Admin\AppData\Local\Temp\87a340c6dc9b2e994fddc7edb764ab197ce3eb576c4456a89b9faddd5f28b0b4.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 5
3⤵
PID:2608

C:\Windows\system32\taskeng.exe
taskeng.exe {48492229-0AC1-4F9B-B827-7EB2897649D6} S-1-5-21-86725733-3001458681-3405935542-1000:ZWKQHIWB\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:440

C:\Users\Admin\AppData\Local\Temp\smss.exe
C:\Users\Admin\AppData\Local\Temp\smss.exe
2⤵
- Executes dropped EXE
PID:644

C:\Users\Admin\AppData\Local\Temp\smss.exe
C:\Users\Admin\AppData\Local\Temp\smss.exe
2⤵
- Executes dropped EXE
PID:1052

C:\Users\Admin\AppData\Local\Temp\smss.exe
C:\Users\Admin\AppData\Local\Temp\smss.exe
2⤵
- Executes dropped EXE
PID:2024

C:\Users\Admin\AppData\Local\Temp\smss.exe
C:\Users\Admin\AppData\Local\Temp\smss.exe
2⤵
- Executes dropped EXE
PID:2660

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\smss.exe
Filesize
49KB

MD5
c3ec94cb1c15fbfd213aa5d5854b8e3f

SHA1
65726604b29227377aadef41da87a7306c852f0c

SHA256
87a340c6dc9b2e994fddc7edb764ab197ce3eb576c4456a89b9faddd5f28b0b4

SHA512
e9cc11eb5e5e7426f9b8109e73194fccf989bfba3c04b73b78094946e79c5c31f3bb85d75193bc370b192836932a6bd8fdda1f3b5ff7b027a911b9bd7612aebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\smss.exe
Filesize
49KB

MD5
c3ec94cb1c15fbfd213aa5d5854b8e3f

SHA1
65726604b29227377aadef41da87a7306c852f0c

SHA256
87a340c6dc9b2e994fddc7edb764ab197ce3eb576c4456a89b9faddd5f28b0b4

SHA512
e9cc11eb5e5e7426f9b8109e73194fccf989bfba3c04b73b78094946e79c5c31f3bb85d75193bc370b192836932a6bd8fdda1f3b5ff7b027a911b9bd7612aebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\smss.exe
Filesize
49KB

MD5
c3ec94cb1c15fbfd213aa5d5854b8e3f

SHA1
65726604b29227377aadef41da87a7306c852f0c

SHA256
87a340c6dc9b2e994fddc7edb764ab197ce3eb576c4456a89b9faddd5f28b0b4

SHA512
e9cc11eb5e5e7426f9b8109e73194fccf989bfba3c04b73b78094946e79c5c31f3bb85d75193bc370b192836932a6bd8fdda1f3b5ff7b027a911b9bd7612aebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\smss.exe
Filesize
49KB

MD5
c3ec94cb1c15fbfd213aa5d5854b8e3f

SHA1
65726604b29227377aadef41da87a7306c852f0c

SHA256
87a340c6dc9b2e994fddc7edb764ab197ce3eb576c4456a89b9faddd5f28b0b4

SHA512
e9cc11eb5e5e7426f9b8109e73194fccf989bfba3c04b73b78094946e79c5c31f3bb85d75193bc370b192836932a6bd8fdda1f3b5ff7b027a911b9bd7612aebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\smss.exe
Filesize
49KB

MD5
c3ec94cb1c15fbfd213aa5d5854b8e3f

SHA1
65726604b29227377aadef41da87a7306c852f0c

SHA256
87a340c6dc9b2e994fddc7edb764ab197ce3eb576c4456a89b9faddd5f28b0b4

SHA512
e9cc11eb5e5e7426f9b8109e73194fccf989bfba3c04b73b78094946e79c5c31f3bb85d75193bc370b192836932a6bd8fdda1f3b5ff7b027a911b9bd7612aebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\smss.exe
Filesize
49KB

MD5
c3ec94cb1c15fbfd213aa5d5854b8e3f

SHA1
65726604b29227377aadef41da87a7306c852f0c

SHA256
87a340c6dc9b2e994fddc7edb764ab197ce3eb576c4456a89b9faddd5f28b0b4

SHA512
e9cc11eb5e5e7426f9b8109e73194fccf989bfba3c04b73b78094946e79c5c31f3bb85d75193bc370b192836932a6bd8fdda1f3b5ff7b027a911b9bd7612aebf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smss.exe
Filesize
49KB

MD5
c3ec94cb1c15fbfd213aa5d5854b8e3f

SHA1
65726604b29227377aadef41da87a7306c852f0c

SHA256
87a340c6dc9b2e994fddc7edb764ab197ce3eb576c4456a89b9faddd5f28b0b4

SHA512
e9cc11eb5e5e7426f9b8109e73194fccf989bfba3c04b73b78094946e79c5c31f3bb85d75193bc370b192836932a6bd8fdda1f3b5ff7b027a911b9bd7612aebf

Download Submit
memory/644-23-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp

Filesize
9.6MB

Download
memory/644-25-0x0000000002040000-0x00000000020C0000-memory.dmp

Filesize
512KB

Download
memory/644-24-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp

Filesize
9.6MB

Download
memory/644-26-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp

Filesize
9.6MB

Download
memory/1052-29-0x00000000008C0000-0x0000000000940000-memory.dmp

Filesize
512KB

Download
memory/1052-31-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp

Filesize
9.6MB

Download
memory/1052-30-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp

Filesize
9.6MB

Download
memory/1052-28-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp

Filesize
9.6MB

Download
memory/1900-13-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp

Filesize
9.6MB

Download
memory/1900-3-0x0000000000A60000-0x0000000000AE0000-memory.dmp

Filesize
512KB

Download
memory/1900-4-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp

Filesize
9.6MB

Download
memory/1900-0-0x0000000000DA0000-0x0000000000DAA000-memory.dmp

Filesize
40KB

Download
memory/1900-2-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp

Filesize
9.6MB

Download
memory/1900-1-0x00000000003F0000-0x0000000000408000-memory.dmp

Filesize
96KB

Download
memory/2024-34-0x00000000007A0000-0x0000000000820000-memory.dmp

Filesize
512KB

Download
memory/2024-36-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp

Filesize
9.6MB

Download
memory/2024-35-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp

Filesize
9.6MB

Download
memory/2024-33-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp

Filesize
9.6MB

Download
memory/2660-38-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp

Filesize
9.6MB

Download
memory/2660-39-0x0000000002000000-0x0000000002080000-memory.dmp

Filesize
512KB

Download
memory/2660-40-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp

Filesize
9.6MB

Download
memory/2660-41-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp

Filesize
9.6MB

Download
memory/2844-18-0x0000000002040000-0x00000000020C0000-memory.dmp

Filesize
512KB

Download
memory/2844-10-0x0000000000950000-0x000000000095A000-memory.dmp

Filesize
40KB

Download
memory/2844-14-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp

Filesize
9.6MB

Download
memory/2844-19-0x0000000002040000-0x00000000020C0000-memory.dmp

Filesize
512KB

Download
memory/2844-11-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp

Filesize
9.6MB

Download
memory/2844-20-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp

Filesize
9.6MB

Download
memory/2844-21-0x0000000002040000-0x00000000020C0000-memory.dmp

Filesize
512KB

Download
memory/2844-12-0x0000000002040000-0x00000000020C0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads