njrat | cdce61baa490186d1ce2074803f0a8eccd235204ea2e2d0cf238ac3e776815d5

General

Target

4fe09d3b83d90cfd1706b7e5b80f74fd.exe
Size

1.3MB
MD5

4fe09d3b83d90cfd1706b7e5b80f74fd
SHA1

a3fca1c3ff02c5b2b62774df7214efe0df600495
SHA256

cdce61baa490186d1ce2074803f0a8eccd235204ea2e2d0cf238ac3e776815d5
SHA512

f1ea705f133fe5234c172907fcb74864f123bf8d3ec6ca292c9de0da5808d88e736a55b3dabe60c40f9aed8796ce10f58fe2bab39d7b9dc905c0737790a445b0
SSDEEP

24576:COAOIk1U/U9ESiWy9EFFTZdXTZdHXTZdXTZnvR1BgkuC9WxrMhrJrEbeyN4ReNw1:SNGU+iSTZdXTZdHXTZdXTZnvRBX06rW4

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

4.tcp.ngrok.io:14914

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

1008 netsh.exe
Executes dropped EXE 3 IoCs

Processes:

Filename.exeFilename.exeTempwinlogon.exe

pid process

2860 Filename.exe
2540 Filename.exe
2744 Tempwinlogon.exe
Loads dropped DLL 3 IoCs

Processes:

4fe09d3b83d90cfd1706b7e5b80f74fd.execscript.exe

pid process

2480 4fe09d3b83d90cfd1706b7e5b80f74fd.exe
1360 cscript.exe
1360 cscript.exe

pid	process
1008	netsh.exe

pid	process
2860	Filename.exe
2540	Filename.exe
2744	Tempwinlogon.exe

pid	process
2480	4fe09d3b83d90cfd1706b7e5b80f74fd.exe
1360	cscript.exe
1360	cscript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

4fe09d3b83d90cfd1706b7e5b80f74fd.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Filename.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Filename.exe"	4fe09d3b83d90cfd1706b7e5b80f74fd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

Filename.exe

description pid process target process

PID 2860 set thread context of 2540 2860 Filename.exe Filename.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2860 set thread context of 2540	2860	Filename.exe	Filename.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

Tempwinlogon.exe

description	pid	process
Token: SeDebugPrivilege	2744	Tempwinlogon.exe
Token: 33	2744	Tempwinlogon.exe
Token: SeIncBasePriorityPrivilege	2744	Tempwinlogon.exe
Token: 33	2744	Tempwinlogon.exe
Token: SeIncBasePriorityPrivilege	2744	Tempwinlogon.exe
Token: 33	2744	Tempwinlogon.exe
Token: SeIncBasePriorityPrivilege	2744	Tempwinlogon.exe
Token: 33	2744	Tempwinlogon.exe
Token: SeIncBasePriorityPrivilege	2744	Tempwinlogon.exe
Token: 33	2744	Tempwinlogon.exe
Token: SeIncBasePriorityPrivilege	2744	Tempwinlogon.exe
Token: 33	2744	Tempwinlogon.exe
Token: SeIncBasePriorityPrivilege	2744	Tempwinlogon.exe
Token: 33	2744	Tempwinlogon.exe
Token: SeIncBasePriorityPrivilege	2744	Tempwinlogon.exe
Token: 33	2744	Tempwinlogon.exe
Token: SeIncBasePriorityPrivilege	2744	Tempwinlogon.exe
Token: 33	2744	Tempwinlogon.exe
Token: SeIncBasePriorityPrivilege	2744	Tempwinlogon.exe
Token: 33	2744	Tempwinlogon.exe
Token: SeIncBasePriorityPrivilege	2744	Tempwinlogon.exe
Token: 33	2744	Tempwinlogon.exe
Token: SeIncBasePriorityPrivilege	2744	Tempwinlogon.exe
Token: 33	2744	Tempwinlogon.exe
Token: SeIncBasePriorityPrivilege	2744	Tempwinlogon.exe
Token: 33	2744	Tempwinlogon.exe
Token: SeIncBasePriorityPrivilege	2744	Tempwinlogon.exe
Token: 33	2744	Tempwinlogon.exe
Token: SeIncBasePriorityPrivilege	2744	Tempwinlogon.exe
Token: 33	2744	Tempwinlogon.exe
Token: SeIncBasePriorityPrivilege	2744	Tempwinlogon.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

DllHost.exe

pid process

2780 DllHost.exe
2780 DllHost.exe

pid	process
2780	DllHost.exe
2780	DllHost.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

4fe09d3b83d90cfd1706b7e5b80f74fd.exeFilename.exeFilename.execscript.exeTempwinlogon.exe

description	pid	process	target process
PID 2480 wrote to memory of 2860	2480	4fe09d3b83d90cfd1706b7e5b80f74fd.exe	Filename.exe
PID 2480 wrote to memory of 2860	2480	4fe09d3b83d90cfd1706b7e5b80f74fd.exe	Filename.exe
PID 2480 wrote to memory of 2860	2480	4fe09d3b83d90cfd1706b7e5b80f74fd.exe	Filename.exe
PID 2480 wrote to memory of 2860	2480	4fe09d3b83d90cfd1706b7e5b80f74fd.exe	Filename.exe
PID 2860 wrote to memory of 2540	2860	Filename.exe	Filename.exe
PID 2860 wrote to memory of 2540	2860	Filename.exe	Filename.exe
PID 2860 wrote to memory of 2540	2860	Filename.exe	Filename.exe
PID 2860 wrote to memory of 2540	2860	Filename.exe	Filename.exe
PID 2860 wrote to memory of 2540	2860	Filename.exe	Filename.exe
PID 2860 wrote to memory of 2540	2860	Filename.exe	Filename.exe
PID 2860 wrote to memory of 2540	2860	Filename.exe	Filename.exe
PID 2860 wrote to memory of 2540	2860	Filename.exe	Filename.exe
PID 2860 wrote to memory of 2540	2860	Filename.exe	Filename.exe
PID 2860 wrote to memory of 2540	2860	Filename.exe	Filename.exe
PID 2860 wrote to memory of 2540	2860	Filename.exe	Filename.exe
PID 2540 wrote to memory of 1360	2540	Filename.exe	cscript.exe
PID 2540 wrote to memory of 1360	2540	Filename.exe	cscript.exe
PID 2540 wrote to memory of 1360	2540	Filename.exe	cscript.exe
PID 2540 wrote to memory of 1360	2540	Filename.exe	cscript.exe
PID 1360 wrote to memory of 2744	1360	cscript.exe	Tempwinlogon.exe
PID 1360 wrote to memory of 2744	1360	cscript.exe	Tempwinlogon.exe
PID 1360 wrote to memory of 2744	1360	cscript.exe	Tempwinlogon.exe
PID 1360 wrote to memory of 2744	1360	cscript.exe	Tempwinlogon.exe
PID 2744 wrote to memory of 1008	2744	Tempwinlogon.exe	netsh.exe
PID 2744 wrote to memory of 1008	2744	Tempwinlogon.exe	netsh.exe
PID 2744 wrote to memory of 1008	2744	Tempwinlogon.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\4fe09d3b83d90cfd1706b7e5b80f74fd.exe
"C:\Users\Admin\AppData\Local\Temp\4fe09d3b83d90cfd1706b7e5b80f74fd.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2480

C:\Users\Admin\AppData\Roaming\Filename.exe
"C:\Users\Admin\AppData\Roaming\Filename.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2860

C:\Users\Admin\AppData\Roaming\Filename.exe
"C:\Users\Admin\AppData\Roaming\Filename.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2780

C:\Windows\SysWOW64\cscript.exe
"cscript" C:\Users\Admin\AppData\Local\Temp\C4E5.tmp\aaa11.vbs
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1360

C:\Users\Admin\AppData\Local\Tempwinlogon.exe
"C:\Users\Admin\AppData\Local\Tempwinlogon.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\system32\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Tempwinlogon.exe" "Tempwinlogon.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:1008

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C4E5.tmp\aaa11.vbs
Filesize
330KB

MD5
c8530e395fcf8f1ecccea8555eb7452e

SHA1
1d0fc009719c443c2db443e44cc3e4abc2d09d03

SHA256
fa25dcba663a4ad02b7f714152389ca9bca64147551bd1b197ee13458d6637a3

SHA512
faa3f7223a46ad68221c9c629f4989f59a60a329d5bc49c36ee4fe05b543938a708876095461c4846867f6fe6420cabacba07fbc76b4e3e6e18c311c9221ea82

Download Submit
C:\Users\Admin\AppData\Local\Temp\immm.ico
Filesize
176KB

MD5
67a7745591d9d9c90af69def2c81ad5e

SHA1
68757e280b4b52d16e7a68a67f115883f7c1b713

SHA256
1918ddb5d19767c97696962afb3192f6b0dd8e2dc77fcfc5b757cc020a5e8217

SHA512
e66f272f6aa03a471842ec0a4d14e5e2255e1a905dcecf450e81d02d88efd2e1bb057f0ab3812fcb40c0f8b0c7f58450053258e6d74571dc390e8bb59a71d3ab

Download Submit
C:\Users\Admin\AppData\Local\Tempwinlogon.exe
Filesize
49KB

MD5
8159f926da32cc679b52b820ba3b370f

SHA1
52cba406b745ad35026cf8acd5526a24739ff696

SHA256
37420b39cdb28a05caa265a2df858ee994c68816478dcab5fb22bef234907ba6

SHA512
05cc5bfa164b392e5e07817af31df2023bd53d2423bee1cf0671f18b4a4c991d30f80f5fbfa5a28b9c06c9df2f958493303a7be733ffe4d247f27fe25ac5917e

Download Submit
C:\Users\Admin\AppData\Local\Tempwinlogon.exe
Filesize
37KB

MD5
262f6c529b6b76044b4b98e7a8a9ddae

SHA1
99a04bef9bccd49a6f280eec8f9397058d059c4b

SHA256
713eb8600336cc25a7efdbb7ce73d379b5d5f8d33ed475f0fe0d0470dceb978e

SHA512
6ba569e7622ee3dde802d8b5cc061c45836485beb9b51b349de27294c4f74e900e785380a21eb94b56f004fbe25c15622b43eadd7b88774413a150399fbd225f

Download Submit
C:\Users\Admin\AppData\Local\Tempwinlogon.exe
Filesize
60KB

MD5
28da331bcc74c6bf3fef61a4b0082b5f

SHA1
648c5e8c4299ad0be01af2941dbc3ccf93534a08

SHA256
6188d251eae945f41be9d0976abb2175acb706933f7a18d3b9bb97f1b6f55124

SHA512
4783fb4204118dc8245d4c4bdc18c5970d477c0766ccb003f1dd124142125774203536dc960f0d5fd4d18b94e966a35ec20fd2a76a1371e8ed4a097aa0899a0b

Download Submit
C:\Users\Admin\AppData\Roaming\Filename.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Roaming\Filename.exe
Filesize
1.3MB

MD5
4fe09d3b83d90cfd1706b7e5b80f74fd

SHA1
a3fca1c3ff02c5b2b62774df7214efe0df600495

SHA256
cdce61baa490186d1ce2074803f0a8eccd235204ea2e2d0cf238ac3e776815d5

SHA512
f1ea705f133fe5234c172907fcb74864f123bf8d3ec6ca292c9de0da5808d88e736a55b3dabe60c40f9aed8796ce10f58fe2bab39d7b9dc905c0737790a445b0

Download Submit
memory/2480-1-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2480-3-0x0000000005500000-0x0000000005502000-memory.dmp

Filesize
8KB

Download
memory/2480-14-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2480-0-0x0000000000400000-0x0000000000560000-memory.dmp

Filesize
1.4MB

Download
memory/2540-37-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2540-24-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2540-21-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2540-34-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2540-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2540-52-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2540-40-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2540-23-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2540-28-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2540-30-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2540-26-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2744-53-0x000007FEF5B00000-0x000007FEF649D000-memory.dmp

Filesize
9.6MB

Download
memory/2744-58-0x0000000001F90000-0x0000000002010000-memory.dmp

Filesize
512KB

Download
memory/2744-57-0x000007FEF5B00000-0x000007FEF649D000-memory.dmp

Filesize
9.6MB

Download
memory/2744-55-0x000007FEF5B00000-0x000007FEF649D000-memory.dmp

Filesize
9.6MB

Download
memory/2744-54-0x0000000001F90000-0x0000000002010000-memory.dmp

Filesize
512KB

Download
memory/2780-4-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/2780-5-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2780-56-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2860-38-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2860-19-0x0000000004AB0000-0x0000000004AF0000-memory.dmp

Filesize
256KB

Download
memory/2860-13-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2860-20-0x00000000044C0000-0x00000000044D8000-memory.dmp

Filesize
96KB

Download
memory/2860-17-0x00000000051B0000-0x00000000051B2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads