njrat | 0b772f76147e7b238d14de0355cef5e90726574f9fa313675f687a7c4913d222

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12-01-2024 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b772f76147e7b238d14de0355cef5e90726574f9fa313675f687a7c4913d222.exe
Size

93KB
MD5

fcf64d897dc4dd3e3e49f23236a90f78
SHA1

3ed20b44d33fbd84c3daa329d8a711841100fcc6
SHA256

0b772f76147e7b238d14de0355cef5e90726574f9fa313675f687a7c4913d222
SHA512

000c7112fff71f40b6e336e4c9d538a621f355d48103d5463727845b26db9324e773952ea5b68afa84cc52032a1b05303906939a21e27ae767c98e8603ddcb37
SSDEEP

768:oY305yD9O/pBcxYsbae6GIXb9pDX2t98PL0OXLeuXxrjEtCdnl2pi1Rz4Rk3vsGO:k5IOx6baIa9RZj00ljEwzGi1dDbD4gS

Score

10^/10

njrat hacked evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

hakim32.ddns.net:2000

4.tcp.eu.ngrok.io:15904

Mutex

0898e831b8671183b1f71cc16112d0b9

Attributes

reg_key
0898e831b8671183b1f71cc16112d0b9
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
1644	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	0b772f76147e7b238d14de0355cef5e90726574f9fa313675f687a7c4913d222.exe

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0898e831b8671183b1f71cc16112d0b9Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0898e831b8671183b1f71cc16112d0b9Windows Update.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe

Executes dropped EXE 4 IoCs

pid	Process
4012	server.exe
3428	StUpdate.exe
3224	StUpdate.exe
3948	StUpdate.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2148	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe
4012	server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4012	server.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	4012	server.exe
Token: 33	4012	server.exe
Token: SeIncBasePriorityPrivilege	4012	server.exe
Token: 33	4012	server.exe
Token: SeIncBasePriorityPrivilege	4012	server.exe
Token: 33	4012	server.exe
Token: SeIncBasePriorityPrivilege	4012	server.exe
Token: 33	4012	server.exe
Token: SeIncBasePriorityPrivilege	4012	server.exe
Token: 33	4012	server.exe
Token: SeIncBasePriorityPrivilege	4012	server.exe
Token: 33	4012	server.exe
Token: SeIncBasePriorityPrivilege	4012	server.exe
Token: 33	4012	server.exe
Token: SeIncBasePriorityPrivilege	4012	server.exe
Token: 33	4012	server.exe
Token: SeIncBasePriorityPrivilege	4012	server.exe
Token: 33	4012	server.exe
Token: SeIncBasePriorityPrivilege	4012	server.exe
Token: 33	4012	server.exe
Token: SeIncBasePriorityPrivilege	4012	server.exe
Token: 33	4012	server.exe
Token: SeIncBasePriorityPrivilege	4012	server.exe
Token: 33	4012	server.exe
Token: SeIncBasePriorityPrivilege	4012	server.exe
Token: 33	4012	server.exe
Token: SeIncBasePriorityPrivilege	4012	server.exe
Token: 33	4012	server.exe
Token: SeIncBasePriorityPrivilege	4012	server.exe
Token: 33	4012	server.exe
Token: SeIncBasePriorityPrivilege	4012	server.exe
Token: 33	4012	server.exe
Token: SeIncBasePriorityPrivilege	4012	server.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 4012	1076	0b772f76147e7b238d14de0355cef5e90726574f9fa313675f687a7c4913d222.exe	90
PID 1076 wrote to memory of 4012	1076	0b772f76147e7b238d14de0355cef5e90726574f9fa313675f687a7c4913d222.exe	90
PID 1076 wrote to memory of 4012	1076	0b772f76147e7b238d14de0355cef5e90726574f9fa313675f687a7c4913d222.exe	90
PID 4012 wrote to memory of 1644	4012	server.exe	91
PID 4012 wrote to memory of 1644	4012	server.exe	91
PID 4012 wrote to memory of 1644	4012	server.exe	91
PID 4012 wrote to memory of 2148	4012	server.exe	100
PID 4012 wrote to memory of 2148	4012	server.exe	100
PID 4012 wrote to memory of 2148	4012	server.exe	100

C:\Users\Admin\AppData\Local\Temp\0b772f76147e7b238d14de0355cef5e90726574f9fa313675f687a7c4913d222.exe
"C:\Users\Admin\AppData\Local\Temp\0b772f76147e7b238d14de0355cef5e90726574f9fa313675f687a7c4913d222.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Users\Admin\AppData\Local\Temp\server.exe
  "C:\Users\Admin\AppData\Local\Temp\server.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4012
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:1644
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn StUpdate /tr C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
    3⤵
    - Creates scheduled task(s)
    PID:2148

C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
1⤵
- Executes dropped EXE
PID:3428

C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
1⤵
- Executes dropped EXE
PID:3224

C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
1⤵
- Executes dropped EXE
PID:3948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\StUpdate.exe.log

Filesize
408B

MD5
661cab77d3b907e8057f2e689e995af3

SHA1
5d1a0ee9c5ee7a7a90d56d00c10dc0e679bee01c

SHA256
8f27f95ad7c09f2e05d7960e78ef8cd935c1262e9657883a75d70dcb877592d2

SHA512
2523b316bd79fed0e9b3d73f46959f3dfe270cf950f34bd9d49fe4113a2ae46d0cd00224d848bc40c0d8c55449e2dccc4b4278ba4809c0ca9ede1ac75673fc67

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
93KB

MD5
fcf64d897dc4dd3e3e49f23236a90f78

SHA1
3ed20b44d33fbd84c3daa329d8a711841100fcc6

SHA256
0b772f76147e7b238d14de0355cef5e90726574f9fa313675f687a7c4913d222

SHA512
000c7112fff71f40b6e336e4c9d538a621f355d48103d5463727845b26db9324e773952ea5b68afa84cc52032a1b05303906939a21e27ae767c98e8603ddcb37

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
57KB

MD5
6a7d594cff122d9e0fcba8e8f67a92fa

SHA1
a06a7e1175691b387d2288441eb4579c33784edc

SHA256
af76cc11f6a84722005cb49a76e6d16598033d6a3f28bf5b434f71163d881837

SHA512
ff24b238c1cba7aa85c9a86b3f2bf275fb3e77de090f4aec81ff41e48720be20b2d4b94653e70f41d6e6ab8c46345eb97a83727cd2569f247023468911c1cb6a

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
5B

MD5
311d687faffaed10f44ea27c024986b6

SHA1
eece910ea8cb7aed467e2e7700f7c223d3fbbc9e

SHA256
608547d80bf0e4b3d9cfffd324702b4aa38db2f0bfb3db4bd517b556fdf4de2b

SHA512
296d2cbbbf39917b174682a73e571a98130b2fe1c2dcb7c84adbd185a0b3a81384ad556e3a88cdeaa01fbd5cb486c58c1e1dff22f77cd3e9df7315b93355272b

Download Submit
memory/1076-13-0x0000000074DA0000-0x0000000075351000-memory.dmp

Filesize
5.7MB

Download
memory/1076-0-0x0000000074DA0000-0x0000000075351000-memory.dmp

Filesize
5.7MB

Download
memory/1076-2-0x0000000001730000-0x0000000001740000-memory.dmp

Filesize
64KB

Download
memory/1076-1-0x0000000074DA0000-0x0000000075351000-memory.dmp

Filesize
5.7MB

Download
memory/3224-51-0x0000000001530000-0x0000000001540000-memory.dmp

Filesize
64KB

Download
memory/3224-54-0x0000000074DA0000-0x0000000075351000-memory.dmp

Filesize
5.7MB

Download
memory/3224-50-0x0000000074DA0000-0x0000000075351000-memory.dmp

Filesize
5.7MB

Download
memory/3428-43-0x0000000074DA0000-0x0000000075351000-memory.dmp

Filesize
5.7MB

Download
memory/3428-47-0x0000000074DA0000-0x0000000075351000-memory.dmp

Filesize
5.7MB

Download
memory/3948-60-0x0000000074DA0000-0x0000000075351000-memory.dmp

Filesize
5.7MB

Download
memory/3948-57-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/3948-56-0x0000000074DA0000-0x0000000075351000-memory.dmp

Filesize
5.7MB

Download
memory/4012-15-0x0000000000DC0000-0x0000000000DD0000-memory.dmp

Filesize
64KB

Download
memory/4012-39-0x0000000074DA0000-0x0000000075351000-memory.dmp

Filesize
5.7MB

Download
memory/4012-40-0x0000000000DC0000-0x0000000000DD0000-memory.dmp

Filesize
64KB

Download
memory/4012-16-0x0000000074DA0000-0x0000000075351000-memory.dmp

Filesize
5.7MB

Download
memory/4012-14-0x0000000074DA0000-0x0000000075351000-memory.dmp

Filesize
5.7MB

Download