njrat | 95552ba8792c194f1440f23ab9217b0b9d70105acea152e2b1244a5e22236092

General

Target

d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe
Size

31KB
MD5

a5ad2d1796744144d739569bb466b307
SHA1

42de0164c8cbd9b6c64100de720d2e0c49ebcb77
SHA256

d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9
SHA512

45fa09478a871a75f4650a56529632bfddf93990819c6d5212753325305a7946c631076897b13e62297136ae26db064fef701dea23453ea504b4c2517d5e74b9
SSDEEP

384:c8LBBi/W/7mgEp87wYK2GePqZhbM2AQk93vmhm7UMKmIEecKdbXTzm9bVhcaO6fd:5W/sqoHT2A/vMHTi9bD/Qz1n

Score

10^/10

njrat hacked persistence trojan

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

HacKed

C2

172.20.6.206:1992

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Drops startup file 4 IoCs

Processes:

Payload.exed5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	Payload.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	Payload.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	Payload.exe

Executes dropped EXE 1 IoCs

Processes:

Payload.exe

pid process

2228 Payload.exe
Loads dropped DLL 1 IoCs

Processes:

d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe

pid process

2188 d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe

pid	process
2228	Payload.exe

pid	process
2188	d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exePayload.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe"	d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

Payload.exe

description	pid	process
Token: SeDebugPrivilege	2228	Payload.exe
Token: 33	2228	Payload.exe
Token: SeIncBasePriorityPrivilege	2228	Payload.exe
Token: 33	2228	Payload.exe
Token: SeIncBasePriorityPrivilege	2228	Payload.exe
Token: 33	2228	Payload.exe
Token: SeIncBasePriorityPrivilege	2228	Payload.exe
Token: 33	2228	Payload.exe
Token: SeIncBasePriorityPrivilege	2228	Payload.exe
Token: 33	2228	Payload.exe
Token: SeIncBasePriorityPrivilege	2228	Payload.exe
Token: 33	2228	Payload.exe
Token: SeIncBasePriorityPrivilege	2228	Payload.exe
Token: 33	2228	Payload.exe
Token: SeIncBasePriorityPrivilege	2228	Payload.exe
Token: 33	2228	Payload.exe
Token: SeIncBasePriorityPrivilege	2228	Payload.exe
Token: 33	2228	Payload.exe
Token: SeIncBasePriorityPrivilege	2228	Payload.exe
Token: 33	2228	Payload.exe
Token: SeIncBasePriorityPrivilege	2228	Payload.exe
Token: 33	2228	Payload.exe
Token: SeIncBasePriorityPrivilege	2228	Payload.exe
Token: 33	2228	Payload.exe
Token: SeIncBasePriorityPrivilege	2228	Payload.exe
Token: 33	2228	Payload.exe
Token: SeIncBasePriorityPrivilege	2228	Payload.exe
Token: 33	2228	Payload.exe
Token: SeIncBasePriorityPrivilege	2228	Payload.exe
Token: 33	2228	Payload.exe
Token: SeIncBasePriorityPrivilege	2228	Payload.exe
Token: 33	2228	Payload.exe
Token: SeIncBasePriorityPrivilege	2228	Payload.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe

description	pid	process	target process
PID 2188 wrote to memory of 2228	2188	d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe	Payload.exe
PID 2188 wrote to memory of 2228	2188	d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe	Payload.exe
PID 2188 wrote to memory of 2228	2188	d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe	Payload.exe
PID 2188 wrote to memory of 2228	2188	d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe	Payload.exe
PID 2188 wrote to memory of 2608	2188	d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe	attrib.exe
PID 2188 wrote to memory of 2608	2188	d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe	attrib.exe
PID 2188 wrote to memory of 2608	2188	d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe	attrib.exe
PID 2188 wrote to memory of 2608	2188	d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

2608 attrib.exe

pid	process
2608	attrib.exe

C:\Users\Admin\AppData\Local\Temp\d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe
"C:\Users\Admin\AppData\Local\Temp\d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2188

C:\Users\Admin\AppData\Local\Temp\Payload.exe
"C:\Users\Admin\AppData\Local\Temp\Payload.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2228

C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
2⤵
- Views/modifies file attributes
PID:2608

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
Filesize
1KB

MD5
f4e40421ef81fff202bc13d23b23251f

SHA1
9580f4ebc8b60c5d46d020d032dbf367713146fc

SHA256
e7991afc8baa72841f167dcc3993be11728dd836b8369d486fff15c4e078a1f4

SHA512
d1459703a069c253928289041a18e01c3c6f81d4a8de67bc63a5b8340d9445dfd78526b58437dd32d20bbe3004d28a3a9a80e47ec8a0b76e53dae3374c160e39

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
Filesize
1022B

MD5
59d5232c2a00dcc940ea35411b43c6a2

SHA1
52bfad2c2962ccbf083ace11d9e39643ae9be0d2

SHA256
5b95a59834a5a5aa03c56e52f623784cd77051f44503e98b6d67022fe8afe3d5

SHA512
4d7747c9295a9e61fa94ba42b9461cc192db7afe2d9a2069bdde8b491846decd61ba1cd42260998605eeb8e6938f506707b17f7f588e043a637624759ceefc38

Download Submit
\Users\Admin\AppData\Local\Temp\Payload.exe
Filesize
31KB

MD5
a5ad2d1796744144d739569bb466b307

SHA1
42de0164c8cbd9b6c64100de720d2e0c49ebcb77

SHA256
d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9

SHA512
45fa09478a871a75f4650a56529632bfddf93990819c6d5212753325305a7946c631076897b13e62297136ae26db064fef701dea23453ea504b4c2517d5e74b9

Download Submit
memory/2188-0-0x00000000744D0000-0x0000000074A7B000-memory.dmp

Filesize
5.7MB

Download
memory/2188-1-0x0000000000520000-0x0000000000560000-memory.dmp

Filesize
256KB

Download
memory/2188-2-0x00000000744D0000-0x0000000074A7B000-memory.dmp

Filesize
5.7MB

Download
memory/2188-12-0x00000000744D0000-0x0000000074A7B000-memory.dmp

Filesize
5.7MB

Download
memory/2228-14-0x0000000000B80000-0x0000000000BC0000-memory.dmp

Filesize
256KB

Download
memory/2228-13-0x00000000744D0000-0x0000000074A7B000-memory.dmp

Filesize
5.7MB

Download
memory/2228-20-0x00000000744D0000-0x0000000074A7B000-memory.dmp

Filesize
5.7MB

Download
memory/2228-21-0x0000000000B80000-0x0000000000BC0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads