njrat | 4a74ba5be8f473d9dc09e9981524cff15967ea57db52348ccaffa29ffc301ca0

General

Target

KMSpico 11 FINAL (Office and Windows 10+8+7 Activator)/kms.exe
Size

3.9MB
MD5

0195356c4e2cdb1a5cb126393c4c5b91
SHA1

b1cf7eef95ecca52743f4f343c50fc695dc8d727
SHA256

f02c8a3de425dff5150def46766e249f7886ed507c2f78a0f8c01ca23ee8a33d
SHA512

bbcc8f89be3111eaf1db0b1db3b9ebbd9254fbce3ab0694eef003b380138640d520a2bc1a7d7e741db15de55a7e67ba1e9a545d31c509e742545e954a4adb8a3
SSDEEP

98304:qHmoZt7u59aVbR8tZgcj+/XRmVKyyAtk47ew6:qH3t6gk4cj+PROKDAtZaw6

Score

10^/10

njrat discovery evasion persistence privilege_escalation trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2512	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5a712307fa1e2cbcc5e79fcd80d9f09d.exe	systm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5a712307fa1e2cbcc5e79fcd80d9f09d.exe	systm.exe

Executes dropped EXE 4 IoCs

pid	Process
2608	net.exe
2728	KMSpico_setup.exe
2572	KMSpico_setup.tmp
2604	systm.exe

Loads dropped DLL 4 IoCs

pid	Process
2728	KMSpico_setup.exe
2572	KMSpico_setup.tmp
2572	KMSpico_setup.tmp
2608	net.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\5a712307fa1e2cbcc5e79fcd80d9f09d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\systm.exe\" .."	systm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\5a712307fa1e2cbcc5e79fcd80d9f09d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\systm.exe\" .."	systm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KMSpico_setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KMSpico_setup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systm.exe

Runs net.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2572	KMSpico_setup.tmp

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	2604	systm.exe
Token: 33	2604	systm.exe
Token: SeIncBasePriorityPrivilege	2604	systm.exe
Token: 33	2604	systm.exe
Token: SeIncBasePriorityPrivilege	2604	systm.exe
Token: 33	2604	systm.exe
Token: SeIncBasePriorityPrivilege	2604	systm.exe
Token: 33	2604	systm.exe
Token: SeIncBasePriorityPrivilege	2604	systm.exe
Token: 33	2604	systm.exe
Token: SeIncBasePriorityPrivilege	2604	systm.exe
Token: 33	2604	systm.exe
Token: SeIncBasePriorityPrivilege	2604	systm.exe
Token: 33	2604	systm.exe
Token: SeIncBasePriorityPrivilege	2604	systm.exe
Token: 33	2604	systm.exe
Token: SeIncBasePriorityPrivilege	2604	systm.exe
Token: 33	2604	systm.exe
Token: SeIncBasePriorityPrivilege	2604	systm.exe
Token: 33	2604	systm.exe
Token: SeIncBasePriorityPrivilege	2604	systm.exe
Token: 33	2604	systm.exe
Token: SeIncBasePriorityPrivilege	2604	systm.exe
Token: 33	2604	systm.exe
Token: SeIncBasePriorityPrivilege	2604	systm.exe
Token: 33	2604	systm.exe
Token: SeIncBasePriorityPrivilege	2604	systm.exe
Token: 33	2604	systm.exe
Token: SeIncBasePriorityPrivilege	2604	systm.exe
Token: 33	2604	systm.exe
Token: SeIncBasePriorityPrivilege	2604	systm.exe
Token: 33	2604	systm.exe
Token: SeIncBasePriorityPrivilege	2604	systm.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 2608	2992	kms.exe	30
PID 2992 wrote to memory of 2608	2992	kms.exe	30
PID 2992 wrote to memory of 2608	2992	kms.exe	30
PID 2992 wrote to memory of 2608	2992	kms.exe	30
PID 2992 wrote to memory of 2728	2992	kms.exe	31
PID 2992 wrote to memory of 2728	2992	kms.exe	31
PID 2992 wrote to memory of 2728	2992	kms.exe	31
PID 2992 wrote to memory of 2728	2992	kms.exe	31
PID 2992 wrote to memory of 2728	2992	kms.exe	31
PID 2992 wrote to memory of 2728	2992	kms.exe	31
PID 2992 wrote to memory of 2728	2992	kms.exe	31
PID 2728 wrote to memory of 2572	2728	KMSpico_setup.exe	32
PID 2728 wrote to memory of 2572	2728	KMSpico_setup.exe	32
PID 2728 wrote to memory of 2572	2728	KMSpico_setup.exe	32
PID 2728 wrote to memory of 2572	2728	KMSpico_setup.exe	32
PID 2728 wrote to memory of 2572	2728	KMSpico_setup.exe	32
PID 2728 wrote to memory of 2572	2728	KMSpico_setup.exe	32
PID 2728 wrote to memory of 2572	2728	KMSpico_setup.exe	32
PID 2608 wrote to memory of 2604	2608	net.exe	33
PID 2608 wrote to memory of 2604	2608	net.exe	33
PID 2608 wrote to memory of 2604	2608	net.exe	33
PID 2608 wrote to memory of 2604	2608	net.exe	33
PID 2604 wrote to memory of 2512	2604	systm.exe	34
PID 2604 wrote to memory of 2512	2604	systm.exe	34
PID 2604 wrote to memory of 2512	2604	systm.exe	34
PID 2604 wrote to memory of 2512	2604	systm.exe	34

C:\Users\Admin\AppData\Local\Temp\KMSpico 11 FINAL (Office and Windows 10+8+7 Activator)\kms.exe
"C:\Users\Admin\AppData\Local\Temp\KMSpico 11 FINAL (Office and Windows 10+8+7 Activator)\kms.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Users\Admin\AppData\Local\Temp\net.exe
  C:\Users\Admin\AppData\Local\Temp/net.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Users\Admin\AppData\Local\Temp\systm.exe
    "C:\Users\Admin\AppData\Local\Temp\systm.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\systm.exe" "systm.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2512
- C:\Users\Admin\AppData\Local\Temp\KMSpico_setup.exe
  C:\Users\Admin\AppData\Local\Temp/KMSpico_setup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Users\Admin\AppData\Local\Temp\is-RDGMJ.tmp\KMSpico_setup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-RDGMJ.tmp\KMSpico_setup.tmp" /SL5="$500DE,2701238,69120,C:\Users\Admin\AppData\Local\Temp\KMSpico_setup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\KMSpico_setup.exe

Filesize
2.9MB

MD5
72c8d3f5fc03bb442ac2969f4ac2f179

SHA1
bcb8b8ddfde2bdb1acb45c56e069e579d67bf5a0

SHA256
c66ee4b9a02da2bd08981127dbb037f7b92b59530c2302e7a92f666a82db943b

SHA512
9ef3e613bdd144252ba5e833fd6ed82f67a608ca931c7622853cd67c149c5a523e78f33d3602096fbc32a245a159e901fe0b69cc7a19d22125bb660d754a51cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\net.exe

Filesize
140KB

MD5
415814301d84497dae61ca378c0be4b3

SHA1
d9fe25e717ccba8b6cd35558458f63d45bac94f3

SHA256
ae8f9e29b20b071c0d1e73819f103efc20574316dae46c664973e0570f8e54a9

SHA512
d8cd6568d4274a4fa02e7ee1bf0d2a87761c8fefe467332bcc8e0b33e95c95c78f65a0d5bf40b60f90456c3aec579c33260f48201e5a8749b5de43f487681268

Download Submit
\Users\Admin\AppData\Local\Temp\is-7EA9P.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-RDGMJ.tmp\KMSpico_setup.tmp

Filesize
703KB

MD5
1778c1f66ff205875a6435a33229ab3c

SHA1
5b6189159b16c6f85feed66834af3e06c0277a19

SHA256
95c06acac4fe4598840e5556f9613d43aa1039c52dac64536f59e45a70f79da6

SHA512
8844de1296ce707e3c5c71823f5118f8f2e50287ace3a2ee1ec0b69df0ec48ebcf5b755db669d2cd869d345fb06a9c07b36e98eda8c32a9b26b8fe22bdc105a0

Download Submit
memory/2572-35-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2572-49-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2572-46-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2608-34-0x0000000074FB0000-0x000000007555B000-memory.dmp

Filesize
5.7MB

Download
memory/2608-36-0x0000000074FB2000-0x0000000074FB4000-memory.dmp

Filesize
8KB

Download
memory/2608-23-0x0000000074FB1000-0x0000000074FB2000-memory.dmp

Filesize
4KB

Download
memory/2608-44-0x0000000074FB0000-0x000000007555B000-memory.dmp

Filesize
5.7MB

Download
memory/2728-45-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2728-18-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2728-21-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads