njrat | 29a2f380dca14716c3e3c53da12df3d0b1fb5c3efd0d2b711d3de523a7273836

General

Target

29a2f380dca14716c3e3c53da12df3d0b1fb5c3efd0d2b711d3de523a7273836.vbs
Size

4.4MB
MD5

afaefcfba4a6f5052383156ce7f88efd
SHA1

ac99a4ba88364136174b70b226881297144de96e
SHA256

29a2f380dca14716c3e3c53da12df3d0b1fb5c3efd0d2b711d3de523a7273836
SHA512

4fdb773189b885e11ce669b711c04777d8b29ab4a409e2a470fb13b37404eba02b8a9d55aada3a6c64df421d0ec0d7288acc4727055274945d17483cd5710e73
SSDEEP

24576:lemjem3emOemsemyemDemTemHemnemmem2em+emTemXemBem6emFemWemRemiemH:i

Score

10^/10

njrat hacked discovery execution trojan

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://rentry.co/m7ebw9yf/raw

Extracted

Family

njrat

Version

v2.0

Botnet

HacKed

C2

ole.cloudns.ph:5439

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Blocklisted process makes network request 3 IoCs

flow	pid	Process
27	5104	WScript.exe
29	5104	WScript.exe
33	4464	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
5104	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	RegSvcs.exe

Executes dropped EXE 2 IoCs

pid	Process
3776	RegSvcs.exe
1852	RegSvcs.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4464 set thread context of 3776	4464	powershell.exe	99
PID 4464 set thread context of 1852	4464	powershell.exe	100

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4464	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
4464	powershell.exe
4464	powershell.exe
4464	powershell.exe
4464	powershell.exe
4464	powershell.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	4464	powershell.exe
Token: SeDebugPrivilege	3776	RegSvcs.exe
Token: 33	3776	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3776	RegSvcs.exe
Token: 33	3776	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3776	RegSvcs.exe
Token: 33	3776	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3776	RegSvcs.exe
Token: 33	3776	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3776	RegSvcs.exe
Token: 33	3776	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3776	RegSvcs.exe
Token: 33	3776	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3776	RegSvcs.exe
Token: 33	3776	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3776	RegSvcs.exe
Token: 33	3776	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3776	RegSvcs.exe
Token: 33	3776	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3776	RegSvcs.exe
Token: 33	3776	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3776	RegSvcs.exe
Token: 33	3776	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3776	RegSvcs.exe
Token: 33	3776	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3776	RegSvcs.exe
Token: 33	3776	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3776	RegSvcs.exe
Token: 33	3776	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3776	RegSvcs.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 5104 wrote to memory of 3992	5104	WScript.exe	95
PID 5104 wrote to memory of 3992	5104	WScript.exe	95
PID 3992 wrote to memory of 4464	3992	cmd.exe	98
PID 3992 wrote to memory of 4464	3992	cmd.exe	98
PID 4464 wrote to memory of 3776	4464	powershell.exe	99
PID 4464 wrote to memory of 3776	4464	powershell.exe	99
PID 4464 wrote to memory of 3776	4464	powershell.exe	99
PID 4464 wrote to memory of 3776	4464	powershell.exe	99
PID 4464 wrote to memory of 3776	4464	powershell.exe	99
PID 4464 wrote to memory of 3776	4464	powershell.exe	99
PID 4464 wrote to memory of 3776	4464	powershell.exe	99
PID 4464 wrote to memory of 3776	4464	powershell.exe	99
PID 4464 wrote to memory of 1852	4464	powershell.exe	100
PID 4464 wrote to memory of 1852	4464	powershell.exe	100
PID 4464 wrote to memory of 1852	4464	powershell.exe	100
PID 4464 wrote to memory of 1852	4464	powershell.exe	100
PID 4464 wrote to memory of 1852	4464	powershell.exe	100
PID 4464 wrote to memory of 1852	4464	powershell.exe	100
PID 4464 wrote to memory of 1852	4464	powershell.exe	100
PID 4464 wrote to memory of 1852	4464	powershell.exe	100

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29a2f380dca14716c3e3c53da12df3d0b1fb5c3efd0d2b711d3de523a7273836.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\WindowsUpdate\OOWZL.cmd" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3992
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -NoProfile -ExecutionPolicy Bypass -Command C:\Users\Admin\AppData\Roaming\WindowsUpdate\ZARTD.ps1
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4464
  - - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3776
  - - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bennfu55.b34.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EDVRD.vbs

Filesize
274B

MD5
195a41212cca0c31b543169d52fe6074

SHA1
f55095c2b3d168f0e838532f1f27c59e054881d7

SHA256
ebc6fee593edbc90c45ea6abb4eec4aafa7691bd6b97ccf3526ce6d346d32beb

SHA512
6d4878fcf9c018cb6a1187b283668bd0fab1aaf1546cc17bcdf3fa1e9f79da0f2ab0d8ca70e683f6c8a502565e7536c3ae469c17379d7fa255c8172c30233fe3

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsUpdate\OOWZL.cmd

Filesize
75B

MD5
c561282ed942d23889d0a4ed1222b87d

SHA1
3a201c4bbb160ee5c7089da864e018a1cdd2d02e

SHA256
c9b0ba912bfafe244f38d31f13070116bb105123083ff1f05ed6cad9eaa626fe

SHA512
bfc021f5d48d55aba88416340e996d7127993a349d23806fb64e715ad4840886e8d3af5a74745453f2d00e3b6fce22d8a34c312e2b3202bf6602be33b20067b3

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsUpdate\PLWAI.tmp

Filesize
45KB

MD5
b4658f83405265437695355e9e7dc825

SHA1
04613f0cf6df9382920811a6cd5495234f2b9e74

SHA256
d097813d1fcfaf270019b13b4b20afa3f15870c7b4440b00501d6c193f1c8f2f

SHA512
5486f5764833bcc2b8b2321da97f4736b6fdf622be7bf17848f7ff42284deccb5d0dd8088f92afe646de0b50b456b871f68fedcdef944010b14b4796dfd136a7

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsUpdate\ZARTD.ps1

Filesize
44KB

MD5
da1cd4da7e21802269e159912b864ee4

SHA1
d46e5ff9db8a7ac43555d2fd5607230209578c48

SHA256
2a1a67c8cf9037b6da4ebd9cfe8c1c076f7a6211dd4eba150f1df36a0450a39b

SHA512
788d55920f2cd21650baf4d4a54422e26b3edf374a1a4a438fd217930f4d66e3e8985e263a41586f6fa3fd2f032f9fa4e2fd41ba3067911781217da18d43bd44

Download Submit
memory/1852-58-0x0000000005830000-0x00000000058CC000-memory.dmp

Filesize
624KB

Download
memory/3776-66-0x0000000005AF0000-0x0000000005AFA000-memory.dmp

Filesize
40KB

Download
memory/3776-65-0x0000000005B20000-0x0000000005BB2000-memory.dmp

Filesize
584KB

Download
memory/3776-63-0x0000000005FB0000-0x0000000006554000-memory.dmp

Filesize
5.6MB

Download
memory/3776-49-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4464-41-0x00007FFEBFCE0000-0x00007FFEC07A1000-memory.dmp

Filesize
10.8MB

Download
memory/4464-40-0x00007FFEBFCE0000-0x00007FFEC07A1000-memory.dmp

Filesize
10.8MB

Download
memory/4464-57-0x00007FFEBFCE0000-0x00007FFEC07A1000-memory.dmp

Filesize
10.8MB

Download
memory/4464-30-0x000001F46D790000-0x000001F46D7B2000-memory.dmp

Filesize
136KB

Download
memory/4464-29-0x00007FFEBFCE3000-0x00007FFEBFCE5000-memory.dmp

Filesize
8KB

Download
memory/4464-47-0x000001F46DF70000-0x000001F46DF80000-memory.dmp

Filesize
64KB

Download
memory/4464-44-0x000001F46E520000-0x000001F46ECC6000-memory.dmp

Filesize
7.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads