njrat | ccaa9f9e4a61111b9814917dcb9703768743dffc8faec938bc480c7b091c33dc

General

Target

22c54abbde95e1f240a8a65343e6faa9.exe
Size

31KB
MD5

22c54abbde95e1f240a8a65343e6faa9
SHA1

8f6727a8ea3977e1f5fbea78c1390d6cc8a1b36a
SHA256

ccaa9f9e4a61111b9814917dcb9703768743dffc8faec938bc480c7b091c33dc
SHA512

86ab53c341cc671e6b8d57bcb12a1f4337e6d36f5586480ec4a90234d73780626020582ea72c9a381392d0f54d6fa9a0f03b0f3d83b32c97c227899e9f40e171
SSDEEP

768:8J8R5d5rLmzxBuJRSae8H5LPvyQQmIDUu0tiroj:DvKmpj3QVktj

Score

10^/10

njrat xworm mpg discovery evasion persistence privilege_escalation rat trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

MPG

C2

49.228.131.165:2422

Mutex

fa6b40864b6c109adbc85023cd1f59d2

Attributes

reg_key
fa6b40864b6c109adbc85023cd1f59d2
splitter
Y262SUCZ4UJJ

Extracted

Family

xworm

Version

5.0

C2

103.253.73.222:400

Mutex

G9FXseUZVOZM4y9H

Attributes

Install_directory
%AppData%
install_file
dlIlhost.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\tmp4F73.tmp.exe	family_xworm
behavioral2/memory/1468-23-0x0000000000700000-0x0000000000710000-memory.dmp	family_xworm

Njrat family
njrat
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

4700 netsh.exe

pid	process
4700	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

22c54abbde95e1f240a8a65343e6faa9.exetmp4F73.tmp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	22c54abbde95e1f240a8a65343e6faa9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	tmp4F73.tmp.exe

Executes dropped EXE 3 IoCs

Processes:

tmp4F73.tmp.exedlIlhost.exedlIlhost.exe

pid process

1468 tmp4F73.tmp.exe
1248 dlIlhost.exe
5012 dlIlhost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1468	tmp4F73.tmp.exe
1248	dlIlhost.exe
5012	dlIlhost.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

22c54abbde95e1f240a8a65343e6faa9.exenetsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	22c54abbde95e1f240a8a65343e6faa9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

1316 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

tmp4F73.tmp.exe

pid process

1468 tmp4F73.tmp.exe

pid	process
1316	schtasks.exe

pid	process
1468	tmp4F73.tmp.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

Processes:

22c54abbde95e1f240a8a65343e6faa9.exetmp4F73.tmp.exedlIlhost.exedlIlhost.exe

description	pid	process
Token: SeDebugPrivilege	832	22c54abbde95e1f240a8a65343e6faa9.exe
Token: 33	832	22c54abbde95e1f240a8a65343e6faa9.exe
Token: SeIncBasePriorityPrivilege	832	22c54abbde95e1f240a8a65343e6faa9.exe
Token: 33	832	22c54abbde95e1f240a8a65343e6faa9.exe
Token: SeIncBasePriorityPrivilege	832	22c54abbde95e1f240a8a65343e6faa9.exe
Token: 33	832	22c54abbde95e1f240a8a65343e6faa9.exe
Token: SeIncBasePriorityPrivilege	832	22c54abbde95e1f240a8a65343e6faa9.exe
Token: 33	832	22c54abbde95e1f240a8a65343e6faa9.exe
Token: SeIncBasePriorityPrivilege	832	22c54abbde95e1f240a8a65343e6faa9.exe
Token: 33	832	22c54abbde95e1f240a8a65343e6faa9.exe
Token: SeIncBasePriorityPrivilege	832	22c54abbde95e1f240a8a65343e6faa9.exe
Token: SeDebugPrivilege	1468	tmp4F73.tmp.exe
Token: 33	832	22c54abbde95e1f240a8a65343e6faa9.exe
Token: SeIncBasePriorityPrivilege	832	22c54abbde95e1f240a8a65343e6faa9.exe
Token: 33	832	22c54abbde95e1f240a8a65343e6faa9.exe
Token: SeIncBasePriorityPrivilege	832	22c54abbde95e1f240a8a65343e6faa9.exe
Token: 33	832	22c54abbde95e1f240a8a65343e6faa9.exe
Token: SeIncBasePriorityPrivilege	832	22c54abbde95e1f240a8a65343e6faa9.exe
Token: SeDebugPrivilege	1248	dlIlhost.exe
Token: 33	832	22c54abbde95e1f240a8a65343e6faa9.exe
Token: SeIncBasePriorityPrivilege	832	22c54abbde95e1f240a8a65343e6faa9.exe
Token: 33	832	22c54abbde95e1f240a8a65343e6faa9.exe
Token: SeIncBasePriorityPrivilege	832	22c54abbde95e1f240a8a65343e6faa9.exe
Token: 33	832	22c54abbde95e1f240a8a65343e6faa9.exe
Token: SeIncBasePriorityPrivilege	832	22c54abbde95e1f240a8a65343e6faa9.exe
Token: 33	832	22c54abbde95e1f240a8a65343e6faa9.exe
Token: SeIncBasePriorityPrivilege	832	22c54abbde95e1f240a8a65343e6faa9.exe
Token: 33	832	22c54abbde95e1f240a8a65343e6faa9.exe
Token: SeIncBasePriorityPrivilege	832	22c54abbde95e1f240a8a65343e6faa9.exe
Token: 33	832	22c54abbde95e1f240a8a65343e6faa9.exe
Token: SeIncBasePriorityPrivilege	832	22c54abbde95e1f240a8a65343e6faa9.exe
Token: 33	832	22c54abbde95e1f240a8a65343e6faa9.exe
Token: SeIncBasePriorityPrivilege	832	22c54abbde95e1f240a8a65343e6faa9.exe
Token: 33	832	22c54abbde95e1f240a8a65343e6faa9.exe
Token: SeIncBasePriorityPrivilege	832	22c54abbde95e1f240a8a65343e6faa9.exe
Token: SeDebugPrivilege	5012	dlIlhost.exe
Token: 33	832	22c54abbde95e1f240a8a65343e6faa9.exe
Token: SeIncBasePriorityPrivilege	832	22c54abbde95e1f240a8a65343e6faa9.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

tmp4F73.tmp.exe

pid process

1468 tmp4F73.tmp.exe

pid	process
1468	tmp4F73.tmp.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

22c54abbde95e1f240a8a65343e6faa9.exetmp4F73.tmp.exe

description	pid	process	target process
PID 832 wrote to memory of 4700	832	22c54abbde95e1f240a8a65343e6faa9.exe	netsh.exe
PID 832 wrote to memory of 4700	832	22c54abbde95e1f240a8a65343e6faa9.exe	netsh.exe
PID 832 wrote to memory of 4700	832	22c54abbde95e1f240a8a65343e6faa9.exe	netsh.exe
PID 832 wrote to memory of 1468	832	22c54abbde95e1f240a8a65343e6faa9.exe	tmp4F73.tmp.exe
PID 832 wrote to memory of 1468	832	22c54abbde95e1f240a8a65343e6faa9.exe	tmp4F73.tmp.exe
PID 1468 wrote to memory of 1316	1468	tmp4F73.tmp.exe	schtasks.exe
PID 1468 wrote to memory of 1316	1468	tmp4F73.tmp.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\22c54abbde95e1f240a8a65343e6faa9.exe
"C:\Users\Admin\AppData\Local\Temp\22c54abbde95e1f240a8a65343e6faa9.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:832
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\22c54abbde95e1f240a8a65343e6faa9.exe" "22c54abbde95e1f240a8a65343e6faa9.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4700
- C:\Users\Admin\AppData\Local\Temp\tmp4F73.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp4F73.tmp.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1468
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "dlIlhost" /tr "C:\Users\Admin\AppData\Roaming\dlIlhost.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1316

C:\Users\Admin\AppData\Roaming\dlIlhost.exe
C:\Users\Admin\AppData\Roaming\dlIlhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1248

C:\Users\Admin\AppData\Roaming\dlIlhost.exe
C:\Users\Admin\AppData\Roaming\dlIlhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dlIlhost.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4F73.tmp.exe

Filesize
37KB

MD5
84d0b308ab09eb9e65c2f4f6ea622736

SHA1
4a855c06bdcd6c893510ca13307c727ea0c60096

SHA256
acdcd7790360d048ddebcddba627c81547379505c97ebb8f6e9a989149e94796

SHA512
f4f8c324306ac561f8b02772390e9781e3c2112d25be7c580b6269780bb1ff070726060df2a62f455141a0a37bd9a4ab7017692aecdab11c5e288f42af727867

Download Submit
memory/832-8-0x0000000005380000-0x00000000053E6000-memory.dmp

Filesize
408KB

Download
memory/832-9-0x00000000061D0000-0x00000000061E8000-memory.dmp

Filesize
96KB

Download
memory/832-4-0x00000000051F0000-0x0000000005282000-memory.dmp

Filesize
584KB

Download
memory/832-5-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/832-6-0x0000000005160000-0x000000000516A000-memory.dmp

Filesize
40KB

Download
memory/832-7-0x00000000749CE000-0x00000000749CF000-memory.dmp

Filesize
4KB

Download
memory/832-0-0x00000000749CE000-0x00000000749CF000-memory.dmp

Filesize
4KB

Download
memory/832-3-0x0000000005610000-0x0000000005BB4000-memory.dmp

Filesize
5.6MB

Download
memory/832-10-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/832-2-0x0000000004FC0000-0x000000000505C000-memory.dmp

Filesize
624KB

Download
memory/832-1-0x00000000005C0000-0x00000000005CE000-memory.dmp

Filesize
56KB

Download
memory/1468-23-0x0000000000700000-0x0000000000710000-memory.dmp

Filesize
64KB

Download
memory/1468-25-0x00007FF988120000-0x00007FF988BE1000-memory.dmp

Filesize
10.8MB

Download
memory/1468-26-0x00007FF988123000-0x00007FF988125000-memory.dmp

Filesize
8KB

Download
memory/1468-27-0x00007FF988120000-0x00007FF988BE1000-memory.dmp

Filesize
10.8MB

Download
memory/1468-22-0x00007FF988123000-0x00007FF988125000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads