njrat | c597a3de3db7b77b11beb33640dca13812dbc26cf291856810bd170039b17183

General

Target

c597a3de3db7b77b11beb33640dca13812dbc26cf291856810bd170039b17183.exe
Size

27KB
MD5

3eaff8ce09f497995f5be4dc1b3aa820
SHA1

f2b7c3546b6f55d2c797eeb2b8ed2a37e05e16e1
SHA256

c597a3de3db7b77b11beb33640dca13812dbc26cf291856810bd170039b17183
SHA512

41d223f11aa428a5e262783bf732ffabb967785c7f2a7299b259f1398bb64b4a1ab3478e7e11312268fd86ee824d0f7f33c2b1b1aa5a31754c168ca4d8a26b62
SSDEEP

384:tjLyib+vLGgkhRzeTwIiTSmLPeJ97MaAQk93vmhm7UMKmIEecKdbXTzm9bVhcax8:9lgKNzevO7aA/vMHTi9bDx

Score

10^/10

njrat hacked discovery persistence trojan

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

HacKed

C2

127.0.01:6662

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Drops startup file 2 IoCs

Processes:

c597a3de3db7b77b11beb33640dca13812dbc26cf291856810bd170039b17183.exePayload.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	c597a3de3db7b77b11beb33640dca13812dbc26cf291856810bd170039b17183.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	Payload.exe

Executes dropped EXE 1 IoCs

Processes:

Payload.exe

pid	Process
2812	Payload.exe

Loads dropped DLL 1 IoCs

Processes:

c597a3de3db7b77b11beb33640dca13812dbc26cf291856810bd170039b17183.exe

pid	Process
2224	c597a3de3db7b77b11beb33640dca13812dbc26cf291856810bd170039b17183.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

c597a3de3db7b77b11beb33640dca13812dbc26cf291856810bd170039b17183.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe"	c597a3de3db7b77b11beb33640dca13812dbc26cf291856810bd170039b17183.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

attrib.exec597a3de3db7b77b11beb33640dca13812dbc26cf291856810bd170039b17183.exePayload.exeattrib.exeattrib.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c597a3de3db7b77b11beb33640dca13812dbc26cf291856810bd170039b17183.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payload.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

Payload.exe

description	pid	Process
Token: SeDebugPrivilege	2812	Payload.exe
Token: 33	2812	Payload.exe
Token: SeIncBasePriorityPrivilege	2812	Payload.exe
Token: 33	2812	Payload.exe
Token: SeIncBasePriorityPrivilege	2812	Payload.exe
Token: 33	2812	Payload.exe
Token: SeIncBasePriorityPrivilege	2812	Payload.exe
Token: 33	2812	Payload.exe
Token: SeIncBasePriorityPrivilege	2812	Payload.exe
Token: 33	2812	Payload.exe
Token: SeIncBasePriorityPrivilege	2812	Payload.exe
Token: 33	2812	Payload.exe
Token: SeIncBasePriorityPrivilege	2812	Payload.exe
Token: 33	2812	Payload.exe
Token: SeIncBasePriorityPrivilege	2812	Payload.exe
Token: 33	2812	Payload.exe
Token: SeIncBasePriorityPrivilege	2812	Payload.exe
Token: 33	2812	Payload.exe
Token: SeIncBasePriorityPrivilege	2812	Payload.exe
Token: 33	2812	Payload.exe
Token: SeIncBasePriorityPrivilege	2812	Payload.exe
Token: 33	2812	Payload.exe
Token: SeIncBasePriorityPrivilege	2812	Payload.exe
Token: 33	2812	Payload.exe
Token: SeIncBasePriorityPrivilege	2812	Payload.exe
Token: 33	2812	Payload.exe
Token: SeIncBasePriorityPrivilege	2812	Payload.exe
Token: 33	2812	Payload.exe
Token: SeIncBasePriorityPrivilege	2812	Payload.exe
Token: 33	2812	Payload.exe
Token: SeIncBasePriorityPrivilege	2812	Payload.exe
Token: 33	2812	Payload.exe
Token: SeIncBasePriorityPrivilege	2812	Payload.exe
Token: 33	2812	Payload.exe
Token: SeIncBasePriorityPrivilege	2812	Payload.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

c597a3de3db7b77b11beb33640dca13812dbc26cf291856810bd170039b17183.exePayload.exe

description	pid	Process	procid_target
PID 2224 wrote to memory of 2812	2224	c597a3de3db7b77b11beb33640dca13812dbc26cf291856810bd170039b17183.exe	30
PID 2224 wrote to memory of 2812	2224	c597a3de3db7b77b11beb33640dca13812dbc26cf291856810bd170039b17183.exe	30
PID 2224 wrote to memory of 2812	2224	c597a3de3db7b77b11beb33640dca13812dbc26cf291856810bd170039b17183.exe	30
PID 2224 wrote to memory of 2812	2224	c597a3de3db7b77b11beb33640dca13812dbc26cf291856810bd170039b17183.exe	30
PID 2224 wrote to memory of 2684	2224	c597a3de3db7b77b11beb33640dca13812dbc26cf291856810bd170039b17183.exe	31
PID 2224 wrote to memory of 2684	2224	c597a3de3db7b77b11beb33640dca13812dbc26cf291856810bd170039b17183.exe	31
PID 2224 wrote to memory of 2684	2224	c597a3de3db7b77b11beb33640dca13812dbc26cf291856810bd170039b17183.exe	31
PID 2224 wrote to memory of 2684	2224	c597a3de3db7b77b11beb33640dca13812dbc26cf291856810bd170039b17183.exe	31
PID 2812 wrote to memory of 2552	2812	Payload.exe	33
PID 2812 wrote to memory of 2552	2812	Payload.exe	33
PID 2812 wrote to memory of 2552	2812	Payload.exe	33
PID 2812 wrote to memory of 2552	2812	Payload.exe	33
PID 2812 wrote to memory of 2548	2812	Payload.exe	34
PID 2812 wrote to memory of 2548	2812	Payload.exe	34
PID 2812 wrote to memory of 2548	2812	Payload.exe	34
PID 2812 wrote to memory of 2548	2812	Payload.exe	34

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exe

pid	Process
2552	attrib.exe
2548	attrib.exe
2684	attrib.exe

C:\Users\Admin\AppData\Local\Temp\c597a3de3db7b77b11beb33640dca13812dbc26cf291856810bd170039b17183.exe
"C:\Users\Admin\AppData\Local\Temp\c597a3de3db7b77b11beb33640dca13812dbc26cf291856810bd170039b17183.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Users\Admin\AppData\Local\Temp\Payload.exe
  "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2552
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2548
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

Filesize
1KB

MD5
698057967070868e6327650afb3c8216

SHA1
21a257644bafd93cf70179b2b66152289c5d1728

SHA256
7bc606bbc1534cfcd4c3e99569a4affa24a66fce94affa53004df5865eb3f8da

SHA512
7372bf5ad1a18d8cb33d937a9dc1853840892f1902050e0e2cd237363daf07c1465ebf4ef2262772c22607287c888a2c4902faf8417fa9aa22c28f4268656009

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk

Filesize
1022B

MD5
2e3c4af004fa46541fefabe17a645306

SHA1
8dcbb824393b89fb3c43a8acba1a642abdc2b4cc

SHA256
43492f86986eecd3a38e4c2922adeb1e0bd727337111d0afd7be3b7b971828ae

SHA512
679b95100d84de38d84bc2e0c3885a79fe222873ecc537bebacb4fedaa35c1446f907a80816d99b572ba6dce3c7ab18fefacebde65044b10d7b1c5d1ad13fb34

Download Submit
\Users\Admin\AppData\Local\Temp\Payload.exe

Filesize
27KB

MD5
3eaff8ce09f497995f5be4dc1b3aa820

SHA1
f2b7c3546b6f55d2c797eeb2b8ed2a37e05e16e1

SHA256
c597a3de3db7b77b11beb33640dca13812dbc26cf291856810bd170039b17183

SHA512
41d223f11aa428a5e262783bf732ffabb967785c7f2a7299b259f1398bb64b4a1ab3478e7e11312268fd86ee824d0f7f33c2b1b1aa5a31754c168ca4d8a26b62

Download Submit
memory/2224-0-0x0000000074D21000-0x0000000074D22000-memory.dmp

Filesize
4KB

Download
memory/2224-1-0x0000000074D20000-0x00000000752CB000-memory.dmp

Filesize
5.7MB

Download
memory/2224-4-0x0000000074D20000-0x00000000752CB000-memory.dmp

Filesize
5.7MB

Download
memory/2224-12-0x0000000074D20000-0x00000000752CB000-memory.dmp

Filesize
5.7MB

Download
memory/2812-13-0x0000000074D20000-0x00000000752CB000-memory.dmp

Filesize
5.7MB

Download
memory/2812-14-0x0000000074D20000-0x00000000752CB000-memory.dmp

Filesize
5.7MB

Download
memory/2812-19-0x0000000074D20000-0x00000000752CB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads