njrat | c597a3de3db7b77b11beb33640dca13812dbc26cf291856810bd170039b17183

General

Target

c597a3de3db7b77b11beb33640dca13812dbc26cf291856810bd170039b17183N.exe
Size

27KB
MD5

3eaff8ce09f497995f5be4dc1b3aa820
SHA1

f2b7c3546b6f55d2c797eeb2b8ed2a37e05e16e1
SHA256

c597a3de3db7b77b11beb33640dca13812dbc26cf291856810bd170039b17183
SHA512

41d223f11aa428a5e262783bf732ffabb967785c7f2a7299b259f1398bb64b4a1ab3478e7e11312268fd86ee824d0f7f33c2b1b1aa5a31754c168ca4d8a26b62
SSDEEP

384:tjLyib+vLGgkhRzeTwIiTSmLPeJ97MaAQk93vmhm7UMKmIEecKdbXTzm9bVhcax8:9lgKNzevO7aA/vMHTi9bDx

Score

10^/10

njrat hacked discovery persistence trojan

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

HacKed

C2

127.0.01:6662

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	c597a3de3db7b77b11beb33640dca13812dbc26cf291856810bd170039b17183N.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	Payload.exe

Executes dropped EXE 1 IoCs

pid	Process
1012	Payload.exe

Loads dropped DLL 1 IoCs

pid	Process
1728	c597a3de3db7b77b11beb33640dca13812dbc26cf291856810bd170039b17183N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe"	c597a3de3db7b77b11beb33640dca13812dbc26cf291856810bd170039b17183N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c597a3de3db7b77b11beb33640dca13812dbc26cf291856810bd170039b17183N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payload.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	1012	Payload.exe
Token: 33	1012	Payload.exe
Token: SeIncBasePriorityPrivilege	1012	Payload.exe
Token: 33	1012	Payload.exe
Token: SeIncBasePriorityPrivilege	1012	Payload.exe
Token: 33	1012	Payload.exe
Token: SeIncBasePriorityPrivilege	1012	Payload.exe
Token: 33	1012	Payload.exe
Token: SeIncBasePriorityPrivilege	1012	Payload.exe
Token: 33	1012	Payload.exe
Token: SeIncBasePriorityPrivilege	1012	Payload.exe
Token: 33	1012	Payload.exe
Token: SeIncBasePriorityPrivilege	1012	Payload.exe
Token: 33	1012	Payload.exe
Token: SeIncBasePriorityPrivilege	1012	Payload.exe
Token: 33	1012	Payload.exe
Token: SeIncBasePriorityPrivilege	1012	Payload.exe
Token: 33	1012	Payload.exe
Token: SeIncBasePriorityPrivilege	1012	Payload.exe
Token: 33	1012	Payload.exe
Token: SeIncBasePriorityPrivilege	1012	Payload.exe
Token: 33	1012	Payload.exe
Token: SeIncBasePriorityPrivilege	1012	Payload.exe
Token: 33	1012	Payload.exe
Token: SeIncBasePriorityPrivilege	1012	Payload.exe
Token: 33	1012	Payload.exe
Token: SeIncBasePriorityPrivilege	1012	Payload.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 1012	1728	c597a3de3db7b77b11beb33640dca13812dbc26cf291856810bd170039b17183N.exe	31
PID 1728 wrote to memory of 1012	1728	c597a3de3db7b77b11beb33640dca13812dbc26cf291856810bd170039b17183N.exe	31
PID 1728 wrote to memory of 1012	1728	c597a3de3db7b77b11beb33640dca13812dbc26cf291856810bd170039b17183N.exe	31
PID 1728 wrote to memory of 1012	1728	c597a3de3db7b77b11beb33640dca13812dbc26cf291856810bd170039b17183N.exe	31
PID 1728 wrote to memory of 2788	1728	c597a3de3db7b77b11beb33640dca13812dbc26cf291856810bd170039b17183N.exe	32
PID 1728 wrote to memory of 2788	1728	c597a3de3db7b77b11beb33640dca13812dbc26cf291856810bd170039b17183N.exe	32
PID 1728 wrote to memory of 2788	1728	c597a3de3db7b77b11beb33640dca13812dbc26cf291856810bd170039b17183N.exe	32
PID 1728 wrote to memory of 2788	1728	c597a3de3db7b77b11beb33640dca13812dbc26cf291856810bd170039b17183N.exe	32
PID 1012 wrote to memory of 2732	1012	Payload.exe	34
PID 1012 wrote to memory of 2732	1012	Payload.exe	34
PID 1012 wrote to memory of 2732	1012	Payload.exe	34
PID 1012 wrote to memory of 2732	1012	Payload.exe	34
PID 1012 wrote to memory of 2184	1012	Payload.exe	35
PID 1012 wrote to memory of 2184	1012	Payload.exe	35
PID 1012 wrote to memory of 2184	1012	Payload.exe	35
PID 1012 wrote to memory of 2184	1012	Payload.exe	35

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2184	attrib.exe
2788	attrib.exe
2732	attrib.exe

C:\Users\Admin\AppData\Local\Temp\c597a3de3db7b77b11beb33640dca13812dbc26cf291856810bd170039b17183N.exe
"C:\Users\Admin\AppData\Local\Temp\c597a3de3db7b77b11beb33640dca13812dbc26cf291856810bd170039b17183N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Users\Admin\AppData\Local\Temp\Payload.exe
  "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1012
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2732
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2184
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Payload.exe

Filesize
27KB

MD5
3eaff8ce09f497995f5be4dc1b3aa820

SHA1
f2b7c3546b6f55d2c797eeb2b8ed2a37e05e16e1

SHA256
c597a3de3db7b77b11beb33640dca13812dbc26cf291856810bd170039b17183

SHA512
41d223f11aa428a5e262783bf732ffabb967785c7f2a7299b259f1398bb64b4a1ab3478e7e11312268fd86ee824d0f7f33c2b1b1aa5a31754c168ca4d8a26b62

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

Filesize
1KB

MD5
175dcf91ef523df6166fc091918c8841

SHA1
e07af27597a939af81039147f404680d28f33850

SHA256
78be10b7e3783e797bfff8f3f5dcaab17d0612c508dd9259b046f8dab5cb89de

SHA512
6de78d023e2fb500944d7cbe2995b91bf98c54f97e8b36cefae5458c3c6e7b68eea3e3e746777bfad62d59b069bd3143d07f3c8d90dedb0d6eccd90fb8c79378

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk

Filesize
1022B

MD5
2003bb0332ddfd3d91153db0bd88564e

SHA1
32e60a8379db536b5037a7bf909289960369582b

SHA256
b3fd92b0ef90b98cb7d9ed6435266f9d8e364054038ce8490bd0d005ef144517

SHA512
be63a85396b5c4deefebd891c5997785708a27bcc6a95b3221328be4711b9315c57966de43503bec3a58c674238ce57aa401f6afcdcb4d66e9b5723c465b28d7

Download Submit
memory/1012-13-0x00000000747A0000-0x0000000074D4B000-memory.dmp

Filesize
5.7MB

Download
memory/1012-18-0x00000000747A0000-0x0000000074D4B000-memory.dmp

Filesize
5.7MB

Download
memory/1012-20-0x00000000747A0000-0x0000000074D4B000-memory.dmp

Filesize
5.7MB

Download
memory/1728-0-0x00000000747A1000-0x00000000747A2000-memory.dmp

Filesize
4KB

Download
memory/1728-1-0x00000000747A0000-0x0000000074D4B000-memory.dmp

Filesize
5.7MB

Download
memory/1728-2-0x00000000747A0000-0x0000000074D4B000-memory.dmp

Filesize
5.7MB

Download
memory/1728-12-0x00000000747A0000-0x0000000074D4B000-memory.dmp

Filesize
5.7MB

Download
memory/1728-19-0x00000000747A0000-0x0000000074D4B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads