njrat | dd53f452a1265736a066c7073a0d83f42b861d1954a0ae02c654896692e4629a

General

Target

dd53f452a1265736a066c7073a0d83f42b861d1954a0ae02c654896692e4629a.exe
Size

1009KB
MD5

6d1efd6663da1d5db55ae3a05eeaa0e2
SHA1

98f3e1641290ab80aa0f9981b494ecd837a9bc8f
SHA256

dd53f452a1265736a066c7073a0d83f42b861d1954a0ae02c654896692e4629a
SHA512

2a7b2010dd7c3e4cea5dfa112c477c255f9bb9883a3fba688c35f3399470be94e9b0808c1383e39fe31557cdd909d3758e74bdb8000d01efb5d75c87f474af87

Score

10^/10

njrat limebot3 trojan

Malware Config

Extracted

Family

njrat

Version

0.7.3

Botnet

Limebot3

C2

microsoftdnsbug.duckdns.org:6699

Mutex

Client.exe

Attributes

reg_key
Client.exe
splitter
luffy

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

AppVCatalog.exeAppVCatalog.exe

pid process

1616 AppVCatalog.exe
896 AppVCatalog.exe

pid	process
1616	AppVCatalog.exe
896	AppVCatalog.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

dd53f452a1265736a066c7073a0d83f42b861d1954a0ae02c654896692e4629a.exeAppVCatalog.exeAppVCatalog.exe

description	pid	process	target process
PID 1972 set thread context of 1940	1972	dd53f452a1265736a066c7073a0d83f42b861d1954a0ae02c654896692e4629a.exe	RegAsm.exe
PID 1616 set thread context of 1640	1616	AppVCatalog.exe	RegAsm.exe
PID 896 set thread context of 1596	896	AppVCatalog.exe	RegAsm.exe

autoit_exe 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe	autoit_exe
C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe	autoit_exe
C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

920 schtasks.exe
524 schtasks.exe
1744 schtasks.exe

pid	process
920	schtasks.exe
524	schtasks.exe
1744	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

dd53f452a1265736a066c7073a0d83f42b861d1954a0ae02c654896692e4629a.exeAppVCatalog.exeAppVCatalog.exe

pid	process
1972	dd53f452a1265736a066c7073a0d83f42b861d1954a0ae02c654896692e4629a.exe
1972	dd53f452a1265736a066c7073a0d83f42b861d1954a0ae02c654896692e4629a.exe
1616	AppVCatalog.exe
1616	AppVCatalog.exe
896	AppVCatalog.exe
896	AppVCatalog.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1940	RegAsm.exe
Token: 33	1940	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1940	RegAsm.exe
Token: 33	1940	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1940	RegAsm.exe
Token: 33	1940	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1940	RegAsm.exe
Token: 33	1940	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1940	RegAsm.exe
Token: 33	1940	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1940	RegAsm.exe
Token: 33	1940	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1940	RegAsm.exe
Token: 33	1940	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1940	RegAsm.exe
Token: 33	1940	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1940	RegAsm.exe
Token: 33	1940	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1940	RegAsm.exe
Token: 33	1940	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1940	RegAsm.exe
Token: 33	1940	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1940	RegAsm.exe
Token: 33	1940	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1940	RegAsm.exe
Token: 33	1940	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1940	RegAsm.exe
Token: 33	1940	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1940	RegAsm.exe
Token: 33	1940	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1940	RegAsm.exe
Token: 33	1940	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1940	RegAsm.exe

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

dd53f452a1265736a066c7073a0d83f42b861d1954a0ae02c654896692e4629a.exetaskeng.exeAppVCatalog.exeAppVCatalog.exe

description	pid	process	target process
PID 1972 wrote to memory of 1940	1972	dd53f452a1265736a066c7073a0d83f42b861d1954a0ae02c654896692e4629a.exe	RegAsm.exe
PID 1972 wrote to memory of 1940	1972	dd53f452a1265736a066c7073a0d83f42b861d1954a0ae02c654896692e4629a.exe	RegAsm.exe
PID 1972 wrote to memory of 1940	1972	dd53f452a1265736a066c7073a0d83f42b861d1954a0ae02c654896692e4629a.exe	RegAsm.exe
PID 1972 wrote to memory of 1940	1972	dd53f452a1265736a066c7073a0d83f42b861d1954a0ae02c654896692e4629a.exe	RegAsm.exe
PID 1972 wrote to memory of 1940	1972	dd53f452a1265736a066c7073a0d83f42b861d1954a0ae02c654896692e4629a.exe	RegAsm.exe
PID 1972 wrote to memory of 1940	1972	dd53f452a1265736a066c7073a0d83f42b861d1954a0ae02c654896692e4629a.exe	RegAsm.exe
PID 1972 wrote to memory of 1940	1972	dd53f452a1265736a066c7073a0d83f42b861d1954a0ae02c654896692e4629a.exe	RegAsm.exe
PID 1972 wrote to memory of 1940	1972	dd53f452a1265736a066c7073a0d83f42b861d1954a0ae02c654896692e4629a.exe	RegAsm.exe
PID 1972 wrote to memory of 1940	1972	dd53f452a1265736a066c7073a0d83f42b861d1954a0ae02c654896692e4629a.exe	RegAsm.exe
PID 1972 wrote to memory of 1744	1972	dd53f452a1265736a066c7073a0d83f42b861d1954a0ae02c654896692e4629a.exe	schtasks.exe
PID 1972 wrote to memory of 1744	1972	dd53f452a1265736a066c7073a0d83f42b861d1954a0ae02c654896692e4629a.exe	schtasks.exe
PID 1972 wrote to memory of 1744	1972	dd53f452a1265736a066c7073a0d83f42b861d1954a0ae02c654896692e4629a.exe	schtasks.exe
PID 1972 wrote to memory of 1744	1972	dd53f452a1265736a066c7073a0d83f42b861d1954a0ae02c654896692e4629a.exe	schtasks.exe
PID 928 wrote to memory of 1616	928	taskeng.exe	AppVCatalog.exe
PID 928 wrote to memory of 1616	928	taskeng.exe	AppVCatalog.exe
PID 928 wrote to memory of 1616	928	taskeng.exe	AppVCatalog.exe
PID 928 wrote to memory of 1616	928	taskeng.exe	AppVCatalog.exe
PID 1616 wrote to memory of 1640	1616	AppVCatalog.exe	RegAsm.exe
PID 1616 wrote to memory of 1640	1616	AppVCatalog.exe	RegAsm.exe
PID 1616 wrote to memory of 1640	1616	AppVCatalog.exe	RegAsm.exe
PID 1616 wrote to memory of 1640	1616	AppVCatalog.exe	RegAsm.exe
PID 1616 wrote to memory of 1640	1616	AppVCatalog.exe	RegAsm.exe
PID 1616 wrote to memory of 1640	1616	AppVCatalog.exe	RegAsm.exe
PID 1616 wrote to memory of 1640	1616	AppVCatalog.exe	RegAsm.exe
PID 1616 wrote to memory of 1640	1616	AppVCatalog.exe	RegAsm.exe
PID 1616 wrote to memory of 1640	1616	AppVCatalog.exe	RegAsm.exe
PID 1616 wrote to memory of 920	1616	AppVCatalog.exe	schtasks.exe
PID 1616 wrote to memory of 920	1616	AppVCatalog.exe	schtasks.exe
PID 1616 wrote to memory of 920	1616	AppVCatalog.exe	schtasks.exe
PID 1616 wrote to memory of 920	1616	AppVCatalog.exe	schtasks.exe
PID 928 wrote to memory of 896	928	taskeng.exe	AppVCatalog.exe
PID 928 wrote to memory of 896	928	taskeng.exe	AppVCatalog.exe
PID 928 wrote to memory of 896	928	taskeng.exe	AppVCatalog.exe
PID 928 wrote to memory of 896	928	taskeng.exe	AppVCatalog.exe
PID 896 wrote to memory of 1596	896	AppVCatalog.exe	RegAsm.exe
PID 896 wrote to memory of 1596	896	AppVCatalog.exe	RegAsm.exe
PID 896 wrote to memory of 1596	896	AppVCatalog.exe	RegAsm.exe
PID 896 wrote to memory of 1596	896	AppVCatalog.exe	RegAsm.exe
PID 896 wrote to memory of 1596	896	AppVCatalog.exe	RegAsm.exe
PID 896 wrote to memory of 1596	896	AppVCatalog.exe	RegAsm.exe
PID 896 wrote to memory of 1596	896	AppVCatalog.exe	RegAsm.exe
PID 896 wrote to memory of 1596	896	AppVCatalog.exe	RegAsm.exe
PID 896 wrote to memory of 1596	896	AppVCatalog.exe	RegAsm.exe
PID 896 wrote to memory of 524	896	AppVCatalog.exe	schtasks.exe
PID 896 wrote to memory of 524	896	AppVCatalog.exe	schtasks.exe
PID 896 wrote to memory of 524	896	AppVCatalog.exe	schtasks.exe
PID 896 wrote to memory of 524	896	AppVCatalog.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\dd53f452a1265736a066c7073a0d83f42b861d1954a0ae02c654896692e4629a.exe
"C:\Users\Admin\AppData\Local\Temp\dd53f452a1265736a066c7073a0d83f42b861d1954a0ae02c654896692e4629a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1940

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn PnPUnattend /tr "C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe" /sc minute /mo 1 /F
2⤵
- Creates scheduled task(s)
PID:1744

C:\Windows\system32\taskeng.exe
taskeng.exe {2FF5F927-7EC4-4793-8957-A9F5FBDDD993} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:928

C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe
C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
3⤵
PID:1640

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn PnPUnattend /tr "C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe" /sc minute /mo 1 /F
3⤵
- Creates scheduled task(s)
PID:920

C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe
C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:896

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
3⤵
PID:1596

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn PnPUnattend /tr "C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe" /sc minute /mo 1 /F
3⤵
- Creates scheduled task(s)
PID:524

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe
MD5
47f5537f7e2057e46e1f204521a0d4ac

SHA1
e5c858bef4a7287a93a94ced0332045fcf32e80b

SHA256
a7df4c4790becc1455a121316db443621e423e16eeca315d1eb0ffb29f5e6333

SHA512
0fc070f30414fcc432117db192bbbdaa9739993a84f955baacdf9d76fccea0f6d265dda177cff7e5b282f02a8f9ffa08625560e6c65f977a1e2e29536b5c3a41

Download Submit
C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe
MD5
47f5537f7e2057e46e1f204521a0d4ac

SHA1
e5c858bef4a7287a93a94ced0332045fcf32e80b

SHA256
a7df4c4790becc1455a121316db443621e423e16eeca315d1eb0ffb29f5e6333

SHA512
0fc070f30414fcc432117db192bbbdaa9739993a84f955baacdf9d76fccea0f6d265dda177cff7e5b282f02a8f9ffa08625560e6c65f977a1e2e29536b5c3a41

Download Submit
C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe
MD5
47f5537f7e2057e46e1f204521a0d4ac

SHA1
e5c858bef4a7287a93a94ced0332045fcf32e80b

SHA256
a7df4c4790becc1455a121316db443621e423e16eeca315d1eb0ffb29f5e6333

SHA512
0fc070f30414fcc432117db192bbbdaa9739993a84f955baacdf9d76fccea0f6d265dda177cff7e5b282f02a8f9ffa08625560e6c65f977a1e2e29536b5c3a41

Download Submit
memory/524-101-0x0000000000000000-mapping.dmp

Download
memory/896-88-0x0000000000000000-mapping.dmp

Download
memory/920-87-0x0000000000000000-mapping.dmp

Download
memory/1596-100-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/1596-96-0x00000000000A4E6E-mapping.dmp

Download
memory/1616-74-0x0000000000000000-mapping.dmp

Download
memory/1640-86-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/1640-82-0x0000000000414E6E-mapping.dmp

Download
memory/1640-77-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1640-84-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1640-83-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1744-72-0x0000000000000000-mapping.dmp

Download
memory/1940-71-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/1940-68-0x0000000000090000-0x00000000000AA000-memory.dmp

Filesize
104KB

Download
memory/1940-67-0x0000000000090000-0x00000000000AA000-memory.dmp

Filesize
104KB

Download
memory/1940-66-0x00000000000A4E6E-mapping.dmp

Download
memory/1940-61-0x0000000000090000-0x00000000000AA000-memory.dmp

Filesize
104KB

Download
memory/1972-60-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download
memory/1972-70-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads