Resubmissions
  25-01-2022 09:50   220125-ltxepsdee4   score 10

Analysis
  max time kernel:   211s
  max time network:  210s
  platform:          windows10_x64
  resource:          win10-en-20211208
  submitted:         25-01-2022 09:50
Tasks
  static1       Static task
  behavioral1   Behavioral task   sample: njRAT.exe   resource: win7-en-20211208
  behavioral2   Behavioral task   sample: njRAT.exe   resource: win10-en-20211208
General
  Target:  njRAT.exe
  Size:    959KB
  MD5:     0431311b5f024d6e66b90d59491f2563
  SHA1:    e9ff4da7e3f2199cbc16d37d8935cb1b0567ac2a
  SHA256:  fd624aa205517580e83fad7a4ce4d64863e95f62b34ac72647b1974a52822199
  SHA512:  d44b14e4b24e6e2d506ec32098488a16ebd5df57499ecd85e8878b8af2a3e1f9ed20d4125836417b702d0571f992aeac07af051dbf9268f48954556d17f51ee2
Malware Config
Signatures

Executes dropped EXE   3 IoCs
  pid    process
  1036   njRAT.exe
  1892   njq8.exe
  3224   windows.exe

Modifies Windows Firewall   1 TTPs
  Triggered by netsh.exe (pid 2824, child of windows.exe) running
  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\windows.exe" "windows.exe" ENABLE
  (see the process tree below). The legacy "netsh firewall" context is deprecated on this Windows 10 guest but is still honored, so a hunting rule for this behaviour should match both "netsh firewall add allowedprogram" and the modern "netsh advfirewall firewall add rule" form.

Drops startup file   2 IoCs
  windows.exe   File opened for modification   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecc7c8c51c0850c1ec247c7fd3602f20.exe
  windows.exe   File created                   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecc7c8c51c0850c1ec247c7fd3602f20.exe

Adds Run key to start application   2 TTPs 2 IoCs
  windows.exe   Set value (str)   \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\ecc7c8c51c0850c1ec247c7fd3602f20 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\windows.exe\" .."
  windows.exe   Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ecc7c8c51c0850c1ec247c7fd3602f20 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\windows.exe\" .."
  The value data is shown escaped; the actual string is "C:\Users\Admin\AppData\Local\Temp\windows.exe" .. (quoted path followed by the argument "..").
  Both Run values and the Startup-folder copy share the same 32-hex-character name (ecc7c8c51c0850c1ec247c7fd3602f20), so that token is a usable pivot across registry and file telemetry. The HKLM entry lands under WOW6432Node because windows.exe is a 32-bit process on the x64 guest, which is also why its netsh child is the SysWOW64 copy.

Enumerates connected drives   3 TTPs 2 IoCs
  Attempts to read the root path of hard drives other than the default C: drive.
  format.com   File opened (read-only)   \??\A:
  format.com   File opened (read-only)   \??\B:

Enumerates physical storage devices   1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Caveat: this hit and the preceding drive-enumeration hit come from format.com, which is spawned by cmd.exe (pid 1668). That cmd.exe is a separate process-tree root, not a descendant of the sample, so these two signatures are attributable to that cmd.exe session rather than to njRAT.exe.

Gathers network information   2 TTPs 1 IoCs
  Uses commandline utility to view network configuration.
  2176   ipconfig.exe   (also a child of cmd.exe pid 1668, not of the sample)

Modifies Internet Explorer settings   13 IoCs
  iexplore.exe    Key created       \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive
  iexplore.exe    Set value (data)  \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000
  iexplore.exe    Set value (int)   \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"
  IEXPLORE.EXE    Key created       \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main
  IEXPLORE.EXE    Set value (str)   \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"
  IEXPLORE.EXE    Key created       \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch
  iexplore.exe    Key created       \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main
  iexplore.exe    Set value (int)   \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"
  iexplore.exe    Set value (int)   \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{56095CDF-5A9A-11EC-876A-CAC7FE7A08DC} = "0"
  iexplore.exe    Key created       \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch
  iexplore.exe    Set value (str)   \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"
  iexplore.exe    Set value (str)   \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"
  iexplore.exe    Key created       \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery
  Caveat: iexplore.exe (pid 4040) is a separate process-tree root opened on C:\Users\Admin\Downloads\ConvertMerge.xhtml; it is not a child of the sample, and these keys are ordinary Internet Explorer housekeeping.

Suspicious behavior: EnumeratesProcesses   64 IoCs
  3224   windows.exe   (64 identical events)

Suspicious behavior: GetForegroundWindowSpam   1 IoCs
  3224   windows.exe

Suspicious use of AdjustPrivilegeToken   1 IoCs
  3224   windows.exe   Token: SeDebugPrivilege

Suspicious use of FindShellTrayWindow   1 IoCs
  4040   iexplore.exe

Suspicious use of SetWindowsHookEx   4 IoCs
  4040   iexplore.exe   (2 events)
  1560   IEXPLORE.EXE   (2 events)

Suspicious use of WriteProcessMemory   21 IoCs
  source pid   source         target pid   target         writes
  1296         njRAT.exe      1036         njRAT.exe      3
  1296         njRAT.exe      1892         njq8.exe       3
  1892         njq8.exe       3224         windows.exe    3
  3224         windows.exe    2824         netsh.exe      3
  1668         cmd.exe        2176         ipconfig.exe   2
  1668         cmd.exe        2196         format.com     2
  1668         cmd.exe        2072         format.com     2
  4040         iexplore.exe   1560         IEXPLORE.EXE   3
  Every target here is the writer's own freshly created child, which is the normal pattern for process start-up; the report records no write into an unrelated, pre-existing process, so there is no evidence of cross-process injection in this run.
Processes

C:\Users\Admin\AppData\Local\Temp\njRAT.exe   (pid 1296)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\njRAT.exe"
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\njRAT.exe   (pid 1036)
  |     cmdline: "C:\njRAT.exe"
  |     - Executes dropped EXE
  |
  +-- C:\njq8.exe   (pid 1892)
        cmdline: "C:\njq8.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        |
        +-- C:\Users\Admin\AppData\Local\Temp\windows.exe   (pid 3224)
              cmdline: "C:\Users\Admin\AppData\Local\Temp\windows.exe"
              - Executes dropped EXE
              - Drops startup file
              - Adds Run key to start application
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: GetForegroundWindowSpam
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              |
              +-- C:\Windows\SysWOW64\netsh.exe   (pid 2824)
                    cmdline: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\windows.exe" "windows.exe" ENABLE

C:\Windows\system32\cmd.exe   (pid 1668)
  cmdline: "C:\Windows\system32\cmd.exe"
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\system32\ipconfig.exe   (pid 2176)
  |     cmdline: ipconfig
  |     - Gathers network information
  |
  +-- C:\Windows\system32\format.com
  |     cmdline: format c
  |     - Enumerates connected drives
  |
  +-- C:\Windows\system32\format.com
        cmdline: format c:

C:\Windows\System32\rundll32.exe
  cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\Internet Explorer\iexplore.exe   (pid 4040)
  cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\ConvertMerge.xhtml
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE   (pid 1560)
        cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4040 CREDAT:82945 /prefetch:2
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
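The persistence and firewall IoCs the report attributes to windows.exe (two Run values, one Startup-folder copy, one netsh allowedprogram rule) share a single binary path and a single 32-hex identifier, which makes them a natural correlation target. The Python below is an added example, not part of the sandbox report and not the sample's code: it replays those IoCs as constructed Sysmon-style event dicts (key paths, value data and the netsh command line are copied from the report; the event schema with type/pid/image/key/data/path/cmdline fields and the benign decoy Run entry are assumptions) and raises a finding for any executable that appears in at least two of the three IoC classes.

```python
"""Correlate njRAT-style persistence and firewall-exclusion events.

Added example, not part of the sandbox report. Input events are constructed
Sysmon-like dicts whose key paths, value data and command line are copied from
the report; the event schema and the benign decoy entry are assumptions.
"""
import re
from collections import defaultdict

HEX32 = re.compile(r"^[0-9a-f]{32}$", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\([^\\]+)$", re.I)
# The report's Run values are a quoted path followed by the literal argument " ..".
RUN_VALUE = re.compile(r'^"(?P<path>[^"]+)" \.\.$')
NETSH_ALLOW = re.compile(
    r'\bnetsh\s+firewall\s+add\s+allowedprogram\s+"(?P<path>[^"]+)"', re.I)

WINDOWS_EXE = r"C:\Users\Admin\AppData\Local\Temp\windows.exe"
HKU_RUN = (r"\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000"
           r"\Software\Microsoft\Windows\CurrentVersion\Run")
HKLM_RUN = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

# Constructed events modelled on the report's IoCs.
EVENTS = [
    {"type": "registry_set", "pid": 3224, "image": WINDOWS_EXE,
     "key": HKU_RUN + r"\ecc7c8c51c0850c1ec247c7fd3602f20",
     "data": f'"{WINDOWS_EXE}" ..'},
    {"type": "registry_set", "pid": 3224, "image": WINDOWS_EXE,
     "key": HKLM_RUN + r"\ecc7c8c51c0850c1ec247c7fd3602f20",
     "data": f'"{WINDOWS_EXE}" ..'},
    {"type": "file_create", "pid": 3224, "image": WINDOWS_EXE,
     "path": STARTUP + r"\ecc7c8c51c0850c1ec247c7fd3602f20.exe"},
    {"type": "process_create", "pid": 2824, "ppid": 3224,
     "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": f'netsh firewall add allowedprogram "{WINDOWS_EXE}" "windows.exe" ENABLE'},
    # Benign decoy (assumed): an ordinary Run entry without the " .." tail.
    {"type": "registry_set", "pid": 5100, "image": r"C:\Program Files\Example\tray.exe",
     "key": HKU_RUN + r"\ExampleTray",
     "data": r'"C:\Program Files\Example\tray.exe" /background'},
]


def correlate(events, min_hits=2):
    """Group Run-key, Startup-drop and netsh-exclusion events by target executable.

    Returns one finding per executable seen in at least `min_hits` of the three
    IoC classes, with the 32-hex identifiers that tie the artefacts together.
    """
    recs = defaultdict(lambda: {"run_keys": [], "startup_files": [],
                                "firewall_cmds": [], "ids": set()})
    for ev in events:
        if ev["type"] == "registry_set":
            key_m = RUN_KEY.search(ev["key"])
            val_m = RUN_VALUE.match(ev["data"])
            if key_m and val_m:
                rec = recs[val_m["path"].lower()]
                rec["run_keys"].append(ev["key"])
                if HEX32.match(key_m.group(1)):
                    rec["ids"].add(key_m.group(1).lower())
        elif ev["type"] == "file_create":
            dir_m = STARTUP_DIR.search(ev["path"])
            if dir_m:
                stem, _, ext = dir_m.group(1).rpartition(".")
                if ext.lower() == "exe" and HEX32.match(stem):
                    # Attribute the drop to the writing process, i.e. the RAT binary.
                    rec = recs[ev["image"].lower()]
                    rec["startup_files"].append(ev["path"])
                    rec["ids"].add(stem.lower())
        elif ev["type"] == "process_create":
            cmd_m = NETSH_ALLOW.search(ev["cmdline"])
            if cmd_m:
                recs[cmd_m["path"].lower()]["firewall_cmds"].append(ev["cmdline"])

    findings = []
    for path, rec in recs.items():
        hits = sum(bool(rec[k]) for k in ("run_keys", "startup_files", "firewall_cmds"))
        if hits >= min_hits:
            findings.append({**rec, "path": path, "hits": hits, "ids": sorted(rec["ids"])})
    return findings


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f"{f['path']}: {f['hits']}/3 IoC classes, id(s) {f['ids']}")
        for k in ("run_keys", "startup_files", "firewall_cmds"):
            for item in f[k]:
                print(f"  {k}: {item}")
```

Keying on the path inside the Run value and the netsh argument, rather than on the writing process, is deliberate: a dropper that sets persistence for a second binary (as njq8.exe does here for windows.exe) would otherwise split the evidence across two process identities. The decoy Run entry is never recorded because its data lacks the " .." tail the report shows, so ordinary auto-start entries do not inflate the count.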
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\windows.exe
  MD5:     edc4f10a5e164db64bf79eca207f2749
  SHA1:    d08eb761a5446a4409a72f3af3fb8dd60eec7c92
  SHA256:  ce6421107031175f39e61d3bcc5a98d1d94190e250034e27cdbebbadcba084a4
  SHA512:  e974a32096cc58c1a78c7aa8714b8b8b7a202859905a28d5ce61fd9a563382a7577825e8c9ee612d7ba708f3efef01a43d07df03e7c1e3e52d0cb32240d5d15d

C:\njRAT.exe
  MD5:     08f223ac15e2e92561ed310ae71415c1
  SHA1:    0a871a4b376bd8771188b96a9a1bb6fe1205160d
  SHA256:  51f2aec8b6de1e49b1ca74203afd380484932b07067a91f027548bc20b8967ec
  SHA512:  9acc7b4976c23fa019361b52eb22dcdfbf0bb1039aa8c8e74507f0501709616757a2d762d0478956a03bfadecdee812c9aa2360655891ab4ed1de96f35e23cd4

C:\njq8.exe
  MD5:     edc4f10a5e164db64bf79eca207f2749
  SHA1:    d08eb761a5446a4409a72f3af3fb8dd60eec7c92
  SHA256:  ce6421107031175f39e61d3bcc5a98d1d94190e250034e27cdbebbadcba084a4
  SHA512:  e974a32096cc58c1a78c7aa8714b8b8b7a202859905a28d5ce61fd9a563382a7577825e8c9ee612d7ba708f3efef01a43d07df03e7c1e3e52d0cb32240d5d15d

Note: C:\njq8.exe and C:\Users\Admin\AppData\Local\Temp\windows.exe have identical hashes, so windows.exe is a byte-for-byte copy of njq8.exe relocated to the user's Temp directory before persistence is set up; one hash set covers both artefacts. The dropped C:\njRAT.exe (MD5 08f223ac15e2e92561ed310ae71415c1) differs from the submitted njRAT.exe (MD5 0431311b5f024d6e66b90d59491f2563), so the submitted file acts as a dropper for two distinct executables rather than copying itself.
Memory dumps
  dump              range                                    size
  memory/1296-115   0x0000000000A80000-0x0000000000B78000    992KB
  memory/1296-116   0x00000000054E0000-0x000000000557C000    624KB
  memory/1296-117   0x0000000005A90000-0x0000000005F8E000    5.0MB
  memory/1296-118   0x0000000005630000-0x00000000056C2000    584KB
  memory/1296-119   0x00000000054D0000-0x00000000054DA000    40KB
  memory/1296-120   0x0000000005790000-0x00000000057E6000    344KB
  memory/1296-121   0x0000000005590000-0x0000000005A8E000    5.0MB
  memory/1036-127   0x0000000003250000-0x0000000003251000    4KB
  memory/1036-131   0x0000000003251000-0x0000000003252000    4KB
  memory/1036-132   0x0000000003254000-0x0000000003256000    8KB
  memory/1892-126   0x00000000029B0000-0x00000000029B1000    4KB
  memory/3224-130   0x0000000002890000-0x0000000002891000    4KB
  memory/3224-133   0x0000000002893000-0x0000000002895000    8KB