njrat | f992aa328b81c89418d075b8a53e79b4eae71f9a97d50577c25a67c9c430031c

General

Target

f992aa328b81c89418d075b8a53e79b4eae71f9a97d50577c25a67c9c430031c.exe
Size

374KB
MD5

1de15800d08f248b647077f0fe52f5c1
SHA1

40616e40110b24faf0ff3af1285e628f3f8e595d
SHA256

f992aa328b81c89418d075b8a53e79b4eae71f9a97d50577c25a67c9c430031c
SHA512

012995a859d376965363f49ef1cdaab5d88a9a57847786f2421183757942edf135f933f0a66ab0e2ce281c8287e3efa87c11f90118f0d745166614446132cc50

Score

10^/10

njrat lime link pdf suricata trojan

Malware Config

Extracted

Family

njrat

Version

0.7.3

Botnet

Lime

C2

soportesltda30.duckdns.org:4433

Mutex

Client.exe

Attributes

reg_key
Client.exe
splitter
jairpicc

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
Executes dropped EXE 3 IoCs

Processes:

windows.exewindows.exewindows.exe

pid process

948 windows.exe
1624 windows.exe
944 windows.exe
Drops startup file 1 IoCs

Processes:

WScript.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.EXE WScript.exe
Loads dropped DLL 1 IoCs

Processes:

WScript.exe

pid process

1312 WScript.exe

pid	process
948	windows.exe
1624	windows.exe
944	windows.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.EXE	WScript.exe

pid	process
1312	WScript.exe

HTTP links in PDF interactive object 1 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\leer.pdf	pdf_with_link_action

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

560 schtasks.exe
1688 schtasks.exe
1500 schtasks.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

1528 AcroRd32.exe

pid	process
560	schtasks.exe
1688	schtasks.exe
1500	schtasks.exe

pid	process
1528	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

windows.exe

description	pid	process
Token: SeDebugPrivilege	948	windows.exe
Token: 33	948	windows.exe
Token: SeIncBasePriorityPrivilege	948	windows.exe
Token: 33	948	windows.exe
Token: SeIncBasePriorityPrivilege	948	windows.exe
Token: 33	948	windows.exe
Token: SeIncBasePriorityPrivilege	948	windows.exe
Token: 33	948	windows.exe
Token: SeIncBasePriorityPrivilege	948	windows.exe
Token: 33	948	windows.exe
Token: SeIncBasePriorityPrivilege	948	windows.exe
Token: 33	948	windows.exe
Token: SeIncBasePriorityPrivilege	948	windows.exe
Token: 33	948	windows.exe
Token: SeIncBasePriorityPrivilege	948	windows.exe
Token: 33	948	windows.exe
Token: SeIncBasePriorityPrivilege	948	windows.exe
Token: 33	948	windows.exe
Token: SeIncBasePriorityPrivilege	948	windows.exe
Token: 33	948	windows.exe
Token: SeIncBasePriorityPrivilege	948	windows.exe
Token: 33	948	windows.exe
Token: SeIncBasePriorityPrivilege	948	windows.exe
Token: 33	948	windows.exe
Token: SeIncBasePriorityPrivilege	948	windows.exe
Token: 33	948	windows.exe
Token: SeIncBasePriorityPrivilege	948	windows.exe
Token: 33	948	windows.exe
Token: SeIncBasePriorityPrivilege	948	windows.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

1528 AcroRd32.exe
1528 AcroRd32.exe
1528 AcroRd32.exe
1528 AcroRd32.exe

pid	process
1528	AcroRd32.exe
1528	AcroRd32.exe
1528	AcroRd32.exe
1528	AcroRd32.exe

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

f992aa328b81c89418d075b8a53e79b4eae71f9a97d50577c25a67c9c430031c.exeWScript.exewindows.exetaskeng.exewindows.exewindows.exe

description	pid	process	target process
PID 2008 wrote to memory of 1528	2008	f992aa328b81c89418d075b8a53e79b4eae71f9a97d50577c25a67c9c430031c.exe	AcroRd32.exe
PID 2008 wrote to memory of 1528	2008	f992aa328b81c89418d075b8a53e79b4eae71f9a97d50577c25a67c9c430031c.exe	AcroRd32.exe
PID 2008 wrote to memory of 1528	2008	f992aa328b81c89418d075b8a53e79b4eae71f9a97d50577c25a67c9c430031c.exe	AcroRd32.exe
PID 2008 wrote to memory of 1528	2008	f992aa328b81c89418d075b8a53e79b4eae71f9a97d50577c25a67c9c430031c.exe	AcroRd32.exe
PID 2008 wrote to memory of 1528	2008	f992aa328b81c89418d075b8a53e79b4eae71f9a97d50577c25a67c9c430031c.exe	AcroRd32.exe
PID 2008 wrote to memory of 1528	2008	f992aa328b81c89418d075b8a53e79b4eae71f9a97d50577c25a67c9c430031c.exe	AcroRd32.exe
PID 2008 wrote to memory of 1528	2008	f992aa328b81c89418d075b8a53e79b4eae71f9a97d50577c25a67c9c430031c.exe	AcroRd32.exe
PID 2008 wrote to memory of 1312	2008	f992aa328b81c89418d075b8a53e79b4eae71f9a97d50577c25a67c9c430031c.exe	WScript.exe
PID 2008 wrote to memory of 1312	2008	f992aa328b81c89418d075b8a53e79b4eae71f9a97d50577c25a67c9c430031c.exe	WScript.exe
PID 2008 wrote to memory of 1312	2008	f992aa328b81c89418d075b8a53e79b4eae71f9a97d50577c25a67c9c430031c.exe	WScript.exe
PID 2008 wrote to memory of 1312	2008	f992aa328b81c89418d075b8a53e79b4eae71f9a97d50577c25a67c9c430031c.exe	WScript.exe
PID 2008 wrote to memory of 1312	2008	f992aa328b81c89418d075b8a53e79b4eae71f9a97d50577c25a67c9c430031c.exe	WScript.exe
PID 2008 wrote to memory of 1312	2008	f992aa328b81c89418d075b8a53e79b4eae71f9a97d50577c25a67c9c430031c.exe	WScript.exe
PID 2008 wrote to memory of 1312	2008	f992aa328b81c89418d075b8a53e79b4eae71f9a97d50577c25a67c9c430031c.exe	WScript.exe
PID 1312 wrote to memory of 948	1312	WScript.exe	windows.exe
PID 1312 wrote to memory of 948	1312	WScript.exe	windows.exe
PID 1312 wrote to memory of 948	1312	WScript.exe	windows.exe
PID 1312 wrote to memory of 948	1312	WScript.exe	windows.exe
PID 1312 wrote to memory of 948	1312	WScript.exe	windows.exe
PID 1312 wrote to memory of 948	1312	WScript.exe	windows.exe
PID 1312 wrote to memory of 948	1312	WScript.exe	windows.exe
PID 948 wrote to memory of 988	948	windows.exe	schtasks.exe
PID 948 wrote to memory of 988	948	windows.exe	schtasks.exe
PID 948 wrote to memory of 988	948	windows.exe	schtasks.exe
PID 948 wrote to memory of 988	948	windows.exe	schtasks.exe
PID 948 wrote to memory of 988	948	windows.exe	schtasks.exe
PID 948 wrote to memory of 988	948	windows.exe	schtasks.exe
PID 948 wrote to memory of 988	948	windows.exe	schtasks.exe
PID 948 wrote to memory of 560	948	windows.exe	schtasks.exe
PID 948 wrote to memory of 560	948	windows.exe	schtasks.exe
PID 948 wrote to memory of 560	948	windows.exe	schtasks.exe
PID 948 wrote to memory of 560	948	windows.exe	schtasks.exe
PID 948 wrote to memory of 560	948	windows.exe	schtasks.exe
PID 948 wrote to memory of 560	948	windows.exe	schtasks.exe
PID 948 wrote to memory of 560	948	windows.exe	schtasks.exe
PID 1072 wrote to memory of 1624	1072	taskeng.exe	windows.exe
PID 1072 wrote to memory of 1624	1072	taskeng.exe	windows.exe
PID 1072 wrote to memory of 1624	1072	taskeng.exe	windows.exe
PID 1072 wrote to memory of 1624	1072	taskeng.exe	windows.exe
PID 1624 wrote to memory of 1844	1624	windows.exe	schtasks.exe
PID 1624 wrote to memory of 1844	1624	windows.exe	schtasks.exe
PID 1624 wrote to memory of 1844	1624	windows.exe	schtasks.exe
PID 1624 wrote to memory of 1844	1624	windows.exe	schtasks.exe
PID 1624 wrote to memory of 1688	1624	windows.exe	schtasks.exe
PID 1624 wrote to memory of 1688	1624	windows.exe	schtasks.exe
PID 1624 wrote to memory of 1688	1624	windows.exe	schtasks.exe
PID 1624 wrote to memory of 1688	1624	windows.exe	schtasks.exe
PID 1072 wrote to memory of 944	1072	taskeng.exe	windows.exe
PID 1072 wrote to memory of 944	1072	taskeng.exe	windows.exe
PID 1072 wrote to memory of 944	1072	taskeng.exe	windows.exe
PID 1072 wrote to memory of 944	1072	taskeng.exe	windows.exe
PID 944 wrote to memory of 328	944	windows.exe	schtasks.exe
PID 944 wrote to memory of 328	944	windows.exe	schtasks.exe
PID 944 wrote to memory of 328	944	windows.exe	schtasks.exe
PID 944 wrote to memory of 328	944	windows.exe	schtasks.exe
PID 944 wrote to memory of 1500	944	windows.exe	schtasks.exe
PID 944 wrote to memory of 1500	944	windows.exe	schtasks.exe
PID 944 wrote to memory of 1500	944	windows.exe	schtasks.exe
PID 944 wrote to memory of 1500	944	windows.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\f992aa328b81c89418d075b8a53e79b4eae71f9a97d50577c25a67c9c430031c.exe
"C:\Users\Admin\AppData\Local\Temp\f992aa328b81c89418d075b8a53e79b4eae71f9a97d50577c25a67c9c430031c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2008

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\leer.pdf"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1528

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\win.vbs"
2⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1312

C:\Users\Admin\AppData\Local\Temp\windows.exe
"C:\Users\Admin\AppData\Local\Temp\windows.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
4⤵
PID:988

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\windows.exe" /sc minute /mo 1
4⤵
- Creates scheduled task(s)
PID:560

C:\Windows\system32\taskeng.exe
taskeng.exe {D6E0B186-7C91-44FD-8787-33D9DAFA0959} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1072

C:\Users\Admin\AppData\Local\Temp\windows.exe
C:\Users\Admin\AppData\Local\Temp\windows.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
3⤵
PID:1844

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\windows.exe" /sc minute /mo 1
3⤵
- Creates scheduled task(s)
PID:1688

C:\Users\Admin\AppData\Local\Temp\windows.exe
C:\Users\Admin\AppData\Local\Temp\windows.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:944

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
3⤵
PID:328

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\windows.exe" /sc minute /mo 1
3⤵
- Creates scheduled task(s)
PID:1500

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\leer.pdf
MD5
1db6b198366804e52fa1fbc3599934bf

SHA1
171b5758a6483ce5ccddfc3d5dc5e9d40c7aa7b1

SHA256
60205229cab8dce06632c2b9d61b0628186e74ff6fc7db66112d149a576ec8dc

SHA512
35631ecaf2124ee272f78e6382dc4b8f939ff8fe4b11f874176e44d20526b524b3540d5bf7fd2e21c81e92a69f7f31257e5f1ea1cf9f7e79ba01fd2a7f77efed

Download Submit
C:\Users\Admin\AppData\Local\Temp\win.vbs
MD5
466373d5f9d9e8daa9052c303071080f

SHA1
410d62f9075cae08e6b31c5e666f67892982a6ba

SHA256
f4056dbe3779c8e0700567ed46b782ddc7bfda547e7e63b43d2748ef60e12c12

SHA512
de1eca6b8f17980d44ed5c4de455a78865bc117cf51b02e9e1f026096d417e6593272aa64f45fb8f2657b646608b84df25842b2a5b9b45cda4b2e55bc3e0a303

Download Submit
C:\Users\Admin\AppData\Local\Temp\windows.exe
MD5
e755d66ec3fb3877c81b6c6818ef083e

SHA1
e79fdfd8ac6794ebf4daeb044dc98ea47ddb3c4f

SHA256
56203d61bb74a63227367a5d68f3a4869c109be343fccd0bf992f30d0d3192ad

SHA512
f1323391fb5bb2ad278a21905508de06e1ce5dd92895de30f010b9858e74069ec8ce97b7ef4e20cf5e17f6e7a37dd54da5791f2c3e0b5a48cd30318144c4714e

Download Submit
C:\Users\Admin\AppData\Local\Temp\windows.exe
MD5
e755d66ec3fb3877c81b6c6818ef083e

SHA1
e79fdfd8ac6794ebf4daeb044dc98ea47ddb3c4f

SHA256
56203d61bb74a63227367a5d68f3a4869c109be343fccd0bf992f30d0d3192ad

SHA512
f1323391fb5bb2ad278a21905508de06e1ce5dd92895de30f010b9858e74069ec8ce97b7ef4e20cf5e17f6e7a37dd54da5791f2c3e0b5a48cd30318144c4714e

Download Submit
C:\Users\Admin\AppData\Local\Temp\windows.exe
MD5
e755d66ec3fb3877c81b6c6818ef083e

SHA1
e79fdfd8ac6794ebf4daeb044dc98ea47ddb3c4f

SHA256
56203d61bb74a63227367a5d68f3a4869c109be343fccd0bf992f30d0d3192ad

SHA512
f1323391fb5bb2ad278a21905508de06e1ce5dd92895de30f010b9858e74069ec8ce97b7ef4e20cf5e17f6e7a37dd54da5791f2c3e0b5a48cd30318144c4714e

Download Submit
C:\Users\Admin\AppData\Local\Temp\windows.exe
MD5
e755d66ec3fb3877c81b6c6818ef083e

SHA1
e79fdfd8ac6794ebf4daeb044dc98ea47ddb3c4f

SHA256
56203d61bb74a63227367a5d68f3a4869c109be343fccd0bf992f30d0d3192ad

SHA512
f1323391fb5bb2ad278a21905508de06e1ce5dd92895de30f010b9858e74069ec8ce97b7ef4e20cf5e17f6e7a37dd54da5791f2c3e0b5a48cd30318144c4714e

Download Submit
\Users\Admin\AppData\Local\Temp\windows.exe
MD5
e755d66ec3fb3877c81b6c6818ef083e

SHA1
e79fdfd8ac6794ebf4daeb044dc98ea47ddb3c4f

SHA256
56203d61bb74a63227367a5d68f3a4869c109be343fccd0bf992f30d0d3192ad

SHA512
f1323391fb5bb2ad278a21905508de06e1ce5dd92895de30f010b9858e74069ec8ce97b7ef4e20cf5e17f6e7a37dd54da5791f2c3e0b5a48cd30318144c4714e

Download Submit
memory/944-71-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/948-63-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/1624-68-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/2008-54-0x0000000076C91000-0x0000000076C93000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads