Overview

Analysis tasks (sandbox score out of 10 for each tab):
- Overview: 10
- Static: 10
- Plugin/cam.dll (windows7-x64): 1
- Plugin/cam.dll (windows10-2004-x64): 1
- Plugin/ch.dll (windows7-x64): 1
- Plugin/ch.dll (windows10-2004-x64): 1
- Plugin/mic.dll (windows7-x64): 1
- Plugin/mic.dll (windows10-2004-x64): 1
- Plugin/plg.dll (windows7-x64): 1
- Plugin/plg.dll (windows10-2004-x64): 1
- Plugin/pw.dll (windows7-x64): 1
- Plugin/pw.dll (windows10-2004-x64): 1
- Plugin/sc2.dll (windows7-x64): 1
- Plugin/sc2.dll (windows10-2004-x64): 1
- Stub.xml (windows7-x64): 1
- Stub.xml (windows10-2004-x64): 1
- WinMM.Net.dll (windows7-x64): 1
- WinMM.Net.dll (windows10-2004-x64): 1
- njRAT v0.7d.exe (windows7-x64): 10
- njRAT v0.7d.exe (windows10-2004-x64): 10
- stub.ps1 (windows7-x64): 1
- stub.ps1 (windows10-2004-x64): score not captured
Analysis
- max time kernel: 151s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 26-11-2022 14:47
Behavioral tasks (task: sample, resource image)
- behavioral1: Plugin/cam.dll, win7-20221111-en
- behavioral2: Plugin/cam.dll, win10v2004-20220812-en
- behavioral3: Plugin/ch.dll, win7-20220901-en
- behavioral4: Plugin/ch.dll, win10v2004-20221111-en
- behavioral5: Plugin/mic.dll, win7-20220901-en
- behavioral6: Plugin/mic.dll, win10v2004-20220812-en
- behavioral7: Plugin/plg.dll, win7-20221111-en
- behavioral8: Plugin/plg.dll, win10v2004-20220812-en
- behavioral9: Plugin/pw.dll, win7-20221111-en
- behavioral10: Plugin/pw.dll, win10v2004-20220812-en
- behavioral11: Plugin/sc2.dll, win7-20221111-en
- behavioral12: Plugin/sc2.dll, win10v2004-20220812-en
- behavioral13: Stub.xml, win7-20220812-en
- behavioral14: Stub.xml, win10v2004-20220812-en
- behavioral15: WinMM.Net.dll, win7-20220812-en
- behavioral16: WinMM.Net.dll, win10v2004-20220812-en
- behavioral17: njRAT v0.7d.exe, win7-20220812-en
- behavioral18: njRAT v0.7d.exe, win10v2004-20220812-en
- behavioral19: stub.ps1, win7-20220812-en
- behavioral20: stub.ps1, win10v2004-20220901-en
General
- Target: njRAT v0.7d.exe
- Size: 55KB
- MD5: cac62bc1ad7ba8129d87f1bc1178c814
- SHA1: 55f02c854540df27c4d57ace83c5c91c37cf36e9
- SHA256: 4bc7b459b9842ad4dfaadbb8c280119945050d4cc46780f3fdd3bc3a9c44d027
- SHA512: 972f793b8396d9064d52407701b5b731b21f7a4604bae1b37cbff1aa3fcd72064a71e20838b3f7bfaf35d6703de9ea69f909271be0ca5b0055f1ad89af8dade7
- SSDEEP: 768:sI3KDIyPKpLwby2f+ucnE4D/JJmjbaccM4lKSO9IQ:srDwfD/JJmvRUKSO9R
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
    PID 928: Njratv0.7.exe
    PID 1556: windows.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Drops startup file (2 IoCs)
  Processes (description, IoC, process):
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\386657da1e60be4194c71697712e8f87.exe (windows.exe)
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\386657da1e60be4194c71697712e8f87.exe (windows.exe)
- Loads dropped DLL (2 IoCs)
  Processes:
    PID 816: njRAT v0.7d.exe
    PID 928: Njratv0.7.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, IoC, process):
    Set value (str): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\386657da1e60be4194c71697712e8f87 = "\"C:\\ProgramData\\windows.exe\" .." (windows.exe)
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\386657da1e60be4194c71697712e8f87 = "\"C:\\ProgramData\\windows.exe\" .." (windows.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  Processes:
    PID 1556: windows.exe (16 occurrences)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, PID, process):
    Token: SeDebugPrivilege, PID 1556, windows.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, PID, process, target process):
    PID 816 (njRAT v0.7d.exe) wrote to memory of PID 928 (Njratv0.7.exe), 4 occurrences
    PID 928 (Njratv0.7.exe) wrote to memory of PID 1556 (windows.exe), 4 occurrences
    PID 1556 (windows.exe) wrote to memory of PID 844 (netsh.exe), 4 occurrences
Processes (process tree, indented by depth)
- C:\Users\Admin\AppData\Local\Temp\njRAT v0.7d.exe (PID 816)
  Command line: "C:\Users\Admin\AppData\Local\Temp\njRAT v0.7d.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Njratv0.7.exe (PID 928)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Njratv0.7.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\ProgramData\windows.exe (PID 1556)
      Command line: "C:\ProgramData\windows.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\netsh.exe (PID 844)
        Command line: netsh firewall add allowedprogram "C:\ProgramData\windows.exe" "windows.exe" ENABLE
        - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\ProgramData\windows.exe
  Filesize: 28KB
  MD5: 52a8409c1094fc21866c83db6b3d25e8
  SHA1: fb4dd5992c5d04230e8c06a5a3b01c16f0ffb7e2
  SHA256: ed28ce0ebc2df6fb53fab91089db3c3b6fe1b386fca1ea8c242a54ee3aba336a
  SHA512: fb434b535ed8df2ec91ccbc89cdec60e3b09c39bf8d69ea3354dea2a5ffc536da830ca0f21fc2912467c3e6f76a875ba28bd04600cf4ca950bac9174c108a33c
- C:\Users\Admin\AppData\Local\Temp\Njratv0.7.exe
  Filesize: 28KB
  MD5: 52a8409c1094fc21866c83db6b3d25e8
  SHA1: fb4dd5992c5d04230e8c06a5a3b01c16f0ffb7e2
  SHA256: ed28ce0ebc2df6fb53fab91089db3c3b6fe1b386fca1ea8c242a54ee3aba336a
  SHA512: fb434b535ed8df2ec91ccbc89cdec60e3b09c39bf8d69ea3354dea2a5ffc536da830ca0f21fc2912467c3e6f76a875ba28bd04600cf4ca950bac9174c108a33c
- \ProgramData\windows.exe
  Filesize: 28KB
  MD5: 52a8409c1094fc21866c83db6b3d25e8
  SHA1: fb4dd5992c5d04230e8c06a5a3b01c16f0ffb7e2
  SHA256: ed28ce0ebc2df6fb53fab91089db3c3b6fe1b386fca1ea8c242a54ee3aba336a
  SHA512: fb434b535ed8df2ec91ccbc89cdec60e3b09c39bf8d69ea3354dea2a5ffc536da830ca0f21fc2912467c3e6f76a875ba28bd04600cf4ca950bac9174c108a33c
- \Users\Admin\AppData\Local\Temp\Njratv0.7.exe
  Filesize: 28KB
  MD5: 52a8409c1094fc21866c83db6b3d25e8
  SHA1: fb4dd5992c5d04230e8c06a5a3b01c16f0ffb7e2
  SHA256: ed28ce0ebc2df6fb53fab91089db3c3b6fe1b386fca1ea8c242a54ee3aba336a
  SHA512: fb434b535ed8df2ec91ccbc89cdec60e3b09c39bf8d69ea3354dea2a5ffc536da830ca0f21fc2912467c3e6f76a875ba28bd04600cf4ca950bac9174c108a33c

Memory dumps:
- memory/816-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp (Filesize: 8KB)
- memory/844-67-0x0000000000000000-mapping.dmp
- memory/928-56-0x0000000000000000-mapping.dmp
- memory/928-66-0x0000000073CE0000-0x000000007428B000-memory.dmp (Filesize: 5.7MB)
- memory/928-60-0x0000000073CE0000-0x000000007428B000-memory.dmp (Filesize: 5.7MB)
- memory/1556-62-0x0000000000000000-mapping.dmp
- memory/1556-68-0x0000000073CE0000-0x000000007428B000-memory.dmp (Filesize: 5.7MB)
- memory/1556-70-0x0000000073CE0000-0x000000007428B000-memory.dmp (Filesize: 5.7MB)