njrat | 2ca10a991b5151eb236b4faed3a08e7f44153286b53dea588f888dc0174af8a3

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
26-03-2023 08:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5846a4f316160ded59379aaecc48de08.exe
Size

103KB
MD5

5846a4f316160ded59379aaecc48de08
SHA1

b5af1332a27e9e7a70b85dded3ee294a7b6b2446
SHA256

2ca10a991b5151eb236b4faed3a08e7f44153286b53dea588f888dc0174af8a3
SHA512

ff43812896e14b9efecd00a642fd374e4d60fd4f9389a620b9c85138f757bf950677cbba102513a2cfc01f5e1990f04e24cb1b6ef7fe055829cae8fadca3d93e
SSDEEP

768:NAY1lN7oYUGF6DrM+rMRa8NunC6tRJghs:NAY1vcdGMc+gRJNV4J

Score

10^/10

njrat geforce experience evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

Geforce Experience

2.tcp.eu.ngrok.io:17425

Mutex

00c8a057ad6a6d7c6c7858e5303b7a44

Attributes

reg_key
00c8a057ad6a6d7c6c7858e5303b7a44
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
756	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00c8a057ad6a6d7c6c7858e5303b7a44.exe	Geforce Experience.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00c8a057ad6a6d7c6c7858e5303b7a44.exe	Geforce Experience.exe

Executes dropped EXE 1 IoCs

pid	Process
896	Geforce Experience.exe

Loads dropped DLL 1 IoCs

pid	Process
1972	5846a4f316160ded59379aaecc48de08.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\00c8a057ad6a6d7c6c7858e5303b7a44 = "\"C:\\ProgramData\\Geforce Experience.exe\" .."	Geforce Experience.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\00c8a057ad6a6d7c6c7858e5303b7a44 = "\"C:\\ProgramData\\Geforce Experience.exe\" .."	Geforce Experience.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe
896	Geforce Experience.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
896	Geforce Experience.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	896	Geforce Experience.exe
Token: 33	896	Geforce Experience.exe
Token: SeIncBasePriorityPrivilege	896	Geforce Experience.exe
Token: 33	896	Geforce Experience.exe
Token: SeIncBasePriorityPrivilege	896	Geforce Experience.exe
Token: 33	896	Geforce Experience.exe
Token: SeIncBasePriorityPrivilege	896	Geforce Experience.exe
Token: 33	896	Geforce Experience.exe
Token: SeIncBasePriorityPrivilege	896	Geforce Experience.exe
Token: 33	896	Geforce Experience.exe
Token: SeIncBasePriorityPrivilege	896	Geforce Experience.exe
Token: 33	896	Geforce Experience.exe
Token: SeIncBasePriorityPrivilege	896	Geforce Experience.exe
Token: 33	896	Geforce Experience.exe
Token: SeIncBasePriorityPrivilege	896	Geforce Experience.exe
Token: 33	896	Geforce Experience.exe
Token: SeIncBasePriorityPrivilege	896	Geforce Experience.exe
Token: 33	896	Geforce Experience.exe
Token: SeIncBasePriorityPrivilege	896	Geforce Experience.exe
Token: 33	896	Geforce Experience.exe
Token: SeIncBasePriorityPrivilege	896	Geforce Experience.exe
Token: 33	896	Geforce Experience.exe
Token: SeIncBasePriorityPrivilege	896	Geforce Experience.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 896	1972	5846a4f316160ded59379aaecc48de08.exe	27
PID 1972 wrote to memory of 896	1972	5846a4f316160ded59379aaecc48de08.exe	27
PID 1972 wrote to memory of 896	1972	5846a4f316160ded59379aaecc48de08.exe	27
PID 1972 wrote to memory of 896	1972	5846a4f316160ded59379aaecc48de08.exe	27
PID 896 wrote to memory of 756	896	Geforce Experience.exe	28
PID 896 wrote to memory of 756	896	Geforce Experience.exe	28
PID 896 wrote to memory of 756	896	Geforce Experience.exe	28
PID 896 wrote to memory of 756	896	Geforce Experience.exe	28

C:\Users\Admin\AppData\Local\Temp\5846a4f316160ded59379aaecc48de08.exe
"C:\Users\Admin\AppData\Local\Temp\5846a4f316160ded59379aaecc48de08.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1972
- C:\ProgramData\Geforce Experience.exe
  "C:\ProgramData\Geforce Experience.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:896
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\ProgramData\Geforce Experience.exe" "Geforce Experience.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Geforce Experience.exe

Filesize
103KB

MD5
5846a4f316160ded59379aaecc48de08

SHA1
b5af1332a27e9e7a70b85dded3ee294a7b6b2446

SHA256
2ca10a991b5151eb236b4faed3a08e7f44153286b53dea588f888dc0174af8a3

SHA512
ff43812896e14b9efecd00a642fd374e4d60fd4f9389a620b9c85138f757bf950677cbba102513a2cfc01f5e1990f04e24cb1b6ef7fe055829cae8fadca3d93e

Download Submit
C:\ProgramData\Geforce Experience.exe

Filesize
103KB

MD5
5846a4f316160ded59379aaecc48de08

SHA1
b5af1332a27e9e7a70b85dded3ee294a7b6b2446

SHA256
2ca10a991b5151eb236b4faed3a08e7f44153286b53dea588f888dc0174af8a3

SHA512
ff43812896e14b9efecd00a642fd374e4d60fd4f9389a620b9c85138f757bf950677cbba102513a2cfc01f5e1990f04e24cb1b6ef7fe055829cae8fadca3d93e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00c8a057ad6a6d7c6c7858e5303b7a44.exe

Filesize
103KB

MD5
5846a4f316160ded59379aaecc48de08

SHA1
b5af1332a27e9e7a70b85dded3ee294a7b6b2446

SHA256
2ca10a991b5151eb236b4faed3a08e7f44153286b53dea588f888dc0174af8a3

SHA512
ff43812896e14b9efecd00a642fd374e4d60fd4f9389a620b9c85138f757bf950677cbba102513a2cfc01f5e1990f04e24cb1b6ef7fe055829cae8fadca3d93e

Download Submit
\ProgramData\Geforce Experience.exe

Filesize
103KB

MD5
5846a4f316160ded59379aaecc48de08

SHA1
b5af1332a27e9e7a70b85dded3ee294a7b6b2446

SHA256
2ca10a991b5151eb236b4faed3a08e7f44153286b53dea588f888dc0174af8a3

SHA512
ff43812896e14b9efecd00a642fd374e4d60fd4f9389a620b9c85138f757bf950677cbba102513a2cfc01f5e1990f04e24cb1b6ef7fe055829cae8fadca3d93e

Download Submit
memory/896-62-0x0000000000680000-0x00000000006C0000-memory.dmp

Filesize
256KB

Download
memory/896-64-0x0000000000680000-0x00000000006C0000-memory.dmp

Filesize
256KB

Download
memory/1972-54-0x00000000020A0000-0x00000000020E0000-memory.dmp

Filesize
256KB

Download