njrat | 87a340c6dc9b2e994fddc7edb764ab197ce3eb576c4456a89b9faddd5f28b0b4

Analysis

max time kernel
300s
max time network
293s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
08-09-2023 21:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87a340c6dc9b2e994fddc7edb764ab197ce3eb576c4456a89b9faddd5f28b0b4.exe
Size

49KB
MD5

c3ec94cb1c15fbfd213aa5d5854b8e3f
SHA1

65726604b29227377aadef41da87a7306c852f0c
SHA256

87a340c6dc9b2e994fddc7edb764ab197ce3eb576c4456a89b9faddd5f28b0b4
SHA512

e9cc11eb5e5e7426f9b8109e73194fccf989bfba3c04b73b78094946e79c5c31f3bb85d75193bc370b192836932a6bd8fdda1f3b5ff7b027a911b9bd7612aebf
SSDEEP

1536:a7dS1EAd8II28ca2zhmamGJCKDRMcyEQXGNEPRbw1Rl:igEA6II2Da2zPf/XyEQSiRby

Score

10^/10

njrat cheats persistence trojan

Malware Config

Extracted

Family

njrat

Version

Platinum

Botnet

Cheats

127.0.0.1:1

Mutex

smss.exe

Attributes

reg_key
smss.exe
splitter
|Ghost|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

87a340c6dc9b2e994fddc7edb764ab197ce3eb576c4456a89b9faddd5f28b0b4.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-528036852-1341495193-1175965888-1000\Control Panel\International\Geo\Nation	87a340c6dc9b2e994fddc7edb764ab197ce3eb576c4456a89b9faddd5f28b0b4.exe

Drops startup file 3 IoCs

Processes:

smss.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smss.exe	smss.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smss.exe	smss.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smss.url	smss.exe

Executes dropped EXE 5 IoCs

Processes:

smss.exesmss.exesmss.exesmss.exesmss.exe

pid process

3652 smss.exe
2828 smss.exe
4316 smss.exe
2220 smss.exe
1048 smss.exe

pid	process
3652	smss.exe
2828	smss.exe
4316	smss.exe
2220	smss.exe
1048	smss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

smss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-528036852-1341495193-1175965888-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\smss.exe\" .."	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\smss.exe\" .."	smss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4892 schtasks.exe

pid	process
4892	schtasks.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

smss.exe

description	pid	process
Token: SeDebugPrivilege	3652	smss.exe
Token: 33	3652	smss.exe
Token: SeIncBasePriorityPrivilege	3652	smss.exe
Token: 33	3652	smss.exe
Token: SeIncBasePriorityPrivilege	3652	smss.exe
Token: 33	3652	smss.exe
Token: SeIncBasePriorityPrivilege	3652	smss.exe
Token: 33	3652	smss.exe
Token: SeIncBasePriorityPrivilege	3652	smss.exe
Token: 33	3652	smss.exe
Token: SeIncBasePriorityPrivilege	3652	smss.exe
Token: 33	3652	smss.exe
Token: SeIncBasePriorityPrivilege	3652	smss.exe
Token: 33	3652	smss.exe
Token: SeIncBasePriorityPrivilege	3652	smss.exe
Token: 33	3652	smss.exe
Token: SeIncBasePriorityPrivilege	3652	smss.exe
Token: 33	3652	smss.exe
Token: SeIncBasePriorityPrivilege	3652	smss.exe
Token: 33	3652	smss.exe
Token: SeIncBasePriorityPrivilege	3652	smss.exe
Token: 33	3652	smss.exe
Token: SeIncBasePriorityPrivilege	3652	smss.exe
Token: 33	3652	smss.exe
Token: SeIncBasePriorityPrivilege	3652	smss.exe
Token: 33	3652	smss.exe
Token: SeIncBasePriorityPrivilege	3652	smss.exe
Token: 33	3652	smss.exe
Token: SeIncBasePriorityPrivilege	3652	smss.exe
Token: 33	3652	smss.exe
Token: SeIncBasePriorityPrivilege	3652	smss.exe
Token: 33	3652	smss.exe
Token: SeIncBasePriorityPrivilege	3652	smss.exe
Token: 33	3652	smss.exe
Token: SeIncBasePriorityPrivilege	3652	smss.exe
Token: 33	3652	smss.exe
Token: SeIncBasePriorityPrivilege	3652	smss.exe
Token: 33	3652	smss.exe
Token: SeIncBasePriorityPrivilege	3652	smss.exe
Token: 33	3652	smss.exe
Token: SeIncBasePriorityPrivilege	3652	smss.exe
Token: 33	3652	smss.exe
Token: SeIncBasePriorityPrivilege	3652	smss.exe
Token: 33	3652	smss.exe
Token: SeIncBasePriorityPrivilege	3652	smss.exe
Token: 33	3652	smss.exe
Token: SeIncBasePriorityPrivilege	3652	smss.exe
Token: 33	3652	smss.exe
Token: SeIncBasePriorityPrivilege	3652	smss.exe
Token: 33	3652	smss.exe
Token: SeIncBasePriorityPrivilege	3652	smss.exe
Token: 33	3652	smss.exe
Token: SeIncBasePriorityPrivilege	3652	smss.exe
Token: 33	3652	smss.exe
Token: SeIncBasePriorityPrivilege	3652	smss.exe
Token: 33	3652	smss.exe
Token: SeIncBasePriorityPrivilege	3652	smss.exe
Token: 33	3652	smss.exe
Token: SeIncBasePriorityPrivilege	3652	smss.exe
Token: 33	3652	smss.exe
Token: SeIncBasePriorityPrivilege	3652	smss.exe
Token: 33	3652	smss.exe
Token: SeIncBasePriorityPrivilege	3652	smss.exe
Token: 33	3652	smss.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

87a340c6dc9b2e994fddc7edb764ab197ce3eb576c4456a89b9faddd5f28b0b4.execmd.exesmss.exe

description	pid	process	target process
PID 412 wrote to memory of 3652	412	87a340c6dc9b2e994fddc7edb764ab197ce3eb576c4456a89b9faddd5f28b0b4.exe	smss.exe
PID 412 wrote to memory of 3652	412	87a340c6dc9b2e994fddc7edb764ab197ce3eb576c4456a89b9faddd5f28b0b4.exe	smss.exe
PID 412 wrote to memory of 3240	412	87a340c6dc9b2e994fddc7edb764ab197ce3eb576c4456a89b9faddd5f28b0b4.exe	cmd.exe
PID 412 wrote to memory of 3240	412	87a340c6dc9b2e994fddc7edb764ab197ce3eb576c4456a89b9faddd5f28b0b4.exe	cmd.exe
PID 3240 wrote to memory of 2744	3240	cmd.exe	choice.exe
PID 3240 wrote to memory of 2744	3240	cmd.exe	choice.exe
PID 3652 wrote to memory of 3460	3652	smss.exe	schtasks.exe
PID 3652 wrote to memory of 3460	3652	smss.exe	schtasks.exe
PID 3652 wrote to memory of 4892	3652	smss.exe	schtasks.exe
PID 3652 wrote to memory of 4892	3652	smss.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\87a340c6dc9b2e994fddc7edb764ab197ce3eb576c4456a89b9faddd5f28b0b4.exe
"C:\Users\Admin\AppData\Local\Temp\87a340c6dc9b2e994fddc7edb764ab197ce3eb576c4456a89b9faddd5f28b0b4.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:412

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3652

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:3460

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Local\Temp\smss.exe
3⤵
- Creates scheduled task(s)
PID:4892

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\Users\Admin\AppData\Local\Temp\87a340c6dc9b2e994fddc7edb764ab197ce3eb576c4456a89b9faddd5f28b0b4.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3240

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 5
3⤵
PID:2744

C:\Users\Admin\AppData\Local\Temp\smss.exe
C:\Users\Admin\AppData\Local\Temp\smss.exe
1⤵
- Executes dropped EXE
PID:2828

C:\Users\Admin\AppData\Local\Temp\smss.exe
C:\Users\Admin\AppData\Local\Temp\smss.exe
1⤵
- Executes dropped EXE
PID:4316

C:\Users\Admin\AppData\Local\Temp\smss.exe
C:\Users\Admin\AppData\Local\Temp\smss.exe
1⤵
- Executes dropped EXE
PID:2220

C:\Users\Admin\AppData\Local\Temp\smss.exe
C:\Users\Admin\AppData\Local\Temp\smss.exe
1⤵
- Executes dropped EXE
PID:1048

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\smss.exe.log
Filesize
319B

MD5
26ca4897aad21f536806c5e7925976e7

SHA1
f072e5b6bfd7ce28dbb16f162d9a4e05690fcbd8

SHA256
1c5b33fb22baaa5f9f1400e86f650aa4694387cdfa4835d3f60bebf203a491fd

SHA512
0f16a7f7fb34550bd91f042b2005cdc4233ca3e4be650abb832ff2f253358d7aa5fde1de4e1d9fc9e6cf971f1ed343ae6b575988083d9c4e3c6af96bdfb5d5a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\smss.exe.log
Filesize
319B

MD5
26ca4897aad21f536806c5e7925976e7

SHA1
f072e5b6bfd7ce28dbb16f162d9a4e05690fcbd8

SHA256
1c5b33fb22baaa5f9f1400e86f650aa4694387cdfa4835d3f60bebf203a491fd

SHA512
0f16a7f7fb34550bd91f042b2005cdc4233ca3e4be650abb832ff2f253358d7aa5fde1de4e1d9fc9e6cf971f1ed343ae6b575988083d9c4e3c6af96bdfb5d5a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\smss.exe
Filesize
49KB

MD5
c3ec94cb1c15fbfd213aa5d5854b8e3f

SHA1
65726604b29227377aadef41da87a7306c852f0c

SHA256
87a340c6dc9b2e994fddc7edb764ab197ce3eb576c4456a89b9faddd5f28b0b4

SHA512
e9cc11eb5e5e7426f9b8109e73194fccf989bfba3c04b73b78094946e79c5c31f3bb85d75193bc370b192836932a6bd8fdda1f3b5ff7b027a911b9bd7612aebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\smss.exe
Filesize
49KB

MD5
c3ec94cb1c15fbfd213aa5d5854b8e3f

SHA1
65726604b29227377aadef41da87a7306c852f0c

SHA256
87a340c6dc9b2e994fddc7edb764ab197ce3eb576c4456a89b9faddd5f28b0b4

SHA512
e9cc11eb5e5e7426f9b8109e73194fccf989bfba3c04b73b78094946e79c5c31f3bb85d75193bc370b192836932a6bd8fdda1f3b5ff7b027a911b9bd7612aebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\smss.exe
Filesize
49KB

MD5
c3ec94cb1c15fbfd213aa5d5854b8e3f

SHA1
65726604b29227377aadef41da87a7306c852f0c

SHA256
87a340c6dc9b2e994fddc7edb764ab197ce3eb576c4456a89b9faddd5f28b0b4

SHA512
e9cc11eb5e5e7426f9b8109e73194fccf989bfba3c04b73b78094946e79c5c31f3bb85d75193bc370b192836932a6bd8fdda1f3b5ff7b027a911b9bd7612aebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\smss.exe
Filesize
49KB

MD5
c3ec94cb1c15fbfd213aa5d5854b8e3f

SHA1
65726604b29227377aadef41da87a7306c852f0c

SHA256
87a340c6dc9b2e994fddc7edb764ab197ce3eb576c4456a89b9faddd5f28b0b4

SHA512
e9cc11eb5e5e7426f9b8109e73194fccf989bfba3c04b73b78094946e79c5c31f3bb85d75193bc370b192836932a6bd8fdda1f3b5ff7b027a911b9bd7612aebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\smss.exe
Filesize
49KB

MD5
c3ec94cb1c15fbfd213aa5d5854b8e3f

SHA1
65726604b29227377aadef41da87a7306c852f0c

SHA256
87a340c6dc9b2e994fddc7edb764ab197ce3eb576c4456a89b9faddd5f28b0b4

SHA512
e9cc11eb5e5e7426f9b8109e73194fccf989bfba3c04b73b78094946e79c5c31f3bb85d75193bc370b192836932a6bd8fdda1f3b5ff7b027a911b9bd7612aebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\smss.exe
Filesize
49KB

MD5
c3ec94cb1c15fbfd213aa5d5854b8e3f

SHA1
65726604b29227377aadef41da87a7306c852f0c

SHA256
87a340c6dc9b2e994fddc7edb764ab197ce3eb576c4456a89b9faddd5f28b0b4

SHA512
e9cc11eb5e5e7426f9b8109e73194fccf989bfba3c04b73b78094946e79c5c31f3bb85d75193bc370b192836932a6bd8fdda1f3b5ff7b027a911b9bd7612aebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\smss.exe
Filesize
49KB

MD5
c3ec94cb1c15fbfd213aa5d5854b8e3f

SHA1
65726604b29227377aadef41da87a7306c852f0c

SHA256
87a340c6dc9b2e994fddc7edb764ab197ce3eb576c4456a89b9faddd5f28b0b4

SHA512
e9cc11eb5e5e7426f9b8109e73194fccf989bfba3c04b73b78094946e79c5c31f3bb85d75193bc370b192836932a6bd8fdda1f3b5ff7b027a911b9bd7612aebf

Download Submit
memory/412-18-0x00007FFB8D640000-0x00007FFB8DFE1000-memory.dmp

Filesize
9.6MB

Download
memory/412-0-0x00007FFB8D640000-0x00007FFB8DFE1000-memory.dmp

Filesize
9.6MB

Download
memory/412-17-0x00007FFB8D640000-0x00007FFB8DFE1000-memory.dmp

Filesize
9.6MB

Download
memory/412-14-0x00007FFB8D640000-0x00007FFB8DFE1000-memory.dmp

Filesize
9.6MB

Download
memory/412-1-0x0000000000F20000-0x0000000000F30000-memory.dmp

Filesize
64KB

Download
memory/412-2-0x0000000000710000-0x000000000071A000-memory.dmp

Filesize
40KB

Download
memory/412-5-0x000000001C0A0000-0x000000001C146000-memory.dmp

Filesize
664KB

Download
memory/412-4-0x000000001B590000-0x000000001B5A8000-memory.dmp

Filesize
96KB

Download
memory/412-3-0x000000001BB20000-0x000000001BFEE000-memory.dmp

Filesize
4.8MB

Download
memory/1048-46-0x00007FFB8D640000-0x00007FFB8DFE1000-memory.dmp

Filesize
9.6MB

Download
memory/1048-48-0x00007FFB8D640000-0x00007FFB8DFE1000-memory.dmp

Filesize
9.6MB

Download
memory/1048-47-0x00007FFB8D640000-0x00007FFB8DFE1000-memory.dmp

Filesize
9.6MB

Download
memory/2220-41-0x00007FFB8D640000-0x00007FFB8DFE1000-memory.dmp

Filesize
9.6MB

Download
memory/2220-43-0x00007FFB8D640000-0x00007FFB8DFE1000-memory.dmp

Filesize
9.6MB

Download
memory/2220-40-0x00007FFB8D640000-0x00007FFB8DFE1000-memory.dmp

Filesize
9.6MB

Download
memory/2828-30-0x00007FFB8D640000-0x00007FFB8DFE1000-memory.dmp

Filesize
9.6MB

Download
memory/2828-31-0x00007FFB8D640000-0x00007FFB8DFE1000-memory.dmp

Filesize
9.6MB

Download
memory/2828-33-0x00007FFB8D640000-0x00007FFB8DFE1000-memory.dmp

Filesize
9.6MB

Download
memory/3652-27-0x000000001E910000-0x000000001E929000-memory.dmp

Filesize
100KB

Download
memory/3652-28-0x00007FFB8D640000-0x00007FFB8DFE1000-memory.dmp

Filesize
9.6MB

Download
memory/3652-26-0x00007FFB8D640000-0x00007FFB8DFE1000-memory.dmp

Filesize
9.6MB

Download
memory/3652-25-0x00000000200E0000-0x0000000020142000-memory.dmp

Filesize
392KB

Download
memory/3652-24-0x0000000002DF0000-0x0000000002DF8000-memory.dmp

Filesize
32KB

Download
memory/3652-23-0x000000001DA80000-0x000000001DB1C000-memory.dmp

Filesize
624KB

Download
memory/3652-19-0x00007FFB8D640000-0x00007FFB8DFE1000-memory.dmp

Filesize
9.6MB

Download
memory/3652-16-0x00007FFB8D640000-0x00007FFB8DFE1000-memory.dmp

Filesize
9.6MB

Download
memory/4316-38-0x00007FFB8D640000-0x00007FFB8DFE1000-memory.dmp

Filesize
9.6MB

Download
memory/4316-37-0x00007FFB8D640000-0x00007FFB8DFE1000-memory.dmp

Filesize
9.6MB

Download
memory/4316-36-0x00007FFB8D640000-0x00007FFB8DFE1000-memory.dmp

Filesize
9.6MB

Download