njrat | cf317453c3b9c8f13467a034f2a350fac57a7cfe2c038a86d9f706906fb2b6dc

Analysis

max time kernel
151s
max time network
154s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19-12-2023 19:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7fce93d7a0ba558b2de26cecc8f9d57d.exe
Size

455KB
MD5

7fce93d7a0ba558b2de26cecc8f9d57d
SHA1

e957a6a02e091358888a7ca30e77652df102464e
SHA256

cf317453c3b9c8f13467a034f2a350fac57a7cfe2c038a86d9f706906fb2b6dc
SHA512

7f45fbaefc32e8b24790b137ee77c044e8ca3619c61d71db62a0307ed98e2102da607df496385ca82c49a093d57117de022e5e3d933062cad2e320e8688fbb6f
SSDEEP

6144:Od2/yLTYnbgz2q/ZyKphVdvoe77GUZqKCXF1x3HOb2YyPPD71lhNlOQ5JmpD:F/yPYb6wGv+U7cXOBQD3/e

Score

10^/10

njrat 14.04.2017 evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

14.04.2017

ytka.duckdns.org:1604

Mutex

ed423977d6a5549373be05c39703ea7d

Attributes

reg_key
ed423977d6a5549373be05c39703ea7d
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

2364 netsh.exe
Drops startup file 1 IoCs

Processes:

doclan.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\luk.lnk doclan.exe
Executes dropped EXE 4 IoCs

Processes:

BitsProg.exedoclan.execonhost.execonhost.exe

pid process

2892 BitsProg.exe
2348 doclan.exe
2884 conhost.exe
1460 conhost.exe
Loads dropped DLL 3 IoCs

Processes:

doclan.exe

pid process

2348 doclan.exe
2348 doclan.exe
2348 doclan.exe

pid	process
2364	netsh.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\luk.lnk	doclan.exe

pid	process
2892	BitsProg.exe
2348	doclan.exe
2884	conhost.exe
1460	conhost.exe

pid	process
2348	doclan.exe
2348	doclan.exe
2348	doclan.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

conhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\ed423977d6a5549373be05c39703ea7d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\conhost.exe\" .."	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ed423977d6a5549373be05c39703ea7d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\conhost.exe\" .."	conhost.exe

Drops autorun.inf file 1 TTPs 5 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

conhost.exe

description	ioc	process
File created	F:\autorun.inf	conhost.exe
File opened for modification	F:\autorun.inf	conhost.exe
File created	C:\autorun.inf	conhost.exe
File opened for modification	C:\autorun.inf	conhost.exe
File created	D:\autorun.inf	conhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
C:\ProgramData\doclan.exe	nsis_installer_1
C:\ProgramData\doclan.exe	nsis_installer_2

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2236 taskkill.exe

pid	process
2236	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

conhost.exe

pid	process
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe
1460	conhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

conhost.exe

pid process

1460 conhost.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

taskkill.execonhost.exe

description	pid	process
Token: SeDebugPrivilege	2236	taskkill.exe
Token: SeDebugPrivilege	1460	conhost.exe
Token: 33	1460	conhost.exe
Token: SeIncBasePriorityPrivilege	1460	conhost.exe
Token: 33	1460	conhost.exe
Token: SeIncBasePriorityPrivilege	1460	conhost.exe
Token: 33	1460	conhost.exe
Token: SeIncBasePriorityPrivilege	1460	conhost.exe
Token: 33	1460	conhost.exe
Token: SeIncBasePriorityPrivilege	1460	conhost.exe
Token: 33	1460	conhost.exe
Token: SeIncBasePriorityPrivilege	1460	conhost.exe
Token: 33	1460	conhost.exe
Token: SeIncBasePriorityPrivilege	1460	conhost.exe
Token: 33	1460	conhost.exe
Token: SeIncBasePriorityPrivilege	1460	conhost.exe
Token: 33	1460	conhost.exe
Token: SeIncBasePriorityPrivilege	1460	conhost.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

7fce93d7a0ba558b2de26cecc8f9d57d.exedoclan.execonhost.execonhost.exe

description	pid	process	target process
PID 2200 wrote to memory of 2892	2200	7fce93d7a0ba558b2de26cecc8f9d57d.exe	BitsProg.exe
PID 2200 wrote to memory of 2892	2200	7fce93d7a0ba558b2de26cecc8f9d57d.exe	BitsProg.exe
PID 2200 wrote to memory of 2892	2200	7fce93d7a0ba558b2de26cecc8f9d57d.exe	BitsProg.exe
PID 2200 wrote to memory of 2348	2200	7fce93d7a0ba558b2de26cecc8f9d57d.exe	doclan.exe
PID 2200 wrote to memory of 2348	2200	7fce93d7a0ba558b2de26cecc8f9d57d.exe	doclan.exe
PID 2200 wrote to memory of 2348	2200	7fce93d7a0ba558b2de26cecc8f9d57d.exe	doclan.exe
PID 2200 wrote to memory of 2348	2200	7fce93d7a0ba558b2de26cecc8f9d57d.exe	doclan.exe
PID 2348 wrote to memory of 2884	2348	doclan.exe	conhost.exe
PID 2348 wrote to memory of 2884	2348	doclan.exe	conhost.exe
PID 2348 wrote to memory of 2884	2348	doclan.exe	conhost.exe
PID 2348 wrote to memory of 2884	2348	doclan.exe	conhost.exe
PID 2884 wrote to memory of 1460	2884	conhost.exe	conhost.exe
PID 2884 wrote to memory of 1460	2884	conhost.exe	conhost.exe
PID 2884 wrote to memory of 1460	2884	conhost.exe	conhost.exe
PID 1460 wrote to memory of 2364	1460	conhost.exe	netsh.exe
PID 1460 wrote to memory of 2364	1460	conhost.exe	netsh.exe
PID 1460 wrote to memory of 2364	1460	conhost.exe	netsh.exe
PID 1460 wrote to memory of 2236	1460	conhost.exe	taskkill.exe
PID 1460 wrote to memory of 2236	1460	conhost.exe	taskkill.exe
PID 1460 wrote to memory of 2236	1460	conhost.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\7fce93d7a0ba558b2de26cecc8f9d57d.exe
"C:\Users\Admin\AppData\Local\Temp\7fce93d7a0ba558b2de26cecc8f9d57d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2200

C:\ProgramData\BitsProg.exe
"C:\ProgramData\BitsProg.exe"
2⤵
- Executes dropped EXE
PID:2892

C:\ProgramData\doclan.exe
"C:\ProgramData\doclan.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2348

C:\Users\Admin\AppData\Roaming\conhost.exe
C:\Users\Admin\AppData\Roaming\conhost.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884

C:\Users\Admin\AppData\Local\Temp\conhost.exe
"C:\Users\Admin\AppData\Local\Temp\conhost.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops autorun.inf file
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1460

C:\Windows\system32\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\conhost.exe" "conhost.exe" ENABLE
5⤵
- Modifies Windows Firewall
PID:2364

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2236

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\BitsProg.exe
Filesize
46KB

MD5
4aba833aab8032707642515bebc59d1b

SHA1
d5079efd8335aa23162f0165abf426d21a105607

SHA256
822c77973808a0c96608824606d38dcf7b48684919fc2ba57965b6d45dd4b6ad

SHA512
25c86a5e9af0f951c6a5851a3e7330d517a63bdbdd245f8eb0fd3668208c585bcb121cab91ae3583a31940b15eb26711a8a424e98731c7804221d6b26a9d5a14

Download Submit
C:\ProgramData\doclan.exe
Filesize
396KB

MD5
b9388102124c0d070b2ae86908938b41

SHA1
bfc1a3713f25ba86ca80ed325c5ff30066ecfcc6

SHA256
f877ac762828cd7ceeb48028eb6b291a105d8c615912f86d256a6c5f48ccc779

SHA512
f417a1e4160ca7491341de5ee2413f0ca21a6d5757f05d25d176b6ab8b4ede8557891a6d2f051c4710e6714ba16a4cf1f608e5ecc32c3b10b37c3d5bac322438

Download Submit
C:\Users\Admin\AppData\Local\Temp\conhost.exe
Filesize
1.0MB

MD5
00a9e6fdd884f9276c09c478a3b1d101

SHA1
3be2b06abfec17151b86bb172eba193f968a4ebc

SHA256
7e8e4fe2adb306db8d5785949c4c0e00c2c6bcc13606d78a3e1fccd0d20dd134

SHA512
23f46750190d1da38fdc91bd6b767a6125d5443d9b751736d5f02c7dfd5446e4a2b9dfc63ac8199f7893add1e651ac9b6e9d4d6e6348362262bb7034afeeea4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\conhost.exe
Filesize
553KB

MD5
ae75d40102dda007891aa83aada20c26

SHA1
61366eb56d2f5cfc6e05b2f8b7b389b22f2905f1

SHA256
5c430c4a7364c6f1115beb0176ae53b65ebed872eeeb1a7dc6d53927a77a323a

SHA512
a18fba1c24972e01a02f466fdaf95bd1214ca682b035e59f7289b952cb3d18be505ac3e1a3c4ad84352fa22fd2aabb17e4d684c928c053b35801cc298ba3f945

Download Submit
C:\Users\Admin\AppData\Roaming\conhost.exe
Filesize
641KB

MD5
d98bdce1bd880ede97625a1c352cdd63

SHA1
77fcfd979ed3d8400d56dcfdde246a97e490b1fa

SHA256
9fb3e241c5976382f323a57bc7262800a39bb21d9fcce5fc2ca0c87798129d62

SHA512
9e86fa2e131b48f112ba1a423c7c6269b9b52bba66300b99fd27157baa3d36534e6cf996f8f349b6e5e4fe8ea22469454ff1d47c12e543afe4646e85be8c623f

Download Submit
C:\Users\Admin\AppData\Roaming\conhost.exe
Filesize
562KB

MD5
8c8a4eda0a81b90524fb643065b3213f

SHA1
0c869e96f609776615fa4d5aafb867f0bf4cba1f

SHA256
e848fd8907e3d93ecb078004f43d36428e45dfcf1d17eaa033f09a84aab17236

SHA512
af5ffa287ac280f18d7bb6ef0a268fdbfc86728edcc5b0e40519e994c3bcd1fa0f5b6dcdea010b18c20ec49e62361f3237ad34d2856dd81b01d58ac4a118d194

Download Submit
\Users\Admin\AppData\Roaming\conhost.exe
Filesize
781KB

MD5
452ca4d9b9257dc7b82acbcf1c5fc67b

SHA1
a6c4df84fe9bd1232cc4181bbde3d8581f5b7dc6

SHA256
7a90995136dab545a2774413673790bd348ec52bdeac628d2774e3504dc6b23f

SHA512
0d91db451f502533bd9110267923830e5a620ef7b2e81ed0a26093c77d6a676ad655b38a40351b9ddf2fcfb8ce6c2d32385cc8a4b6847065b2fce8f2c54b8c15

Download Submit
\Users\Admin\AppData\Roaming\conhost.exe
Filesize
634KB

MD5
04fad8bf6d861a107a2013de6661b709

SHA1
5abddcc23bc9d228e2035b01881f941aa9b6c8b0

SHA256
e1f2ebb5614db0b12163835a0cc37d0411d45670afe7fb6296996b9b7e543de1

SHA512
7da0295897ee815547e61d19bede86345c5e90c84b8a0e29b19274c70ff55cd942e34cd75ca4533321ae345f3e74ea27a389e2394079b81aeff242ff5fb7634c

Download Submit
\Users\Admin\AppData\Roaming\conhost.exe
Filesize
511KB

MD5
18ae2c037859c758aec5605c391e020b

SHA1
1cb1aded142e84fa1472622eaf13c5907198ec6f

SHA256
086472e4594293e71bae02e86b335d8dc2b686817e98eb85c45f85eb276cb1a6

SHA512
34b7233e6d341ebe33899d32fd440ad112bde05202cb5f450532c44befe118fe6945cd130590257ddabe9f8f3155d089d73d7b3036d37d25cc913a64de079996

Download Submit
memory/1460-50-0x000000001ADE0000-0x000000001AE60000-memory.dmp

Filesize
512KB

Download
memory/1460-56-0x000000001ADE0000-0x000000001AE60000-memory.dmp

Filesize
512KB

Download
memory/1460-53-0x000007FEF5BE0000-0x000007FEF65CC000-memory.dmp

Filesize
9.9MB

Download
memory/1460-48-0x000007FEF5BE0000-0x000007FEF65CC000-memory.dmp

Filesize
9.9MB

Download
memory/1460-47-0x00000000009D0000-0x0000000000AE0000-memory.dmp

Filesize
1.1MB

Download
memory/1460-52-0x000000001ADE0000-0x000000001AE60000-memory.dmp

Filesize
512KB

Download
memory/1460-54-0x000000001ADE0000-0x000000001AE60000-memory.dmp

Filesize
512KB

Download
memory/1460-55-0x000000001ADE0000-0x000000001AE60000-memory.dmp

Filesize
512KB

Download
memory/1460-51-0x000000001ADE0000-0x000000001AE60000-memory.dmp

Filesize
512KB

Download
memory/2200-0-0x0000000000210000-0x0000000000286000-memory.dmp

Filesize
472KB

Download
memory/2200-1-0x000007FEF5BE0000-0x000007FEF65CC000-memory.dmp

Filesize
9.9MB

Download
memory/2200-14-0x000007FEF5BE0000-0x000007FEF65CC000-memory.dmp

Filesize
9.9MB

Download
memory/2884-32-0x000000001B1C0000-0x000000001B240000-memory.dmp

Filesize
512KB

Download
memory/2884-35-0x000000001B1C0000-0x000000001B240000-memory.dmp

Filesize
512KB

Download
memory/2884-34-0x000007FEF5BE0000-0x000007FEF65CC000-memory.dmp

Filesize
9.9MB

Download
memory/2884-38-0x000000001B1C0000-0x000000001B240000-memory.dmp

Filesize
512KB

Download
memory/2884-39-0x0000000000590000-0x00000000005A0000-memory.dmp

Filesize
64KB

Download
memory/2884-31-0x000000001B1C0000-0x000000001B240000-memory.dmp

Filesize
512KB

Download
memory/2884-28-0x000000001B1C0000-0x000000001B240000-memory.dmp

Filesize
512KB

Download
memory/2884-24-0x0000000000CD0000-0x0000000000DE0000-memory.dmp

Filesize
1.1MB

Download
memory/2884-25-0x000007FEF5BE0000-0x000007FEF65CC000-memory.dmp

Filesize
9.9MB

Download
memory/2884-49-0x000007FEF5BE0000-0x000007FEF65CC000-memory.dmp

Filesize
9.9MB

Download
memory/2892-29-0x000000001B080000-0x000000001B100000-memory.dmp

Filesize
512KB

Download
memory/2892-9-0x0000000000140000-0x0000000000150000-memory.dmp

Filesize
64KB

Download
memory/2892-37-0x000000001B080000-0x000000001B100000-memory.dmp

Filesize
512KB

Download
memory/2892-36-0x000000001B080000-0x000000001B100000-memory.dmp

Filesize
512KB

Download
memory/2892-33-0x000007FEF5BE0000-0x000007FEF65CC000-memory.dmp

Filesize
9.9MB

Download
memory/2892-30-0x000000001B080000-0x000000001B100000-memory.dmp

Filesize
512KB

Download
memory/2892-13-0x000007FEF5BE0000-0x000007FEF65CC000-memory.dmp

Filesize
9.9MB

Download