njrat | 757d5c44cf044ca61b8402e96f8b8ae40e2cec3bd7fe7d78f24b77b44aa2ee95

Analysis

max time kernel
0s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 22:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e15599841999bf17e13b35c788489cd.exe
Size

124KB
MD5

1e15599841999bf17e13b35c788489cd
SHA1

21460a1c90ba2a8cb21e1419f10068b4ef4baa14
SHA256

757d5c44cf044ca61b8402e96f8b8ae40e2cec3bd7fe7d78f24b77b44aa2ee95
SHA512

154f7f8e2b85824b8bafa1c5ef589670031b58d4e1c037705fbd3deb08dfda8f10c96475f9859bbfcaf6ca081316569fad86e6764875ba997a67dc323c800267
SSDEEP

1536:mgJ+ABB2abuvLng2F6rhKTYCpqwJSzvOy9OqS:lIABEabqg2F6R

Score

10^/10

njrat kerieshka persistence trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

Kerieshka

2.tcp.ngrok.io:10497

Mutex

95fdec38e3b8066027596a6d420c4af3

Attributes

reg_key
95fdec38e3b8066027596a6d420c4af3
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 1 IoCs

pid	Process
3052	AbcV.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\AbcV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AbcV.exe"	AbcV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AbcV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AbcV.exe"	AbcV.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	880	1e15599841999bf17e13b35c788489cd.exe
Token: SeDebugPrivilege	3052	AbcV.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 3052	880	1e15599841999bf17e13b35c788489cd.exe	17
PID 880 wrote to memory of 3052	880	1e15599841999bf17e13b35c788489cd.exe	17
PID 880 wrote to memory of 3052	880	1e15599841999bf17e13b35c788489cd.exe	17
PID 3052 wrote to memory of 2288	3052	AbcV.exe	16
PID 3052 wrote to memory of 2288	3052	AbcV.exe	16
PID 3052 wrote to memory of 2288	3052	AbcV.exe	16

C:\Users\Admin\AppData\Local\Temp\1e15599841999bf17e13b35c788489cd.exe
"C:\Users\Admin\AppData\Local\Temp\1e15599841999bf17e13b35c788489cd.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:880
- C:\Users\Admin\AppData\Local\Temp\AbcV.exe
  "C:\Users\Admin\AppData\Local\Temp\AbcV.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3052

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 476
1⤵
PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AbcV.exe

Filesize
17KB

MD5
6983553881377cab990ecc0b8761edbb

SHA1
c42e412dc3c0b576e8ace8ea745a4eeb2388d7e2

SHA256
4add01328ffd9f5175f57e7ca350e922c870b825cff4644eb383263229e3db13

SHA512
aaebd7f75ffd2e6c105e9141bcc129cd0747a1e36b3f60b66a59cc179b330739b891a313f157e3e7869b4e6cbb542889ff50768a383f6c79449c2e497e0677ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\AbcV.exe

Filesize
9KB

MD5
b358c19bd07ae0d2523318b91659ffcc

SHA1
34f4102b1e8df04630adf9b820269f497f19ef12

SHA256
c879f27c51eb1747b3ad60783244b47447e1a1b26287902b7ed3b7973f3b3493

SHA512
70aeb97a2ad569a463f891094f9aa2fbfe450ff187ed6ff130ca11e2897403e7625d2e60abe90c8caa645aeff5759f26912dac7d324ff31a54be1a4d43d388e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AbcV.exe

Filesize
32KB

MD5
c31e96e3b9dcc926dcf9e725dbcfb1f1

SHA1
891a290b1a5386bd268e0fd9622a03db074b5155

SHA256
14f72aa8d81a4e961876bc0a3e4da18a7f7040e43002ef74cc2837d9551307e3

SHA512
367548f6b853eda22bd7350aadf0be74c059f0cda6c57f2f6e3100f04eda3553a3558083dfa6847926b2b3202c2aa48e3773cc65601737b515f331ffb83dc679

Download Submit
memory/880-9-0x000007FEF60B0000-0x000007FEF6A4D000-memory.dmp

Filesize
9.6MB

Download
memory/2288-13-0x0000000002080000-0x0000000002081000-memory.dmp

Filesize
4KB

Download
memory/3052-8-0x0000000000960000-0x0000000000980000-memory.dmp

Filesize
128KB

Download
memory/3052-10-0x0000000000A40000-0x0000000000AC0000-memory.dmp

Filesize
512KB

Download
memory/3052-12-0x000007FEF60B0000-0x000007FEF6A4D000-memory.dmp

Filesize
9.6MB

Download
memory/3052-11-0x000007FEF60B0000-0x000007FEF6A4D000-memory.dmp

Filesize
9.6MB

Download
memory/3052-14-0x000007FEF60B0000-0x000007FEF6A4D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads