njrat | 0b772f76147e7b238d14de0355cef5e90726574f9fa313675f687a7c4913d222

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12/01/2024, 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b772f76147e7b238d14de0355cef5e90726574f9fa313675f687a7c4913d222.exe
Size

93KB
MD5

fcf64d897dc4dd3e3e49f23236a90f78
SHA1

3ed20b44d33fbd84c3daa329d8a711841100fcc6
SHA256

0b772f76147e7b238d14de0355cef5e90726574f9fa313675f687a7c4913d222
SHA512

000c7112fff71f40b6e336e4c9d538a621f355d48103d5463727845b26db9324e773952ea5b68afa84cc52032a1b05303906939a21e27ae767c98e8603ddcb37
SSDEEP

768:oY305yD9O/pBcxYsbae6GIXb9pDX2t98PL0OXLeuXxrjEtCdnl2pi1Rz4Rk3vsGO:k5IOx6baIa9RZj00ljEwzGi1dDbD4gS

Score

10^/10

njrat hacked evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

hakim32.ddns.net:2000

4.tcp.eu.ngrok.io:15904

Mutex

0898e831b8671183b1f71cc16112d0b9

Attributes

reg_key
0898e831b8671183b1f71cc16112d0b9
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2868	netsh.exe

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0898e831b8671183b1f71cc16112d0b9Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0898e831b8671183b1f71cc16112d0b9Windows Update.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe

Executes dropped EXE 4 IoCs

pid	Process
2828	server.exe
2632	StUpdate.exe
1592	StUpdate.exe
2372	StUpdate.exe

Loads dropped DLL 11 IoCs

pid	Process
2512	0b772f76147e7b238d14de0355cef5e90726574f9fa313675f687a7c4913d222.exe
2512	0b772f76147e7b238d14de0355cef5e90726574f9fa313675f687a7c4913d222.exe
2632	StUpdate.exe
2632	StUpdate.exe
2632	StUpdate.exe
1592	StUpdate.exe
1592	StUpdate.exe
1592	StUpdate.exe
2372	StUpdate.exe
2372	StUpdate.exe
2372	StUpdate.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2720	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe
2828	server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2828	server.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	2828	server.exe
Token: 33	2828	server.exe
Token: SeIncBasePriorityPrivilege	2828	server.exe
Token: 33	2828	server.exe
Token: SeIncBasePriorityPrivilege	2828	server.exe
Token: 33	2828	server.exe
Token: SeIncBasePriorityPrivilege	2828	server.exe
Token: 33	2828	server.exe
Token: SeIncBasePriorityPrivilege	2828	server.exe
Token: 33	2828	server.exe
Token: SeIncBasePriorityPrivilege	2828	server.exe
Token: 33	2828	server.exe
Token: SeIncBasePriorityPrivilege	2828	server.exe
Token: 33	2828	server.exe
Token: SeIncBasePriorityPrivilege	2828	server.exe
Token: 33	2828	server.exe
Token: SeIncBasePriorityPrivilege	2828	server.exe
Token: 33	2828	server.exe
Token: SeIncBasePriorityPrivilege	2828	server.exe
Token: 33	2828	server.exe
Token: SeIncBasePriorityPrivilege	2828	server.exe
Token: 33	2828	server.exe
Token: SeIncBasePriorityPrivilege	2828	server.exe
Token: 33	2828	server.exe
Token: SeIncBasePriorityPrivilege	2828	server.exe
Token: 33	2828	server.exe
Token: SeIncBasePriorityPrivilege	2828	server.exe
Token: 33	2828	server.exe
Token: SeIncBasePriorityPrivilege	2828	server.exe
Token: 33	2828	server.exe
Token: SeIncBasePriorityPrivilege	2828	server.exe
Token: 33	2828	server.exe
Token: SeIncBasePriorityPrivilege	2828	server.exe
Token: 33	2828	server.exe
Token: SeIncBasePriorityPrivilege	2828	server.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2828	2512	0b772f76147e7b238d14de0355cef5e90726574f9fa313675f687a7c4913d222.exe	28
PID 2512 wrote to memory of 2828	2512	0b772f76147e7b238d14de0355cef5e90726574f9fa313675f687a7c4913d222.exe	28
PID 2512 wrote to memory of 2828	2512	0b772f76147e7b238d14de0355cef5e90726574f9fa313675f687a7c4913d222.exe	28
PID 2512 wrote to memory of 2828	2512	0b772f76147e7b238d14de0355cef5e90726574f9fa313675f687a7c4913d222.exe	28
PID 2828 wrote to memory of 2868	2828	server.exe	29
PID 2828 wrote to memory of 2868	2828	server.exe	29
PID 2828 wrote to memory of 2868	2828	server.exe	29
PID 2828 wrote to memory of 2868	2828	server.exe	29
PID 2828 wrote to memory of 2720	2828	server.exe	31
PID 2828 wrote to memory of 2720	2828	server.exe	31
PID 2828 wrote to memory of 2720	2828	server.exe	31
PID 2828 wrote to memory of 2720	2828	server.exe	31
PID 2684 wrote to memory of 2632	2684	taskeng.exe	34
PID 2684 wrote to memory of 2632	2684	taskeng.exe	34
PID 2684 wrote to memory of 2632	2684	taskeng.exe	34
PID 2684 wrote to memory of 2632	2684	taskeng.exe	34
PID 2684 wrote to memory of 2632	2684	taskeng.exe	34
PID 2684 wrote to memory of 2632	2684	taskeng.exe	34
PID 2684 wrote to memory of 2632	2684	taskeng.exe	34
PID 2684 wrote to memory of 1592	2684	taskeng.exe	37
PID 2684 wrote to memory of 1592	2684	taskeng.exe	37
PID 2684 wrote to memory of 1592	2684	taskeng.exe	37
PID 2684 wrote to memory of 1592	2684	taskeng.exe	37
PID 2684 wrote to memory of 1592	2684	taskeng.exe	37
PID 2684 wrote to memory of 1592	2684	taskeng.exe	37
PID 2684 wrote to memory of 1592	2684	taskeng.exe	37
PID 2684 wrote to memory of 2372	2684	taskeng.exe	38
PID 2684 wrote to memory of 2372	2684	taskeng.exe	38
PID 2684 wrote to memory of 2372	2684	taskeng.exe	38
PID 2684 wrote to memory of 2372	2684	taskeng.exe	38
PID 2684 wrote to memory of 2372	2684	taskeng.exe	38
PID 2684 wrote to memory of 2372	2684	taskeng.exe	38
PID 2684 wrote to memory of 2372	2684	taskeng.exe	38

C:\Users\Admin\AppData\Local\Temp\0b772f76147e7b238d14de0355cef5e90726574f9fa313675f687a7c4913d222.exe
"C:\Users\Admin\AppData\Local\Temp\0b772f76147e7b238d14de0355cef5e90726574f9fa313675f687a7c4913d222.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Users\Admin\AppData\Local\Temp\server.exe
  "C:\Users\Admin\AppData\Local\Temp\server.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:2868
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn StUpdate /tr C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
    3⤵
    - Creates scheduled task(s)
    PID:2720

C:\Windows\system32\taskeng.exe
taskeng.exe {BD53D36B-48F1-42FC-BA8A-D345480469AC} S-1-5-21-1603059206-2004189698-4139800220-1000:AILVMYUM\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
  C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2632
- C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
  C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1592
- C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
  C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
93KB

MD5
fcf64d897dc4dd3e3e49f23236a90f78

SHA1
3ed20b44d33fbd84c3daa329d8a711841100fcc6

SHA256
0b772f76147e7b238d14de0355cef5e90726574f9fa313675f687a7c4913d222

SHA512
000c7112fff71f40b6e336e4c9d538a621f355d48103d5463727845b26db9324e773952ea5b68afa84cc52032a1b05303906939a21e27ae767c98e8603ddcb37

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
5B

MD5
311d687faffaed10f44ea27c024986b6

SHA1
eece910ea8cb7aed467e2e7700f7c223d3fbbc9e

SHA256
608547d80bf0e4b3d9cfffd324702b4aa38db2f0bfb3db4bd517b556fdf4de2b

SHA512
296d2cbbbf39917b174682a73e571a98130b2fe1c2dcb7c84adbd185a0b3a81384ad556e3a88cdeaa01fbd5cb486c58c1e1dff22f77cd3e9df7315b93355272b

Download Submit
memory/1592-57-0x0000000074180000-0x000000007472B000-memory.dmp

Filesize
5.7MB

Download
memory/1592-54-0x0000000074180000-0x000000007472B000-memory.dmp

Filesize
5.7MB

Download
memory/2372-65-0x0000000074180000-0x000000007472B000-memory.dmp

Filesize
5.7MB

Download
memory/2372-62-0x0000000074180000-0x000000007472B000-memory.dmp

Filesize
5.7MB

Download
memory/2512-14-0x0000000074180000-0x000000007472B000-memory.dmp

Filesize
5.7MB

Download
memory/2512-0-0x0000000074180000-0x000000007472B000-memory.dmp

Filesize
5.7MB

Download
memory/2512-2-0x0000000074180000-0x000000007472B000-memory.dmp

Filesize
5.7MB

Download
memory/2512-1-0x0000000000CC0000-0x0000000000D00000-memory.dmp

Filesize
256KB

Download
memory/2632-46-0x0000000074180000-0x000000007472B000-memory.dmp

Filesize
5.7MB

Download
memory/2632-49-0x0000000074180000-0x000000007472B000-memory.dmp

Filesize
5.7MB

Download
memory/2828-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2828-17-0x0000000074180000-0x000000007472B000-memory.dmp

Filesize
5.7MB

Download
memory/2828-40-0x0000000074180000-0x000000007472B000-memory.dmp

Filesize
5.7MB

Download
memory/2828-15-0x0000000074180000-0x000000007472B000-memory.dmp

Filesize
5.7MB

Download