njrat | 56f435a5987f429df40365c3fc9e17443e7a79a003d57d29b4b8f4396bf8c22b

Analysis

max time kernel
151s
max time network
149s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12/02/2024, 12:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

97315a68b07a037396f793482dcb17f0.exe
Size

1.3MB
MD5

97315a68b07a037396f793482dcb17f0
SHA1

dfa2c6932c334883995ebdcdb2ffaddb65264f60
SHA256

56f435a5987f429df40365c3fc9e17443e7a79a003d57d29b4b8f4396bf8c22b
SHA512

1059faac37638ee2f5111468b9a65659f24acb6c0f8dcc358eb89c884cc567ddd97c6bad2fac3c619651afc1b234b82533390d426800482f26b10d5335af8ef3
SSDEEP

24576:2nsJ39LyjbJkQFMhmC+6GD9PDWHSb4NhfkbRPzeZBOBZ6ielDz8:2nsHyjtk2MYC5GDY84TOEuBkhNz8

Score

10^/10

njrat evasion persistence trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2040	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e706c362819b2b8298ebedae1f9efe49.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e706c362819b2b8298ebedae1f9efe49.exe	svchost.exe

Executes dropped EXE 8 IoCs

pid	Process
2264	._cache_97315a68b07a037396f793482dcb17f0.exe
2896	Synaptics.exe
2540	._cache_Synaptics.exe
2180	urok.sfx.exe
2880	Urok.exe
1600	urok.sfx.exe
1896	Urok.exe
3028	svchost.exe

Loads dropped DLL 14 IoCs

pid	Process
2240	97315a68b07a037396f793482dcb17f0.exe
2240	97315a68b07a037396f793482dcb17f0.exe
2240	97315a68b07a037396f793482dcb17f0.exe
2896	Synaptics.exe
2896	Synaptics.exe
2708	cmd.exe
2180	urok.sfx.exe
2180	urok.sfx.exe
2180	urok.sfx.exe
2936	cmd.exe
1600	urok.sfx.exe
1600	urok.sfx.exe
1600	urok.sfx.exe
1896	Urok.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\e706c362819b2b8298ebedae1f9efe49 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	97315a68b07a037396f793482dcb17f0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\e706c362819b2b8298ebedae1f9efe49 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .."	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2880	Urok.exe
2880	Urok.exe
2880	Urok.exe
2880	Urok.exe
2880	Urok.exe
2880	Urok.exe
2880	Urok.exe
2880	Urok.exe
2880	Urok.exe
2880	Urok.exe
2880	Urok.exe
2880	Urok.exe
2880	Urok.exe
2880	Urok.exe
2880	Urok.exe
2880	Urok.exe
2880	Urok.exe
2880	Urok.exe
2880	Urok.exe
2880	Urok.exe
2880	Urok.exe
2880	Urok.exe
2880	Urok.exe
1896	Urok.exe
1896	Urok.exe
1896	Urok.exe
1896	Urok.exe
1896	Urok.exe
1896	Urok.exe
1896	Urok.exe
1896	Urok.exe
1896	Urok.exe
1896	Urok.exe
1896	Urok.exe
1896	Urok.exe
1896	Urok.exe
1896	Urok.exe
1896	Urok.exe
1896	Urok.exe
1896	Urok.exe
1896	Urok.exe
1896	Urok.exe
1896	Urok.exe
1896	Urok.exe
1896	Urok.exe
1896	Urok.exe
1896	Urok.exe
1896	Urok.exe
1896	Urok.exe
1896	Urok.exe
1896	Urok.exe
1896	Urok.exe
1896	Urok.exe
1896	Urok.exe
1896	Urok.exe
1896	Urok.exe
1896	Urok.exe
1896	Urok.exe
1896	Urok.exe
1896	Urok.exe
1896	Urok.exe
1896	Urok.exe
2880	Urok.exe
1896	Urok.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	2880	Urok.exe
Token: SeDebugPrivilege	1896	Urok.exe
Token: SeDebugPrivilege	3028	svchost.exe
Token: 33	3028	svchost.exe
Token: SeIncBasePriorityPrivilege	3028	svchost.exe
Token: 33	3028	svchost.exe
Token: SeIncBasePriorityPrivilege	3028	svchost.exe
Token: 33	3028	svchost.exe
Token: SeIncBasePriorityPrivilege	3028	svchost.exe
Token: 33	3028	svchost.exe
Token: SeIncBasePriorityPrivilege	3028	svchost.exe
Token: 33	3028	svchost.exe
Token: SeIncBasePriorityPrivilege	3028	svchost.exe
Token: 33	3028	svchost.exe
Token: SeIncBasePriorityPrivilege	3028	svchost.exe
Token: 33	3028	svchost.exe
Token: SeIncBasePriorityPrivilege	3028	svchost.exe
Token: 33	3028	svchost.exe
Token: SeIncBasePriorityPrivilege	3028	svchost.exe
Token: 33	3028	svchost.exe
Token: SeIncBasePriorityPrivilege	3028	svchost.exe
Token: 33	3028	svchost.exe
Token: SeIncBasePriorityPrivilege	3028	svchost.exe
Token: 33	3028	svchost.exe
Token: SeIncBasePriorityPrivilege	3028	svchost.exe
Token: 33	3028	svchost.exe
Token: SeIncBasePriorityPrivilege	3028	svchost.exe
Token: 33	3028	svchost.exe
Token: SeIncBasePriorityPrivilege	3028	svchost.exe
Token: 33	3028	svchost.exe
Token: SeIncBasePriorityPrivilege	3028	svchost.exe
Token: 33	3028	svchost.exe
Token: SeIncBasePriorityPrivilege	3028	svchost.exe
Token: 33	3028	svchost.exe
Token: SeIncBasePriorityPrivilege	3028	svchost.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2264	2240	97315a68b07a037396f793482dcb17f0.exe	28
PID 2240 wrote to memory of 2264	2240	97315a68b07a037396f793482dcb17f0.exe	28
PID 2240 wrote to memory of 2264	2240	97315a68b07a037396f793482dcb17f0.exe	28
PID 2240 wrote to memory of 2264	2240	97315a68b07a037396f793482dcb17f0.exe	28
PID 2240 wrote to memory of 2896	2240	97315a68b07a037396f793482dcb17f0.exe	29
PID 2240 wrote to memory of 2896	2240	97315a68b07a037396f793482dcb17f0.exe	29
PID 2240 wrote to memory of 2896	2240	97315a68b07a037396f793482dcb17f0.exe	29
PID 2240 wrote to memory of 2896	2240	97315a68b07a037396f793482dcb17f0.exe	29
PID 2264 wrote to memory of 2708	2264	._cache_97315a68b07a037396f793482dcb17f0.exe	30
PID 2264 wrote to memory of 2708	2264	._cache_97315a68b07a037396f793482dcb17f0.exe	30
PID 2264 wrote to memory of 2708	2264	._cache_97315a68b07a037396f793482dcb17f0.exe	30
PID 2264 wrote to memory of 2708	2264	._cache_97315a68b07a037396f793482dcb17f0.exe	30
PID 2896 wrote to memory of 2540	2896	Synaptics.exe	32
PID 2896 wrote to memory of 2540	2896	Synaptics.exe	32
PID 2896 wrote to memory of 2540	2896	Synaptics.exe	32
PID 2896 wrote to memory of 2540	2896	Synaptics.exe	32
PID 2708 wrote to memory of 2180	2708	cmd.exe	33
PID 2708 wrote to memory of 2180	2708	cmd.exe	33
PID 2708 wrote to memory of 2180	2708	cmd.exe	33
PID 2708 wrote to memory of 2180	2708	cmd.exe	33
PID 2180 wrote to memory of 2880	2180	urok.sfx.exe	34
PID 2180 wrote to memory of 2880	2180	urok.sfx.exe	34
PID 2180 wrote to memory of 2880	2180	urok.sfx.exe	34
PID 2180 wrote to memory of 2880	2180	urok.sfx.exe	34
PID 2540 wrote to memory of 2936	2540	._cache_Synaptics.exe	35
PID 2540 wrote to memory of 2936	2540	._cache_Synaptics.exe	35
PID 2540 wrote to memory of 2936	2540	._cache_Synaptics.exe	35
PID 2540 wrote to memory of 2936	2540	._cache_Synaptics.exe	35
PID 2936 wrote to memory of 1600	2936	cmd.exe	37
PID 2936 wrote to memory of 1600	2936	cmd.exe	37
PID 2936 wrote to memory of 1600	2936	cmd.exe	37
PID 2936 wrote to memory of 1600	2936	cmd.exe	37
PID 1600 wrote to memory of 1896	1600	urok.sfx.exe	38
PID 1600 wrote to memory of 1896	1600	urok.sfx.exe	38
PID 1600 wrote to memory of 1896	1600	urok.sfx.exe	38
PID 1600 wrote to memory of 1896	1600	urok.sfx.exe	38
PID 1896 wrote to memory of 3028	1896	Urok.exe	41
PID 1896 wrote to memory of 3028	1896	Urok.exe	41
PID 1896 wrote to memory of 3028	1896	Urok.exe	41
PID 1896 wrote to memory of 3028	1896	Urok.exe	41
PID 3028 wrote to memory of 2040	3028	svchost.exe	42
PID 3028 wrote to memory of 2040	3028	svchost.exe	42
PID 3028 wrote to memory of 2040	3028	svchost.exe	42
PID 3028 wrote to memory of 2040	3028	svchost.exe	42

C:\Users\Admin\AppData\Local\Temp\97315a68b07a037396f793482dcb17f0.exe
"C:\Users\Admin\AppData\Local\Temp\97315a68b07a037396f793482dcb17f0.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Users\Admin\AppData\Local\Temp\._cache_97315a68b07a037396f793482dcb17f0.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_97315a68b07a037396f793482dcb17f0.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\urok.sfx.exe
      urok.sfx.exe -p102938475647382910
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2180
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\Urok.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Urok.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX2\1.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2936
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\urok.sfx.exe
        
        urok.sfx.exe -p102938475647382910
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1600
      - C:\Users\Admin\AppData\Local\Temp\RarSFX3\Urok.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\Urok.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        7⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE
        8⤵
        Modifies Windows Firewall
        
        PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.3MB

MD5
97315a68b07a037396f793482dcb17f0

SHA1
dfa2c6932c334883995ebdcdb2ffaddb65264f60

SHA256
56f435a5987f429df40365c3fc9e17443e7a79a003d57d29b4b8f4396bf8c22b

SHA512
1059faac37638ee2f5111468b9a65659f24acb6c0f8dcc358eb89c884cc567ddd97c6bad2fac3c619651afc1b234b82533390d426800482f26b10d5335af8ef3

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.1MB

MD5
adeac92b247a3986299916161c9f4dd1

SHA1
4471817172cb0e27d2d448db7cc9e8197490c951

SHA256
b637e4a98b661030a445d3317af8131d9510461714d00fe8adac3cf0f9bed45f

SHA512
c2037239632a46c381011dd7c088955fbd5a91745dbb60f959e1bd1831f1a54492aeaeaaabbb049c4cef35475b142e311d8a94adad88b2985379a8ebc1f2912c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

Filesize
50B

MD5
da12212349f5e5c3ba8e85d5c0d9c8c6

SHA1
ee656e19649a0d607b539518463d4ebcee10eb2a

SHA256
853e687799d2fd63be276021b708992bbf4ee115ebf2ccd630e0dee6c4bd1ad0

SHA512
9f6f9f998842f0f96986ccf85c3fe0b47fa979c4aad4f84a7e21bb2460e1b97ad3e199b55556f9e64aa252277e9895230718dd81579938cb44dca5432e3d632d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\urok.sfx.exe

Filesize
389KB

MD5
a460fffc2c6e8ea6eb6fb9a1f200659b

SHA1
0e26ee1bc8e556811de509dc372289f00b392488

SHA256
ffaa1a7b828503552fd013edfa3a9e77471fceb0f74ca06f0f3b734606d83e0e

SHA512
a3939c0f8263db2fb2ea105752c4fcdc3541845802a51a68837e931720611ec453cd1d487c2919b98417694399f4a4125751a7ce54adff84f622df9c7d6ce846

Download Submit
\ProgramData\Synaptics\Synaptics.exe

Filesize
960KB

MD5
23dfbbcf2cd9990ced8d143a04b85bf3

SHA1
93e2e62d3dfcf539994d65517f85a910833333da

SHA256
1527134fe953b26ec83de334dd142738406c7000ba52fab6135d002178733fc7

SHA512
83d4fc8561148a5f02b54d5d43b6b1bb506255279a5da568eaddae5a9173726516dca958b82d1c227b5fb33a844a9012160a5d2275672d3d1b70c493a047ed88

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_97315a68b07a037396f793482dcb17f0.exe

Filesize
553KB

MD5
551bf9371bc12d68574a35bf57c1071e

SHA1
e88e375c10382f0774d2395dc6acd3b0eb315eb5

SHA256
2b855967c86dfc12633a34e5109e316b16b9361f8c28d0fa78c377217805f5e2

SHA512
44d856a0507cfa1e54ec672603c110591f20d30dadb2dbbbfda301f732629a30ce3fdfcb12a0e9bac2b2723d40b0e450547f4446959ca5d1c4025172d4c03240

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
448KB

MD5
3671aef55835a2e0430e45db3d5160f5

SHA1
66f153507f32ca23849e1f2b588609d2690ee63c

SHA256
2ab459bdd67a5755ca6afe9a5d4f4bf29426a42682dd6f531088bfcbeaa4cfbf

SHA512
2577710d26e04636266ec406eca936b682a736d282555b896333e7708b4a52b11b6d67a4f22dc37f0b0673388bc8579020dd670ab908472a74a48afbf8483100

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\urok.exe

Filesize
157KB

MD5
b8e356486d1d3be1e110d1cec6ed1d28

SHA1
48891d7234ce7c4ea1bb9310291de040e532f940

SHA256
05948bd9390e71fc8cf7bc5bcde97f99b1efb800916281c95a58bc74437bae54

SHA512
a72bf62dd1bafb30ca82bb6cb1cce5916c9bf817702caf92666be7af4c5b01a0e00d75a6cd09b399274e12632c0609dc506f3477a95661ab89766d1b1eb29b71

Download Submit
memory/1896-111-0x0000000000450000-0x0000000000490000-memory.dmp

Filesize
256KB

Download
memory/1896-123-0x0000000073C20000-0x00000000741CB000-memory.dmp

Filesize
5.7MB

Download
memory/1896-110-0x0000000073C20000-0x00000000741CB000-memory.dmp

Filesize
5.7MB

Download
memory/2240-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2240-26-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download
memory/2880-109-0x0000000073C20000-0x00000000741CB000-memory.dmp

Filesize
5.7MB

Download
memory/2880-108-0x0000000073C20000-0x00000000741CB000-memory.dmp

Filesize
5.7MB

Download
memory/2880-112-0x0000000002080000-0x00000000020C0000-memory.dmp

Filesize
256KB

Download
memory/2880-115-0x0000000073C20000-0x00000000741CB000-memory.dmp

Filesize
5.7MB

Download
memory/2896-130-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2896-127-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download
memory/2896-129-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download
memory/2896-27-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2896-167-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download
memory/3028-124-0x0000000073C20000-0x00000000741CB000-memory.dmp

Filesize
5.7MB

Download
memory/3028-125-0x0000000001F60000-0x0000000001FA0000-memory.dmp

Filesize
256KB

Download
memory/3028-126-0x0000000073C20000-0x00000000741CB000-memory.dmp

Filesize
5.7MB

Download
memory/3028-132-0x0000000073C20000-0x00000000741CB000-memory.dmp

Filesize
5.7MB

Download
memory/3028-133-0x0000000001F60000-0x0000000001FA0000-memory.dmp

Filesize
256KB

Download
memory/3028-134-0x0000000073C20000-0x00000000741CB000-memory.dmp

Filesize
5.7MB

Download