njrat | 2f151fa4d9786e8a2ade35155e48067a746dff0df62cbceeaf63cf0ff0a1d255

Analysis

max time kernel
1178s
max time network
1593s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
12-02-2024 15:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gamma.exe
Size

37KB
MD5

b762e3c934d650a7533c44f49cbb0646
SHA1

0d7a5cc37253fc09940a6a15932e504b07287019
SHA256

2f151fa4d9786e8a2ade35155e48067a746dff0df62cbceeaf63cf0ff0a1d255
SHA512

d14c52e667f04edad954a584e0eb34cc06ef127526ce8c7c9af68870969f1dc1e109cabe9c037725bd706bf5294aacc61218cab92f6fc571712e61dcbcd3351f
SSDEEP

384:iAnTAKiwB4aJzN5BLiFI4yUvaF//R+4oJ69vrAF+rMRTyN/0L+EcoinblneHQM3C:Zn5NP5TUva1Il6hrM+rMRa8Nu52Wt

Score

10^/10

njrat hacked evasion trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

5.39.43.50:1610

Mutex

c08d47000bf19b95a3ed7202fe1dc0f1

Attributes

reg_key
c08d47000bf19b95a3ed7202fe1dc0f1
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4572	netsh.exe
2648	netsh.exe

Executes dropped EXE 2 IoCs

pid	Process
212	Realtek_High_Defenition_Audio_Device.exe
3068	tmp32D3.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4408	PING.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
212	Realtek_High_Defenition_Audio_Device.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	212	Realtek_High_Defenition_Audio_Device.exe
Token: 33	212	Realtek_High_Defenition_Audio_Device.exe
Token: SeIncBasePriorityPrivilege	212	Realtek_High_Defenition_Audio_Device.exe
Token: 33	212	Realtek_High_Defenition_Audio_Device.exe
Token: SeIncBasePriorityPrivilege	212	Realtek_High_Defenition_Audio_Device.exe
Token: 33	212	Realtek_High_Defenition_Audio_Device.exe
Token: SeIncBasePriorityPrivilege	212	Realtek_High_Defenition_Audio_Device.exe
Token: 33	212	Realtek_High_Defenition_Audio_Device.exe
Token: SeIncBasePriorityPrivilege	212	Realtek_High_Defenition_Audio_Device.exe
Token: 33	3800	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3800	AUDIODG.EXE
Token: 33	212	Realtek_High_Defenition_Audio_Device.exe
Token: SeIncBasePriorityPrivilege	212	Realtek_High_Defenition_Audio_Device.exe
Token: 33	212	Realtek_High_Defenition_Audio_Device.exe
Token: SeIncBasePriorityPrivilege	212	Realtek_High_Defenition_Audio_Device.exe
Token: 33	212	Realtek_High_Defenition_Audio_Device.exe
Token: SeIncBasePriorityPrivilege	212	Realtek_High_Defenition_Audio_Device.exe
Token: 33	212	Realtek_High_Defenition_Audio_Device.exe
Token: SeIncBasePriorityPrivilege	212	Realtek_High_Defenition_Audio_Device.exe
Token: 33	212	Realtek_High_Defenition_Audio_Device.exe
Token: SeIncBasePriorityPrivilege	212	Realtek_High_Defenition_Audio_Device.exe
Token: 33	212	Realtek_High_Defenition_Audio_Device.exe
Token: SeIncBasePriorityPrivilege	212	Realtek_High_Defenition_Audio_Device.exe
Token: 33	212	Realtek_High_Defenition_Audio_Device.exe
Token: SeIncBasePriorityPrivilege	212	Realtek_High_Defenition_Audio_Device.exe
Token: 33	212	Realtek_High_Defenition_Audio_Device.exe
Token: SeIncBasePriorityPrivilege	212	Realtek_High_Defenition_Audio_Device.exe
Token: 33	212	Realtek_High_Defenition_Audio_Device.exe
Token: SeIncBasePriorityPrivilege	212	Realtek_High_Defenition_Audio_Device.exe
Token: 33	212	Realtek_High_Defenition_Audio_Device.exe
Token: SeIncBasePriorityPrivilege	212	Realtek_High_Defenition_Audio_Device.exe
Token: 33	212	Realtek_High_Defenition_Audio_Device.exe
Token: SeIncBasePriorityPrivilege	212	Realtek_High_Defenition_Audio_Device.exe
Token: 33	212	Realtek_High_Defenition_Audio_Device.exe
Token: SeIncBasePriorityPrivilege	212	Realtek_High_Defenition_Audio_Device.exe
Token: 33	212	Realtek_High_Defenition_Audio_Device.exe
Token: SeIncBasePriorityPrivilege	212	Realtek_High_Defenition_Audio_Device.exe
Token: 33	212	Realtek_High_Defenition_Audio_Device.exe
Token: SeIncBasePriorityPrivilege	212	Realtek_High_Defenition_Audio_Device.exe
Token: 33	212	Realtek_High_Defenition_Audio_Device.exe
Token: SeIncBasePriorityPrivilege	212	Realtek_High_Defenition_Audio_Device.exe
Token: 33	212	Realtek_High_Defenition_Audio_Device.exe
Token: SeIncBasePriorityPrivilege	212	Realtek_High_Defenition_Audio_Device.exe
Token: 33	212	Realtek_High_Defenition_Audio_Device.exe
Token: SeIncBasePriorityPrivilege	212	Realtek_High_Defenition_Audio_Device.exe
Token: 33	212	Realtek_High_Defenition_Audio_Device.exe
Token: SeIncBasePriorityPrivilege	212	Realtek_High_Defenition_Audio_Device.exe
Token: 33	212	Realtek_High_Defenition_Audio_Device.exe
Token: SeIncBasePriorityPrivilege	212	Realtek_High_Defenition_Audio_Device.exe
Token: 33	212	Realtek_High_Defenition_Audio_Device.exe
Token: SeIncBasePriorityPrivilege	212	Realtek_High_Defenition_Audio_Device.exe
Token: 33	212	Realtek_High_Defenition_Audio_Device.exe
Token: SeIncBasePriorityPrivilege	212	Realtek_High_Defenition_Audio_Device.exe
Token: 33	212	Realtek_High_Defenition_Audio_Device.exe
Token: SeIncBasePriorityPrivilege	212	Realtek_High_Defenition_Audio_Device.exe
Token: 33	212	Realtek_High_Defenition_Audio_Device.exe
Token: SeIncBasePriorityPrivilege	212	Realtek_High_Defenition_Audio_Device.exe
Token: 33	212	Realtek_High_Defenition_Audio_Device.exe
Token: SeIncBasePriorityPrivilege	212	Realtek_High_Defenition_Audio_Device.exe
Token: 33	212	Realtek_High_Defenition_Audio_Device.exe
Token: SeIncBasePriorityPrivilege	212	Realtek_High_Defenition_Audio_Device.exe
Token: 33	212	Realtek_High_Defenition_Audio_Device.exe
Token: SeIncBasePriorityPrivilege	212	Realtek_High_Defenition_Audio_Device.exe
Token: 33	212	Realtek_High_Defenition_Audio_Device.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4428 wrote to memory of 212	4428	gamma.exe	72
PID 4428 wrote to memory of 212	4428	gamma.exe	72
PID 4428 wrote to memory of 212	4428	gamma.exe	72
PID 212 wrote to memory of 4572	212	Realtek_High_Defenition_Audio_Device.exe	73
PID 212 wrote to memory of 4572	212	Realtek_High_Defenition_Audio_Device.exe	73
PID 212 wrote to memory of 4572	212	Realtek_High_Defenition_Audio_Device.exe	73
PID 212 wrote to memory of 3068	212	Realtek_High_Defenition_Audio_Device.exe	76
PID 212 wrote to memory of 3068	212	Realtek_High_Defenition_Audio_Device.exe	76
PID 212 wrote to memory of 2648	212	Realtek_High_Defenition_Audio_Device.exe	80
PID 212 wrote to memory of 2648	212	Realtek_High_Defenition_Audio_Device.exe	80
PID 212 wrote to memory of 2648	212	Realtek_High_Defenition_Audio_Device.exe	80
PID 212 wrote to memory of 828	212	Realtek_High_Defenition_Audio_Device.exe	82
PID 212 wrote to memory of 828	212	Realtek_High_Defenition_Audio_Device.exe	82
PID 212 wrote to memory of 828	212	Realtek_High_Defenition_Audio_Device.exe	82
PID 828 wrote to memory of 4408	828	cmd.exe	84
PID 828 wrote to memory of 4408	828	cmd.exe	84
PID 828 wrote to memory of 4408	828	cmd.exe	84

C:\Users\Admin\AppData\Local\Temp\gamma.exe
"C:\Users\Admin\AppData\Local\Temp\gamma.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4428
- C:\Users\Admin\AppData\Local\Temp\Realtek_High_Defenition_Audio_Device.exe
  "C:\Users\Admin\AppData\Local\Temp\Realtek_High_Defenition_Audio_Device.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:212
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Realtek_High_Defenition_Audio_Device.exe" "Realtek_High_Defenition_Audio_Device.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:4572
- - C:\Users\Admin\AppData\Local\Temp\tmp32D3.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp32D3.tmp.exe"
    3⤵
    - Executes dropped EXE
    PID:3068
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\Realtek_High_Defenition_Audio_Device.exe"
    3⤵
    - Modifies Windows Firewall
    PID:2648
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /k ping 0 & del "C:\Users\Admin\AppData\Local\Temp\Realtek_High_Defenition_Audio_Device.exe" & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:828
  - - C:\Windows\SysWOW64\PING.EXE
      ping 0
      4⤵
      Runs ping.exe
      PID:4408

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x408
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Realtek_High_Defenition_Audio_Device.exe

Filesize
37KB

MD5
b762e3c934d650a7533c44f49cbb0646

SHA1
0d7a5cc37253fc09940a6a15932e504b07287019

SHA256
2f151fa4d9786e8a2ade35155e48067a746dff0df62cbceeaf63cf0ff0a1d255

SHA512
d14c52e667f04edad954a584e0eb34cc06ef127526ce8c7c9af68870969f1dc1e109cabe9c037725bd706bf5294aacc61218cab92f6fc571712e61dcbcd3351f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp32D3.tmp.exe

Filesize
2.4MB

MD5
9e3a93e432c717e454c2cca1a9e3ffc7

SHA1
e2b683fa3abc39b3d1662a60ac957107492c0958

SHA256
0657e46807632cc7e3da0853fe1aa8e6d6c74de076c79ab3e0b9682943fbd949

SHA512
915bccca785552d9794aba0537bbacc85a08ec76eda3377d7bd4d5171c6a46d56adfa039939c541c5c8603028a98fbba47de7c58ee43d1babe24a77db9f19077

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp32D3.tmp.exe

Filesize
2.1MB

MD5
05ec18bf543bcf84a84061c6d056dac2

SHA1
2cd066b5799ab50a667260642bd294be40595b58

SHA256
c073a7de0ad23e4b06af45c54f3cd2bafab037ad676440fa816cd3e91b432b27

SHA512
a99e8d0345a6b334b5dd01ab657ad6ffbded8624ef7e520585babb9e12caabc8e019550b6d6f885d753db430c080b4be8b3b7f96343ad6cd037a4ca5eb2e02c6

Download Submit
memory/212-16-0x00000000024E0000-0x00000000024F0000-memory.dmp

Filesize
64KB

Download
memory/212-30-0x00000000732B0000-0x0000000073860000-memory.dmp

Filesize
5.7MB

Download
memory/212-9-0x00000000732B0000-0x0000000073860000-memory.dmp

Filesize
5.7MB

Download
memory/212-10-0x00000000024E0000-0x00000000024F0000-memory.dmp

Filesize
64KB

Download
memory/212-12-0x00000000732B0000-0x0000000073860000-memory.dmp

Filesize
5.7MB

Download
memory/212-13-0x00000000024E0000-0x00000000024F0000-memory.dmp

Filesize
64KB

Download
memory/212-14-0x00000000732B0000-0x0000000073860000-memory.dmp

Filesize
5.7MB

Download
memory/212-15-0x00000000024E0000-0x00000000024F0000-memory.dmp

Filesize
64KB

Download
memory/3068-23-0x00007FF867A00000-0x00007FF8683EC000-memory.dmp

Filesize
9.9MB

Download
memory/3068-22-0x00000218BAC90000-0x00000218BB054000-memory.dmp

Filesize
3.8MB

Download
memory/3068-24-0x00000218D56E0000-0x00000218D56F0000-memory.dmp

Filesize
64KB

Download
memory/3068-27-0x00007FF867A00000-0x00007FF8683EC000-memory.dmp

Filesize
9.9MB

Download
memory/3068-28-0x00000218D56E0000-0x00000218D56F0000-memory.dmp

Filesize
64KB

Download
memory/4428-11-0x00000000732B0000-0x0000000073860000-memory.dmp

Filesize
5.7MB

Download
memory/4428-2-0x0000000000DC0000-0x0000000000DD0000-memory.dmp

Filesize
64KB

Download
memory/4428-0-0x00000000732B0000-0x0000000073860000-memory.dmp

Filesize
5.7MB

Download
memory/4428-1-0x00000000732B0000-0x0000000073860000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads