njrat | d094b3e64b1ac779565c1819f7f1b4041b5fa901e74f0cad9d3d376c506635d9

Analysis

max time kernel
149s
max time network
140s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
14/03/2024, 04:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c65ca4f6d2c653e18e0d795ba0cb0c89.exe
Size

65KB
MD5

c65ca4f6d2c653e18e0d795ba0cb0c89
SHA1

543c228d35fb48b5b147aa47cab2b76ef9e6c19b
SHA256

d094b3e64b1ac779565c1819f7f1b4041b5fa901e74f0cad9d3d376c506635d9
SHA512

b3e5b167372f41210c15f9907f4cbfdbb62cdec5b3334449b2e7d178b57a10f21cb189461080f1298d6bc9f7468acfab84dde6402184a8d5600458c2ac1a16e3
SSDEEP

1536:jU+u2LoN36tcQviFw1A+HIBnvbwfLteF3nLrB9z3nUaF9bkS9vM:jU+uIoN36tcQviFC9oBn8fWl9zkaF9bU

Score

10^/10

njrat njrat persistence trojan

Malware Config

Extracted

Family

njrat

Version

Platinum

Botnet

njRat

127.0.0.1:21679

Mutex

HDAudio.exe

Attributes

reg_key
HDAudio.exe
splitter
|Ghost|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HDAudio.exe	HDAudio.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HDAudio.exe	HDAudio.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HDAudio.url	HDAudio.exe

Executes dropped EXE 3 IoCs

pid	Process
2524	HDAudio.exe
2800	HDAudio.exe
2132	HDAudio.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\HDAudio.exe = "\"C:\\Windows\\HDAudio.exe\" .."	HDAudio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HDAudio.exe = "\"C:\\Windows\\HDAudio.exe\" .."	HDAudio.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\HDAudio.exe	c65ca4f6d2c653e18e0d795ba0cb0c89.exe
File opened for modification	C:\Windows\HDAudio.exe	HDAudio.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2804	schtasks.exe
1860	schtasks.exe
1584	schtasks.exe
2640	schtasks.exe
1792	schtasks.exe
2848	schtasks.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	2524	HDAudio.exe
Token: 33	2524	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2524	HDAudio.exe
Token: 33	2524	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2524	HDAudio.exe
Token: 33	2524	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2524	HDAudio.exe
Token: 33	2524	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2524	HDAudio.exe
Token: 33	2524	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2524	HDAudio.exe
Token: 33	2524	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2524	HDAudio.exe
Token: 33	2524	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2524	HDAudio.exe
Token: 33	2524	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2524	HDAudio.exe
Token: 33	2524	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2524	HDAudio.exe
Token: 33	2524	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2524	HDAudio.exe
Token: 33	2524	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2524	HDAudio.exe
Token: 33	2524	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2524	HDAudio.exe
Token: 33	2524	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2524	HDAudio.exe
Token: 33	2524	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2524	HDAudio.exe
Token: 33	2524	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2524	HDAudio.exe
Token: 33	2524	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2524	HDAudio.exe
Token: 33	2524	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2524	HDAudio.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 2524	1640	c65ca4f6d2c653e18e0d795ba0cb0c89.exe	28
PID 1640 wrote to memory of 2524	1640	c65ca4f6d2c653e18e0d795ba0cb0c89.exe	28
PID 1640 wrote to memory of 2524	1640	c65ca4f6d2c653e18e0d795ba0cb0c89.exe	28
PID 1640 wrote to memory of 2524	1640	c65ca4f6d2c653e18e0d795ba0cb0c89.exe	28
PID 2524 wrote to memory of 2432	2524	HDAudio.exe	29
PID 2524 wrote to memory of 2432	2524	HDAudio.exe	29
PID 2524 wrote to memory of 2432	2524	HDAudio.exe	29
PID 2524 wrote to memory of 2432	2524	HDAudio.exe	29
PID 2524 wrote to memory of 2804	2524	HDAudio.exe	31
PID 2524 wrote to memory of 2804	2524	HDAudio.exe	31
PID 2524 wrote to memory of 2804	2524	HDAudio.exe	31
PID 2524 wrote to memory of 2804	2524	HDAudio.exe	31
PID 2832 wrote to memory of 2800	2832	taskeng.exe	34
PID 2832 wrote to memory of 2800	2832	taskeng.exe	34
PID 2832 wrote to memory of 2800	2832	taskeng.exe	34
PID 2832 wrote to memory of 2800	2832	taskeng.exe	34
PID 2524 wrote to memory of 1892	2524	HDAudio.exe	35
PID 2524 wrote to memory of 1892	2524	HDAudio.exe	35
PID 2524 wrote to memory of 1892	2524	HDAudio.exe	35
PID 2524 wrote to memory of 1892	2524	HDAudio.exe	35
PID 2524 wrote to memory of 1860	2524	HDAudio.exe	37
PID 2524 wrote to memory of 1860	2524	HDAudio.exe	37
PID 2524 wrote to memory of 1860	2524	HDAudio.exe	37
PID 2524 wrote to memory of 1860	2524	HDAudio.exe	37
PID 2524 wrote to memory of 2368	2524	HDAudio.exe	41
PID 2524 wrote to memory of 2368	2524	HDAudio.exe	41
PID 2524 wrote to memory of 2368	2524	HDAudio.exe	41
PID 2524 wrote to memory of 2368	2524	HDAudio.exe	41
PID 2524 wrote to memory of 1584	2524	HDAudio.exe	43
PID 2524 wrote to memory of 1584	2524	HDAudio.exe	43
PID 2524 wrote to memory of 1584	2524	HDAudio.exe	43
PID 2524 wrote to memory of 1584	2524	HDAudio.exe	43
PID 2524 wrote to memory of 3056	2524	HDAudio.exe	45
PID 2524 wrote to memory of 3056	2524	HDAudio.exe	45
PID 2524 wrote to memory of 3056	2524	HDAudio.exe	45
PID 2524 wrote to memory of 3056	2524	HDAudio.exe	45
PID 2524 wrote to memory of 2640	2524	HDAudio.exe	47
PID 2524 wrote to memory of 2640	2524	HDAudio.exe	47
PID 2524 wrote to memory of 2640	2524	HDAudio.exe	47
PID 2524 wrote to memory of 2640	2524	HDAudio.exe	47
PID 2832 wrote to memory of 2132	2832	taskeng.exe	49
PID 2832 wrote to memory of 2132	2832	taskeng.exe	49
PID 2832 wrote to memory of 2132	2832	taskeng.exe	49
PID 2832 wrote to memory of 2132	2832	taskeng.exe	49
PID 2524 wrote to memory of 1592	2524	HDAudio.exe	50
PID 2524 wrote to memory of 1592	2524	HDAudio.exe	50
PID 2524 wrote to memory of 1592	2524	HDAudio.exe	50
PID 2524 wrote to memory of 1592	2524	HDAudio.exe	50
PID 2524 wrote to memory of 1792	2524	HDAudio.exe	52
PID 2524 wrote to memory of 1792	2524	HDAudio.exe	52
PID 2524 wrote to memory of 1792	2524	HDAudio.exe	52
PID 2524 wrote to memory of 1792	2524	HDAudio.exe	52
PID 2524 wrote to memory of 2896	2524	HDAudio.exe	54
PID 2524 wrote to memory of 2896	2524	HDAudio.exe	54
PID 2524 wrote to memory of 2896	2524	HDAudio.exe	54
PID 2524 wrote to memory of 2896	2524	HDAudio.exe	54
PID 2524 wrote to memory of 2848	2524	HDAudio.exe	56
PID 2524 wrote to memory of 2848	2524	HDAudio.exe	56
PID 2524 wrote to memory of 2848	2524	HDAudio.exe	56
PID 2524 wrote to memory of 2848	2524	HDAudio.exe	56

C:\Users\Admin\AppData\Local\Temp\c65ca4f6d2c653e18e0d795ba0cb0c89.exe
"C:\Users\Admin\AppData\Local\Temp\c65ca4f6d2c653e18e0d795ba0cb0c89.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Windows\HDAudio.exe
  "C:\Windows\HDAudio.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "RealtekHDAudio" /f
    3⤵
    PID:2432
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
    3⤵
    - Creates scheduled task(s)
    PID:2804
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "RealtekHDAudio" /f
    3⤵
    PID:1892
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
    3⤵
    - Creates scheduled task(s)
    PID:1860
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "RealtekHDAudio" /f
    3⤵
    PID:2368
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
    3⤵
    - Creates scheduled task(s)
    PID:1584
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "RealtekHDAudio" /f
    3⤵
    PID:3056
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
    3⤵
    - Creates scheduled task(s)
    PID:2640
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "RealtekHDAudio" /f
    3⤵
    PID:1592
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
    3⤵
    - Creates scheduled task(s)
    PID:1792
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "RealtekHDAudio" /f
    3⤵
    PID:2896
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
    3⤵
    - Creates scheduled task(s)
    PID:2848

C:\Windows\system32\taskeng.exe
taskeng.exe {3342A362-33A4-400D-974D-726DF85656A1} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Windows\HDAudio.exe
  C:\Windows\HDAudio.exe
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Windows\HDAudio.exe
  C:\Windows\HDAudio.exe
  2⤵
  - Executes dropped EXE
  PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\HDAudio.exe

Filesize
65KB

MD5
c65ca4f6d2c653e18e0d795ba0cb0c89

SHA1
543c228d35fb48b5b147aa47cab2b76ef9e6c19b

SHA256
d094b3e64b1ac779565c1819f7f1b4041b5fa901e74f0cad9d3d376c506635d9

SHA512
b3e5b167372f41210c15f9907f4cbfdbb62cdec5b3334449b2e7d178b57a10f21cb189461080f1298d6bc9f7468acfab84dde6402184a8d5600458c2ac1a16e3

Download Submit
memory/1640-0-0x00000000741A0000-0x000000007474B000-memory.dmp

Filesize
5.7MB

Download
memory/1640-2-0x00000000741A0000-0x000000007474B000-memory.dmp

Filesize
5.7MB

Download
memory/1640-1-0x0000000000520000-0x0000000000560000-memory.dmp

Filesize
256KB

Download
memory/1640-12-0x00000000741A0000-0x000000007474B000-memory.dmp

Filesize
5.7MB

Download
memory/2132-22-0x00000000741A0000-0x000000007474B000-memory.dmp

Filesize
5.7MB

Download
memory/2132-25-0x00000000741A0000-0x000000007474B000-memory.dmp

Filesize
5.7MB

Download
memory/2132-24-0x00000000741A0000-0x000000007474B000-memory.dmp

Filesize
5.7MB

Download
memory/2132-23-0x0000000000B70000-0x0000000000BB0000-memory.dmp

Filesize
256KB

Download
memory/2524-9-0x00000000741A0000-0x000000007474B000-memory.dmp

Filesize
5.7MB

Download
memory/2524-17-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/2524-16-0x00000000741A0000-0x000000007474B000-memory.dmp

Filesize
5.7MB

Download
memory/2524-11-0x00000000741A0000-0x000000007474B000-memory.dmp

Filesize
5.7MB

Download
memory/2524-10-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/2800-19-0x00000000741A0000-0x000000007474B000-memory.dmp

Filesize
5.7MB

Download
memory/2800-20-0x00000000741A0000-0x000000007474B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads