njrat | 554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986 | Triage

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
29-04-2024 01:16

Sharing

Report Analysis Logs

General

Target

554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Size

158KB
MD5

3eb8c476c0abcd01fdb799de83503e12
SHA1

138aa012bb3b20a79aaf016af172a1b3106a7304
SHA256

554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986
SHA512

ed277e52d5348d1401a51f002e9f03bfada6481b2cab827f13fa39d54f5c42d4e4ac6627ced47f98fbc22010b044fb0d09b55c6133fc2746e9e78234975c2f85
SSDEEP

3072:tf/J2ULiTehI8FrkZTFieSzoSUYSziUP0ZMJG:32UL2i9FKFHd4SziUP0

Score

10^/10

njrat mybot evasion trojan upx

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

MyBot

C2

asero23.ddns.net:5552

Mutex

863290bfb622fdfe0ad4e1b97536ae62

863290bfb622fdfe0ad4e1b97536ae62

Attributes

reg_key
863290bfb622fdfe0ad4e1b97536ae62
splitter
Y262SUCZ4UJJ

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

UPX dump on OEP (original entry point) 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3644-0-0x0000000000400000-0x000000000046B000-memory.dmp	UPX
C:\Users\Admin\AppData\Local\Temp\554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exex	UPX
behavioral2/memory/3644-10-0x0000000000400000-0x000000000046B000-memory.dmp	UPX

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

3868 netsh.exe
Drops startup file 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs cmd.exe
Executes dropped EXE 1 IoCs

Processes:

554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe

pid process

3452 554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral2/memory/3644-0-0x0000000000400000-0x000000000046B000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exex	upx
behavioral2/memory/3644-10-0x0000000000400000-0x000000000046B000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

Processes:

554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe

description	pid	process	target process
PID 3644 set thread context of 3452	3644	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe

pid	process
3644	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
3644	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
3644	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
3644	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe

Suspicious behavior: RenamesItself 2 IoCs

Processes:

554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe

pid	process
3644	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
3644	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe

description	pid	process
Token: SeDebugPrivilege	3452	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: 33	3452	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: SeIncBasePriorityPrivilege	3452	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: 33	3452	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: SeIncBasePriorityPrivilege	3452	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: 33	3452	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: SeIncBasePriorityPrivilege	3452	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: 33	3452	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: SeIncBasePriorityPrivilege	3452	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: 33	3452	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: SeIncBasePriorityPrivilege	3452	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: 33	3452	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: SeIncBasePriorityPrivilege	3452	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: 33	3452	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: SeIncBasePriorityPrivilege	3452	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: 33	3452	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: SeIncBasePriorityPrivilege	3452	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: 33	3452	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: SeIncBasePriorityPrivilege	3452	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: 33	3452	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: SeIncBasePriorityPrivilege	3452	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: 33	3452	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: SeIncBasePriorityPrivilege	3452	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: 33	3452	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: SeIncBasePriorityPrivilege	3452	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: 33	3452	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: SeIncBasePriorityPrivilege	3452	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: 33	3452	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: SeIncBasePriorityPrivilege	3452	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: 33	3452	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: SeIncBasePriorityPrivilege	3452	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: 33	3452	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: SeIncBasePriorityPrivilege	3452	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: 33	3452	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: SeIncBasePriorityPrivilege	3452	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe

pid	process
3644	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
3644	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.execmd.exenet.exe554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe

description	pid	process	target process
PID 3644 wrote to memory of 468	3644	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	cmd.exe
PID 3644 wrote to memory of 468	3644	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	cmd.exe
PID 3644 wrote to memory of 468	3644	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	cmd.exe
PID 3644 wrote to memory of 1516	3644	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	cmd.exe
PID 3644 wrote to memory of 1516	3644	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	cmd.exe
PID 3644 wrote to memory of 1516	3644	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	cmd.exe
PID 3644 wrote to memory of 3452	3644	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
PID 3644 wrote to memory of 3452	3644	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
PID 3644 wrote to memory of 3452	3644	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
PID 3644 wrote to memory of 3452	3644	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
PID 3644 wrote to memory of 3452	3644	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
PID 3644 wrote to memory of 3452	3644	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
PID 3644 wrote to memory of 3452	3644	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
PID 3644 wrote to memory of 3452	3644	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
PID 3644 wrote to memory of 3452	3644	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
PID 3644 wrote to memory of 3452	3644	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
PID 3644 wrote to memory of 3452	3644	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
PID 3644 wrote to memory of 3452	3644	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
PID 3644 wrote to memory of 3452	3644	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
PID 1516 wrote to memory of 2780	1516	cmd.exe	net.exe
PID 1516 wrote to memory of 2780	1516	cmd.exe	net.exe
PID 1516 wrote to memory of 2780	1516	cmd.exe	net.exe
PID 2780 wrote to memory of 4408	2780	net.exe	net1.exe
PID 2780 wrote to memory of 4408	2780	net.exe	net1.exe
PID 2780 wrote to memory of 4408	2780	net.exe	net1.exe
PID 3452 wrote to memory of 3868	3452	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	netsh.exe
PID 3452 wrote to memory of 3868	3452	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	netsh.exe
PID 3452 wrote to memory of 3868	3452	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
"C:\Users\Admin\AppData\Local\Temp\554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
2⤵
- Drops startup file
PID:468

C:\Windows\SysWOW64\cmd.exe
/c net stop MpsSvc
2⤵
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\SysWOW64\net.exe
net stop MpsSvc
3⤵
- Suspicious use of WriteProcessMemory
PID:2780

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MpsSvc
4⤵
PID:4408

C:\Users\Admin\AppData\Local\Temp\554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
C:\Users\Admin\AppData\Local\Temp\554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3452

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe" "554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:3868

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Privilege Escalation

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Filesize
104KB

MD5
7bae06cbe364bb42b8c34fcfb90e3ebd

SHA1
79129af7efa46244da0676607242f0a6b7e12e78

SHA256
6ceaebd55b4a542ef64be1d6971fcfe802e67e2027366c52faacc8a8d325ec7a

SHA512
c599b72500a5c17cd5c4a81fcf220a95925aa0e5ad72aa92dd1a469fe6e3c23590c548a0be7ec2c4dbd737511a0a79c1c46436867cf7f0c4df21f8dcea9686cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exex
Filesize
158KB

MD5
3eb8c476c0abcd01fdb799de83503e12

SHA1
138aa012bb3b20a79aaf016af172a1b3106a7304

SHA256
554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986

SHA512
ed277e52d5348d1401a51f002e9f03bfada6481b2cab827f13fa39d54f5c42d4e4ac6627ced47f98fbc22010b044fb0d09b55c6133fc2746e9e78234975c2f85

Download Submit
memory/3452-2-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/3452-6-0x0000000074120000-0x00000000746D1000-memory.dmp

Filesize
5.7MB

Download
memory/3452-8-0x00000000010E0000-0x00000000010F0000-memory.dmp

Filesize
64KB

Download
memory/3452-7-0x0000000074120000-0x00000000746D1000-memory.dmp

Filesize
5.7MB

Download
memory/3452-11-0x0000000074120000-0x00000000746D1000-memory.dmp

Filesize
5.7MB

Download
memory/3452-12-0x0000000074120000-0x00000000746D1000-memory.dmp

Filesize
5.7MB

Download
memory/3452-13-0x00000000010E0000-0x00000000010F0000-memory.dmp

Filesize
64KB

Download
memory/3644-0-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3644-10-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download