njrat | hxxps://github[.]com/simalei/njRAT/archive/refs/heads/master[.]zip

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
03-05-2024 02:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/simalei/njRAT/archive/refs/heads/master.zip

Score

10^/10

njrat mybot trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

MyBot

127.0.0.1:6522

Mutex

08b95e8031023f327813eef69063752a

Attributes

reg_key
08b95e8031023f327813eef69063752a
splitter
Y262SUCZ4UJJ

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

dotNET_Reactor.exe

pid process

5920 dotNET_Reactor.exe

pid	process
5920	dotNET_Reactor.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 52 IoCs

Processes:

NjRat 0.7D.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 01000000030000000000000002000000ffffffff	NjRat 0.7D.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	NjRat 0.7D.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg	NjRat 0.7D.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	NjRat 0.7D.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202	NjRat 0.7D.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	NjRat 0.7D.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	NjRat 0.7D.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = 00000000ffffffff	NjRat 0.7D.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	NjRat 0.7D.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	NjRat 0.7D.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	NjRat 0.7D.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg	NjRat 0.7D.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9	NjRat 0.7D.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\SniffedFolderType = "Generic"	NjRat 0.7D.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings	NjRat 0.7D.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	NjRat 0.7D.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	NjRat 0.7D.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	NjRat 0.7D.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8	NjRat 0.7D.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	NjRat 0.7D.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell	NjRat 0.7D.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	NjRat 0.7D.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	NjRat 0.7D.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell	NjRat 0.7D.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	NjRat 0.7D.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	NjRat 0.7D.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	NjRat 0.7D.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	NjRat 0.7D.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	NjRat 0.7D.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	NjRat 0.7D.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	NjRat 0.7D.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	NjRat 0.7D.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "9"	NjRat 0.7D.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	NjRat 0.7D.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	NjRat 0.7D.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202	NjRat 0.7D.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	NjRat 0.7D.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	NjRat 0.7D.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	NjRat 0.7D.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\NodeSlot = "8"	NjRat 0.7D.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\SniffedFolderType = "Generic"	NjRat 0.7D.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	NjRat 0.7D.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 = 6000310000000000a358751610004e4a524154307e312e374400460009000400efbea3587516a35875162e000000ca3c020000000a00000000000000000000000000000021e310004e006a00520061007400200030002e003700440000001a000000	NjRat 0.7D.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	NjRat 0.7D.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\MRUListEx = ffffffff	NjRat 0.7D.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	NjRat 0.7D.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	NjRat 0.7D.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	NjRat 0.7D.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	NjRat 0.7D.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	NjRat 0.7D.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	NjRat 0.7D.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0	NjRat 0.7D.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	process
2144	msedge.exe
2144	msedge.exe
4688	msedge.exe
4688	msedge.exe
5088	identity_helper.exe
5088	identity_helper.exe
5052	msedge.exe
5052	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

4688 msedge.exe
4688 msedge.exe
4688 msedge.exe
4688 msedge.exe
4688 msedge.exe
4688 msedge.exe
4688 msedge.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 5608 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 5608 AUDIODG.EXE

description	pid	process
Token: 33	5608	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5608	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exeNjRat Lime Edition 0.8.0.exeNjRat 0.7D.exe

pid	process
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
5496	NjRat Lime Edition 0.8.0.exe
5496	NjRat Lime Edition 0.8.0.exe
5496	NjRat Lime Edition 0.8.0.exe
5496	NjRat Lime Edition 0.8.0.exe
5496	NjRat Lime Edition 0.8.0.exe
5496	NjRat Lime Edition 0.8.0.exe
5496	NjRat Lime Edition 0.8.0.exe
5824	NjRat 0.7D.exe
5824	NjRat 0.7D.exe

Suspicious use of SendNotifyMessage 31 IoCs

Processes:

msedge.exeNjRat Lime Edition 0.8.0.exeNjRat 0.7D.exe

pid	process
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
5496	NjRat Lime Edition 0.8.0.exe
5496	NjRat Lime Edition 0.8.0.exe
5496	NjRat Lime Edition 0.8.0.exe
5496	NjRat Lime Edition 0.8.0.exe
5824	NjRat 0.7D.exe
5824	NjRat 0.7D.exe
5824	NjRat 0.7D.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

NjRat 0.7D.exe

pid process

5824 NjRat 0.7D.exe

pid	process
5824	NjRat 0.7D.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4688 wrote to memory of 3164	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 3164	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 884	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 884	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 884	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 884	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 884	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 884	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 884	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 884	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 884	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 884	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 884	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 884	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 884	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 884	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 884	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 884	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 884	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 884	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 884	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 884	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 884	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 884	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 884	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 884	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 884	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 884	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 884	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 884	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 884	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 884	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 884	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 884	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 884	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 884	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 884	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 884	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 884	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 884	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 884	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 884	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 2144	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 2144	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 3244	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 3244	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 3244	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 3244	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 3244	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 3244	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 3244	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 3244	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 3244	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 3244	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 3244	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 3244	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 3244	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 3244	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 3244	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 3244	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 3244	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 3244	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 3244	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 3244	4688	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/simalei/njRAT/archive/refs/heads/master.zip
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa6d8e46f8,0x7ffa6d8e4708,0x7ffa6d8e4718
2⤵
PID:3164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,7672140552973884861,1793563319832998644,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
2⤵
PID:884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,7672140552973884861,1793563319832998644,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2572 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,7672140552973884861,1793563319832998644,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8
2⤵
PID:3244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7672140552973884861,1793563319832998644,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
2⤵
PID:1696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7672140552973884861,1793563319832998644,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
2⤵
PID:4044

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,7672140552973884861,1793563319832998644,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
2⤵
PID:4708

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,7672140552973884861,1793563319832998644,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2052,7672140552973884861,1793563319832998644,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5548 /prefetch:8
2⤵
PID:4988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7672140552973884861,1793563319832998644,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
2⤵
PID:4544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2052,7672140552973884861,1793563319832998644,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5716 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,7672140552973884861,1793563319832998644,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3016 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:6120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7672140552973884861,1793563319832998644,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
2⤵
PID:840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7672140552973884861,1793563319832998644,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2356 /prefetch:1
2⤵
PID:5484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7672140552973884861,1793563319832998644,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
2⤵
PID:5164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7672140552973884861,1793563319832998644,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
2⤵
PID:5216

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4800

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1900

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1992

C:\Users\Admin\Desktop\njRAT Lime Edition\NjRat Lime Edition 0.8.0.exe
"C:\Users\Admin\Desktop\njRAT Lime Edition\NjRat Lime Edition 0.8.0.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5496

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x328 0x2fc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5608

C:\Users\Admin\Desktop\NjRat 0.7D\NjRat 0.7D.exe
"C:\Users\Admin\Desktop\NjRat 0.7D\NjRat 0.7D.exe"
1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5824

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe" /alignment=512 /QUIET "C:\Users\Admin\AppData\Local\Temp\stub.il" /output:"C:\Users\Admin\Desktop\Client.exe"
2⤵
PID:5384

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C dotNET_Reactor.exe -file "C:\Users\Admin\Desktop\Client.exe" -admin 0 -shownagscreen 0 -showloadingscreen 0 -targetfile "C:\Users\Admin\Desktop\Client.exe" -antitamp 1 -compression 1 -control_flow_obfuscation 1 -flow_level 9 -nativeexe 0 -necrobit 1 -necrobit_comp 1 -prejit 0 -incremental_obfuscation 1 -obfuscate_public_types 1 -resourceencryption 1 -stringencryption 1 -antistrong 1
2⤵
PID:2392

C:\Users\Admin\Desktop\NjRat 0.7D\dotNET_Reactor.exe
dotNET_Reactor.exe -file "C:\Users\Admin\Desktop\Client.exe" -admin 0 -shownagscreen 0 -showloadingscreen 0 -targetfile "C:\Users\Admin\Desktop\Client.exe" -antitamp 1 -compression 1 -control_flow_obfuscation 1 -flow_level 9 -nativeexe 0 -necrobit 1 -necrobit_comp 1 -prejit 0 -incremental_obfuscation 1 -obfuscate_public_types 1 -resourceencryption 1 -stringencryption 1 -antistrong 1
3⤵
- Executes dropped EXE
PID:5920

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8b2290ca03b4ca5fe52d82550c7e7d69

SHA1
20583a7851a906444204ce8ba4fa51153e6cd494

SHA256
f9ff4871fc5317299de907489d466e630be63d698c8f7cb77cc81faddbecc6d2

SHA512
704ec8122cc1c263dff67ddbb5c20ee0db8a438674d716bc3be5b266ee5629a219b0049d721f9eb2dd8f2d8fda0163659eaa4d3e1f0a6e9072a8ffb92bb2b25d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
919c29d42fb6034fee2f5de14d573c63

SHA1
24a2e1042347b3853344157239bde3ed699047a8

SHA256
17cd6de97a0c020cb4935739cfef4ec4e074e8d127ac4c531b6dc496580c8141

SHA512
bb7eadd087bbcec8b1b8a49b102b454333f2f9708d36b6ffc3c82fdc52e46873398d967238c3bfe9ac6caef45b017a5fe3938ebf5f3053e4ef9be7b2752b563d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\16fbb846-78a2-4f2c-89e4-bc1cb977a2e9.tmp
Filesize
255B

MD5
d11edf9e08a127c768843acea41d0bc5

SHA1
ff1af9b39de4a3f547407fd9864ffdd2bb6c7354

SHA256
217e4d9d1412e45abf7a653f72a5ab8b53bc8fc6f377f52a042668a41abc7478

SHA512
92c3f0def567b0e2f2523ed25eb9d4abff06070b8be744fea4a6678f25f292439d7bc0c8015eaa6281b7f43149eebb3d3821cd6d6436598481113694b11ddea3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
25323bb9ad586702f0a9fd4b770340f7

SHA1
764bfdcca8447e2445e2f2a6b7a364999ddc1f2c

SHA256
3366f32194274144edba706cb75f0b19ccb7c10c85a24a7a3f5fe0b9c5725432

SHA512
ac9817b1dd025c882c00da69afe0d23b50f8ce56bc5dad68a79c6ef89b6de4bde9e5a141ea08ccfc3030c4c85a59c046a4b24cda52c34230d7cd8a6c1187c746

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
f7c6e858c674883f380c9aa34f8a0c43

SHA1
ebb0080ba1635264c075c640359dd2344d38b1f0

SHA256
6eb20321faf21c933ca350e8aa3695fafaa7d17a34aa80e918c59d7c1555cb0d

SHA512
47b304c987d14389dc22bc7ec77e3b3708c9c73e7092599166692abfeecc7446c9634496bf5ad2f8362f4f5d29eae9d2b1bff5a522ac0865c55fdf0017eb79ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
72d0a29ac44168ef83cef50a622d6095

SHA1
abb91d4be26c9177cdb812d13dcc9661e5c5c98b

SHA256
af1a0642b4643c8c5dfc73a5b7d7bf9d7849c8fac925d4c1c7e6651c488060f0

SHA512
9ee9761079b196fa8b913ccee29acf658ac076de592d73b99734d90468081aa6dec7f4ae911a3b0aad5c6fb4c54fcd40ef7b2274a3af4a770c4672118a402730

Download Submit
C:\Users\Admin\AppData\Local\Temp\stub.il
Filesize
338KB

MD5
55b1980ba54260909d66b195bbba6d7a

SHA1
70d2470b1a44d5f71982a1fd25035792947f4af8

SHA256
2417dabc4ad44dfd12cd9c09edf8f7e0913f689d8bb044db7dfe445f6a0cd8a3

SHA512
9a0c14fc992baf09153157325fcdf7b38a028f7c663f4d709396073e9fb66d3008ec3fdfe0766e7ef5569025f151b4f82e9e70cdd8ee84f3c5c45d91924a3c30

Download Submit
C:\Users\Admin\Desktop\Client.exe
Filesize
30KB

MD5
207e8708807a6eccfadd6aecef08d317

SHA1
0ef72b9d81908965cb6ae932879b63d3792c4882

SHA256
61e9751b5510fed994be3fb616a02f7756525d0ca8897759a0defbbdcf2a9aab

SHA512
f66946589e2c810839f0756421dcd6b78aef8701c8808eea774ef72703b08ab52eaebbcd43c67f75e3e1e9a70631e991f345a65a248c3667abdb7f7224f1f241

Download Submit
C:\Users\Admin\Desktop\NjRat 0.7D\dotNET_Reactor.exe
Filesize
5.9MB

MD5
a7d69d6ddbe2586d698ebdf7f49c1afa

SHA1
7b87de25c982d0cc42a1dde89790cd34acbcfd2e

SHA256
79f190a51af8a463f13ddd5a76947cf7ba2adfb8e231b37c5e0968602217a62b

SHA512
2d4fb34f83d9794c38ec39f12f78b8d7c5af331aea475eaecf589f95c9e1849196a8d5252a7f9beaa596bb34ddc0c94b76a6c9092dc0fb93ec6b0af9fb66226e

Download Submit
\??\pipe\LOCAL\crashpad_4688_LVJGODYCTVFHZXDJ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit