njrat | 36156d4d1ba4aa29477da7508691d54ea512e21ded3c42e7f5a9adef250d2bf8

Analysis

max time kernel
147s
max time network
151s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
07-05-2024 23:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c82ffc0a5a0321346564522f939b8c0_NEIKI.exe
Size

114KB
MD5

5c82ffc0a5a0321346564522f939b8c0
SHA1

d5b28a1cbc4e1493140b7147f50c1489415e0ade
SHA256

36156d4d1ba4aa29477da7508691d54ea512e21ded3c42e7f5a9adef250d2bf8
SHA512

b33d4a73796473eabb8bdfd53bbc95538ad1a57051e3c626ce7d631a1d7bfdb89242d3e700db4026585ec1e5a5501e61c8625df0037d7b3de8efdc44da542b57
SSDEEP

1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMiat6h:P5eznsjsguGDFqGZ2rih

Score

10^/10

njrat neuf evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes

reg_key
e1a87040f2026369a233f9ae76301b7b
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2688	netsh.exe

Executes dropped EXE 2 IoCs

pid	Process
2996	chargeable.exe
2848	chargeable.exe

Loads dropped DLL 2 IoCs

pid	Process
1848	5c82ffc0a5a0321346564522f939b8c0_NEIKI.exe
1848	5c82ffc0a5a0321346564522f939b8c0_NEIKI.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"	5c82ffc0a5a0321346564522f939b8c0_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5c82ffc0a5a0321346564522f939b8c0_NEIKI.exe"	5c82ffc0a5a0321346564522f939b8c0_NEIKI.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2996 set thread context of 2848	2996	chargeable.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	2848	chargeable.exe
Token: 33	2848	chargeable.exe
Token: SeIncBasePriorityPrivilege	2848	chargeable.exe
Token: 33	2848	chargeable.exe
Token: SeIncBasePriorityPrivilege	2848	chargeable.exe
Token: 33	2848	chargeable.exe
Token: SeIncBasePriorityPrivilege	2848	chargeable.exe
Token: 33	2848	chargeable.exe
Token: SeIncBasePriorityPrivilege	2848	chargeable.exe
Token: 33	2848	chargeable.exe
Token: SeIncBasePriorityPrivilege	2848	chargeable.exe
Token: 33	2848	chargeable.exe
Token: SeIncBasePriorityPrivilege	2848	chargeable.exe
Token: 33	2848	chargeable.exe
Token: SeIncBasePriorityPrivilege	2848	chargeable.exe
Token: 33	2848	chargeable.exe
Token: SeIncBasePriorityPrivilege	2848	chargeable.exe
Token: 33	2848	chargeable.exe
Token: SeIncBasePriorityPrivilege	2848	chargeable.exe
Token: 33	2848	chargeable.exe
Token: SeIncBasePriorityPrivilege	2848	chargeable.exe
Token: 33	2848	chargeable.exe
Token: SeIncBasePriorityPrivilege	2848	chargeable.exe
Token: 33	2848	chargeable.exe
Token: SeIncBasePriorityPrivilege	2848	chargeable.exe
Token: 33	2848	chargeable.exe
Token: SeIncBasePriorityPrivilege	2848	chargeable.exe
Token: 33	2848	chargeable.exe
Token: SeIncBasePriorityPrivilege	2848	chargeable.exe
Token: 33	2848	chargeable.exe
Token: SeIncBasePriorityPrivilege	2848	chargeable.exe
Token: 33	2848	chargeable.exe
Token: SeIncBasePriorityPrivilege	2848	chargeable.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 2996	1848	5c82ffc0a5a0321346564522f939b8c0_NEIKI.exe	28
PID 1848 wrote to memory of 2996	1848	5c82ffc0a5a0321346564522f939b8c0_NEIKI.exe	28
PID 1848 wrote to memory of 2996	1848	5c82ffc0a5a0321346564522f939b8c0_NEIKI.exe	28
PID 1848 wrote to memory of 2996	1848	5c82ffc0a5a0321346564522f939b8c0_NEIKI.exe	28
PID 2996 wrote to memory of 2848	2996	chargeable.exe	29
PID 2996 wrote to memory of 2848	2996	chargeable.exe	29
PID 2996 wrote to memory of 2848	2996	chargeable.exe	29
PID 2996 wrote to memory of 2848	2996	chargeable.exe	29
PID 2996 wrote to memory of 2848	2996	chargeable.exe	29
PID 2996 wrote to memory of 2848	2996	chargeable.exe	29
PID 2996 wrote to memory of 2848	2996	chargeable.exe	29
PID 2996 wrote to memory of 2848	2996	chargeable.exe	29
PID 2996 wrote to memory of 2848	2996	chargeable.exe	29
PID 2848 wrote to memory of 2688	2848	chargeable.exe	30
PID 2848 wrote to memory of 2688	2848	chargeable.exe	30
PID 2848 wrote to memory of 2688	2848	chargeable.exe	30
PID 2848 wrote to memory of 2688	2848	chargeable.exe	30

C:\Users\Admin\AppData\Local\Temp\5c82ffc0a5a0321346564522f939b8c0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\5c82ffc0a5a0321346564522f939b8c0_NEIKI.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
  "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE

Filesize
1KB

MD5
cba2426f2aafe31899569ace05e89796

SHA1
3bfb16faefd762b18f033cb2de6ceb77db9d2390

SHA256
a465febe8a024e3cdb548a3731b2ea60c7b2919e941a24b9a42890b2b039b85a

SHA512
395cce81a7966f02c49129586815b833c8acfe6efbb8795e56548f32819270c654074622b7fa880121ce7fbd29725af6f69f89b8c7e02c64d1bbffbfe0620c68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0018BB1B5834735BFA60CD063B31956

Filesize
1KB

MD5
0376ba21bc7c1d09e61b206c11bbc92c

SHA1
443fee1cb47f3497f1e8042a94c5da8655aa7cd7

SHA256
1e377d5df77b88b5dd8cde349ceb5c939eaddb2af2676ec91346f9ef7e24a0ab

SHA512
f68db4ce81924b2531b3467a23e02b2913086b6293d0d5a81fe9dbee941504502ea590d4667e3e758f3b4986384200700cb919bc7a5b75a29080e66b29aa9e23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE

Filesize
264B

MD5
d5a17cf251652e281822f4b469c6c4d2

SHA1
6011acce1111c366186071622719ffe79e58b476

SHA256
977fb10a3d26acb2b8c1c1050612feabe659999ced25e96a902739f4a5ac226b

SHA512
415d050c2f103076fa164ab3470d482ec6aee60cc3b2a7781881b2e0f5f4be619377e61874aee63bad4dcf0f2a03ad2be5c7b7b9b7e51d033e65247c0bd7173f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a5b36d29f311a1ddbcdfcacb23d43e13

SHA1
d29662c19f7b8b1d1723fb782642f684faf51e60

SHA256
f00d4ada7fd7be7f9a4b95feef688dc3654db12d5f95369b5eb2da0e8d71b61f

SHA512
0756faffbb6bf75b42b4467326c6e449ba85441e33f45cb31c30d5bafa914a4bff994bb0e36638dbf42d09b7ced73aeebde6b33e2c2162591cd10ddb74477664

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b547e5d80bb6db811fcb0701badab2d4

SHA1
78d0442a040e944838c9de9997aed91f1f6ccb16

SHA256
7421959831ca7efa7246d11dcea7882beafdc714ebb23bde2e66a48abfe74aa5

SHA512
12ab315facba0d40f115411013b9343fef66ece927648cf5bef0b06c20067ea900daf5eb3af22ce01f85a7a1409a12e64165d77d387790271edb8d5a20ae43cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6d0e22b3a150d54410c35635c8635ce9

SHA1
48b887512ef4704122842e012e0e87c898562862

SHA256
9ce5947608987c47068a369225a67f0f0229b25c48915accf8303eadc2e1dfd5

SHA512
6f5f5561876e8bcb9cc8073e7868523a2ff5a59d3c054b86e3bc63fcf6dec41bc4a68f4c891321be049bb6911f9092aea9abf291ad8e76381e62ad22ec283c64

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956

Filesize
252B

MD5
c1fffdc2f0e85b1e6964cf099c218457

SHA1
fe52237c9948cd2aafe9907ce156b70081e87385

SHA256
34936b9e4f15c02b0b8e8eaf0614a75d6b6629d762b83f389e91505a2424ab64

SHA512
7e13a401e62971b281775e2655029e37616c66cf0dd4b55d204452256b9a9f5d39ceda696dd9452cb19ca6f35329b975793354436afd62bd41968111d04919c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
83b51d9894d85fb4058e6cace99bc305

SHA1
831729b384f8242169936d7f1fb19943e39dcbd0

SHA256
809f4bfcad2f7f55e0b2f01b6d7c528775b0b8d49aa7585030eac4cd03bcc152

SHA512
9f768628677af9f34448d886a0a6f01bfe542bd173dca774e49c83f6e26b6ae3aa3b6bf326a3dd436ce9faf1aa78f6558e4177e5c483024752e746bdef4bb07c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC17.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Filesize
114KB

MD5
fab16040b96ec34f0dc2a8d73b321856

SHA1
6fca9b458a7231ac732a28029d04d5e8f15ae957

SHA256
94a8ba1ca677f21188d25c354f5a1b0c500631ac76d1477184b99cf0695a208d

SHA512
b4f3ab98878a0c22fdb834cc42500da82f14f52b70c5491b8c2eede062eb1a240a2882e499b1be05482da27fb9169d0bf69bbfa99d594bc3f9c1d9e7a05f4db8

Download Submit
memory/1848-192-0x00000000740A0000-0x000000007464B000-memory.dmp

Filesize
5.7MB

Download
memory/1848-0-0x00000000740A1000-0x00000000740A2000-memory.dmp

Filesize
4KB

Download
memory/1848-2-0x00000000740A0000-0x000000007464B000-memory.dmp

Filesize
5.7MB

Download
memory/1848-1-0x00000000740A0000-0x000000007464B000-memory.dmp

Filesize
5.7MB

Download
memory/2848-363-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2848-365-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2848-366-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads