njrat | 2df06e36c5ad2a9beb07314aeb097840f3bf23ff9ac446e6f20d8cab6af61623

General

Target

57332dd2990412c36e6bbec8105a5170_NeikiAnalytics.exe
Size

863KB
MD5

57332dd2990412c36e6bbec8105a5170
SHA1

1fa1d2d628e437c403a26d69691f0232e0638eb3
SHA256

2df06e36c5ad2a9beb07314aeb097840f3bf23ff9ac446e6f20d8cab6af61623
SHA512

9d466327e39082706fc19dae9567e142c1d09f6105c0dd419523a0a739dbf567b005ac1e4c946a660e71ae11a7bf0e0ae73c9399d9ca7b943589c3e9a1b62507
SSDEEP

12288:a4lsXvtCcmVVXzzn4PJAahPl/QEdIMiVbHydEIJnJWUgaT7mWwq9MmCS:a4lavt0LkLL9IMixoEgea//wq9MmCS

Score

10^/10

njrat evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

57332dd2990412c36e6bbec8105a5170_NeikiAnalytics.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	57332dd2990412c36e6bbec8105a5170_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	57332dd2990412c36e6bbec8105a5170_NeikiAnalytics.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

3692 netsh.exe

pid	process
3692	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

57332dd2990412c36e6bbec8105a5170_NeikiAnalytics.exe6426.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	57332dd2990412c36e6bbec8105a5170_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	6426.exe

Executes dropped EXE 2 IoCs

Processes:

6426.exeserver.exe

pid process

4868 6426.exe
4796 server.exe

pid	process
4868	6426.exe
4796	server.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

server.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7657c14284185fbd3fb108b43c7467ba = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\7657c14284185fbd3fb108b43c7467ba = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

57332dd2990412c36e6bbec8105a5170_NeikiAnalytics.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	57332dd2990412c36e6bbec8105a5170_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

server.exe

description	pid	process
Token: SeDebugPrivilege	4796	server.exe
Token: 33	4796	server.exe
Token: SeIncBasePriorityPrivilege	4796	server.exe
Token: 33	4796	server.exe
Token: SeIncBasePriorityPrivilege	4796	server.exe
Token: 33	4796	server.exe
Token: SeIncBasePriorityPrivilege	4796	server.exe
Token: 33	4796	server.exe
Token: SeIncBasePriorityPrivilege	4796	server.exe
Token: 33	4796	server.exe
Token: SeIncBasePriorityPrivilege	4796	server.exe
Token: 33	4796	server.exe
Token: SeIncBasePriorityPrivilege	4796	server.exe
Token: 33	4796	server.exe
Token: SeIncBasePriorityPrivilege	4796	server.exe
Token: 33	4796	server.exe
Token: SeIncBasePriorityPrivilege	4796	server.exe
Token: 33	4796	server.exe
Token: SeIncBasePriorityPrivilege	4796	server.exe
Token: 33	4796	server.exe
Token: SeIncBasePriorityPrivilege	4796	server.exe
Token: 33	4796	server.exe
Token: SeIncBasePriorityPrivilege	4796	server.exe
Token: 33	4796	server.exe
Token: SeIncBasePriorityPrivilege	4796	server.exe
Token: 33	4796	server.exe
Token: SeIncBasePriorityPrivilege	4796	server.exe
Token: 33	4796	server.exe
Token: SeIncBasePriorityPrivilege	4796	server.exe
Token: 33	4796	server.exe
Token: SeIncBasePriorityPrivilege	4796	server.exe
Token: 33	4796	server.exe
Token: SeIncBasePriorityPrivilege	4796	server.exe
Token: 33	4796	server.exe
Token: SeIncBasePriorityPrivilege	4796	server.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

57332dd2990412c36e6bbec8105a5170_NeikiAnalytics.exe6426.exeserver.exe

description	pid	process	target process
PID 3032 wrote to memory of 4868	3032	57332dd2990412c36e6bbec8105a5170_NeikiAnalytics.exe	6426.exe
PID 3032 wrote to memory of 4868	3032	57332dd2990412c36e6bbec8105a5170_NeikiAnalytics.exe	6426.exe
PID 3032 wrote to memory of 4868	3032	57332dd2990412c36e6bbec8105a5170_NeikiAnalytics.exe	6426.exe
PID 4868 wrote to memory of 4796	4868	6426.exe	server.exe
PID 4868 wrote to memory of 4796	4868	6426.exe	server.exe
PID 4868 wrote to memory of 4796	4868	6426.exe	server.exe
PID 4796 wrote to memory of 3692	4796	server.exe	netsh.exe
PID 4796 wrote to memory of 3692	4796	server.exe	netsh.exe
PID 4796 wrote to memory of 3692	4796	server.exe	netsh.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

57332dd2990412c36e6bbec8105a5170_NeikiAnalytics.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	57332dd2990412c36e6bbec8105a5170_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	57332dd2990412c36e6bbec8105a5170_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	57332dd2990412c36e6bbec8105a5170_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\57332dd2990412c36e6bbec8105a5170_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\57332dd2990412c36e6bbec8105a5170_NeikiAnalytics.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3032
- C:\Users\Admin\AppData\Local\Temp\6426\6426.exe
  "C:\Users\Admin\AppData\Local\Temp\6426\6426.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4868
- - C:\Users\Admin\AppData\Local\Temp\server.exe
    "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4796
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:3692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

2

T1562

Disable or Modify System Firewall

1

T1562.004

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6426\6426.exe

Filesize
23KB

MD5
afd75e2e0d6528f8bb57aeebe56ce500

SHA1
111cf1cd74b5f291412f093600715e17664cc01e

SHA256
f7801590d6ee9586c79eec679b7223a5ea7d1f395ff862c5677abe38b444e9b0

SHA512
e992570eac1783e90481143a801fb27a669f073dd504440e38d312604779c6760220f380b546a7153d1a05dbc61a5b93c6ee8f1ee7abc0a3c6d6009747e6ab29

Download Submit
memory/4796-22-0x0000000073800000-0x0000000073DB1000-memory.dmp

Filesize
5.7MB

Download
memory/4796-23-0x0000000073800000-0x0000000073DB1000-memory.dmp

Filesize
5.7MB

Download
memory/4868-9-0x0000000073802000-0x0000000073803000-memory.dmp

Filesize
4KB

Download
memory/4868-10-0x0000000073800000-0x0000000073DB1000-memory.dmp

Filesize
5.7MB

Download
memory/4868-11-0x0000000073800000-0x0000000073DB1000-memory.dmp

Filesize
5.7MB

Download
memory/4868-21-0x0000000073800000-0x0000000073DB1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads