njrat | c0455d54c58449c1cb2a5e180d5cf4957f6de9117c4a7ae57c943cf62c3296cc

Analysis

max time kernel
150s
max time network
156s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79cf7560b7c62a56499d67d4ed3aaf90_NeikiAnalytics.exe
Size

115KB
MD5

79cf7560b7c62a56499d67d4ed3aaf90
SHA1

b667a1fbaca0227513f75c6a7b7916f1d5f77857
SHA256

c0455d54c58449c1cb2a5e180d5cf4957f6de9117c4a7ae57c943cf62c3296cc
SHA512

ee71a09d09dc4780ac18243f28fd8a99c56e6df1fa33f0e1bd215f5499e0952cdbf44116b8dfde54fd5c09d781430a63490b75e9495811fb27750e093bc7cdb8
SSDEEP

1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDIAC:P5eznsjsguGDFqGZ2rDIp

Score

10^/10

njrat neuf evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes

reg_key
e1a87040f2026369a233f9ae76301b7b
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2660 netsh.exe
Executes dropped EXE 3 IoCs

Processes:

chargeable.exechargeable.exechargeable.exe

pid process

1748 chargeable.exe
2508 chargeable.exe
2548 chargeable.exe
Loads dropped DLL 2 IoCs

Processes:

79cf7560b7c62a56499d67d4ed3aaf90_NeikiAnalytics.exe

pid process

1688 79cf7560b7c62a56499d67d4ed3aaf90_NeikiAnalytics.exe
1688 79cf7560b7c62a56499d67d4ed3aaf90_NeikiAnalytics.exe

pid	process
2660	netsh.exe

pid	process
1748	chargeable.exe
2508	chargeable.exe
2548	chargeable.exe

pid	process
1688	79cf7560b7c62a56499d67d4ed3aaf90_NeikiAnalytics.exe
1688	79cf7560b7c62a56499d67d4ed3aaf90_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

79cf7560b7c62a56499d67d4ed3aaf90_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"	79cf7560b7c62a56499d67d4ed3aaf90_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\79cf7560b7c62a56499d67d4ed3aaf90_NeikiAnalytics.exe"	79cf7560b7c62a56499d67d4ed3aaf90_NeikiAnalytics.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

chargeable.exe

description	pid	process	target process
PID 1748 set thread context of 2508	1748	chargeable.exe	chargeable.exe
PID 1748 set thread context of 2548	1748	chargeable.exe	chargeable.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

chargeable.exe

description	pid	process
Token: SeDebugPrivilege	2508	chargeable.exe
Token: 33	2508	chargeable.exe
Token: SeIncBasePriorityPrivilege	2508	chargeable.exe
Token: 33	2508	chargeable.exe
Token: SeIncBasePriorityPrivilege	2508	chargeable.exe
Token: 33	2508	chargeable.exe
Token: SeIncBasePriorityPrivilege	2508	chargeable.exe
Token: 33	2508	chargeable.exe
Token: SeIncBasePriorityPrivilege	2508	chargeable.exe
Token: 33	2508	chargeable.exe
Token: SeIncBasePriorityPrivilege	2508	chargeable.exe
Token: 33	2508	chargeable.exe
Token: SeIncBasePriorityPrivilege	2508	chargeable.exe
Token: 33	2508	chargeable.exe
Token: SeIncBasePriorityPrivilege	2508	chargeable.exe
Token: 33	2508	chargeable.exe
Token: SeIncBasePriorityPrivilege	2508	chargeable.exe
Token: 33	2508	chargeable.exe
Token: SeIncBasePriorityPrivilege	2508	chargeable.exe
Token: 33	2508	chargeable.exe
Token: SeIncBasePriorityPrivilege	2508	chargeable.exe
Token: 33	2508	chargeable.exe
Token: SeIncBasePriorityPrivilege	2508	chargeable.exe
Token: 33	2508	chargeable.exe
Token: SeIncBasePriorityPrivilege	2508	chargeable.exe
Token: 33	2508	chargeable.exe
Token: SeIncBasePriorityPrivilege	2508	chargeable.exe
Token: 33	2508	chargeable.exe
Token: SeIncBasePriorityPrivilege	2508	chargeable.exe
Token: 33	2508	chargeable.exe
Token: SeIncBasePriorityPrivilege	2508	chargeable.exe
Token: 33	2508	chargeable.exe
Token: SeIncBasePriorityPrivilege	2508	chargeable.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

79cf7560b7c62a56499d67d4ed3aaf90_NeikiAnalytics.exechargeable.exechargeable.exe

description	pid	process	target process
PID 1688 wrote to memory of 1748	1688	79cf7560b7c62a56499d67d4ed3aaf90_NeikiAnalytics.exe	chargeable.exe
PID 1688 wrote to memory of 1748	1688	79cf7560b7c62a56499d67d4ed3aaf90_NeikiAnalytics.exe	chargeable.exe
PID 1688 wrote to memory of 1748	1688	79cf7560b7c62a56499d67d4ed3aaf90_NeikiAnalytics.exe	chargeable.exe
PID 1688 wrote to memory of 1748	1688	79cf7560b7c62a56499d67d4ed3aaf90_NeikiAnalytics.exe	chargeable.exe
PID 1748 wrote to memory of 2548	1748	chargeable.exe	chargeable.exe
PID 1748 wrote to memory of 2548	1748	chargeable.exe	chargeable.exe
PID 1748 wrote to memory of 2548	1748	chargeable.exe	chargeable.exe
PID 1748 wrote to memory of 2548	1748	chargeable.exe	chargeable.exe
PID 1748 wrote to memory of 2508	1748	chargeable.exe	chargeable.exe
PID 1748 wrote to memory of 2508	1748	chargeable.exe	chargeable.exe
PID 1748 wrote to memory of 2508	1748	chargeable.exe	chargeable.exe
PID 1748 wrote to memory of 2508	1748	chargeable.exe	chargeable.exe
PID 1748 wrote to memory of 2508	1748	chargeable.exe	chargeable.exe
PID 1748 wrote to memory of 2508	1748	chargeable.exe	chargeable.exe
PID 1748 wrote to memory of 2508	1748	chargeable.exe	chargeable.exe
PID 1748 wrote to memory of 2508	1748	chargeable.exe	chargeable.exe
PID 1748 wrote to memory of 2508	1748	chargeable.exe	chargeable.exe
PID 1748 wrote to memory of 2548	1748	chargeable.exe	chargeable.exe
PID 1748 wrote to memory of 2548	1748	chargeable.exe	chargeable.exe
PID 1748 wrote to memory of 2548	1748	chargeable.exe	chargeable.exe
PID 1748 wrote to memory of 2548	1748	chargeable.exe	chargeable.exe
PID 1748 wrote to memory of 2548	1748	chargeable.exe	chargeable.exe
PID 2508 wrote to memory of 2660	2508	chargeable.exe	netsh.exe
PID 2508 wrote to memory of 2660	2508	chargeable.exe	netsh.exe
PID 2508 wrote to memory of 2660	2508	chargeable.exe	netsh.exe
PID 2508 wrote to memory of 2660	2508	chargeable.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\79cf7560b7c62a56499d67d4ed3aaf90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\79cf7560b7c62a56499d67d4ed3aaf90_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
  "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    3⤵
    - Executes dropped EXE
    PID:2548
- - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE

Filesize
1KB

MD5
cba2426f2aafe31899569ace05e89796

SHA1
3bfb16faefd762b18f033cb2de6ceb77db9d2390

SHA256
a465febe8a024e3cdb548a3731b2ea60c7b2919e941a24b9a42890b2b039b85a

SHA512
395cce81a7966f02c49129586815b833c8acfe6efbb8795e56548f32819270c654074622b7fa880121ce7fbd29725af6f69f89b8c7e02c64d1bbffbfe0620c68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0018BB1B5834735BFA60CD063B31956

Filesize
1KB

MD5
0376ba21bc7c1d09e61b206c11bbc92c

SHA1
443fee1cb47f3497f1e8042a94c5da8655aa7cd7

SHA256
1e377d5df77b88b5dd8cde349ceb5c939eaddb2af2676ec91346f9ef7e24a0ab

SHA512
f68db4ce81924b2531b3467a23e02b2913086b6293d0d5a81fe9dbee941504502ea590d4667e3e758f3b4986384200700cb919bc7a5b75a29080e66b29aa9e23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE

Filesize
264B

MD5
7b6123810770fdb38c0bf9fbb124070b

SHA1
11389801abf34b1a3627bc9573908ca2ed3d29c6

SHA256
e8cb4a529670b1a2f5d6a5db993f4e858e48e9f79b7c5cd48c4c3313244a68ed

SHA512
70d62a6aa2cda0d2112c4bfa4af6d092b72a97f94ced8ea76ce211bd2cb676759afeaef3157523250975444729b5c5ec04fa76a2fc1d00848c905d5e6091fabf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ea4e80ef090c3c9b74025a4fff53b860

SHA1
775b5e7973edfd6a5e0d5c5600cb35f0862e503a

SHA256
ce6a9e592d27c8ef675d1e97317c83881607010839bd3f0c0cd354e29c6c867a

SHA512
271b4677c19f1f03c913df9a266319a40890c68ffccc7dc72498d3d7fb6bfcd43bb9983bfebefc2c89924692eb7cee3e570dcc2519fbc00e2c60b4d0506970bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6d81df9a4c6eb554c2afe14ad8a4dad1

SHA1
07db1097c6928b600a517e64db5f2170460513f5

SHA256
6547de7b35cdfb6b14464eb3b4592ecef82046cc57bf95d0b738c7722fb24cad

SHA512
e4abe2c87ccc39ee23d69dc96026ad0d64e2f4ea52f5739e08a802f6260122f8cd32c9d9b1038e554486b5c0f4a7cd33d327c9e1e7cdd21e5b76c009ec52eedd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c8221f26aa0a98b31ec0a9dcaa7445d3

SHA1
fa7ef860a7f752f9450515f3ac764869337bf717

SHA256
bf2fc8aa663dcaab7035b2396ed1d5e17c695ea599e256cf38240cc85578f8dc

SHA512
ade8568ab3a8bf7cdab54d162ee1c7a5710afd6dddb59e3b6876036359a777f6c42fe6f88b54340f1ab1a620419ae58a4ea5d1c5982f1c5c77a91f190044ee59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956

Filesize
252B

MD5
cb11101db3911552f924464b1c9d198e

SHA1
02f8f5649235d1e15b5896f37d0e08749a7c1cae

SHA256
5a832cc913e11d446f93d1130b5bb0886bdd3fd4e90de7d14c88008d0d025508

SHA512
569e84f2b9501f6ff77dd38a5630d19ef9526e86cd020d7d3b63e1f045e922002be41d12bd3879650e117e5f5614ab80bc5e62d55319f7e68eb3d87823684edb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8EE9.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8F1B.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar92BD.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Filesize
115KB

MD5
5c915d1f48803310d4dfa83db757f20b

SHA1
9b5373e35d6223a02291d85691e992e3684eaa65

SHA256
79a209aeedf8543bf87cd31c5d525c64140995d4194808f4f3d4b7dd8899b256

SHA512
d32f688197f934d4ee3e07bc042b37d8cffe132850b28e142273fce3fa0b22fd1c8fffbdb2e54e7b05b4cf67ded88d07e4fa9752fc526a451dbead63291ed5a0

Download Submit
memory/1688-0-0x0000000074BF1000-0x0000000074BF2000-memory.dmp

Filesize
4KB

Download
memory/1688-1-0x0000000074BF0000-0x000000007519B000-memory.dmp

Filesize
5.7MB

Download
memory/1688-196-0x0000000074BF0000-0x000000007519B000-memory.dmp

Filesize
5.7MB

Download
memory/2508-370-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2508-369-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2508-365-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download