njrat | f5d0b4c0ae4b1410fad3cdd51927d4597a8ce8fc4711ce221e2f6f4861d90eb9

General

Target

0bbb931a074cedbe1f6ccb5e57eb9940_NeikiAnalytics.exe
Size

5.7MB
MD5

0bbb931a074cedbe1f6ccb5e57eb9940
SHA1

7572e21383c936466554f23ab820d0f971b7b459
SHA256

f5d0b4c0ae4b1410fad3cdd51927d4597a8ce8fc4711ce221e2f6f4861d90eb9
SHA512

92eee60e6aed78e25a237ef48a5667b3c0a954ea0d75299d0f1bccc62d236187b4fc31a8aa4e15d2a9d9b26ab80a4fcf064a93d576fca32d73bc7058e1258646
SSDEEP

98304:k887H6P2uW5MI079g+DgeFahftplflf6dUwOEH6d8e6b0+hLVy9SkAMS:k8aH6eL2V76+DgTNfwZHYY1/YSh1

Score

10^/10

njrat nvidia evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

nvidia

C2

kids-notified.at.ply.gg:3845

Mutex

565c7299a2f18977caf93e5da2f7e3c1

Attributes

reg_key
565c7299a2f18977caf93e5da2f7e3c1
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

4996 netsh.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

INST.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation INST.exe

pid	process
4996	netsh.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	INST.exe

Drops startup file 2 IoCs

Processes:

nvidia.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\565c7299a2f18977caf93e5da2f7e3c1.exe	nvidia.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\565c7299a2f18977caf93e5da2f7e3c1.exe	nvidia.exe

Executes dropped EXE 2 IoCs

Processes:

INST.exenvidia.exe

pid process

5064 INST.exe
1308 nvidia.exe
Loads dropped DLL 2 IoCs

Processes:

0bbb931a074cedbe1f6ccb5e57eb9940_NeikiAnalytics.exe

pid process

3432 0bbb931a074cedbe1f6ccb5e57eb9940_NeikiAnalytics.exe
3432 0bbb931a074cedbe1f6ccb5e57eb9940_NeikiAnalytics.exe

pid	process
5064	INST.exe
1308	nvidia.exe

pid	process
3432	0bbb931a074cedbe1f6ccb5e57eb9940_NeikiAnalytics.exe
3432	0bbb931a074cedbe1f6ccb5e57eb9940_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

nvidia.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\565c7299a2f18977caf93e5da2f7e3c1 = "\"C:\\Users\\Admin\\AppData\\Roaming\\nvidia.exe\" .."	nvidia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\565c7299a2f18977caf93e5da2f7e3c1 = "\"C:\\Users\\Admin\\AppData\\Roaming\\nvidia.exe\" .."	nvidia.exe

Drops autorun.inf file 1 TTPs 5 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

nvidia.exe

description	ioc	process
File created	C:\autorun.inf	nvidia.exe
File opened for modification	C:\autorun.inf	nvidia.exe
File created	D:\autorun.inf	nvidia.exe
File created	F:\autorun.inf	nvidia.exe
File opened for modification	F:\autorun.inf	nvidia.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

nvidia.exe

description	pid	process
Token: SeDebugPrivilege	1308	nvidia.exe
Token: 33	1308	nvidia.exe
Token: SeIncBasePriorityPrivilege	1308	nvidia.exe
Token: 33	1308	nvidia.exe
Token: SeIncBasePriorityPrivilege	1308	nvidia.exe
Token: 33	1308	nvidia.exe
Token: SeIncBasePriorityPrivilege	1308	nvidia.exe
Token: 33	1308	nvidia.exe
Token: SeIncBasePriorityPrivilege	1308	nvidia.exe
Token: 33	1308	nvidia.exe
Token: SeIncBasePriorityPrivilege	1308	nvidia.exe
Token: 33	1308	nvidia.exe
Token: SeIncBasePriorityPrivilege	1308	nvidia.exe
Token: 33	1308	nvidia.exe
Token: SeIncBasePriorityPrivilege	1308	nvidia.exe
Token: 33	1308	nvidia.exe
Token: SeIncBasePriorityPrivilege	1308	nvidia.exe
Token: 33	1308	nvidia.exe
Token: SeIncBasePriorityPrivilege	1308	nvidia.exe
Token: 33	1308	nvidia.exe
Token: SeIncBasePriorityPrivilege	1308	nvidia.exe
Token: 33	1308	nvidia.exe
Token: SeIncBasePriorityPrivilege	1308	nvidia.exe
Token: 33	1308	nvidia.exe
Token: SeIncBasePriorityPrivilege	1308	nvidia.exe
Token: 33	1308	nvidia.exe
Token: SeIncBasePriorityPrivilege	1308	nvidia.exe
Token: 33	1308	nvidia.exe
Token: SeIncBasePriorityPrivilege	1308	nvidia.exe
Token: 33	1308	nvidia.exe
Token: SeIncBasePriorityPrivilege	1308	nvidia.exe
Token: 33	1308	nvidia.exe
Token: SeIncBasePriorityPrivilege	1308	nvidia.exe
Token: 33	1308	nvidia.exe
Token: SeIncBasePriorityPrivilege	1308	nvidia.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

0bbb931a074cedbe1f6ccb5e57eb9940_NeikiAnalytics.exe0bbb931a074cedbe1f6ccb5e57eb9940_NeikiAnalytics.execmd.exeINST.exenvidia.exe

description	pid	process	target process
PID 1564 wrote to memory of 3432	1564	0bbb931a074cedbe1f6ccb5e57eb9940_NeikiAnalytics.exe	0bbb931a074cedbe1f6ccb5e57eb9940_NeikiAnalytics.exe
PID 1564 wrote to memory of 3432	1564	0bbb931a074cedbe1f6ccb5e57eb9940_NeikiAnalytics.exe	0bbb931a074cedbe1f6ccb5e57eb9940_NeikiAnalytics.exe
PID 3432 wrote to memory of 3164	3432	0bbb931a074cedbe1f6ccb5e57eb9940_NeikiAnalytics.exe	cmd.exe
PID 3432 wrote to memory of 3164	3432	0bbb931a074cedbe1f6ccb5e57eb9940_NeikiAnalytics.exe	cmd.exe
PID 3432 wrote to memory of 2900	3432	0bbb931a074cedbe1f6ccb5e57eb9940_NeikiAnalytics.exe	cmd.exe
PID 3432 wrote to memory of 2900	3432	0bbb931a074cedbe1f6ccb5e57eb9940_NeikiAnalytics.exe	cmd.exe
PID 2900 wrote to memory of 5064	2900	cmd.exe	INST.exe
PID 2900 wrote to memory of 5064	2900	cmd.exe	INST.exe
PID 2900 wrote to memory of 5064	2900	cmd.exe	INST.exe
PID 5064 wrote to memory of 1308	5064	INST.exe	nvidia.exe
PID 5064 wrote to memory of 1308	5064	INST.exe	nvidia.exe
PID 5064 wrote to memory of 1308	5064	INST.exe	nvidia.exe
PID 1308 wrote to memory of 4996	1308	nvidia.exe	netsh.exe
PID 1308 wrote to memory of 4996	1308	nvidia.exe	netsh.exe
PID 1308 wrote to memory of 4996	1308	nvidia.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\0bbb931a074cedbe1f6ccb5e57eb9940_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0bbb931a074cedbe1f6ccb5e57eb9940_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1564

C:\Users\Admin\AppData\Local\Temp\0bbb931a074cedbe1f6ccb5e57eb9940_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0bbb931a074cedbe1f6ccb5e57eb9940_NeikiAnalytics.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3432

C:\Windows\SYSTEM32\cmd.exe
cmd /c echo %temp%
3⤵
PID:3164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\INST.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2900

C:\Users\Admin\AppData\Local\Temp\INST.exe
C:\Users\Admin\AppData\Local\Temp\INST.exe
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5064

C:\Users\Admin\AppData\Roaming\nvidia.exe
"C:\Users\Admin\AppData\Roaming\nvidia.exe"
5⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops autorun.inf file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1308

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\nvidia.exe" "nvidia.exe" ENABLE
6⤵
- Modifies Windows Firewall
PID:4996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\INST.exe
Filesize
37KB

MD5
6e1d6b895a2fdcd7829b62f90195ed37

SHA1
b2e9bd7ce8ee786eb0b3dbd3165df2edfb1cea87

SHA256
aabe818eb50d5edfe01bd4ee79a3a61e5d25ffb55fbd187388ec51faf34a0871

SHA512
1d8c2a49f049fe641abdaaa35e9cc9b7d8fbfdd3c15db67a576c09b3e41ad787aa927299c07e03733879da235ca9650421e34607a16dd909aab3e7ee46e78c23

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15642\VCRUNTIME140.dll
Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15642\base_library.zip
Filesize
1.0MB

MD5
8990ffed478799973e5dcd802405ebec

SHA1
d544b384b2da891fcdebd865ec20998945b6fbc2

SHA256
dc3af37f01115a5db58649c3b1415fabf6e98e5f86bd7855e7640bd6b3f45f49

SHA512
b5dfe7d225cace9434e2f5c174350736f7340d30c7547d7b6da7ebffcb426ca70c70819eaa32f86b68185d4b86813064a3c3b2708f681995ace9f2a3d525fdd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15642\python310.dll
Filesize
4.2MB

MD5
e9c0fbc99d19eeedad137557f4a0ab21

SHA1
8945e1811ceb4b26f21edcc7a36dcf2b1d34f0bf

SHA256
5783c5c5a3ffce181691f19d27de376a03010d32e41360b72bcdbd28467cfcc5

SHA512
74e1289683642ae2bc3cf780a07af1f27fed2011ef6cc67380f9c066c59d17a2fb2394a45a5c6cd75dad812a61093fdbd0f2108925f5c58fc6644c1c98be5c0b

Download Submit
memory/1308-35-0x0000000075220000-0x00000000757D1000-memory.dmp

Filesize
5.7MB

Download
memory/1308-36-0x0000000075220000-0x00000000757D1000-memory.dmp

Filesize
5.7MB

Download
memory/1308-47-0x0000000075220000-0x00000000757D1000-memory.dmp

Filesize
5.7MB

Download
memory/1308-57-0x0000000075220000-0x00000000757D1000-memory.dmp

Filesize
5.7MB

Download
memory/5064-22-0x0000000075222000-0x0000000075223000-memory.dmp

Filesize
4KB

Download
memory/5064-23-0x0000000075220000-0x00000000757D1000-memory.dmp

Filesize
5.7MB

Download
memory/5064-24-0x0000000075220000-0x00000000757D1000-memory.dmp

Filesize
5.7MB

Download
memory/5064-34-0x0000000075220000-0x00000000757D1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads