njrat | 67f5a1d87e47110e64fcfcececb506d2ee6b8e6fb046b0661a1bf2a85d7f89d2

Analysis

max time kernel
149s
max time network
148s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01/06/2024, 07:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9379f1e58d0d7f133e27cbfdf4710590_NeikiAnalytics.exe
Size

1.8MB
MD5

9379f1e58d0d7f133e27cbfdf4710590
SHA1

0c254261ea17e08d01e8e49bb3d4cdf45220b074
SHA256

67f5a1d87e47110e64fcfcececb506d2ee6b8e6fb046b0661a1bf2a85d7f89d2
SHA512

ed97bbaccc82abfb75cdaaa892c52547a381f3e27e52c8b236cab504e1d40f8abc82e2b8423472f492c4be87cbb40d39898250158f7777970f1d1ac10ad66d1c
SSDEEP

12288:CxgVcc6Om524xhP5JJQPbtb3P1o0LlzyRRr5jdY/49eNs6PrZ9hDOILRwYG8etim:aO2K/a0hzy3cHoORwqetii6hsuiWY

Score

10^/10

njrat hacked evasion execution persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HACKED

keuik2.ddns.net:1605

Mutex

5d34b6a4d3272cf71d9bb09e5bf002e2

Attributes

reg_key
5d34b6a4d3272cf71d9bb09e5bf002e2
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2592	powershell.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2448	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5d34b6a4d3272cf71d9bb09e5bf002e2.exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5d34b6a4d3272cf71d9bb09e5bf002e2.exe	explorer.exe

Executes dropped EXE 4 IoCs

pid	Process
2216	Encrypt.exe
2616	LoLAccountChecker.exe
2492	explorer.exe
2956	explorer.exe

Loads dropped DLL 5 IoCs

pid	Process
1608	9379f1e58d0d7f133e27cbfdf4710590_NeikiAnalytics.exe
1608	9379f1e58d0d7f133e27cbfdf4710590_NeikiAnalytics.exe
1608	9379f1e58d0d7f133e27cbfdf4710590_NeikiAnalytics.exe
2592	powershell.exe
2492	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\5d34b6a4d3272cf71d9bb09e5bf002e2 = "\"C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe\" .."	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\5d34b6a4d3272cf71d9bb09e5bf002e2 = "\"C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe\" .."	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2592	powershell.exe
2592	powershell.exe
2592	powershell.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	2956	explorer.exe
Token: 33	2956	explorer.exe
Token: SeIncBasePriorityPrivilege	2956	explorer.exe
Token: 33	2956	explorer.exe
Token: SeIncBasePriorityPrivilege	2956	explorer.exe
Token: 33	2956	explorer.exe
Token: SeIncBasePriorityPrivilege	2956	explorer.exe
Token: 33	2956	explorer.exe
Token: SeIncBasePriorityPrivilege	2956	explorer.exe
Token: 33	2956	explorer.exe
Token: SeIncBasePriorityPrivilege	2956	explorer.exe
Token: 33	2956	explorer.exe
Token: SeIncBasePriorityPrivilege	2956	explorer.exe
Token: 33	2956	explorer.exe
Token: SeIncBasePriorityPrivilege	2956	explorer.exe
Token: 33	2956	explorer.exe
Token: SeIncBasePriorityPrivilege	2956	explorer.exe
Token: 33	2956	explorer.exe
Token: SeIncBasePriorityPrivilege	2956	explorer.exe
Token: 33	2956	explorer.exe
Token: SeIncBasePriorityPrivilege	2956	explorer.exe
Token: 33	2956	explorer.exe
Token: SeIncBasePriorityPrivilege	2956	explorer.exe
Token: 33	2956	explorer.exe
Token: SeIncBasePriorityPrivilege	2956	explorer.exe
Token: 33	2956	explorer.exe
Token: SeIncBasePriorityPrivilege	2956	explorer.exe
Token: 33	2956	explorer.exe
Token: SeIncBasePriorityPrivilege	2956	explorer.exe
Token: 33	2956	explorer.exe
Token: SeIncBasePriorityPrivilege	2956	explorer.exe
Token: 33	2956	explorer.exe
Token: SeIncBasePriorityPrivilege	2956	explorer.exe
Token: 33	2956	explorer.exe
Token: SeIncBasePriorityPrivilege	2956	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1608	9379f1e58d0d7f133e27cbfdf4710590_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 2216	1608	9379f1e58d0d7f133e27cbfdf4710590_NeikiAnalytics.exe	28
PID 1608 wrote to memory of 2216	1608	9379f1e58d0d7f133e27cbfdf4710590_NeikiAnalytics.exe	28
PID 1608 wrote to memory of 2216	1608	9379f1e58d0d7f133e27cbfdf4710590_NeikiAnalytics.exe	28
PID 1608 wrote to memory of 2216	1608	9379f1e58d0d7f133e27cbfdf4710590_NeikiAnalytics.exe	28
PID 1608 wrote to memory of 2616	1608	9379f1e58d0d7f133e27cbfdf4710590_NeikiAnalytics.exe	29
PID 1608 wrote to memory of 2616	1608	9379f1e58d0d7f133e27cbfdf4710590_NeikiAnalytics.exe	29
PID 1608 wrote to memory of 2616	1608	9379f1e58d0d7f133e27cbfdf4710590_NeikiAnalytics.exe	29
PID 1608 wrote to memory of 2616	1608	9379f1e58d0d7f133e27cbfdf4710590_NeikiAnalytics.exe	29
PID 2216 wrote to memory of 2592	2216	Encrypt.exe	30
PID 2216 wrote to memory of 2592	2216	Encrypt.exe	30
PID 2216 wrote to memory of 2592	2216	Encrypt.exe	30
PID 2216 wrote to memory of 2592	2216	Encrypt.exe	30
PID 2616 wrote to memory of 2816	2616	LoLAccountChecker.exe	32
PID 2616 wrote to memory of 2816	2616	LoLAccountChecker.exe	32
PID 2616 wrote to memory of 2816	2616	LoLAccountChecker.exe	32
PID 2592 wrote to memory of 2492	2592	powershell.exe	33
PID 2592 wrote to memory of 2492	2592	powershell.exe	33
PID 2592 wrote to memory of 2492	2592	powershell.exe	33
PID 2592 wrote to memory of 2492	2592	powershell.exe	33
PID 2492 wrote to memory of 2956	2492	explorer.exe	34
PID 2492 wrote to memory of 2956	2492	explorer.exe	34
PID 2492 wrote to memory of 2956	2492	explorer.exe	34
PID 2492 wrote to memory of 2956	2492	explorer.exe	34
PID 2956 wrote to memory of 2448	2956	explorer.exe	35
PID 2956 wrote to memory of 2448	2956	explorer.exe	35
PID 2956 wrote to memory of 2448	2956	explorer.exe	35
PID 2956 wrote to memory of 2448	2956	explorer.exe	35

C:\Users\Admin\AppData\Local\Temp\9379f1e58d0d7f133e27cbfdf4710590_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9379f1e58d0d7f133e27cbfdf4710590_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Users\Admin\AppData\Roaming\Encrypt.exe
  "C:\Users\Admin\AppData\Roaming\Encrypt.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -windowstyle hidden (Start-Process -FilePath $env:Temp\explorer.exe)
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Users\Admin\AppData\Local\Temp\explorer.exe
      "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2492
    - - C:\Users\Admin\AppData\Roaming\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        5⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2956
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\explorer.exe" "explorer.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        
        PID:2448
- C:\Users\Admin\AppData\Roaming\LoLAccountChecker.exe
  "C:\Users\Admin\AppData\Roaming\LoLAccountChecker.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2616 -s 640
    3⤵
    PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
23KB

MD5
81e1406ca01e0d1105191b8688dab29c

SHA1
8283103713a4eb9547fdf064e39666592f3ca996

SHA256
069bda4017024ec9a256b35368eea1adb78c5f8217539b1d53a5524d95ea149e

SHA512
3083ed940d87b752d215643d5de9662520e096cfea635db0e118cfe0abbb08eed97c5e29e4a786555ba4f824792fdfc7bc881fdc177f97a76b3b28ca7cff3f70

Download Submit
C:\Users\Admin\AppData\Roaming\Encrypt.exe

Filesize
80KB

MD5
692a64e9c0aec02722f6e522f567f4da

SHA1
c3e759a854ef38f4a94422d4f522878b1a7e447a

SHA256
574ffc835aaf913a40951304f5d9e034eab3774f9310fbcbaf59af65c9598249

SHA512
559a84026301f45771fed43057cc20f8765ad9d21b5d0904254eccb576ee9214e9adfbd0b1896cc84478db7b796831fe616f606a30f8273ea3bf9782ec19d719

Download Submit
\Users\Admin\AppData\Roaming\LoLAccountChecker.exe

Filesize
1.5MB

MD5
dfededea097d7689a15aec74f30c06d9

SHA1
95465cbe611634e1b9c8cf375a3c162ab581e987

SHA256
5bbca0556d6c3f8da0f92c2dad1a8d1f771c89cedaa1a90c3b8e54117c056188

SHA512
9a06d496973fd60a67eceeae0b679c82d8f4c65b163c58c4da51692c21720fa6978ccb06e68b1921cdf193cf7f466668947169ad0d88c7ff3001dbb1996b8833

Download Submit
memory/2216-19-0x0000000074671000-0x0000000074672000-memory.dmp

Filesize
4KB

Download
memory/2216-21-0x0000000074670000-0x0000000074C1B000-memory.dmp

Filesize
5.7MB

Download
memory/2216-22-0x0000000074670000-0x0000000074C1B000-memory.dmp

Filesize
5.7MB

Download
memory/2216-24-0x0000000074670000-0x0000000074C1B000-memory.dmp

Filesize
5.7MB

Download
memory/2616-18-0x000007FEF5B73000-0x000007FEF5B74000-memory.dmp

Filesize
4KB

Download
memory/2616-20-0x0000000000A60000-0x0000000000BF0000-memory.dmp

Filesize
1.6MB

Download