njrat | cce22fbe89d38e3717ac432f835b8c5b987e25594870da7d331ba0ad9d4fb8c9

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/06/2024, 01:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

814443df281caaa8e1d747855eafcb30_NeikiAnalytics.exe
Size

115KB
MD5

814443df281caaa8e1d747855eafcb30
SHA1

2eebd71c5c2e3e3f1eac51f4512bff023f64a042
SHA256

cce22fbe89d38e3717ac432f835b8c5b987e25594870da7d331ba0ad9d4fb8c9
SHA512

d1e70e8e24beb03d0269f9fb89eba7e2b2cd8cc9d68824c54123d045d911a873ea9c906d4ef9ae24c6acb3d8accb8bd5d63d3144bc8574f3d5651390f773fe5d
SSDEEP

1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDLC:P5eznsjsguGDFqGZ2rDLC

Score

10^/10

njrat neuf evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes

reg_key
e1a87040f2026369a233f9ae76301b7b
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2872	netsh.exe

Executes dropped EXE 3 IoCs

pid	Process
2160	chargeable.exe
2532	chargeable.exe
2488	chargeable.exe

Loads dropped DLL 2 IoCs

pid	Process
2812	814443df281caaa8e1d747855eafcb30_NeikiAnalytics.exe
2812	814443df281caaa8e1d747855eafcb30_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"	814443df281caaa8e1d747855eafcb30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\814443df281caaa8e1d747855eafcb30_NeikiAnalytics.exe"	814443df281caaa8e1d747855eafcb30_NeikiAnalytics.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2160 set thread context of 2532	2160	chargeable.exe	30
PID 2160 set thread context of 2488	2160	chargeable.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	2532	chargeable.exe
Token: 33	2532	chargeable.exe
Token: SeIncBasePriorityPrivilege	2532	chargeable.exe
Token: 33	2532	chargeable.exe
Token: SeIncBasePriorityPrivilege	2532	chargeable.exe
Token: 33	2532	chargeable.exe
Token: SeIncBasePriorityPrivilege	2532	chargeable.exe
Token: 33	2532	chargeable.exe
Token: SeIncBasePriorityPrivilege	2532	chargeable.exe
Token: 33	2532	chargeable.exe
Token: SeIncBasePriorityPrivilege	2532	chargeable.exe
Token: 33	2532	chargeable.exe
Token: SeIncBasePriorityPrivilege	2532	chargeable.exe
Token: 33	2532	chargeable.exe
Token: SeIncBasePriorityPrivilege	2532	chargeable.exe
Token: 33	2532	chargeable.exe
Token: SeIncBasePriorityPrivilege	2532	chargeable.exe
Token: 33	2532	chargeable.exe
Token: SeIncBasePriorityPrivilege	2532	chargeable.exe
Token: 33	2532	chargeable.exe
Token: SeIncBasePriorityPrivilege	2532	chargeable.exe
Token: 33	2532	chargeable.exe
Token: SeIncBasePriorityPrivilege	2532	chargeable.exe
Token: 33	2532	chargeable.exe
Token: SeIncBasePriorityPrivilege	2532	chargeable.exe
Token: 33	2532	chargeable.exe
Token: SeIncBasePriorityPrivilege	2532	chargeable.exe
Token: 33	2532	chargeable.exe
Token: SeIncBasePriorityPrivilege	2532	chargeable.exe
Token: 33	2532	chargeable.exe
Token: SeIncBasePriorityPrivilege	2532	chargeable.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 2160	2812	814443df281caaa8e1d747855eafcb30_NeikiAnalytics.exe	28
PID 2812 wrote to memory of 2160	2812	814443df281caaa8e1d747855eafcb30_NeikiAnalytics.exe	28
PID 2812 wrote to memory of 2160	2812	814443df281caaa8e1d747855eafcb30_NeikiAnalytics.exe	28
PID 2812 wrote to memory of 2160	2812	814443df281caaa8e1d747855eafcb30_NeikiAnalytics.exe	28
PID 2160 wrote to memory of 2488	2160	chargeable.exe	29
PID 2160 wrote to memory of 2488	2160	chargeable.exe	29
PID 2160 wrote to memory of 2488	2160	chargeable.exe	29
PID 2160 wrote to memory of 2488	2160	chargeable.exe	29
PID 2160 wrote to memory of 2532	2160	chargeable.exe	30
PID 2160 wrote to memory of 2532	2160	chargeable.exe	30
PID 2160 wrote to memory of 2532	2160	chargeable.exe	30
PID 2160 wrote to memory of 2532	2160	chargeable.exe	30
PID 2160 wrote to memory of 2532	2160	chargeable.exe	30
PID 2160 wrote to memory of 2532	2160	chargeable.exe	30
PID 2160 wrote to memory of 2532	2160	chargeable.exe	30
PID 2160 wrote to memory of 2532	2160	chargeable.exe	30
PID 2160 wrote to memory of 2532	2160	chargeable.exe	30
PID 2160 wrote to memory of 2488	2160	chargeable.exe	29
PID 2160 wrote to memory of 2488	2160	chargeable.exe	29
PID 2160 wrote to memory of 2488	2160	chargeable.exe	29
PID 2160 wrote to memory of 2488	2160	chargeable.exe	29
PID 2160 wrote to memory of 2488	2160	chargeable.exe	29
PID 2532 wrote to memory of 2872	2532	chargeable.exe	31
PID 2532 wrote to memory of 2872	2532	chargeable.exe	31
PID 2532 wrote to memory of 2872	2532	chargeable.exe	31
PID 2532 wrote to memory of 2872	2532	chargeable.exe	31

C:\Users\Admin\AppData\Local\Temp\814443df281caaa8e1d747855eafcb30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\814443df281caaa8e1d747855eafcb30_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
  "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    3⤵
    - Executes dropped EXE
    PID:2488
- - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2532
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE

Filesize
1KB

MD5
cba2426f2aafe31899569ace05e89796

SHA1
3bfb16faefd762b18f033cb2de6ceb77db9d2390

SHA256
a465febe8a024e3cdb548a3731b2ea60c7b2919e941a24b9a42890b2b039b85a

SHA512
395cce81a7966f02c49129586815b833c8acfe6efbb8795e56548f32819270c654074622b7fa880121ce7fbd29725af6f69f89b8c7e02c64d1bbffbfe0620c68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0018BB1B5834735BFA60CD063B31956

Filesize
1KB

MD5
fc1193c6345ac35188aa3de0f824ceb7

SHA1
8fb5606f5380ac6ace7bb4e7c71b6750362e8c5f

SHA256
bdfb8faff4c0c0a15c642890a5544bd32f930f55ca199470dbd4736a32d6e200

SHA512
480a3ad52cf215db3cede6ad93293f8f031c2cb7a190c6f4cbcd0f3eb06f5c81c7f13d304a495945192e759ab5403245acef7be0149b8615ce2b194927f3dec4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE

Filesize
264B

MD5
a660d8b8d5a686f2c362bcac133a4b81

SHA1
8b61638bed318c923c15a42fe89b7922104296f6

SHA256
2d14c3df8649a267003715a450c952feb093d847574159882c101cfc37b6d9e1

SHA512
035508eec633667799fb18554800f4d6ce4d1217bcf27d634351eba61e3d2702c3a1f153f56ec7aec00df3e9055a5767257fa45e7bd10121fd20dcf117f964c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b4ae78002c45bf9b4959a74cd2bd2b50

SHA1
a335e33b5f6649ffba28877ad0141650d76baa1f

SHA256
5f234e9ff779bcfe1c45633ae81ddc9d3127d494f4185f69dc31f1f83c0cce0b

SHA512
aebd3e36999df351b4110f2bde46de3d3776cc39c52f7409bbc45887ede358a168a1bafd0aa2e7c1dce032ae4a40c8df5db1c544385e2e740a4d4ab720d943da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
96c760858c7bf62e9b7612f0b9b15d68

SHA1
7814d0ff2d42394b7e5c29a1226234668b259e13

SHA256
bc5769e20b9b49956c7c1fefbc4b17dca4761593d37fd29b13ff638a8f73add4

SHA512
80aad8fcea064255b408d05cb51cbbc95d1f6d6750c2857a8c34e4554404762a89f8010f715dd36ee821391961fabcf0482cfeccb5e7c1e4760727918bcba790

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb60cb329c314cace224686c8b246e5d

SHA1
ef79b4214c1e2496218b3c5d1882a3787a6c7cb9

SHA256
840cab278c9bab34d563438f1db555ec4633e32b64f0a32e9152896fe8d33e95

SHA512
f0a39175dc791c42cbdd865789df071b4daa8913a775fdbd1c171218b31b1386d6a332a45e5fedb59ee48edad5c606392e4706b22a37698dd8e3976857b53c4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956

Filesize
252B

MD5
454308ad477b1c6de324f23381071816

SHA1
3cb57c5d82ad953d1a98b2bbb5a12bd75be231f9

SHA256
f6a1b3312fca8a38dcc01b35e26faf9a5d14fde577a4c8fc97b32d35fdeedaa2

SHA512
094bdd20d37c5d02c0cfe168021795f6ff494d518d58c718ae4a5f832e1916018b211b1d6d503190717f5f3d4cc25ecad26b6bb5ec2234da015907bda48bb682

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7A7F.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7AB1.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8008.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Filesize
115KB

MD5
3eb78d5dc670082abf207829b5b3fcff

SHA1
788833430c72dd03f6b8a61d3618f399ecb030a3

SHA256
84dcaec6d1d240ff9195325a68e2f11be3358fab102b31b1c02e1cde2a9c04c7

SHA512
c724114e4a2e0baa411d23dcd8135e0add6f1acec9e2e5661966c61d29917a66de86443278c6c2c97ed82de21bae115d58202e2ae72c7e03209dfe91c3605a11

Download Submit
memory/2532-366-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2532-371-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2532-370-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2812-197-0x00000000743C0000-0x000000007496B000-memory.dmp

Filesize
5.7MB

Download
memory/2812-0-0x00000000743C1000-0x00000000743C2000-memory.dmp

Filesize
4KB

Download
memory/2812-2-0x00000000743C0000-0x000000007496B000-memory.dmp

Filesize
5.7MB

Download
memory/2812-1-0x00000000743C0000-0x000000007496B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads