njrat | 2e9983832a19f9b6dc791f57bff464dc53aa27d318e2b7a81bfc13fc1f579e09

Analysis

max time kernel
119s
max time network
117s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
06-09-2024 20:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e1ddb3ded2f795c2c3c2badbac73370N.exe
Size

115KB
MD5

9e1ddb3ded2f795c2c3c2badbac73370
SHA1

f5940b9df3d2d1f2335e6374aaed7dc7d27213ad
SHA256

2e9983832a19f9b6dc791f57bff464dc53aa27d318e2b7a81bfc13fc1f579e09
SHA512

6abde93ff7e97e250248a783740d7675f5689227c9dd0a3da0e5fbcdf84992ca3c64d80ee2745f1c87eaba826ea889075ad6d2d9366b48a80e705c5b0785d4df
SSDEEP

1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDX:P5eznsjsguGDFqGZ2rDX

Score

10^/10

njrat neuf discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes

reg_key
e1a87040f2026369a233f9ae76301b7b
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2696	netsh.exe

Executes dropped EXE 2 IoCs

pid	Process
2448	chargeable.exe
2688	chargeable.exe

Loads dropped DLL 2 IoCs

pid	Process
2640	9e1ddb3ded2f795c2c3c2badbac73370N.exe
2640	9e1ddb3ded2f795c2c3c2badbac73370N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"	9e1ddb3ded2f795c2c3c2badbac73370N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9e1ddb3ded2f795c2c3c2badbac73370N.exe"	9e1ddb3ded2f795c2c3c2badbac73370N.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2448 set thread context of 2688	2448	chargeable.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9e1ddb3ded2f795c2c3c2badbac73370N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chargeable.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chargeable.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2688	chargeable.exe
Token: 33	2688	chargeable.exe
Token: SeIncBasePriorityPrivilege	2688	chargeable.exe
Token: 33	2688	chargeable.exe
Token: SeIncBasePriorityPrivilege	2688	chargeable.exe
Token: 33	2688	chargeable.exe
Token: SeIncBasePriorityPrivilege	2688	chargeable.exe
Token: 33	2688	chargeable.exe
Token: SeIncBasePriorityPrivilege	2688	chargeable.exe
Token: 33	2688	chargeable.exe
Token: SeIncBasePriorityPrivilege	2688	chargeable.exe
Token: 33	2688	chargeable.exe
Token: SeIncBasePriorityPrivilege	2688	chargeable.exe
Token: 33	2688	chargeable.exe
Token: SeIncBasePriorityPrivilege	2688	chargeable.exe
Token: 33	2688	chargeable.exe
Token: SeIncBasePriorityPrivilege	2688	chargeable.exe
Token: 33	2688	chargeable.exe
Token: SeIncBasePriorityPrivilege	2688	chargeable.exe
Token: 33	2688	chargeable.exe
Token: SeIncBasePriorityPrivilege	2688	chargeable.exe
Token: 33	2688	chargeable.exe
Token: SeIncBasePriorityPrivilege	2688	chargeable.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2448	2640	9e1ddb3ded2f795c2c3c2badbac73370N.exe	30
PID 2640 wrote to memory of 2448	2640	9e1ddb3ded2f795c2c3c2badbac73370N.exe	30
PID 2640 wrote to memory of 2448	2640	9e1ddb3ded2f795c2c3c2badbac73370N.exe	30
PID 2640 wrote to memory of 2448	2640	9e1ddb3ded2f795c2c3c2badbac73370N.exe	30
PID 2448 wrote to memory of 2688	2448	chargeable.exe	32
PID 2448 wrote to memory of 2688	2448	chargeable.exe	32
PID 2448 wrote to memory of 2688	2448	chargeable.exe	32
PID 2448 wrote to memory of 2688	2448	chargeable.exe	32
PID 2448 wrote to memory of 2688	2448	chargeable.exe	32
PID 2448 wrote to memory of 2688	2448	chargeable.exe	32
PID 2448 wrote to memory of 2688	2448	chargeable.exe	32
PID 2448 wrote to memory of 2688	2448	chargeable.exe	32
PID 2448 wrote to memory of 2688	2448	chargeable.exe	32
PID 2688 wrote to memory of 2696	2688	chargeable.exe	33
PID 2688 wrote to memory of 2696	2688	chargeable.exe	33
PID 2688 wrote to memory of 2696	2688	chargeable.exe	33
PID 2688 wrote to memory of 2696	2688	chargeable.exe	33

C:\Users\Admin\AppData\Local\Temp\9e1ddb3ded2f795c2c3c2badbac73370N.exe
"C:\Users\Admin\AppData\Local\Temp\9e1ddb3ded2f795c2c3c2badbac73370N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
  "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE

Filesize
1KB

MD5
e7122c733f9e37bba0ca4c985ce11d6d

SHA1
d661aa5b31ff7ef2df9bc4095279058c36499af2

SHA256
acc9932453f5aa68f4b95986668f5584f99e55bbe02eefc0d0960dab376df81a

SHA512
84cddf68a46f455b4ebbb8c0c70607fe60796cfc5eabdace12d0684a1323af9681700acbdbdc37e63d7806d0220fce9cba5213bb35cee056f9d71646f98711b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0018BB1B5834735BFA60CD063B31956

Filesize
1KB

MD5
732cfeb76b91c4d13978a00b8c666ed7

SHA1
0c57f76436701f4d51397d1d4e86337dd9ab1964

SHA256
9fab9fc0a1da813e6ddb93904c1fcfa6546cfbe70747ff8468ddd14d2552dbd2

SHA512
2b8618e823355a4fa646d51a753f67d34bd7b14367d46fa187f2294af7c2794c6cdee664ea570862757a5f1c99dfcb67a7d4ddf8389d07dd8d696fe55aa538bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE

Filesize
264B

MD5
fe1baa2a3c99a4c5fa3af6d80b9e1366

SHA1
818326ede519175b81d5f9f64a82caba4823ea26

SHA256
2dc9b20efad5b3bb670bcaa98ce989dd8bb0cbecdb945c590556a54a0b4da2ba

SHA512
038f29352ddac294660f63ba50d0c154db454ffda9141fbf2335b55c21613d3e5aafc0f6890d392eb89a971186e3c5f0eb0a32cfcad29759ac742eb49031bae5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4e97b589d776b5132d626909f42c490d

SHA1
cc2596aad9c75eeb8f71c8a253f66b62ef9824c7

SHA256
ee08be420969a854d9647711cac55d3d3efe801aa3bfd9fe55ab8d364b37146f

SHA512
ce28fde28c2ccf05024b583ec6c4f153dabd324184372ab6192a6ad16fe3a43845886f30a09cb588f20dbb3ded2fe75186364faeb6827386e17be1f8d6068ac4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9a947b7413d75b5ba10075b06d854689

SHA1
0dd55b6f3d579b0751d75f3b71efb76ef8eca6b7

SHA256
b6cd18ebd5463e50c6edf803935c2861ebc36c722103ce8e54d7712aecd4460f

SHA512
982b045e66c5f937f7d701558eea83039641a29a91ddce0de76748f4b7d39bce36e6548eeadb3b85a045de0669d750ebb2d113ff60c8c126533383dd8eadc1ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fedab9084c52acb08a532727d2f866b2

SHA1
811122a4db8f9e625336cc57d4ada3cd22ef1025

SHA256
aef9bf7b966face9228c89f8c0a4cb712051b70a06b351dbdcdd1b535c9cbdc4

SHA512
e58de4f27a12965fa27c155cb88efa0040c507f53992c4f05ff10f9f14fdebb48c8520c47c6b5178d5c329a2fd667631be8306b02e0b2c75f52691d1f38237bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956

Filesize
252B

MD5
6c674ef9d52f4903ecf436d6c61ac82c

SHA1
b25266e3dce443b57ae408661478c12e211f8883

SHA256
7631bb9f55505b265ebb51b40fdfb153eaf5484412f5a5a541cf0233b1337b96

SHA512
bd0178a23051f2b60c5996db9c9a4e043f985ed0ce9773fac154782ec5319254e8570349bfca5a00513c0310f4074efd2b34425ec1b00db4467475842f1e1c44

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9BD4.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9BF6.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Filesize
115KB

MD5
677ac9ea0fbccfd91d6647e87cdfc741

SHA1
7a03165149723cd759375e5d9d084b8cb1aafd63

SHA256
c6f6aef710e41a2f22cb091f7b1682ca4df710c436ec168d56813de5eae748b6

SHA512
25efc8638734f2fe95e7cfc1159cef131ebd68276da1e76423c7056a8f09a37a2f8e9ae2b6de5e1e7332232067ead98ad880f3d11f84987b49e9447fa6f3175b

Download Submit
memory/2640-188-0x0000000074630000-0x0000000074BDB000-memory.dmp

Filesize
5.7MB

Download
memory/2640-169-0x0000000074630000-0x0000000074BDB000-memory.dmp

Filesize
5.7MB

Download
memory/2640-0-0x0000000074631000-0x0000000074632000-memory.dmp

Filesize
4KB

Download
memory/2640-1-0x0000000074630000-0x0000000074BDB000-memory.dmp

Filesize
5.7MB

Download
memory/2640-2-0x0000000074630000-0x0000000074BDB000-memory.dmp

Filesize
5.7MB

Download
memory/2688-351-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2688-350-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2688-348-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads