njrat | 2ad2a247d15a5b5595db3644cea5c838fb3460d9c7622fbbef912d1e54dc3060

Analysis

max time kernel
120s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-09-2024 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a2d543011727dddf9b75d7675d3de70N.exe
Size

5.1MB
MD5

0a2d543011727dddf9b75d7675d3de70
SHA1

b27b6da3908efa55898b3cd1dc770c600ff0b280
SHA256

2ad2a247d15a5b5595db3644cea5c838fb3460d9c7622fbbef912d1e54dc3060
SHA512

75e035f29eb55c80a6262a4c2822273795b81cd876709b270382bb1b8c57b6e60d5152098b2549b27fa624ac22b3f99c008c88b83f8aee3445e0fc844e4085f0
SSDEEP

98304:DQOdMiEsjIexzgpsfL/bR/h2ZGZLqxCrNw1tesWe/sURukuUL4HsZj8:sO5jLJL/blh2ZWiCrNw1tr/jRukucKL

Score

10^/10

njrat user(x)discovery evasion persistence privilege_escalation trojan vmprotect

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

User(X)

46.23.144.12:1666

cs1600.ddns.net:1666

Mutex

a9e72fe2262cb71e419427313b65a98f

Attributes

reg_key
a9e72fe2262cb71e419427313b65a98f
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3552	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	0a2d543011727dddf9b75d7675d3de70N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	SazInject0r.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a9e72fe2262cb71e419427313b65a98f.exe	Runtime Broker.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a9e72fe2262cb71e419427313b65a98f.exe	Runtime Broker.exe

Executes dropped EXE 3 IoCs

pid	Process
3204	fmbpPUyvQMw2PQo.exe
3192	SazInject0r.exe
3464	Runtime Broker.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x0008000000023439-10.dat	vmprotect
behavioral2/memory/3204-44-0x00000000005E0000-0x0000000000E00000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a9e72fe2262cb71e419427313b65a98f = "\"C:\\Users\\Admin\\AppData\\Roaming\\Runtime Broker.exe\" .."	Runtime Broker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\a9e72fe2262cb71e419427313b65a98f = "\"C:\\Users\\Admin\\AppData\\Roaming\\Runtime Broker.exe\" .."	Runtime Broker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fmbpPUyvQMw2PQo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SazInject0r.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Runtime Broker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

System Time Discovery 1 TTPs 1 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
3552	netsh.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3636	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	0a2d543011727dddf9b75d7675d3de70N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4636	0a2d543011727dddf9b75d7675d3de70N.exe
4636	0a2d543011727dddf9b75d7675d3de70N.exe
4636	0a2d543011727dddf9b75d7675d3de70N.exe
3204	fmbpPUyvQMw2PQo.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe
3464	Runtime Broker.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3464	Runtime Broker.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	4636	0a2d543011727dddf9b75d7675d3de70N.exe
Token: SeDebugPrivilege	3204	fmbpPUyvQMw2PQo.exe
Token: SeDebugPrivilege	3464	Runtime Broker.exe
Token: SeDebugPrivilege	3636	taskkill.exe
Token: 33	3464	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	3464	Runtime Broker.exe
Token: 33	3464	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	3464	Runtime Broker.exe
Token: 33	3464	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	3464	Runtime Broker.exe
Token: 33	3464	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	3464	Runtime Broker.exe
Token: 33	3464	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	3464	Runtime Broker.exe
Token: 33	3464	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	3464	Runtime Broker.exe
Token: 33	3464	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	3464	Runtime Broker.exe
Token: 33	3464	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	3464	Runtime Broker.exe
Token: 33	3464	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	3464	Runtime Broker.exe
Token: 33	3464	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	3464	Runtime Broker.exe
Token: 33	3464	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	3464	Runtime Broker.exe
Token: 33	3464	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	3464	Runtime Broker.exe
Token: 33	3464	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	3464	Runtime Broker.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3204	fmbpPUyvQMw2PQo.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3204	fmbpPUyvQMw2PQo.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4636 wrote to memory of 3204	4636	0a2d543011727dddf9b75d7675d3de70N.exe	85
PID 4636 wrote to memory of 3204	4636	0a2d543011727dddf9b75d7675d3de70N.exe	85
PID 4636 wrote to memory of 3204	4636	0a2d543011727dddf9b75d7675d3de70N.exe	85
PID 4636 wrote to memory of 3192	4636	0a2d543011727dddf9b75d7675d3de70N.exe	87
PID 4636 wrote to memory of 3192	4636	0a2d543011727dddf9b75d7675d3de70N.exe	87
PID 4636 wrote to memory of 3192	4636	0a2d543011727dddf9b75d7675d3de70N.exe	87
PID 3192 wrote to memory of 3464	3192	SazInject0r.exe	88
PID 3192 wrote to memory of 3464	3192	SazInject0r.exe	88
PID 3192 wrote to memory of 3464	3192	SazInject0r.exe	88
PID 3464 wrote to memory of 3552	3464	Runtime Broker.exe	89
PID 3464 wrote to memory of 3552	3464	Runtime Broker.exe	89
PID 3464 wrote to memory of 3552	3464	Runtime Broker.exe	89
PID 3464 wrote to memory of 3636	3464	Runtime Broker.exe	91
PID 3464 wrote to memory of 3636	3464	Runtime Broker.exe	91
PID 3464 wrote to memory of 3636	3464	Runtime Broker.exe	91

C:\Users\Admin\AppData\Local\Temp\0a2d543011727dddf9b75d7675d3de70N.exe
"C:\Users\Admin\AppData\Local\Temp\0a2d543011727dddf9b75d7675d3de70N.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4636
- C:\Users\Admin\AppData\Local\Temp\fmbpPUyvQMw2PQo.exe
  "C:\Users\Admin\AppData\Local\Temp\fmbpPUyvQMw2PQo.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3204
- C:\Users\Admin\AppData\Local\Temp\SazInject0r.exe
  "C:\Users\Admin\AppData\Local\Temp\SazInject0r.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3192
- - C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
    "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3464
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" "Runtime Broker.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      System Time Discovery
      PID:3552
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM SecurityHealthService.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Time Discovery

T1124

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SazInject0r.exe

Filesize
37KB

MD5
67a4c2acda8c1348429ec9e0ad5af8b3

SHA1
1c655c5fc97f3a19d90e35366901625976d29a93

SHA256
427e5fd0a2ef91d4dc28ee1443b42969c662829113e19baf3f1fd6b443b50f8d

SHA512
fdd32a66b85c3fc3858539a4f07adab1c896d056f44afedce8f75066769ab341706aed44f38c321746ac36b0f866aacf8705f6cdf32ec852e453c9cc0410c04a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fmbpPUyvQMw2PQo.exe

Filesize
5.3MB

MD5
9d187e4d0bad6e025578d0b69b476a5b

SHA1
a49ebd7d27c8110cedc9a1b6fd96a84095972750

SHA256
a22fe41806d8c6239765c70925910fc321c9509e2b865a563ccd48006ca2bb85

SHA512
61aea9701304d18151ff76619bba81915346e6ce5f2185a13d3a42dec8d204cee59a380fbf6ba50eb80763bde021357b39f185cc83e47f54967a1b7ab9eb9d8d

Download Submit
memory/3192-53-0x0000000001540000-0x0000000001550000-memory.dmp

Filesize
64KB

Download
memory/3204-44-0x00000000005E0000-0x0000000000E00000-memory.dmp

Filesize
8.1MB

Download
memory/3204-43-0x000000007502E000-0x000000007502F000-memory.dmp

Filesize
4KB

Download
memory/3204-55-0x000000000A190000-0x000000000A734000-memory.dmp

Filesize
5.6MB

Download
memory/3204-56-0x0000000009C80000-0x0000000009D12000-memory.dmp

Filesize
584KB

Download
memory/3204-57-0x0000000009D40000-0x0000000009D4A000-memory.dmp

Filesize
40KB

Download
memory/4636-4-0x00007FFA8C640000-0x00007FFA8D101000-memory.dmp

Filesize
10.8MB

Download
memory/4636-5-0x00007FFA8C640000-0x00007FFA8D101000-memory.dmp

Filesize
10.8MB

Download
memory/4636-3-0x00007FFA8C640000-0x00007FFA8D101000-memory.dmp

Filesize
10.8MB

Download
memory/4636-2-0x00007FFA8C640000-0x00007FFA8D101000-memory.dmp

Filesize
10.8MB

Download
memory/4636-0-0x00007FFA8C643000-0x00007FFA8C645000-memory.dmp

Filesize
8KB

Download
memory/4636-1-0x00000000003C0000-0x00000000008DC000-memory.dmp

Filesize
5.1MB

Download
memory/4636-54-0x00007FFA8C640000-0x00007FFA8D101000-memory.dmp

Filesize
10.8MB

Download