njrat | 560bb32f1ac31ba827d02dc85dba1b9abe854c9fd2c32c2403f865bb7a87d9da

Analysis

max time kernel
146s
max time network
147s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01-10-2024 17:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

560bb32f1ac31ba827d02dc85dba1b9abe854c9fd2c32c2403f865bb7a87d9daN.exe
Size

117KB
MD5

0b7153383aea7358893fb4738d2fb930
SHA1

74b77042b0e7a5c75a94d28c189f9af9c4aa0ffa
SHA256

560bb32f1ac31ba827d02dc85dba1b9abe854c9fd2c32c2403f865bb7a87d9da
SHA512

c59590a721af835e913fbeb5debc446541c4dba06b4aec3080730bf960254b84e140367c5f3397f3f30fea5b3d93a947bba7867b6288c7efe9c8469a18f49f98
SSDEEP

1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDLWS:P5eznsjsguGDFqGZ2rDLt

Score

10^/10

njrat neuf discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes

reg_key
e1a87040f2026369a233f9ae76301b7b
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2904	netsh.exe

Executes dropped EXE 2 IoCs

pid	Process
2224	chargeable.exe
2708	chargeable.exe

Loads dropped DLL 2 IoCs

pid	Process
2328	560bb32f1ac31ba827d02dc85dba1b9abe854c9fd2c32c2403f865bb7a87d9daN.exe
2328	560bb32f1ac31ba827d02dc85dba1b9abe854c9fd2c32c2403f865bb7a87d9daN.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"	560bb32f1ac31ba827d02dc85dba1b9abe854c9fd2c32c2403f865bb7a87d9daN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\560bb32f1ac31ba827d02dc85dba1b9abe854c9fd2c32c2403f865bb7a87d9daN.exe"	560bb32f1ac31ba827d02dc85dba1b9abe854c9fd2c32c2403f865bb7a87d9daN.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2224 set thread context of 2708	2224	chargeable.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	560bb32f1ac31ba827d02dc85dba1b9abe854c9fd2c32c2403f865bb7a87d9daN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chargeable.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chargeable.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	2708	chargeable.exe
Token: 33	2708	chargeable.exe
Token: SeIncBasePriorityPrivilege	2708	chargeable.exe
Token: 33	2708	chargeable.exe
Token: SeIncBasePriorityPrivilege	2708	chargeable.exe
Token: 33	2708	chargeable.exe
Token: SeIncBasePriorityPrivilege	2708	chargeable.exe
Token: 33	2708	chargeable.exe
Token: SeIncBasePriorityPrivilege	2708	chargeable.exe
Token: 33	2708	chargeable.exe
Token: SeIncBasePriorityPrivilege	2708	chargeable.exe
Token: 33	2708	chargeable.exe
Token: SeIncBasePriorityPrivilege	2708	chargeable.exe
Token: 33	2708	chargeable.exe
Token: SeIncBasePriorityPrivilege	2708	chargeable.exe
Token: 33	2708	chargeable.exe
Token: SeIncBasePriorityPrivilege	2708	chargeable.exe
Token: 33	2708	chargeable.exe
Token: SeIncBasePriorityPrivilege	2708	chargeable.exe
Token: 33	2708	chargeable.exe
Token: SeIncBasePriorityPrivilege	2708	chargeable.exe
Token: 33	2708	chargeable.exe
Token: SeIncBasePriorityPrivilege	2708	chargeable.exe
Token: 33	2708	chargeable.exe
Token: SeIncBasePriorityPrivilege	2708	chargeable.exe
Token: 33	2708	chargeable.exe
Token: SeIncBasePriorityPrivilege	2708	chargeable.exe
Token: 33	2708	chargeable.exe
Token: SeIncBasePriorityPrivilege	2708	chargeable.exe
Token: 33	2708	chargeable.exe
Token: SeIncBasePriorityPrivilege	2708	chargeable.exe
Token: 33	2708	chargeable.exe
Token: SeIncBasePriorityPrivilege	2708	chargeable.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2224	2328	560bb32f1ac31ba827d02dc85dba1b9abe854c9fd2c32c2403f865bb7a87d9daN.exe	31
PID 2328 wrote to memory of 2224	2328	560bb32f1ac31ba827d02dc85dba1b9abe854c9fd2c32c2403f865bb7a87d9daN.exe	31
PID 2328 wrote to memory of 2224	2328	560bb32f1ac31ba827d02dc85dba1b9abe854c9fd2c32c2403f865bb7a87d9daN.exe	31
PID 2328 wrote to memory of 2224	2328	560bb32f1ac31ba827d02dc85dba1b9abe854c9fd2c32c2403f865bb7a87d9daN.exe	31
PID 2224 wrote to memory of 2708	2224	chargeable.exe	32
PID 2224 wrote to memory of 2708	2224	chargeable.exe	32
PID 2224 wrote to memory of 2708	2224	chargeable.exe	32
PID 2224 wrote to memory of 2708	2224	chargeable.exe	32
PID 2224 wrote to memory of 2708	2224	chargeable.exe	32
PID 2224 wrote to memory of 2708	2224	chargeable.exe	32
PID 2224 wrote to memory of 2708	2224	chargeable.exe	32
PID 2224 wrote to memory of 2708	2224	chargeable.exe	32
PID 2224 wrote to memory of 2708	2224	chargeable.exe	32
PID 2708 wrote to memory of 2904	2708	chargeable.exe	33
PID 2708 wrote to memory of 2904	2708	chargeable.exe	33
PID 2708 wrote to memory of 2904	2708	chargeable.exe	33
PID 2708 wrote to memory of 2904	2708	chargeable.exe	33

C:\Users\Admin\AppData\Local\Temp\560bb32f1ac31ba827d02dc85dba1b9abe854c9fd2c32c2403f865bb7a87d9daN.exe
"C:\Users\Admin\AppData\Local\Temp\560bb32f1ac31ba827d02dc85dba1b9abe854c9fd2c32c2403f865bb7a87d9daN.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
  "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE

Filesize
1KB

MD5
f0cf5b1794eca7cd73f9c020daab8ef2

SHA1
cd040b212f8cd90e629e7acefd14972b68e575ea

SHA256
2af00edce7ef3266897e52dc81e8de3b7a079028c0f1f96eaff9e38ad342f617

SHA512
55c9f22bc101c986b2e83f31e20415031fbf1fbfedd33907487de75069c43c5cfe3ba243025de6b66405925ba506f66d19d9da69af187f499143bc2da71341de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0018BB1B5834735BFA60CD063B31956

Filesize
1KB

MD5
732cfeb76b91c4d13978a00b8c666ed7

SHA1
0c57f76436701f4d51397d1d4e86337dd9ab1964

SHA256
9fab9fc0a1da813e6ddb93904c1fcfa6546cfbe70747ff8468ddd14d2552dbd2

SHA512
2b8618e823355a4fa646d51a753f67d34bd7b14367d46fa187f2294af7c2794c6cdee664ea570862757a5f1c99dfcb67a7d4ddf8389d07dd8d696fe55aa538bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE

Filesize
264B

MD5
78f697f7e3bea2ddbbcb269cd5c11154

SHA1
6b2e8123f62926b2f62667ff21ad9a0928e19420

SHA256
780b5a392c06442fb7c22d26a1238d5d12bb5b7ec62611cbb53660a598678cc4

SHA512
28cc1dc4d9fa53d679cb73c80978ad3ba61be30a9641da1a224209637e053208166c53ca5746bea4a99060e7ef15c000edb186b51477910752cd7e2fe76ebd9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8b6fab9a508521bdd885193e7332c6b4

SHA1
d74314794380d0d11c60ed9e70df0434ab81376f

SHA256
fc8a9bbedf23f7cae16ce292dc506f6607d32399b3726b081944f8f5131ae2c4

SHA512
0bf3759d19f2de0c30d518be01412e09a57a82cc1fada2c56dfeef28390c1c1abf8e7de96a3bfd125e4867c15697b5137fdab285f06b95bee00f5a55612621be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d82be5cf3510a44c2ce90e59be1b26e1

SHA1
cbdad331f540c185888cbd51baa2ed366decd842

SHA256
0fad409f6849c9a7ad1569d26790122403a03f58e862ca72837be1ad8ad36ecb

SHA512
54e940d63ab97abf1a4df3f2df801ec64bb82034f0fd6f88ed2b574cb8e2ef8e76b416e567153ee90fc17028a7798ebfcf5b6d0ac9289ceaa4435fdd48d05992

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aac1dfe67cd14a21fa4c1c39d6e1e120

SHA1
40e608e085aac4364ce7f8fe134bb814b24457e7

SHA256
673d51c8f5b1e66ea0e8b7e531145861e68803a7504bbecbbbba28e948153764

SHA512
c1d5f80115ee582c004d61a4125f7aaf5af710ba3d2ca834371be46b7f4f95769eb57cfe00a67e72da2fdeaf15ee167cc45a4512dc053eb0b46dab7a5f5b143f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956

Filesize
252B

MD5
72c05504aa288a2e256c81997b1bb66d

SHA1
d1f408b6ad092a1b2b75071cbd48634fa4cb5011

SHA256
9d1e35247841e863e87f1bb5ee509f6617bfe751def3d3025ddfe940bfa5378a

SHA512
0f31d408fda54d3f3953ff0ab9c36baf0ced34120a8c671e81049094136e15f39482f9342430acd625aa47d598e25e14c72bf7254f341f25e29c66f78e099d78

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF440.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF443.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Filesize
118KB

MD5
e665aa27e273c6df01d58e703cf206cb

SHA1
97aa2cf5f7b7db52ff4ee9acd66a03d226b97bac

SHA256
81b8af772c26d5686653a1211a3fbe9825b3c71baa94782e02c63ee7d886e77b

SHA512
9741a04540c3e8f0f5a7513854ad8edd0cd74cb2d941f0a8800fc7eebea73bbd8222186155416c2b75574cdb4b530de8b8166f081083b00ae4ca18ae8370039f

Download Submit
memory/2328-179-0x0000000074F20000-0x00000000754CB000-memory.dmp

Filesize
5.7MB

Download
memory/2328-0-0x0000000074F21000-0x0000000074F22000-memory.dmp

Filesize
4KB

Download
memory/2328-1-0x0000000074F20000-0x00000000754CB000-memory.dmp

Filesize
5.7MB

Download
memory/2328-169-0x0000000074F20000-0x00000000754CB000-memory.dmp

Filesize
5.7MB

Download
memory/2708-347-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2708-350-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2708-349-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads