njrat | 661ffa3a94091e6145e20ab9c8c172ef532b981b93c7deef9f0508250bab3a3b

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
04-10-2024 22:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

661ffa3a94091e6145e20ab9c8c172ef532b981b93c7deef9f0508250bab3a3bN.exe
Size

119KB
MD5

3a4047aeee85f80d67182ead056273a0
SHA1

c95c5b85e9a940f46cfe30fde0c19d4d0e6783a2
SHA256

661ffa3a94091e6145e20ab9c8c172ef532b981b93c7deef9f0508250bab3a3b
SHA512

94913b8058afef9537905f1d147de8078b14ab48cb57dc6d0daf09b0c2d30f92ca1ce121628954d23f3de5a45e307f76cf64eaade34c73715c0f3cafe8b3fd15
SSDEEP

1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDL14X3Y:P5eznsjsguGDFqGZ2rDL14X3Y

Score

10^/10

njrat neuf discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes

reg_key
e1a87040f2026369a233f9ae76301b7b
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1308	netsh.exe

Executes dropped EXE 4 IoCs

pid	Process
1156	chargeable.exe
1212	chargeable.exe
1896	chargeable.exe
2344	chargeable.exe

Loads dropped DLL 2 IoCs

pid	Process
1960	661ffa3a94091e6145e20ab9c8c172ef532b981b93c7deef9f0508250bab3a3bN.exe
1960	661ffa3a94091e6145e20ab9c8c172ef532b981b93c7deef9f0508250bab3a3bN.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\661ffa3a94091e6145e20ab9c8c172ef532b981b93c7deef9f0508250bab3a3bN.exe"	661ffa3a94091e6145e20ab9c8c172ef532b981b93c7deef9f0508250bab3a3bN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"	661ffa3a94091e6145e20ab9c8c172ef532b981b93c7deef9f0508250bab3a3bN.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1156 set thread context of 1212	1156	chargeable.exe	33
PID 1156 set thread context of 1896	1156	chargeable.exe	32
PID 1156 set thread context of 2344	1156	chargeable.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	661ffa3a94091e6145e20ab9c8c172ef532b981b93c7deef9f0508250bab3a3bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chargeable.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chargeable.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	1212	chargeable.exe
Token: 33	1212	chargeable.exe
Token: SeIncBasePriorityPrivilege	1212	chargeable.exe
Token: 33	1212	chargeable.exe
Token: SeIncBasePriorityPrivilege	1212	chargeable.exe
Token: 33	1212	chargeable.exe
Token: SeIncBasePriorityPrivilege	1212	chargeable.exe
Token: 33	1212	chargeable.exe
Token: SeIncBasePriorityPrivilege	1212	chargeable.exe
Token: 33	1212	chargeable.exe
Token: SeIncBasePriorityPrivilege	1212	chargeable.exe
Token: 33	1212	chargeable.exe
Token: SeIncBasePriorityPrivilege	1212	chargeable.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 1156	1960	661ffa3a94091e6145e20ab9c8c172ef532b981b93c7deef9f0508250bab3a3bN.exe	30
PID 1960 wrote to memory of 1156	1960	661ffa3a94091e6145e20ab9c8c172ef532b981b93c7deef9f0508250bab3a3bN.exe	30
PID 1960 wrote to memory of 1156	1960	661ffa3a94091e6145e20ab9c8c172ef532b981b93c7deef9f0508250bab3a3bN.exe	30
PID 1960 wrote to memory of 1156	1960	661ffa3a94091e6145e20ab9c8c172ef532b981b93c7deef9f0508250bab3a3bN.exe	30
PID 1156 wrote to memory of 2344	1156	chargeable.exe	31
PID 1156 wrote to memory of 2344	1156	chargeable.exe	31
PID 1156 wrote to memory of 2344	1156	chargeable.exe	31
PID 1156 wrote to memory of 2344	1156	chargeable.exe	31
PID 1156 wrote to memory of 1896	1156	chargeable.exe	32
PID 1156 wrote to memory of 1896	1156	chargeable.exe	32
PID 1156 wrote to memory of 1896	1156	chargeable.exe	32
PID 1156 wrote to memory of 1896	1156	chargeable.exe	32
PID 1156 wrote to memory of 1212	1156	chargeable.exe	33
PID 1156 wrote to memory of 1212	1156	chargeable.exe	33
PID 1156 wrote to memory of 1212	1156	chargeable.exe	33
PID 1156 wrote to memory of 1212	1156	chargeable.exe	33
PID 1156 wrote to memory of 1212	1156	chargeable.exe	33
PID 1156 wrote to memory of 1212	1156	chargeable.exe	33
PID 1156 wrote to memory of 1212	1156	chargeable.exe	33
PID 1156 wrote to memory of 1212	1156	chargeable.exe	33
PID 1156 wrote to memory of 1212	1156	chargeable.exe	33
PID 1156 wrote to memory of 1896	1156	chargeable.exe	32
PID 1156 wrote to memory of 1896	1156	chargeable.exe	32
PID 1156 wrote to memory of 1896	1156	chargeable.exe	32
PID 1156 wrote to memory of 1896	1156	chargeable.exe	32
PID 1156 wrote to memory of 1896	1156	chargeable.exe	32
PID 1156 wrote to memory of 2344	1156	chargeable.exe	31
PID 1156 wrote to memory of 2344	1156	chargeable.exe	31
PID 1156 wrote to memory of 2344	1156	chargeable.exe	31
PID 1156 wrote to memory of 2344	1156	chargeable.exe	31
PID 1156 wrote to memory of 2344	1156	chargeable.exe	31
PID 1212 wrote to memory of 1308	1212	chargeable.exe	34
PID 1212 wrote to memory of 1308	1212	chargeable.exe	34
PID 1212 wrote to memory of 1308	1212	chargeable.exe	34
PID 1212 wrote to memory of 1308	1212	chargeable.exe	34

C:\Users\Admin\AppData\Local\Temp\661ffa3a94091e6145e20ab9c8c172ef532b981b93c7deef9f0508250bab3a3bN.exe
"C:\Users\Admin\AppData\Local\Temp\661ffa3a94091e6145e20ab9c8c172ef532b981b93c7deef9f0508250bab3a3bN.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
  "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1156
- - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    3⤵
    - Executes dropped EXE
    PID:2344
- - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    3⤵
    - Executes dropped EXE
    PID:1896
- - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1212
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:1308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE

Filesize
1KB

MD5
f0cf5b1794eca7cd73f9c020daab8ef2

SHA1
cd040b212f8cd90e629e7acefd14972b68e575ea

SHA256
2af00edce7ef3266897e52dc81e8de3b7a079028c0f1f96eaff9e38ad342f617

SHA512
55c9f22bc101c986b2e83f31e20415031fbf1fbfedd33907487de75069c43c5cfe3ba243025de6b66405925ba506f66d19d9da69af187f499143bc2da71341de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0018BB1B5834735BFA60CD063B31956

Filesize
1KB

MD5
732cfeb76b91c4d13978a00b8c666ed7

SHA1
0c57f76436701f4d51397d1d4e86337dd9ab1964

SHA256
9fab9fc0a1da813e6ddb93904c1fcfa6546cfbe70747ff8468ddd14d2552dbd2

SHA512
2b8618e823355a4fa646d51a753f67d34bd7b14367d46fa187f2294af7c2794c6cdee664ea570862757a5f1c99dfcb67a7d4ddf8389d07dd8d696fe55aa538bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE

Filesize
264B

MD5
58226af2fddeedc17d05eb863f971411

SHA1
8f87dc2b73dcbe2ac69bb6b3e6c693e9b46255a4

SHA256
949a526e69e4061caa6371a84096db36361f152b214d5ae78f0aafd1b5588a64

SHA512
a224aebcadad6e08f9af6c084f423b39f05145ed4b40ec37fee1559e1eea9c0bacc837dc7086f43590b96edcc0f70ae09e4d036ce076d66c543b396ecc90344f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a9e93a466f9d1244fa37bfd77b8276e8

SHA1
ae9c54ea2c9651fd1e949b58b0591d0126ad14ce

SHA256
7fcc32d5b2586c3272cad3024ccb7e49efce5c119a2b9cd4ab3061aefc08af48

SHA512
23d220e50dc8c2b1fc12e4f2751156db1d06e4fd138e1cf4cbfe346bbfbe24a808d7fc4aa25862a43171707d5fdda228e3a9f6db7918f376b72dcbde9c702bf7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
98be3f5a48dfd58ea95bcfb4da64371b

SHA1
1c3673c59b2daae11bd2ee1e616d19db1c8efdd2

SHA256
91bd63baf6a3d92ffa9708e2561e013258c4e2a3a635d454638a038bf71f5d53

SHA512
6279c6660c4c0492e49d935e458c1311b2593f536d9243f44013003cda6b8be9fbb6d5fb520dc0ac2ebb5ea009546bbd8c39c8964bc1d5b0eed7fcc43139255d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ed3cc58fe5bd7e3d558b6e51bdfd02cd

SHA1
1134a6cb2adcfb51405be441976a3d6ad4b38d69

SHA256
e5336edfc3c43f8d692d88577a05a276061c52b1a2111faa0244531701a56f7b

SHA512
2095973958670d1c4b7888762eec85094af1a7d1914d84afb0bd462c640f0cf8b0b3a3392201bf66b2879de34bf94bd10755335ad91a2f161141b1c30e21214d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956

Filesize
252B

MD5
b3f442be4c92d03d2ce927676dd1c995

SHA1
7e50b06c1d3846168ec797d678b1d915e4c5a4cf

SHA256
c6c3eece3fab358bbe1670c3de6c6f2ae17420fb846c0c76e81e680d69424f69

SHA512
7a1cebb96c91bc341aaebe254830b422005b094a01ba7c1794c84e57f80912df9cd88abfe81fdbab6081d2d9d071e7dd601d122c528bb9471add136273455e44

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
2a3b1b7ef8aa1a39e46c90e0831d2f8e

SHA1
b0f4e600b5fb8ab77fdad798dcca3c1bedd3dc1d

SHA256
b8bf25cba1275689c7ec3e9e795281a529e1e663b8e7c041061da3f6200ca800

SHA512
c35ce9397f231f899b77c2d4f0d574af09898cd391441d7bbb111f031ad8466c74ecbfbcabc1028a2342155df3612de8a341f5c871b2ce42971237d9df2b9e7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5A04.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5A17.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Filesize
119KB

MD5
df0eefed2adb65243252d9a9e2a638d3

SHA1
bfc106331154592323e1f014af55f4422efe633c

SHA256
4125af71f1b20623159c18210905b32cc56fdaba77dacfbde2cb63bb07d14ead

SHA512
ddae4f562f7e9c8fb52af03d36fcd9578d94ad0a1c9ca5baafc46381b4d6b2fe4820b70c5d800593d41251a3e920da93de60c16f25bf0b747fa18ca2e085a9f5

Download Submit
memory/1212-340-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1212-347-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1212-346-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1960-183-0x0000000074890000-0x0000000074E3B000-memory.dmp

Filesize
5.7MB

Download
memory/1960-0-0x0000000074891000-0x0000000074892000-memory.dmp

Filesize
4KB

Download
memory/1960-2-0x0000000074890000-0x0000000074E3B000-memory.dmp

Filesize
5.7MB

Download
memory/1960-1-0x0000000074890000-0x0000000074E3B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads