Analysis
-
max time kernel: 111s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-10-2024 14:54
Behavioral task: behavioral1
Sample: NjRat Lime Edition 0.8.0.exe
Resource: win10v2004-20241007-en
General
-
Target: NjRat Lime Edition 0.8.0.exe
Size: 165KB
MD5: 3fffdf6d0b0d6305060008ff4b67ab3c
SHA1: 48f1b88a58f69689fa0f155d21d1629cd689a7e2
SHA256: 71b021e97308b5db38564b6794e30c44886aa10aa2e6c91f61f3a647076146a7
SHA512: c1c1267074596d51ae076d9667513f0dbf424c327fd1558d4e2d1dbcea18fdbae8a72fe7fc98215d3e021f0c624ce496b6bb958979396ad049a777d91a4d8458
SSDEEP: 3072:CRd8w/fFvqnA1Q/p3fOKNIjrNxztk8wEEgIl6562ubkXmLrN+:CRdrQRvp+Nxztk8DEZl5bjrN+
Malware Config
Signatures
-
Drops startup file 3 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | NjRat Lime Edition 0.8.0.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NjRat Lime Edition 0.8.0.exe | NjRat Lime Edition 0.8.0.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NjRat Lime Edition 0.8.0.exe | NjRat Lime Edition 0.8.0.exe
-
Executes dropped EXE 2 IoCs
pid | Process
4052 | NjRat Lime Edition 0.8.0.exe
932 | NjRat Lime Edition 0.8.0.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Both values point at the copy in the user's Temp directory and carry a trailing space and two dots after the quoted path, the argument njRAT appends to its own autorun entry. The process is 32-bit (its children run from SysWOW64), so the HKLM write is redirected under WOW6432Node.
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NjRat Lime Edition 0.8.0.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\NjRat Lime Edition 0.8.0.exe\" .." | NjRat Lime Edition 0.8.0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NjRat Lime Edition 0.8.0.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\NjRat Lime Edition 0.8.0.exe\" .." | NjRat Lime Edition 0.8.0.exe
-
System Location Discovery: System Language Discovery 1 TTPs 19 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
All 19 entries open the same key. Most come from schtasks.exe and TASKKILL.exe, which read the locale for their own localisation, so on its own this signature carries little signal; only the three reads by the sample itself are attributable to the malware.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe (10 entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | TASKKILL.exe (6 entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NjRat Lime Edition 0.8.0.exe (3 entries)
-
Kills process with taskkill 6 IoCs
pid | Process
1680 | TASKKILL.exe
3028 | TASKKILL.exe
2768 | TASKKILL.exe
3932 | TASKKILL.exe
3148 | TASKKILL.exe
2176 | TASKKILL.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
5076 | schtasks.exe
5020 | schtasks.exe
3680 | schtasks.exe
5016 | schtasks.exe
2392 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
4288 | NjRat Lime Edition 0.8.0.exe (all 64 entries)
-
Suspicious use of AdjustPrivilegeToken 31 IoCs
Every TASKKILL.exe instance enables SeDebugPrivilege, which taskkill does for itself when asked to force-terminate a process; the entries attributable to the malware are the three NjRat PIDs enabling SeDebugPrivilege and the repeated SeIncBasePriorityPrivilege / LUID 33 adjustments by PID 4288.
description | pid | Process
Token: SeDebugPrivilege | 4288 | NjRat Lime Edition 0.8.0.exe
Token: SeDebugPrivilege | 4052 | NjRat Lime Edition 0.8.0.exe
Token: SeDebugPrivilege | 932 | NjRat Lime Edition 0.8.0.exe
Token: SeDebugPrivilege | 2768 | TASKKILL.exe
Token: SeDebugPrivilege | 3932 | TASKKILL.exe
Token: SeDebugPrivilege | 3148 | TASKKILL.exe
Token: SeDebugPrivilege | 2176 | TASKKILL.exe
Token: SeDebugPrivilege | 1680 | TASKKILL.exe
Token: SeDebugPrivilege | 3028 | TASKKILL.exe
Token: 33 (privilege LUID 33, SeIncreaseWorkingSetPrivilege) | 4288 | NjRat Lime Edition 0.8.0.exe (11 entries)
Token: SeIncBasePriorityPrivilege | 4288 | NjRat Lime Edition 0.8.0.exe (11 entries)
-
Suspicious use of WriteProcessMemory 48 IoCs
Each parent/child pair below is logged three times (16 pairs, 48 entries). Every target PID is a schtasks.exe or TASKKILL.exe child that the same parent spawned (compare the Processes section), which is consistent with ordinary child-process creation rather than injection into an unrelated process.
description | pid | Process | procid_target
PID 4288 wrote to memory of 940 | 4288 | NjRat Lime Edition 0.8.0.exe | 87
PID 4288 wrote to memory of 5076 | 4288 | NjRat Lime Edition 0.8.0.exe | 89
PID 4288 wrote to memory of 2768 | 4288 | NjRat Lime Edition 0.8.0.exe | 91
PID 4288 wrote to memory of 3932 | 4288 | NjRat Lime Edition 0.8.0.exe | 92
PID 4288 wrote to memory of 1320 | 4288 | NjRat Lime Edition 0.8.0.exe | 96
PID 4288 wrote to memory of 5020 | 4288 | NjRat Lime Edition 0.8.0.exe | 98
PID 4052 wrote to memory of 464 | 4052 | NjRat Lime Edition 0.8.0.exe | 104
PID 4052 wrote to memory of 3680 | 4052 | NjRat Lime Edition 0.8.0.exe | 106
PID 4052 wrote to memory of 3148 | 4052 | NjRat Lime Edition 0.8.0.exe | 108
PID 4052 wrote to memory of 2176 | 4052 | NjRat Lime Edition 0.8.0.exe | 110
PID 4052 wrote to memory of 5104 | 4052 | NjRat Lime Edition 0.8.0.exe | 112
PID 4052 wrote to memory of 5016 | 4052 | NjRat Lime Edition 0.8.0.exe | 114
PID 932 wrote to memory of 3556 | 932 | NjRat Lime Edition 0.8.0.exe | 117
PID 932 wrote to memory of 2392 | 932 | NjRat Lime Edition 0.8.0.exe | 119
PID 932 wrote to memory of 1680 | 932 | NjRat Lime Edition 0.8.0.exe | 120
PID 932 wrote to memory of 3028 | 932 | NjRat Lime Edition 0.8.0.exe | 123
Processes
-
C:\Users\Admin\AppData\Local\Temp\NjRat Lime Edition 0.8.0.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\NjRat Lime Edition 0.8.0.exe"
  PID: 4288
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /Delete /tn NYANP /F
      PID: 940
      - System Location Discovery: System Language Discovery
  └ C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /create /tn NYANP /tr "C:\Users\Admin\AppData\Local\Temp\NjRat Lime Edition 0.8.0.exe" /sc minute /mo 5
      PID: 5076
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
  └ C:\Windows\SysWOW64\TASKKILL.exe
      command line: TASKKILL /F /IM wscript.exe
      PID: 2768
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  └ C:\Windows\SysWOW64\TASKKILL.exe
      command line: TASKKILL /F /IM cmd.exe
      PID: 3932
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  └ C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /Delete /tn NYAN /F
      PID: 1320
      - System Location Discovery: System Language Discovery
  └ C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\NjRat Lime Edition 0.8.0.exe" /sc minute /mo 1
      PID: 5020
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
-
C:\Users\Admin\AppData\Local\Temp\NjRat Lime Edition 0.8.0.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\NjRat Lime Edition 0.8.0.exe"
  PID: 4052
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /Delete /tn NYANP /F
      PID: 464
      - System Location Discovery: System Language Discovery
  └ C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /create /tn NYANP /tr "C:\Users\Admin\AppData\Local\Temp\NjRat Lime Edition 0.8.0.exe" /sc minute /mo 5
      PID: 3680
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
  └ C:\Windows\SysWOW64\TASKKILL.exe
      command line: TASKKILL /F /IM wscript.exe
      PID: 3148
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  └ C:\Windows\SysWOW64\TASKKILL.exe
      command line: TASKKILL /F /IM cmd.exe
      PID: 2176
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  └ C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /Delete /tn NYAN /F
      PID: 5104
      - System Location Discovery: System Language Discovery
  └ C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\NjRat Lime Edition 0.8.0.exe" /sc minute /mo 1
      PID: 5016
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
-
C:\Users\Admin\AppData\Local\Temp\NjRat Lime Edition 0.8.0.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\NjRat Lime Edition 0.8.0.exe"
  PID: 932
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /Delete /tn NYANP /F
      PID: 3556
      - System Location Discovery: System Language Discovery
  └ C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /create /tn NYANP /tr "C:\Users\Admin\AppData\Local\Temp\NjRat Lime Edition 0.8.0.exe" /sc minute /mo 5
      PID: 2392
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
  └ C:\Windows\SysWOW64\TASKKILL.exe
      command line: TASKKILL /F /IM wscript.exe
      PID: 1680
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  └ C:\Windows\SysWOW64\TASKKILL.exe
      command line: TASKKILL /F /IM cmd.exe
      PID: 3028
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
-
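The three process trees show one repeated sequence: the sample (PID 4288, then 4052 and 932) deletes and re-creates two scheduled tasks, NYANP firing every 5 minutes and NYAN every minute, both pointing back at the copy under AppData\Local\Temp, and force-kills wscript.exe and cmd.exe; the Signatures section adds a Run value whose data is the same path followed by a space and two dots. The Python below is an added example, not part of this report and not vendor or sandbox code, that turns that chain into detection logic over process-creation and registry-set events. The event field names are an assumption modelled loosely on Sysmon event ID 1 (process create) and event ID 13 (registry value set); the events themselves are constructed to mirror the PID 4288 tree plus two benign controls. The rules deliberately generalise beyond this sample: any minute-interval task whose /tr target lives in a user-writable directory, any forced kill of a scripting host by a parent running from such a directory, and any Run value pointing there (the `" ..` suffix is flagged under its own rule name).

```python
# Added example, not code from the report or any vendor: detection logic for the
# chain above. Event fields are assumptions modelled loosely on Sysmon event 1
# (ProcessCreate) and event 13 (RegistryEvent SetValue); events are constructed.
import re
from collections import defaultdict, namedtuple
from dataclasses import dataclass

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\NjRat Lime Edition 0.8.0.exe"
# Persistence pointing into a user-writable directory is the suspicious case.
USER_WRITABLE = re.compile(
    r"\\(AppData\\(Local\\Temp|Roaming)|Users\\Public|ProgramData|Windows\\Temp)\\", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
KILL_TARGETS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
Finding = namedtuple("Finding", "rule actor_pid evidence")  # actor = the dropper
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # quoted span or bare word

@dataclass
class Event:
    kind: str                 # "process" or "registry"
    pid: int = 0
    image: str = ""
    cmdline: str = ""
    parent_pid: int = 0
    parent_image: str = ""
    target_object: str = ""   # registry value path, for kind == "registry"
    details: str = ""         # registry value data, for kind == "registry"

def switches(cmdline):
    """Map each /switch (lower-cased) to the value after it, or None; quotes kept whole."""
    tokens = [q if q else bare for q, bare in _TOKEN.findall(cmdline)]
    opts, i = {}, 1                        # tokens[0] is the program name
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            val = None
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                val = tokens[i + 1]
                i += 1
            opts[tok.lower()] = val
        i += 1
    return opts

def check_process(ev):
    out, exe = [], ev.image.rsplit("\\", 1)[-1].lower()
    opts = switches(ev.cmdline)
    if exe == "schtasks.exe" and "/create" in opts:
        target = opts.get("/tr") or ""
        if (opts.get("/sc") or "").lower() == "minute" and USER_WRITABLE.search(target):
            out.append(Finding("schtasks_minute_userdir", ev.parent_pid,
                               f"task {opts.get('/tn')} runs {target} every {opts.get('/mo') or 1} min"))
    if (exe == "taskkill.exe" and "/f" in opts and USER_WRITABLE.search(ev.parent_image)
            and (opts.get("/im") or "").lower() in KILL_TARGETS):
        out.append(Finding("taskkill_from_userdir", ev.parent_pid,
                           f"{ev.parent_image} force-killed {opts['/im'].lower()}"))
    return out

def check_registry(ev):
    if not RUN_KEY.search(ev.target_object) or not USER_WRITABLE.search(ev.details):
        return []
    # njRAT stores its autorun value as "<path>" followed by a space and two dots.
    rule = "run_key_njrat_marker" if ev.details.endswith('" ..') else "run_key_userdir"
    return [Finding(rule, ev.pid, f"{ev.target_object} = {ev.details}")]

def scan(events):
    """Run every rule over every event and return all findings."""
    return [f for ev in events
            for f in (check_registry(ev) if ev.kind == "registry" else check_process(ev))]

def chains(findings):
    """Actor PIDs that trip two or more distinct rules: the report's whole pattern."""
    by_pid = defaultdict(set)
    for f in findings:
        by_pid[f.actor_pid].add(f.rule)
    return {pid: rules for pid, rules in by_pid.items() if len(rules) >= 2}

def _child(pid, image, cmdline):           # a process spawned by PID 4288
    return Event("process", pid, image, cmdline, 4288, SAMPLE)

# Constructed events mirroring the PID 4288 tree, plus two benign controls.
EVENTS = [
    _child(5076, r"C:\Windows\SysWOW64\schtasks.exe",
           f'schtasks /create /tn NYANP /tr "{SAMPLE}" /sc minute /mo 5'),
    _child(2768, r"C:\Windows\SysWOW64\TASKKILL.exe", "TASKKILL /F /IM wscript.exe"),
    _child(3932, r"C:\Windows\SysWOW64\TASKKILL.exe", "TASKKILL /F /IM cmd.exe"),
    _child(5020, r"C:\Windows\SysWOW64\schtasks.exe",
           f'schtasks /create /tn NYAN /tr "{SAMPLE}" /sc minute /mo 1'),
    Event("registry", pid=4288, image=SAMPLE, details=f'"{SAMPLE}" ..',
          target_object=r"HKU\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE"
                        r"\Microsoft\Windows\CurrentVersion\Run\NjRat Lime Edition 0.8.0.exe"),
    Event("process", 7001, r"C:\Windows\System32\schtasks.exe",
          r'schtasks /create /tn Backup /tr "C:\Program Files\Backup\backup.exe" /sc daily',
          1200, r"C:\Windows\System32\cmd.exe"),
    Event("process", 7002, r"C:\Windows\System32\taskkill.exe", "taskkill /F /IM cmd.exe",
          1300, r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    print(*scan(EVENTS), chains(scan(EVENTS)), sep="\n")
```

Run as a script it prints five findings, all attributed to the parent PID 4288, and the chains() result listing the three rule names that together make up this report's pattern; the daily task created from an admin cmd.exe and the taskkill launched from explorer.exe produce nothing. The single rules can fire on legitimate administration (a minute-interval task in ProgramData, for instance), so chains() is the output worth alerting on and the individual findings are context for the analyst.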
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
  Scheduled Task/Job (T1053): 1
    Scheduled Task (T1053.005): 1
Downloads
-
Filesize: 588B
MD5: e293216bc892a819986fbe64a0f8d0b4
SHA1: 5152f6fec6914c0b0561d444837f79b8436f403c
SHA256: 5185c5bb61a3163e462585f5016cafb6b957948cf1fdd72e700a8d437e84b787
SHA512: f78cb3635a06c7f94f11c60fac8b962df34784f166529db81022dc18b5e233449ae04e62ae0e9298d87646eedcb4e52c09d3ac2754ffaf98a277ce8916a953be
-
Filesize: 165KB (hashes identical to the submitted sample)
MD5: 3fffdf6d0b0d6305060008ff4b67ab3c
SHA1: 48f1b88a58f69689fa0f155d21d1629cd689a7e2
SHA256: 71b021e97308b5db38564b6794e30c44886aa10aa2e6c91f61f3a647076146a7
SHA512: c1c1267074596d51ae076d9667513f0dbf424c327fd1558d4e2d1dbcea18fdbae8a72fe7fc98215d3e021f0c624ce496b6bb958979396ad049a777d91a4d8458