Analysis
- max time kernel: 70s
- max time network: 65s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-10-2024 13:46
Behavioral task: behavioral1
- Sample: NjRat Lime Edition 0.8.0.exe
- Resource: win10v2004-20241007-en
General
- Target: NjRat Lime Edition 0.8.0.exe
- Size: 165KB
- MD5: 3fffdf6d0b0d6305060008ff4b67ab3c
- SHA1: 48f1b88a58f69689fa0f155d21d1629cd689a7e2
- SHA256: 71b021e97308b5db38564b6794e30c44886aa10aa2e6c91f61f3a647076146a7
- SHA512: c1c1267074596d51ae076d9667513f0dbf424c327fd1558d4e2d1dbcea18fdbae8a72fe7fc98215d3e021f0c624ce496b6bb958979396ad049a777d91a4d8458
- SSDEEP: 3072:CRd8w/fFvqnA1Q/p3fOKNIjrNxztk8wEEgIl6562ubkXmLrN+:CRdrQRvp+Nxztk8DEZl5bjrN+
Malware Config
Signatures
Drops startup file (3 IoCs)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini (process: NjRat Lime Edition 0.8.0.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NjRat Lime Edition 0.8.0.exe (process: NjRat Lime Edition 0.8.0.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NjRat Lime Edition 0.8.0.exe (process: NjRat Lime Edition 0.8.0.exe)
Executes dropped EXE (1 IoC)
- PID 4904: NjRat Lime Edition 0.8.0.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NjRat Lime Edition 0.8.0.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\NjRat Lime Edition 0.8.0.exe\" .." (process: NjRat Lime Edition 0.8.0.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NjRat Lime Edition 0.8.0.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\NjRat Lime Edition 0.8.0.exe\" .." (process: NjRat Lime Edition 0.8.0.exe)
System Location Discovery: System Language Discovery (1 TTP, 14 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, 14 times in total: by schtasks.exe (8), TASKKILL.exe (4) and NjRat Lime Edition 0.8.0.exe (2)
Kills process with taskkill (4 IoCs)
- PIDs 3568, 2404, 2592, 4420: TASKKILL.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 4 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PIDs 2456, 5008, 3644, 1376: schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 4428: NjRat Lime Edition 0.8.0.exe (all 64 IoCs)
Suspicious use of AdjustPrivilegeToken (18 IoCs)
- Token: SeDebugPrivilege, PID 4428 NjRat Lime Edition 0.8.0.exe
- Token: SeDebugPrivilege, PID 4904 NjRat Lime Edition 0.8.0.exe
- Token: SeDebugPrivilege, PIDs 3568, 2404, 2592, 4420 TASKKILL.exe
- Token: 33, PID 4428 NjRat Lime Edition 0.8.0.exe (6 times)
- Token: SeIncBasePriorityPrivilege, PID 4428 NjRat Lime Edition 0.8.0.exe (6 times)
Suspicious use of WriteProcessMemory (36 IoCs; each parent/target pair is reported 3 times)
- PID 4428 (NjRat Lime Edition 0.8.0.exe) wrote to memory of: 4940 (procid_target 86), 2456 (89), 3568 (91), 2404 (92), 2224 (96), 5008 (98)
- PID 4904 (NjRat Lime Edition 0.8.0.exe) wrote to memory of: 4920 (procid_target 102), 3644 (104), 2592 (105), 4420 (108), 4864 (111), 1376 (113)
Processes
- C:\Users\Admin\AppData\Local\Temp\NjRat Lime Edition 0.8.0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NjRat Lime Edition 0.8.0.exe"
  PID: 4428
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: schtasks /Delete /tn NYANP /F
    PID: 4940
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: schtasks /create /tn NYANP /tr "C:\Users\Admin\AppData\Local\Temp\NjRat Lime Edition 0.8.0.exe" /sc minute /mo 5
    PID: 2456
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
  - C:\Windows\SysWOW64\TASKKILL.exe
    Command line: TASKKILL /F /IM wscript.exe
    PID: 3568
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\TASKKILL.exe
    Command line: TASKKILL /F /IM cmd.exe
    PID: 2404
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: schtasks /Delete /tn NYAN /F
    PID: 2224
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\NjRat Lime Edition 0.8.0.exe" /sc minute /mo 1
    PID: 5008
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
- C:\Users\Admin\AppData\Local\Temp\NjRat Lime Edition 0.8.0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NjRat Lime Edition 0.8.0.exe"
  PID: 4904
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: schtasks /Delete /tn NYANP /F
    PID: 4920
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: schtasks /create /tn NYANP /tr "C:\Users\Admin\AppData\Local\Temp\NjRat Lime Edition 0.8.0.exe" /sc minute /mo 5
    PID: 3644
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
  - C:\Windows\SysWOW64\TASKKILL.exe
    Command line: TASKKILL /F /IM wscript.exe
    PID: 2592
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\TASKKILL.exe
    Command line: TASKKILL /F /IM cmd.exe
    PID: 4420
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: schtasks /Delete /tn NYAN /F
    PID: 4864
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\NjRat Lime Edition 0.8.0.exe" /sc minute /mo 1
    PID: 1376
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)