njrat | 8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19-10-2024 00:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
Size

59KB
MD5

b605dd61f05028f5f48fbc2c8170273e
SHA1

9e452f6adfefc5e07d5f6800137fa3f2ae7156b5
SHA256

8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a
SHA512

c12da2b928dad93eb2d6d614f216f33f7baf0dcb83ec6ec13df1dc9db2466f98b1d14bce361941d9a179e9f4028171e660f6b8f4ba13358ba3b442aac5de79b4
SSDEEP

1536:t00NjIXChbP8Nm82Uuw5tnvvyTC7mVcl:60S2bPwmRw5ZOC78Y

Score

10^/10

njrat mohib evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

mohib

127.0.0.1:1978

Mutex

a0b72362103f09d1b009d939c194f0ce

Attributes

reg_key
a0b72362103f09d1b009d939c194f0ce
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2680	netsh.exe

Executes dropped EXE 1 IoCs

pid	Process
2796	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2796	explorer.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
Token: SeDebugPrivilege	2796	explorer.exe
Token: 33	2796	explorer.exe
Token: SeIncBasePriorityPrivilege	2796	explorer.exe
Token: 33	2796	explorer.exe
Token: SeIncBasePriorityPrivilege	2796	explorer.exe
Token: 33	2796	explorer.exe
Token: SeIncBasePriorityPrivilege	2796	explorer.exe
Token: 33	2796	explorer.exe
Token: SeIncBasePriorityPrivilege	2796	explorer.exe
Token: 33	2796	explorer.exe
Token: SeIncBasePriorityPrivilege	2796	explorer.exe
Token: 33	2796	explorer.exe
Token: SeIncBasePriorityPrivilege	2796	explorer.exe
Token: 33	2796	explorer.exe
Token: SeIncBasePriorityPrivilege	2796	explorer.exe
Token: 33	2796	explorer.exe
Token: SeIncBasePriorityPrivilege	2796	explorer.exe
Token: 33	2796	explorer.exe
Token: SeIncBasePriorityPrivilege	2796	explorer.exe
Token: 33	2796	explorer.exe
Token: SeIncBasePriorityPrivilege	2796	explorer.exe
Token: 33	2796	explorer.exe
Token: SeIncBasePriorityPrivilege	2796	explorer.exe
Token: 33	2796	explorer.exe
Token: SeIncBasePriorityPrivilege	2796	explorer.exe
Token: 33	2796	explorer.exe
Token: SeIncBasePriorityPrivilege	2796	explorer.exe
Token: 33	2796	explorer.exe
Token: SeIncBasePriorityPrivilege	2796	explorer.exe
Token: 33	2796	explorer.exe
Token: SeIncBasePriorityPrivilege	2796	explorer.exe
Token: 33	2796	explorer.exe
Token: SeIncBasePriorityPrivilege	2796	explorer.exe
Token: 33	2796	explorer.exe
Token: SeIncBasePriorityPrivilege	2796	explorer.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 2796	2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe	30
PID 2884 wrote to memory of 2796	2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe	30
PID 2884 wrote to memory of 2796	2884	8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe	30
PID 2796 wrote to memory of 2680	2796	explorer.exe	31
PID 2796 wrote to memory of 2680	2796	explorer.exe	31
PID 2796 wrote to memory of 2680	2796	explorer.exe	31

C:\Users\Admin\AppData\Local\Temp\8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe
"C:\Users\Admin\AppData\Local\Temp\8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Users\Admin\AppData\Roaming\explorer.exe
  "C:\Users\Admin\AppData\Roaming\explorer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\system32\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\explorer.exe" "explorer.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
59KB

MD5
b605dd61f05028f5f48fbc2c8170273e

SHA1
9e452f6adfefc5e07d5f6800137fa3f2ae7156b5

SHA256
8760a9a669f5c298dbb04ff38fe8bfa72036fd093c8f5f2ee137ae02703c216a

SHA512
c12da2b928dad93eb2d6d614f216f33f7baf0dcb83ec6ec13df1dc9db2466f98b1d14bce361941d9a179e9f4028171e660f6b8f4ba13358ba3b442aac5de79b4

Download Submit
memory/2796-16-0x000007FEF5E80000-0x000007FEF681D000-memory.dmp

Filesize
9.6MB

Download
memory/2796-14-0x000007FEF5E80000-0x000007FEF681D000-memory.dmp

Filesize
9.6MB

Download
memory/2796-19-0x000007FEF5E80000-0x000007FEF681D000-memory.dmp

Filesize
9.6MB

Download
memory/2796-18-0x000007FEF5E80000-0x000007FEF681D000-memory.dmp

Filesize
9.6MB

Download
memory/2796-12-0x000007FEF5E80000-0x000007FEF681D000-memory.dmp

Filesize
9.6MB

Download
memory/2796-17-0x000007FEF5E80000-0x000007FEF681D000-memory.dmp

Filesize
9.6MB

Download
memory/2796-15-0x000007FEF5E80000-0x000007FEF681D000-memory.dmp

Filesize
9.6MB

Download
memory/2884-5-0x0000000000420000-0x000000000042C000-memory.dmp

Filesize
48KB

Download
memory/2884-11-0x000007FEF5E80000-0x000007FEF681D000-memory.dmp

Filesize
9.6MB

Download
memory/2884-13-0x000007FEF5E80000-0x000007FEF681D000-memory.dmp

Filesize
9.6MB

Download
memory/2884-2-0x000007FEF5E80000-0x000007FEF681D000-memory.dmp

Filesize
9.6MB

Download
memory/2884-0-0x000007FEF613E000-0x000007FEF613F000-memory.dmp

Filesize
4KB

Download
memory/2884-1-0x000007FEF5E80000-0x000007FEF681D000-memory.dmp

Filesize
9.6MB

Download
memory/2884-4-0x0000000000290000-0x000000000029E000-memory.dmp

Filesize
56KB

Download
memory/2884-3-0x000007FEF5E80000-0x000007FEF681D000-memory.dmp

Filesize
9.6MB

Download