njrat | 10740a8c625f468cf2bb1f1e80b3bdd97685ef6475ed7bdf1b51c48beaef4112

Analysis

max time kernel
11s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2024 22:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10740a8c625f468cf2bb1f1e80b3bdd97685ef6475ed7bdf1b51c48beaef4112.exe
Size

8.7MB
MD5

aa47afcd87d5187c867fa721a6807edd
SHA1

f61dcf9213813a83bf036f9b43a5be7010f60b9a
SHA256

10740a8c625f468cf2bb1f1e80b3bdd97685ef6475ed7bdf1b51c48beaef4112
SHA512

f1add09b9d3ee33fb009854bd70b24df5a77983adb4edb927c3fa529bdc695696ccbaefabd4d5cefc6c7709d011cdafa0c26896102e90d19c67604583b392d3c
SSDEEP

196608:hCbGPZmVfjsCbGPZmVfjiCbGPZmVfjsCbGPZmVfj2CbGPZmVfjsCbGPZmVfjiCbx:0GmVNGmVrGmVNGmVnGmVNGmVrGmVNGmV

Score

10^/10

njrat jjj defense_evasion discovery evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

jjj

youri.mooo.com:1605

Mutex

e936a10f968ac948cd351c9629dbd36d

Attributes

reg_key
e936a10f968ac948cd351c9629dbd36d
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

4400 netsh.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation cmd.exe

pid	process
4400	netsh.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	cmd.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\10740a8c625f468cf2bb1f1e80b3bdd97685ef6475ed7bdf1b51c48beaef4112.exe	autoit_exe
C:\ProgramData\winmgr107.exe	autoit_exe
C:\ProgramData\winmgr107.exe	autoit_exe
C:\ProgramData\winmgr107.exe	autoit_exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

Processes:

10740a8c625f468cf2bb1f1e80b3bdd97685ef6475ed7bdf1b51c48beaef4112.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\10740a8c625f468cf2bb1f1e80b3bdd97685ef6475ed7bdf1b51c48beaef4112.exe:Zone.Identifier:$DATA	10740a8c625f468cf2bb1f1e80b3bdd97685ef6475ed7bdf1b51c48beaef4112.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

10740a8c625f468cf2bb1f1e80b3bdd97685ef6475ed7bdf1b51c48beaef4112.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10740a8c625f468cf2bb1f1e80b3bdd97685ef6475ed7bdf1b51c48beaef4112.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	cmd.exe

NTFS ADS 1 IoCs

Processes:

10740a8c625f468cf2bb1f1e80b3bdd97685ef6475ed7bdf1b51c48beaef4112.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\10740a8c625f468cf2bb1f1e80b3bdd97685ef6475ed7bdf1b51c48beaef4112.exe:Zone.Identifier:$DATA	10740a8c625f468cf2bb1f1e80b3bdd97685ef6475ed7bdf1b51c48beaef4112.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 26 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
552	schtasks.exe
3864	schtasks.exe
812	schtasks.exe
2208	schtasks.exe
976	schtasks.exe
1776	schtasks.exe
4812	schtasks.exe
4628	schtasks.exe
3748	schtasks.exe
4536	schtasks.exe
1168	schtasks.exe
924	schtasks.exe
2892	schtasks.exe
1996	schtasks.exe
3628	schtasks.exe
2532	schtasks.exe
2744	schtasks.exe
1028	schtasks.exe
4864	schtasks.exe
1592	schtasks.exe
3164	schtasks.exe
2232	schtasks.exe
4924	schtasks.exe
392	schtasks.exe
3684	schtasks.exe
4132	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

10740a8c625f468cf2bb1f1e80b3bdd97685ef6475ed7bdf1b51c48beaef4112.exe

pid	process
1776	10740a8c625f468cf2bb1f1e80b3bdd97685ef6475ed7bdf1b51c48beaef4112.exe
1776	10740a8c625f468cf2bb1f1e80b3bdd97685ef6475ed7bdf1b51c48beaef4112.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

10740a8c625f468cf2bb1f1e80b3bdd97685ef6475ed7bdf1b51c48beaef4112.execmd.exe

description	pid	process	target process
PID 1776 wrote to memory of 3540	1776	10740a8c625f468cf2bb1f1e80b3bdd97685ef6475ed7bdf1b51c48beaef4112.exe	cmd.exe
PID 1776 wrote to memory of 3540	1776	10740a8c625f468cf2bb1f1e80b3bdd97685ef6475ed7bdf1b51c48beaef4112.exe	cmd.exe
PID 1776 wrote to memory of 3540	1776	10740a8c625f468cf2bb1f1e80b3bdd97685ef6475ed7bdf1b51c48beaef4112.exe	cmd.exe
PID 3540 wrote to memory of 4944	3540	cmd.exe	NOTEPAD.EXE
PID 3540 wrote to memory of 4944	3540	cmd.exe	NOTEPAD.EXE
PID 3540 wrote to memory of 4944	3540	cmd.exe	NOTEPAD.EXE

C:\Users\Admin\AppData\Local\Temp\10740a8c625f468cf2bb1f1e80b3bdd97685ef6475ed7bdf1b51c48beaef4112.exe
"C:\Users\Admin\AppData\Local\Temp\10740a8c625f468cf2bb1f1e80b3bdd97685ef6475ed7bdf1b51c48beaef4112.exe"
1⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\PROGRA~3\10740A~1.TXT
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3540
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\PROGRA~3\10740a8c625f468cf2bb1f1e80b3bdd97685ef6475ed7bdf1b51c48beaef4112.exe.txt
    3⤵
    PID:4944
- C:\ProgramData\winmgr107.exe
  C:\ProgramData\winmgr107.exe
  2⤵
  PID:3328
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    0
    3⤵
    PID:756
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:4400
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4628
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2744
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1028
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3748
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:392
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3684
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4132
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4864
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4536
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:812
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1996
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2208
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:976
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1592
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1776
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4812
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3164
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:552
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1168
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2232
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:924
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2892
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3628
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4924
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2532
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3864

C:\ProgramData\winmgr107.exe
C:\ProgramData\winmgr107.exe
1⤵
PID:3084

C:\ProgramData\winmgr107.exe
C:\ProgramData\winmgr107.exe
1⤵
PID:4456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\10740a8c625f468cf2bb1f1e80b3bdd97685ef6475ed7bdf1b51c48beaef4112.exe.txt

Filesize
992B

MD5
c8cf7247d4cfc99a7582a42d13df4c08

SHA1
317f5588af0b3b6374c436fb00084c522fd78a83

SHA256
78bd99781e971622f1573bccf2ae9cdd7a7498cf81c1875afc65913e1083b1d0

SHA512
5dd86b7ba388e5d2ad61b1c69589f42c36eec23a04b3cece0941133e0cf0e8a6f1f3aa2242d87af72db725b4b96032dadae72b3be98af3cfce5786ad8c08c357

Download Submit
C:\ProgramData\winmgr107.exe

Filesize
2.4MB

MD5
19ff599ea2a1d7391785a25685c2558f

SHA1
784e4ae014034f26a0e426deeab917370bfabbdf

SHA256
958dd63116e10e8221301a419eab0bed0fe98c1e3483b9e91f669843cba45f4d

SHA512
8112a05201cc9cb03a512e19b00416d0988cb45dbd5c407415853c59792454537c0d75171520e952f043f05f9e0c5b137a20e95d5cc66a959d71221652736c99

Download Submit
C:\ProgramData\winmgr107.exe

Filesize
923KB

MD5
148e2946fc135ab35e9f0e51c75b5fb0

SHA1
283f8329d07c197f6ae8e0bd55f7352d1d6cda62

SHA256
d36c58dc8ec50bdfffb8b10037b9bf68e561b6b2018ec76597cdc609a94dad95

SHA512
45624140ba29145da160643a25812881249ad935d0afdca27e8dcde53795cb6555a237d718c55cda19e1d5dd9967837b83e76f9929934ef79a4bfc7734592b71

Download Submit
C:\ProgramData\winmgr107.exe

Filesize
411KB

MD5
5d2344ef4148dcc5a3366557a89636ab

SHA1
b654913c4737655b7cac1fcb8c7138d20fbca51b

SHA256
678c5396b817258311520ed3109fd94e3f4fd480d6785e6232208348297555b5

SHA512
a499a9e5bf03b51ba57fd3a8c5aaf2704d39e84ba806f454fe713103c0595cf917615d770eb4c63ef101aa02a4ba7aa97a5d03966c5f92cf85d6e5d89f73a83c

Download Submit
C:\ProgramData\winmgr107.exe

Filesize
57KB

MD5
0fafbdebb576dbe5509f1019717a6e14

SHA1
c08f30244ed70d9f41d5894a279f41851852cadc

SHA256
4086e5cca1ea4946c1187fa905107f0fa849b195fa0e062ae6db8901c4415df2

SHA512
9c2f54fdb23ff8e9451c4ed2fcffb0c0ea48d4f5e986f28c5c46487a06769ad22b114e47a3020d05460450379b8f7df10cf9263f7fcf679767bf35546643f22f

Download Submit
C:\ProgramData\winmgr107.exe

Filesize
2.8MB

MD5
48a1abf34bb4820fb0749e7f44dbadae

SHA1
4ac560c7b675662a7f0aade795b481f1c64eee86

SHA256
86626550af77ac9a364762296c2f4db26bbb2fe1ba187314c535a3b186b47174

SHA512
2dcefa862163c051c6e1802be87ff1c2e14d08ae689cb734f233295bb601d055195e2ddb86d546f5356cbf46da68a2420f7c7c1694c1028b835b65b6412349d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\10740a8c625f468cf2bb1f1e80b3bdd97685ef6475ed7bdf1b51c48beaef4112.exe

Filesize
2.9MB

MD5
2c7364a2f78144b72b606894d6959be5

SHA1
4a6e01887b2a0e08604e34c804cf7ea9abec20ef

SHA256
33698aa69739d23e49273fac74ee3a449cbdc6a364b0feafd4231453df8cb966

SHA512
a91e4e790ad216d915e7f85341cc00a7b469abe5e8dc5bfb05b536ba1b27545ef17567b4d37a5f4ad9fe14b8c71d3f0b380bf53477d23fd8de5817c636bbe54e

Download Submit
memory/756-15-0x0000000000D40000-0x0000000000D4C000-memory.dmp

Filesize
48KB

Download