njrat | 2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1

Analysis

max time kernel
112s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/11/2024, 17:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe
Size

531KB
MD5

5672033192553965f397e00cc5ed2b90
SHA1

4238c1c5240ad9332e58c4bca9305cb3ae57c9eb
SHA256

2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1
SHA512

ef743cbf8060a11748a430b618165ab7885b4d3ff6aca51b50d59ac3ab3a2ec2cc9ad11befd217c76c3124e1d89320e215acc1a42fbc0b838840638b982a284e
SSDEEP

12288:quhrOarWLTR2viEmOG6LZgE5T/j85ZGyOcqz5:qx2HzG6lTb8WyOck5

Score

10^/10

njrat beka discovery evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

BEKA

ronymahmoud.casacam.net:1177

Mutex

32bad0fc686dd5769ff8860131056010

Attributes

reg_key
32bad0fc686dd5769ff8860131056010
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2712	powershell.exe
2504	powershell.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1076	netsh.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2468 set thread context of 2516	2468	2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2104	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2468	2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe
2468	2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe
2468	2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe
2468	2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe
2468	2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe
2468	2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe
2468	2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe
2468	2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe
2468	2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe
2468	2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe
2468	2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe
2468	2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe
2468	2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe
2468	2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe
2468	2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe
2468	2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe
2468	2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe
2468	2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe
2712	powershell.exe
2504	powershell.exe
2468	2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe
2468	2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe
2468	2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2468	2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeDebugPrivilege	2516	RegSvcs.exe
Token: 33	2516	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2516	RegSvcs.exe
Token: 33	2516	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2516	RegSvcs.exe
Token: 33	2516	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2516	RegSvcs.exe
Token: 33	2516	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2516	RegSvcs.exe
Token: 33	2516	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2516	RegSvcs.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 2712	2468	2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe	30
PID 2468 wrote to memory of 2712	2468	2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe	30
PID 2468 wrote to memory of 2712	2468	2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe	30
PID 2468 wrote to memory of 2712	2468	2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe	30
PID 2468 wrote to memory of 2504	2468	2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe	32
PID 2468 wrote to memory of 2504	2468	2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe	32
PID 2468 wrote to memory of 2504	2468	2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe	32
PID 2468 wrote to memory of 2504	2468	2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe	32
PID 2468 wrote to memory of 2104	2468	2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe	34
PID 2468 wrote to memory of 2104	2468	2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe	34
PID 2468 wrote to memory of 2104	2468	2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe	34
PID 2468 wrote to memory of 2104	2468	2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe	34
PID 2468 wrote to memory of 2508	2468	2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe	36
PID 2468 wrote to memory of 2508	2468	2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe	36
PID 2468 wrote to memory of 2508	2468	2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe	36
PID 2468 wrote to memory of 2508	2468	2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe	36
PID 2468 wrote to memory of 2508	2468	2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe	36
PID 2468 wrote to memory of 2508	2468	2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe	36
PID 2468 wrote to memory of 2508	2468	2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe	36
PID 2468 wrote to memory of 2516	2468	2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe	37
PID 2468 wrote to memory of 2516	2468	2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe	37
PID 2468 wrote to memory of 2516	2468	2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe	37
PID 2468 wrote to memory of 2516	2468	2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe	37
PID 2468 wrote to memory of 2516	2468	2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe	37
PID 2468 wrote to memory of 2516	2468	2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe	37
PID 2468 wrote to memory of 2516	2468	2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe	37
PID 2468 wrote to memory of 2516	2468	2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe	37
PID 2468 wrote to memory of 2516	2468	2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe	37
PID 2468 wrote to memory of 2516	2468	2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe	37
PID 2468 wrote to memory of 2516	2468	2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe	37
PID 2468 wrote to memory of 2516	2468	2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe	37
PID 2516 wrote to memory of 1076	2516	RegSvcs.exe	38
PID 2516 wrote to memory of 1076	2516	RegSvcs.exe	38
PID 2516 wrote to memory of 1076	2516	RegSvcs.exe	38
PID 2516 wrote to memory of 1076	2516	RegSvcs.exe	38

C:\Users\Admin\AppData\Local\Temp\2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe
"C:\Users\Admin\AppData\Local\Temp\2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2712
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\zavsSrNScEv.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2504
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zavsSrNScEv" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAAEF.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:2508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" "RegSvcs.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpAAEF.tmp

Filesize
1KB

MD5
188c0ef4113739df05a09e498f0f32aa

SHA1
cb91cc6efe87a27009cdc1ea71aa3bfd6ae2b4e4

SHA256
81df88bed9c1b34ace223b20f5d0ad32c809760dea4b41d304109d93a0862307

SHA512
553931c824f4cd557442eb90781f577830a7880c4c5dd9ae94ac61d08f7e736ad9b8eb6038aab680d640deee52b4c21c9ed136ed919b3eef7280040499b4280f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
1ce8d0e79b410fe0c8372f327675dd2e

SHA1
fc3841fe4ce22e7fb62cd793b4ac96abc98f9ff3

SHA256
30142ad12654adcd0682278f86d012c8499b0483efd01bec8c7fc876e4304b74

SHA512
444707b6475977c0b8ec09fb535765a6761f6bf4a11f7a0a1fd5ee64dfca8efc8f1be6ed5a046bb29a07d249f4ba83b6b3dfdb20fdfaf95753c8cc630e58e87b

Download Submit
memory/2468-4-0x00000000748FE000-0x00000000748FF000-memory.dmp

Filesize
4KB

Download
memory/2468-31-0x00000000748F0000-0x0000000074FDE000-memory.dmp

Filesize
6.9MB

Download
memory/2468-0-0x00000000748FE000-0x00000000748FF000-memory.dmp

Filesize
4KB

Download
memory/2468-5-0x00000000748F0000-0x0000000074FDE000-memory.dmp

Filesize
6.9MB

Download
memory/2468-6-0x00000000043B0000-0x00000000043FE000-memory.dmp

Filesize
312KB

Download
memory/2468-2-0x00000000748F0000-0x0000000074FDE000-memory.dmp

Filesize
6.9MB

Download
memory/2468-1-0x0000000000160000-0x00000000001EA000-memory.dmp

Filesize
552KB

Download
memory/2468-3-0x0000000000350000-0x0000000000360000-memory.dmp

Filesize
64KB

Download
memory/2516-19-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2516-29-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2516-30-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2516-28-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2516-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2516-25-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2516-23-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2516-21-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download