Overview

overview

10

Static

static

10

db7eaa14e2...3N.exe

windows7-x64

10

db7eaa14e2...3N.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    118s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    22-11-2024 15:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    db7eaa14e273a45a95c0c5e3404ee9ef2b8488d35e0cefd3440f94c441ed4e03N.exe

  • Size

    93KB

  • MD5

    d61320e11b78f4c54887b55d238ad600

  • SHA1

    c11c3eb0b94909897081e0d5bb8bc1656376afd1

  • SHA256

    db7eaa14e273a45a95c0c5e3404ee9ef2b8488d35e0cefd3440f94c441ed4e03

  • SHA512

    a1b20825856517613ebc99b4b1d80b34c05e26c8cba8db6a0707cc08329e05af6243e1b4ec1511e46c1fae8b595d78d2c7ed698fb5ec6ec303b54e35a24badf4

  • SSDEEP

    1536:s4UpR8lZc+/2HK1j+fTd5jEwzGi1dDWD5gS:s4UpKc+/2HK1oTdWi1dQ2

Score
10/10
njrathackeddiscoveryevasionpersistenceprivilege_escalationtrojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

hakim32.ddns.net:2000

78.156.229.8:7777
Mutex

31a76954e6446acb903929bf0d0d71d9

Attributes
  • reg_key

    31a76954e6446acb903929bf0d0d71d9

  • splitter

    |'|'|

Signatures

  • Njrat family
    njrat
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Disables Task Manager via registry modification
    evasion
  • Modifies Windows Firewall 2 TTPs 25 IoCs
    evasion
  • Drops startup file 20 IoCs
  • Executes dropped EXE 17 IoCs
  • Loads dropped DLL 34 IoCs
  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 43 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\db7eaa14e273a45a95c0c5e3404ee9ef2b8488d35e0cefd3440f94c441ed4e03N.exe
    "C:\Users\Admin\AppData\Local\Temp\db7eaa14e273a45a95c0c5e3404ee9ef2b8488d35e0cefd3440f94c441ed4e03N.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2496
    • C:\Users\Admin\AppData\Roaming\server.exe
      "C:\Users\Admin\AppData\Roaming\server.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops autorun.inf file
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2900
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:3064
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:2508
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:644
      • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2452
        • C:\Users\Admin\AppData\Roaming\server.exe
          "C:\Users\Admin\AppData\Roaming\server.exe"
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2832
          • C:\Windows\SysWOW64\netsh.exe
            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
            5⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            • System Location Discovery: System Language Discovery
            PID:2024
          • C:\Windows\SysWOW64\netsh.exe
            netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
            5⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            • System Location Discovery: System Language Discovery
            PID:2504
          • C:\Windows\SysWOW64\netsh.exe
            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
            5⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            • System Location Discovery: System Language Discovery
            PID:2392
          • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2440
            • C:\Users\Admin\AppData\Roaming\server.exe
              "C:\Users\Admin\AppData\Roaming\server.exe"
              6⤵
              • Drops startup file
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2572
              • C:\Windows\SysWOW64\netsh.exe
                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
                7⤵
                • Modifies Windows Firewall
                • Event Triggered Execution: Netsh Helper DLL
                • System Location Discovery: System Language Discovery
                PID:2484
              • C:\Windows\SysWOW64\netsh.exe
                netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
                7⤵
                • Modifies Windows Firewall
                • Event Triggered Execution: Netsh Helper DLL
                • System Location Discovery: System Language Discovery
                PID:2008
              • C:\Windows\SysWOW64\netsh.exe
                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
                7⤵
                • Modifies Windows Firewall
                • Event Triggered Execution: Netsh Helper DLL
                • System Location Discovery: System Language Discovery
                PID:524
              • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2556
                • C:\Users\Admin\AppData\Roaming\server.exe
                  "C:\Users\Admin\AppData\Roaming\server.exe"
                  8⤵
                  • Drops startup file
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of AdjustPrivilegeToken
                  PID:804
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
                    9⤵
                    • Modifies Windows Firewall
                    • Event Triggered Execution: Netsh Helper DLL
                    • System Location Discovery: System Language Discovery
                    PID:3028
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
                    9⤵
                    • Modifies Windows Firewall
                    • Event Triggered Execution: Netsh Helper DLL
                    • System Location Discovery: System Language Discovery
                    PID:2268
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
                    9⤵
                    • Modifies Windows Firewall
                    • Event Triggered Execution: Netsh Helper DLL
                    • System Location Discovery: System Language Discovery
                    PID:2352
                  • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                    "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                    9⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • System Location Discovery: System Language Discovery
                    PID:2224
                    • C:\Users\Admin\AppData\Roaming\server.exe
                      "C:\Users\Admin\AppData\Roaming\server.exe"
                      10⤵
                      • Drops startup file
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: GetForegroundWindowSpam
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1956
                      • C:\Windows\SysWOW64\netsh.exe
                        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
                        11⤵
                        • Modifies Windows Firewall
                        • Event Triggered Execution: Netsh Helper DLL
                        • System Location Discovery: System Language Discovery
                        PID:2272
                      • C:\Windows\SysWOW64\netsh.exe
                        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
                        11⤵
                        • Modifies Windows Firewall
                        • Event Triggered Execution: Netsh Helper DLL
                        • System Location Discovery: System Language Discovery
                        PID:2312
                      • C:\Windows\SysWOW64\netsh.exe
                        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
                        11⤵
                        • Modifies Windows Firewall
                        • Event Triggered Execution: Netsh Helper DLL
                        • System Location Discovery: System Language Discovery
                        PID:2256
                      • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                        11⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • System Location Discovery: System Language Discovery
                        PID:980
                        • C:\Users\Admin\AppData\Roaming\server.exe
                          "C:\Users\Admin\AppData\Roaming\server.exe"
                          12⤵
                          • Drops startup file
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Drops file in System32 directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: GetForegroundWindowSpam
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2128
                          • C:\Windows\SysWOW64\netsh.exe
                            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
                            13⤵
                            • Modifies Windows Firewall
                            • Event Triggered Execution: Netsh Helper DLL
                            • System Location Discovery: System Language Discovery
                            PID:892
                          • C:\Windows\SysWOW64\netsh.exe
                            netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
                            13⤵
                            • Modifies Windows Firewall
                            • Event Triggered Execution: Netsh Helper DLL
                            • System Location Discovery: System Language Discovery
                            PID:1172
                          • C:\Windows\SysWOW64\netsh.exe
                            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
                            13⤵
                            • Modifies Windows Firewall
                            • Event Triggered Execution: Netsh Helper DLL
                            • System Location Discovery: System Language Discovery
                            PID:1436
                          • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                            "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                            13⤵
                            • Executes dropped EXE
                            • Loads dropped DLL
                            • System Location Discovery: System Language Discovery
                            PID:2716
                            • C:\Users\Admin\AppData\Roaming\server.exe
                              "C:\Users\Admin\AppData\Roaming\server.exe"
                              14⤵
                              • Drops startup file
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • Drops file in System32 directory
                              • System Location Discovery: System Language Discovery
                              • Suspicious behavior: GetForegroundWindowSpam
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2572
                              • C:\Windows\SysWOW64\netsh.exe
                                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
                                15⤵
                                • Modifies Windows Firewall
                                • Event Triggered Execution: Netsh Helper DLL
                                • System Location Discovery: System Language Discovery
                                PID:1960
                              • C:\Windows\SysWOW64\netsh.exe
                                netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
                                15⤵
                                • Modifies Windows Firewall
                                • Event Triggered Execution: Netsh Helper DLL
                                • System Location Discovery: System Language Discovery
                                PID:2808
                              • C:\Windows\SysWOW64\netsh.exe
                                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
                                15⤵
                                • Modifies Windows Firewall
                                • Event Triggered Execution: Netsh Helper DLL
                                • System Location Discovery: System Language Discovery
                                PID:2792
                              • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                15⤵
                                • Executes dropped EXE
                                • Loads dropped DLL
                                • System Location Discovery: System Language Discovery
                                PID:2884
                                • C:\Users\Admin\AppData\Roaming\server.exe
                                  "C:\Users\Admin\AppData\Roaming\server.exe"
                                  16⤵
                                  • Drops startup file
                                  • Executes dropped EXE
                                  • Loads dropped DLL
                                  • Drops file in System32 directory
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious behavior: GetForegroundWindowSpam
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:832
                                  • C:\Windows\SysWOW64\netsh.exe
                                    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
                                    17⤵
                                    • Modifies Windows Firewall
                                    • Event Triggered Execution: Netsh Helper DLL
                                    • System Location Discovery: System Language Discovery
                                    PID:320
                                  • C:\Windows\SysWOW64\netsh.exe
                                    netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
                                    17⤵
                                    • Modifies Windows Firewall
                                    • Event Triggered Execution: Netsh Helper DLL
                                    • System Location Discovery: System Language Discovery
                                    PID:2948
                                  • C:\Windows\SysWOW64\netsh.exe
                                    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
                                    17⤵
                                    • Modifies Windows Firewall
                                    • Event Triggered Execution: Netsh Helper DLL
                                    • System Location Discovery: System Language Discovery
                                    PID:1276
                                  • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                    "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                    17⤵
                                    • Executes dropped EXE
                                    • Loads dropped DLL
                                    • System Location Discovery: System Language Discovery
                                    PID:2080
                                    • C:\Users\Admin\AppData\Roaming\server.exe
                                      "C:\Users\Admin\AppData\Roaming\server.exe"
                                      18⤵
                                      • Drops startup file
                                      • Executes dropped EXE
                                      • Drops file in System32 directory
                                      • System Location Discovery: System Language Discovery
                                      • Suspicious behavior: GetForegroundWindowSpam
                                      PID:2024
                                      • C:\Windows\SysWOW64\netsh.exe
                                        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
                                        19⤵
                                        • Modifies Windows Firewall
                                        • Event Triggered Execution: Netsh Helper DLL
                                        • System Location Discovery: System Language Discovery
                                        PID:2376

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\melt.txt
    Filesize

    41B

    MD5

    964ddaa3491c746b5ef7e7fb6b653384

    SHA1

    1bb95b5f8f514d2840cf399812631f2838979452

    SHA256

    157eee8b1b5ad0c0beac03f59dc40c5326eae961d495cde8deb3625537810adb

    SHA512

    a06d3735cc7e5c707b52082a061eeb0fd2298c7bdc9ff476de1d0062ae716a6ed757d3aba6e7f36d76dbe0e69349c6bef7e3f840c0516500ddd0bf0d90497752

    Download Submit

  • C:\Users\Admin\AppData\Roaming\app
    Filesize

    5B

    MD5

    d43c5b07c128b116b7bc8faf7b8efa9d

    SHA1

    dd3540ad4ae14b21b665d108cf4570c2dfa6a6fa

    SHA256

    80ad1cc7b3a784dad618a445af0c8cf3efa903f82a814756f2aaa7b57f45791f

    SHA512

    618b01e2b808e1954d011635dfdf63bc75855145208fc5cae33ce09c7e5b43cf978f6511beb311765e6920e728a290c9f9ced7563e40e8ff8d093d50fdc18334

    Download Submit

  • \Users\Admin\AppData\Roaming\server.exe
    Filesize

    93KB

    MD5

    d61320e11b78f4c54887b55d238ad600

    SHA1

    c11c3eb0b94909897081e0d5bb8bc1656376afd1

    SHA256

    db7eaa14e273a45a95c0c5e3404ee9ef2b8488d35e0cefd3440f94c441ed4e03

    SHA512

    a1b20825856517613ebc99b4b1d80b34c05e26c8cba8db6a0707cc08329e05af6243e1b4ec1511e46c1fae8b595d78d2c7ed698fb5ec6ec303b54e35a24badf4

    Download Submit

  • memory/2496-0-0x0000000074C51000-0x0000000074C52000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2496-1-0x0000000074C50000-0x00000000751FB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2496-2-0x0000000074C50000-0x00000000751FB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2496-14-0x0000000074C50000-0x00000000751FB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2900-15-0x0000000074C50000-0x00000000751FB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2900-16-0x0000000074C50000-0x00000000751FB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2900-17-0x0000000074C50000-0x00000000751FB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2900-31-0x0000000074C50000-0x00000000751FB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2900-52-0x0000000074C50000-0x00000000751FB000-memory.dmp

    Filesize

    5.7MB

    Download