Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/12/2024, 08:44 UTC

General

  • Target

    NjRat Loader.exe

  • Size

    2.3MB

  • MD5

    e4631d6e2fee44de27d84aff1ce7c7a5

  • SHA1

    d16bc9a9e7249e8f5b519cabbaafa0f1462bccdd

  • SHA256

    008478ff6c70392e5ecf933881df2c44f31fdf76ad88c407191233cb39de6528

  • SHA512

    fdba6e4c6ce13996f05bfa0680383c809b177aedbd300ce42e7f378fd8ad1a1b2cfbc6342b5f0f64d03142bc25f3cf538829cbd01c539ec4c1477121b8f6e8be

  • SSDEEP

    49152:x842+3u+OurHvP4yU222Yd/2bIKxwc6XfnVmAfIg39EJ:x8gTdrHvPfRn8ulx36PrNQ

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 1 IoCs

    The dropped C:\Users\Admin\AppData\Local\Temp\svchost.exe spawns netsh.exe with the legacy `netsh firewall add allowedprogram` context to whitelist itself (see Processes). Windows 10 still honours this context, printing only a deprecation notice that points at `netsh advfirewall firewall`, so the exception takes effect.
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

    The dropped svchost.exe resolves 2.tcp.eu.ngrok.io and connects to the returned addresses on TCP 16299, i.e. an ngrok TCP tunnel used as the C2 endpoint (see Network).
  • Drops autorun.inf file 1 TTPs 5 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. In this run the signature is attached to the `netsh firewall add allowedprogram` invocation shown in the process tree, which adds a firewall exception rather than registering a helper DLL (no `add helper` command is visible), so treat the helper-DLL persistence mapping as a weak match here.

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NjRat Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\NjRat Loader.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:396
    • C:\Users\Admin\AppData\Local\Temp\NjRAT.exe
      "C:\Users\Admin\AppData\Local\Temp\NjRAT.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4824
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops autorun.inf file
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2116
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:1152
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM ProcessHacker.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4744
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4360
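The process tree above is a compact illustration of the chain a host-based detection should catch: a binary named svchost.exe running from %TEMP%, a firewall exception granted to that same path, taskkill aimed at an analysis tool, and a DNS lookup of an ngrok TCP tunnel. The following is an added example (not code from the Triage report or from the sample) that encodes those heuristics and runs them over events hand-constructed from this page; the ProcEvent/DnsEvent layout is an assumption loosely modelled on Sysmon Event IDs 1 and 22, not a real log export.

```python
"""Heuristic triage of a sandbox process tree like the one above.

Added example, not code from the Triage report or from the sample. The
ProcEvent / DnsEvent records are hand-constructed from this page; their
field layout is an assumption (roughly Sysmon Event ID 1 and 22).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable

# Where a genuine svchost.exe (and the other names below) is allowed to live.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "explorer.exe"}
# Path fragments that mark a user-writable drop location.
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming", r"\users\public", r"\programdata")
# Analysis tools malware commonly kills; ProcessHacker.exe is the one targeted here.
ANALYSIS_TOOLS = {"processhacker.exe", "procmon.exe", "procexp.exe", "wireshark.exe", "x64dbg.exe"}
# ngrok TCP tunnel hostnames look like N.tcp.<region>.ngrok.io (region optional).
NGROK_TCP = re.compile(r"^\d+\.tcp(\.[a-z]{2})?\.ngrok\.io$", re.IGNORECASE)
# Legacy firewall context seen on this page, plus its modern advfirewall form.
ALLOWEDPROGRAM = re.compile(
    r'netsh\s+firewall\s+add\s+allowedprogram\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
ADVFIREWALL = re.compile(
    r'netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*?\bprogram=(?:"([^"]+)"|(\S+))', re.IGNORECASE)
TASKKILL_IM = re.compile(r'taskkill\b.*?/im\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str      # full path of the executable
    cmdline: str


@dataclass(frozen=True)
class DnsEvent:
    pid: int
    query: str
    answer: str


def _arg(m: re.Match) -> str:
    """Return the quoted or bare argument captured by the patterns above."""
    return m.group(1) or m.group(2)


def in_user_writable(path: str) -> bool:
    low = path.lower()
    return any(fragment in low for fragment in USER_WRITABLE)


def triage(procs: Iterable[ProcEvent], dns: Iterable[DnsEvent]) -> list[tuple[str, int, str]]:
    """Return (rule, pid, detail) for every heuristic that fires on the events."""
    findings: list[tuple[str, int, str]] = []
    for p in procs:
        path = PureWindowsPath(p.image)
        name, parent = path.name.lower(), str(path.parent).lower()
        # A system binary name running from outside the system directories.
        if name in SYSTEM_NAMES and parent not in SYSTEM_DIRS:
            findings.append(("system_name_outside_system_dir", p.pid, p.image))
        # A firewall exception granted to a binary in a user-writable location.
        m = ALLOWEDPROGRAM.search(p.cmdline) or ADVFIREWALL.search(p.cmdline)
        if m and in_user_writable(_arg(m)):
            findings.append(("firewall_exception_for_dropped_binary", p.pid, _arg(m)))
        # taskkill aimed at an analysis or monitoring tool.
        m = TASKKILL_IM.search(p.cmdline)
        if m and _arg(m).lower() in ANALYSIS_TOOLS:
            findings.append(("kills_analysis_tool", p.pid, _arg(m)))
    for d in dns:
        # Forward lookup of an ngrok TCP tunnel endpoint.
        if NGROK_TCP.match(d.query):
            findings.append(("ngrok_tcp_tunnel_lookup", d.pid, f"{d.query} -> {d.answer}"))
    return findings


# Constructed from the process tree and DNS records on this page.
SAMPLE_PROCS = [
    ProcEvent(396, r"C:\Users\Admin\AppData\Local\Temp\NjRat Loader.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\NjRat Loader.exe"'),
    ProcEvent(4824, r"C:\Users\Admin\AppData\Local\Temp\NjRAT.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\NjRAT.exe"'),
    ProcEvent(2116, r"C:\Users\Admin\AppData\Local\Temp\svchost.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\svchost.exe"'),
    ProcEvent(1152, r"C:\Windows\SysWOW64\netsh.exe",
              r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE'),
    ProcEvent(4744, r"C:\Windows\SysWOW64\taskkill.exe", r"taskkill /F /IM ProcessHacker.exe"),
    ProcEvent(4360, r"C:\Windows\System32\rundll32.exe",
              r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding"),
]
SAMPLE_DNS = [
    DnsEvent(2116, "2.tcp.eu.ngrok.io", "18.197.239.5"),
    DnsEvent(2116, "2.tcp.eu.ngrok.io", "3.126.37.18"),
]

if __name__ == "__main__":
    for rule, pid, detail in triage(SAMPLE_PROCS, SAMPLE_DNS):
        print(f"{rule:40} pid={pid:<5} {detail}")
```

Run stand-alone it prints five findings: the masquerading svchost.exe (PID 2116), the firewall exception for that path (PID 1152), the ProcessHacker.exe kill (PID 4744) and the two ngrok lookups; the benign rundll32/shell32 COM activation and the loader itself produce nothing, which is the intended precision. The firewall rule also matches the modern `netsh advfirewall firewall add rule ... program=` form, which this sample does not use but a variant easily could.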

    Network

    DNS (all queries sent to 8.8.8.8:53; one packet each way). The PTR
    entries are reverse lookups of addresses contacted during the run and
    carry no originating process; only the forward lookups of
    2.tcp.eu.ngrok.io are attributed to the dropped svchost.exe (PID 2116).
    Byte counts are sent / received per lookup.

    Query                          Type  Process      Answer                                               Sent   Recv
    8.8.8.8.in-addr.arpa           PTR   -            dns.google                                           66 B   90 B
    154.239.44.20.in-addr.arpa     PTR   -            (no answer)                                          72 B   158 B
    22.49.80.91.in-addr.arpa       PTR   -            (no answer)                                          70 B   145 B
    68.159.190.20.in-addr.arpa     PTR   -            (no answer)                                          72 B   158 B
    95.221.229.192.in-addr.arpa    PTR   -            (no answer)                                          73 B   144 B
    2.tcp.eu.ngrok.io              A     svchost.exe  18.197.239.5                                         63 B   79 B
    58.55.71.13.in-addr.arpa       PTR   -            (no answer)                                          70 B   144 B
    5.239.197.18.in-addr.arpa      PTR   -            ec2-18-197-239-5.eu-central-1.compute.amazonaws.com  71 B   136 B
    50.23.12.20.in-addr.arpa       PTR   -            (no answer)                                          70 B   156 B
    198.187.3.20.in-addr.arpa      PTR   -            (no answer)                                          71 B   157 B
    172.210.232.199.in-addr.arpa   PTR   -            (no answer)                                          74 B   128 B
    2.tcp.eu.ngrok.io              A     svchost.exe  3.126.37.18                                          63 B   79 B
    18.37.126.3.in-addr.arpa       PTR   -            ec2-3-126-37-18.eu-central-1.compute.amazonaws.com   70 B   134 B
    11.227.111.52.in-addr.arpa     PTR   -            (no answer)                                          72 B   158 B
    2.tcp.eu.ngrok.io              A     svchost.exe  18.197.239.5                                         63 B   79 B
    84.65.42.20.in-addr.arpa       PTR   -            (no answer)                                          70 B   156 B

    TCP connections (all from svchost.exe, PID 2116, to 2.tcp.eu.ngrok.io)

    Remote address       Sent    Recv    Pkts sent  Pkts recv
    18.197.239.5:16299   803 B   372 B   10         9
    3.126.37.18:16299    716 B   332 B   9          8
    18.197.239.5:16299   573 B   172 B   5          4

    The tunnel hostname resolved to two different eu-central-1 EC2 addresses
    (per the PTR records) within the 150 s run, so the hostname and port 16299
    are the durable indicators; the IPs are ngrok edge hosts that rotate and
    should not be blocked or attributed on their own.
    MITRE ATT&CK Enterprise v15

    The TTP counts attached to each entry in the Signatures section are mapped against this matrix version.

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\NjRAT.exe (dropped EXE, spawned by PID 396 and run as PID 4824)

      Filesize  37KB
      MD5       5c02e4b0ad99d924aa9eed7d706bfe12
      SHA1      e1ca2e74e7f873584e6b6d1d0f3d1d2dabc5713a
      SHA256    0c41f773d5abffd1c52f008c3f144155cb7e331816a5c3af1fc42683eab51263
      SHA512    ab2fd5cc9da5f8fb2c8836a9063d8c15db64847a6028f7ac0b330305d24905f8025bbe5cb02c7de5bd0ee63b0173203d496292887ab90926ba4082ac066f5508

    • Memory dumps taken from PID 4824 (NjRAT.exe)

      memory/4824-33-0x0000000072AA2000-0x0000000072AA3000-memory.dmp  4KB
      memory/4824-34-0x0000000072AA0000-0x0000000073051000-memory.dmp  5.7MB
      memory/4824-35-0x0000000072AA0000-0x0000000073051000-memory.dmp  5.7MB
      memory/4824-45-0x0000000072AA0000-0x0000000073051000-memory.dmp  5.7MB
