njrat | ee2103a5f8e6314618a8dfafe16185d2542cf9ed2ab7cb172bdcdc3b415a9027

Analysis

max time kernel
119s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-01-2025 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee2103a5f8e6314618a8dfafe16185d2542cf9ed2ab7cb172bdcdc3b415a9027N.exe
Size

65KB
MD5

7b6de1f4e80f5f0e56db56f2095ae7a0
SHA1

13ada473813ec380ba5ea8cfac2457a753d88b82
SHA256

ee2103a5f8e6314618a8dfafe16185d2542cf9ed2ab7cb172bdcdc3b415a9027
SHA512

7259a557ee2f186887ec0e40c08fa7bf6fe51d7fb6b9a930c5a876afb5c1534efc3bd0b59d454ce2b6b54e914ced687b298c016c2e467dee090cf1c6365085ae
SSDEEP

1536:nIi1xBBZ3ad5Wj9thVmZAl8FL0gam8qUN/ffRaOug:Ii1xBxjanF7aTqUuO9

Score

10^/10

njrat 150430 discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

150430

crizzybee.ddns.net:777

Mutex

718ee003d92d9b4d5e6b70f7fca7f400

Attributes

reg_key
718ee003d92d9b4d5e6b70f7fca7f400
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2092	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	ee2103a5f8e6314618a8dfafe16185d2542cf9ed2ab7cb172bdcdc3b415a9027N.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\718ee003d92d9b4d5e6b70f7fca7f400.exe	Update window.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\718ee003d92d9b4d5e6b70f7fca7f400.exe	Update window.exe

Executes dropped EXE 2 IoCs

pid	Process
2008	Update window.exe
3992	Update window.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\718ee003d92d9b4d5e6b70f7fca7f400 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Update window.exe\" .."	Update window.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\718ee003d92d9b4d5e6b70f7fca7f400 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Update window.exe\" .."	Update window.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1224 set thread context of 4876	1224	ee2103a5f8e6314618a8dfafe16185d2542cf9ed2ab7cb172bdcdc3b415a9027N.exe	83
PID 2008 set thread context of 3992	2008	Update window.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ee2103a5f8e6314618a8dfafe16185d2542cf9ed2ab7cb172bdcdc3b415a9027N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ee2103a5f8e6314618a8dfafe16185d2542cf9ed2ab7cb172bdcdc3b415a9027N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update window.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update window.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	1224	ee2103a5f8e6314618a8dfafe16185d2542cf9ed2ab7cb172bdcdc3b415a9027N.exe
Token: 33	1224	ee2103a5f8e6314618a8dfafe16185d2542cf9ed2ab7cb172bdcdc3b415a9027N.exe
Token: SeIncBasePriorityPrivilege	1224	ee2103a5f8e6314618a8dfafe16185d2542cf9ed2ab7cb172bdcdc3b415a9027N.exe
Token: 33	1224	ee2103a5f8e6314618a8dfafe16185d2542cf9ed2ab7cb172bdcdc3b415a9027N.exe
Token: SeIncBasePriorityPrivilege	1224	ee2103a5f8e6314618a8dfafe16185d2542cf9ed2ab7cb172bdcdc3b415a9027N.exe
Token: 33	1224	ee2103a5f8e6314618a8dfafe16185d2542cf9ed2ab7cb172bdcdc3b415a9027N.exe
Token: SeIncBasePriorityPrivilege	1224	ee2103a5f8e6314618a8dfafe16185d2542cf9ed2ab7cb172bdcdc3b415a9027N.exe
Token: SeDebugPrivilege	2008	Update window.exe
Token: 33	2008	Update window.exe
Token: SeIncBasePriorityPrivilege	2008	Update window.exe
Token: 33	2008	Update window.exe
Token: SeIncBasePriorityPrivilege	2008	Update window.exe
Token: 33	2008	Update window.exe
Token: SeIncBasePriorityPrivilege	2008	Update window.exe
Token: SeDebugPrivilege	3992	Update window.exe
Token: 33	3992	Update window.exe
Token: SeIncBasePriorityPrivilege	3992	Update window.exe
Token: 33	3992	Update window.exe
Token: SeIncBasePriorityPrivilege	3992	Update window.exe
Token: 33	3992	Update window.exe
Token: SeIncBasePriorityPrivilege	3992	Update window.exe
Token: 33	3992	Update window.exe
Token: SeIncBasePriorityPrivilege	3992	Update window.exe
Token: 33	3992	Update window.exe
Token: SeIncBasePriorityPrivilege	3992	Update window.exe
Token: 33	3992	Update window.exe
Token: SeIncBasePriorityPrivilege	3992	Update window.exe
Token: 33	3992	Update window.exe
Token: SeIncBasePriorityPrivilege	3992	Update window.exe
Token: 33	3992	Update window.exe
Token: SeIncBasePriorityPrivilege	3992	Update window.exe
Token: 33	3992	Update window.exe
Token: SeIncBasePriorityPrivilege	3992	Update window.exe
Token: 33	3992	Update window.exe
Token: SeIncBasePriorityPrivilege	3992	Update window.exe
Token: 33	3992	Update window.exe
Token: SeIncBasePriorityPrivilege	3992	Update window.exe
Token: 33	3992	Update window.exe
Token: SeIncBasePriorityPrivilege	3992	Update window.exe
Token: 33	3992	Update window.exe
Token: SeIncBasePriorityPrivilege	3992	Update window.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 4876	1224	ee2103a5f8e6314618a8dfafe16185d2542cf9ed2ab7cb172bdcdc3b415a9027N.exe	83
PID 1224 wrote to memory of 4876	1224	ee2103a5f8e6314618a8dfafe16185d2542cf9ed2ab7cb172bdcdc3b415a9027N.exe	83
PID 1224 wrote to memory of 4876	1224	ee2103a5f8e6314618a8dfafe16185d2542cf9ed2ab7cb172bdcdc3b415a9027N.exe	83
PID 1224 wrote to memory of 4876	1224	ee2103a5f8e6314618a8dfafe16185d2542cf9ed2ab7cb172bdcdc3b415a9027N.exe	83
PID 1224 wrote to memory of 4876	1224	ee2103a5f8e6314618a8dfafe16185d2542cf9ed2ab7cb172bdcdc3b415a9027N.exe	83
PID 4876 wrote to memory of 2008	4876	ee2103a5f8e6314618a8dfafe16185d2542cf9ed2ab7cb172bdcdc3b415a9027N.exe	85
PID 4876 wrote to memory of 2008	4876	ee2103a5f8e6314618a8dfafe16185d2542cf9ed2ab7cb172bdcdc3b415a9027N.exe	85
PID 4876 wrote to memory of 2008	4876	ee2103a5f8e6314618a8dfafe16185d2542cf9ed2ab7cb172bdcdc3b415a9027N.exe	85
PID 2008 wrote to memory of 3992	2008	Update window.exe	86
PID 2008 wrote to memory of 3992	2008	Update window.exe	86
PID 2008 wrote to memory of 3992	2008	Update window.exe	86
PID 2008 wrote to memory of 3992	2008	Update window.exe	86
PID 2008 wrote to memory of 3992	2008	Update window.exe	86
PID 3992 wrote to memory of 2092	3992	Update window.exe	95
PID 3992 wrote to memory of 2092	3992	Update window.exe	95
PID 3992 wrote to memory of 2092	3992	Update window.exe	95

C:\Users\Admin\AppData\Local\Temp\ee2103a5f8e6314618a8dfafe16185d2542cf9ed2ab7cb172bdcdc3b415a9027N.exe
"C:\Users\Admin\AppData\Local\Temp\ee2103a5f8e6314618a8dfafe16185d2542cf9ed2ab7cb172bdcdc3b415a9027N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Users\Admin\AppData\Local\Temp\ee2103a5f8e6314618a8dfafe16185d2542cf9ed2ab7cb172bdcdc3b415a9027N.exe
  C:\Users\Admin\AppData\Local\Temp\ee2103a5f8e6314618a8dfafe16185d2542cf9ed2ab7cb172bdcdc3b415a9027N.exe
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4876
- - C:\Users\Admin\AppData\Roaming\Update window.exe
    "C:\Users\Admin\AppData\Roaming\Update window.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2008
  - - C:\Users\Admin\AppData\Roaming\Update window.exe
      "C:\Users\Admin\AppData\Roaming\Update window.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3992
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Update window.exe" "Update window.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ee2103a5f8e6314618a8dfafe16185d2542cf9ed2ab7cb172bdcdc3b415a9027N.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Roaming\Update window.exe

Filesize
65KB

MD5
7b6de1f4e80f5f0e56db56f2095ae7a0

SHA1
13ada473813ec380ba5ea8cfac2457a753d88b82

SHA256
ee2103a5f8e6314618a8dfafe16185d2542cf9ed2ab7cb172bdcdc3b415a9027

SHA512
7259a557ee2f186887ec0e40c08fa7bf6fe51d7fb6b9a930c5a876afb5c1534efc3bd0b59d454ce2b6b54e914ced687b298c016c2e467dee090cf1c6365085ae

Download Submit
memory/1224-5-0x0000000005360000-0x000000000536A000-memory.dmp

Filesize
40KB

Download
memory/1224-23-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/1224-4-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/1224-0-0x00000000744DE000-0x00000000744DF000-memory.dmp

Filesize
4KB

Download
memory/1224-6-0x00000000065B0000-0x000000000664C000-memory.dmp

Filesize
624KB

Download
memory/1224-7-0x0000000005650000-0x000000000565A000-memory.dmp

Filesize
40KB

Download
memory/1224-21-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/1224-1-0x00000000008A0000-0x00000000008B6000-memory.dmp

Filesize
88KB

Download
memory/1224-22-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/1224-3-0x00000000052A0000-0x0000000005332000-memory.dmp

Filesize
584KB

Download
memory/1224-2-0x0000000005A00000-0x0000000005FA4000-memory.dmp

Filesize
5.6MB

Download
memory/1224-26-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/2008-40-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/2008-41-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/2008-57-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/4876-24-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/4876-19-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4876-39-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads