njrat | 9d3464e5add1b15adb7ae7f0045b3071373bb05674c4204fc87b62c3235b4098

Analysis

max time kernel
150s
max time network
147s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
07-01-2025 21:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

newiomatrix.exe
Size

1.5MB
MD5

b178a5306528a045601b6f8a3052961c
SHA1

e0df3d88db56391bfb525b1f5e67e2589f9f819a
SHA256

9d3464e5add1b15adb7ae7f0045b3071373bb05674c4204fc87b62c3235b4098
SHA512

0d1c78ed74be8521ad04ea8196712e6944aa8f5db60e49e1da475bc8cdc7673f9d8b848a8373099c120c24dba0734908021d71e7340b6d1c8c19984494bb5e6a
SSDEEP

49152:VBn/d2dDeFH/dmi1oSGvZzlO+QaYdQ7Qg0q+SsMo:VBnlmDe3mcT0Qg0qBsM

Score

10^/10

njrat discovery trojan

Malware Config

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	newuimatrix.exe

Executes dropped EXE 3 IoCs

pid	Process
4400	WindowsApp1.exe
2696	newuimatrix.exe
4928	.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2696	newuimatrix.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe
4928	.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeDebugPrivilege	4400	WindowsApp1.exe
Token: SeDebugPrivilege	4928	.exe
Token: SeDebugPrivilege	2696	newuimatrix.exe
Token: SeDebugPrivilege	2696	newuimatrix.exe
Token: SeLoadDriverPrivilege	2696	newuimatrix.exe
Token: 33	4928	.exe
Token: SeIncBasePriorityPrivilege	4928	.exe
Token: 33	4928	.exe
Token: SeIncBasePriorityPrivilege	4928	.exe
Token: 33	4928	.exe
Token: SeIncBasePriorityPrivilege	4928	.exe
Token: 33	4928	.exe
Token: SeIncBasePriorityPrivilege	4928	.exe
Token: 33	4928	.exe
Token: SeIncBasePriorityPrivilege	4928	.exe
Token: 33	4928	.exe
Token: SeIncBasePriorityPrivilege	4928	.exe
Token: SeShutdownPrivilege	3240	Process not Found
Token: SeCreatePagefilePrivilege	3240	Process not Found
Token: 33	4928	.exe
Token: SeIncBasePriorityPrivilege	4928	.exe
Token: 33	4928	.exe
Token: SeIncBasePriorityPrivilege	4928	.exe
Token: 33	4928	.exe
Token: SeIncBasePriorityPrivilege	4928	.exe
Token: 33	4928	.exe
Token: SeIncBasePriorityPrivilege	4928	.exe
Token: 33	4928	.exe
Token: SeIncBasePriorityPrivilege	4928	.exe
Token: 33	4928	.exe
Token: SeIncBasePriorityPrivilege	4928	.exe
Token: 33	4928	.exe
Token: SeIncBasePriorityPrivilege	4928	.exe
Token: 33	4928	.exe
Token: SeIncBasePriorityPrivilege	4928	.exe
Token: SeShutdownPrivilege	3240	Process not Found
Token: SeCreatePagefilePrivilege	3240	Process not Found
Token: SeShutdownPrivilege	3240	Process not Found
Token: SeCreatePagefilePrivilege	3240	Process not Found
Token: 33	4928	.exe
Token: SeIncBasePriorityPrivilege	4928	.exe
Token: 33	4928	.exe
Token: SeIncBasePriorityPrivilege	4928	.exe
Token: 33	4928	.exe
Token: SeIncBasePriorityPrivilege	4928	.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
464	MiniSearchHost.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3240	Process not Found

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 4400	4936	newiomatrix.exe	79
PID 4936 wrote to memory of 4400	4936	newiomatrix.exe	79
PID 4936 wrote to memory of 2696	4936	newiomatrix.exe	80
PID 4936 wrote to memory of 2696	4936	newiomatrix.exe	80
PID 4400 wrote to memory of 4928	4400	WindowsApp1.exe	82
PID 4400 wrote to memory of 4928	4400	WindowsApp1.exe	82
PID 4400 wrote to memory of 4928	4400	WindowsApp1.exe	82

C:\Users\Admin\AppData\Local\Temp\newiomatrix.exe
"C:\Users\Admin\AppData\Local\Temp\newiomatrix.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Users\Admin\AppData\Local\Temp\WindowsApp1.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsApp1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4400
- - C:\Users\Admin\AppData\Local\Temp\.exe
    "C:\Users\Admin\AppData\Local\Temp\.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4928
- C:\Users\Admin\AppData\Local\Temp\newuimatrix.exe
  "C:\Users\Admin\AppData\Local\Temp\newuimatrix.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID:2696

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
d6d3499e5dfe058db4af5745e6885661

SHA1
ef47b148302484d5ab98320962d62565f88fcc18

SHA256
7ec1b67f891fb646b49853d91170fafc67ff2918befd877dcc8515212be560f6

SHA512
ad1646c13f98e6915e51bfba9207b81f6d1d174a1437f9c1e1c935b7676451ff73a694323ff61fa72ec87b7824ce9380423533599e30d889b689e2e13887045f

Download Submit
C:\Users\Admin\AppData\Local\Temp\.exe

Filesize
55KB

MD5
fe4849ffa249f098453928e596143044

SHA1
4301caaabac0964578d5c4a52b7d25bcdd6b2964

SHA256
1909cf2bc27f34cff7808a3c17201407f3db168fb47be16bbbd350757710c63c

SHA512
fca385842a615267ff627a050b9c772d2d1bcb097a3dea8b27deecce8de504fa22d64ca15b8098f45c1760a7b665faa45dbddae308d11d62e6f30b9e354e4f25

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsApp1.exe

Filesize
291KB

MD5
3693bc9a8fd8f0156d259498aa1b942a

SHA1
2815628498375d5b9bb07b1ab0a0980cda1a1c29

SHA256
e04472ae9698bdd154f51e10f33e3aa79f5c71fcec3018d273fa56816ceba173

SHA512
04b568d100016aef533af800f92d7e1bfdf3ee3b8231e6bf5320b1a07ddf3121346b83f11134c9c49bedd73ea5e3f5b43e60dff162823d1ddcb4401992bcb11a

Download Submit
C:\Users\Admin\AppData\Local\Temp\newuimatrix.exe

Filesize
1.9MB

MD5
fa6bdfabbe8c6fe01b12168d72e526b9

SHA1
aeb70bb39c9d3b2a50198a77e79f8781d91638e9

SHA256
01829947ad26af6d7ca1922c0539c37a76d4d4aa3cff56b87825b935df015e14

SHA512
d70421ddc9ea3be6aeadb9cfa6a0ecce9373c2014edd60783e0d19c0f412959245fb85472268c3b75fb02f114389831e7d2c84fbf3537ccc401a7e5eb6ecb07f

Download Submit
memory/2696-30-0x00007FF740700000-0x00007FF7408F5000-memory.dmp

Filesize
2.0MB

Download
memory/2696-47-0x000002408BF90000-0x000002408BF91000-memory.dmp

Filesize
4KB

Download
memory/2696-46-0x000002408CD60000-0x000002408D9A7000-memory.dmp

Filesize
12.3MB

Download
memory/2696-48-0x000002408CD60000-0x000002408D9A7000-memory.dmp

Filesize
12.3MB

Download
memory/2696-50-0x000002408CD60000-0x000002408D9A7000-memory.dmp

Filesize
12.3MB

Download
memory/2696-57-0x00007FF740700000-0x00007FF7408F5000-memory.dmp

Filesize
2.0MB

Download
memory/4400-32-0x000000001BDC0000-0x000000001BE66000-memory.dmp

Filesize
664KB

Download
memory/4400-33-0x000000001D830000-0x000000001DCFE000-memory.dmp

Filesize
4.8MB

Download
memory/4400-34-0x000000001BC70000-0x000000001BD0C000-memory.dmp

Filesize
624KB

Download
memory/4936-0-0x00007FFFCB093000-0x00007FFFCB095000-memory.dmp

Filesize
8KB

Download
memory/4936-1-0x0000000000310000-0x0000000000498000-memory.dmp

Filesize
1.5MB

Download