Overview

overview

10

Static

static

3

22497ED359...6B.exe

windows7-x64

10

22497ED359...6B.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-01-2025 22:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    22497ED35962BA4106D6CD6751AFD06B.exe

  • Size

    333KB

  • MD5

    22497ed35962ba4106d6cd6751afd06b

  • SHA1

    2010377a9652e65e3e3cce583b06b2232857d8bf

  • SHA256

    4ec0ed4f04a5e091eb8b2f9189e4e6f50dc5c107c3d47e69691fda901a2e0686

  • SHA512

    f2f2dd11679619363be076d33d2147f5ff6c248b378e4fdd2b2e688c3e1a4d32d8287f38f4d313170aae50390c909d3fcef2d9cdf0c58cc66b2df2045518cc52

  • SSDEEP

    6144:vnJMBDdqCP+Y+RJ92nf5O3lPXhRVtGJYub8Upa61MbRDI0zzx/vnG2pFgLbW:vniBB+RJ92nfo3BhRVMBGvOW

Score
10/10
njrathackeddefense_evasionevasionexecutionpersistenceprivilege_escalationtrojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

leechon.hackcrack.io:1111

Mutex

Bluetooth Uninstall Device Task

Attributes
  • reg_key

    Bluetooth Uninstall Device Task

  • splitter

    |'|'|

Signatures

  • Njrat family
    njrat
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

    Run Powershell and hide display window.

    execution
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Hide Artifacts: Hidden Window 1 TTPs 8 IoCs

    Windows that would typically be displayed when an application carries out an operation can be hidden.

    defense_evasion
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\22497ED35962BA4106D6CD6751AFD06B.exe
    "C:\Users\Admin\AppData\Local\Temp\22497ED35962BA4106D6CD6751AFD06B.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3680
    • \??\c:\windows\system32\cmstp.exe
      "c:\windows\system32\cmstp.exe" /au C:\Users\Admin\AppData\Local\Temp\0je2zicf.inf
      2⤵
        PID:3176
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\bthudtask.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\bthudtask.exe"
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1476
        • C:\Windows\SYSTEM32\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\bthudtask.exe" "bthudtask.exe" ENABLE
          3⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          PID:4452
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
      1⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4152
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
        2⤵
        • Hide Artifacts: Hidden Window
        • Suspicious use of WriteProcessMemory
        PID:212
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:2312
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe
        2⤵
        • Hide Artifacts: Hidden Window
        • Suspicious use of WriteProcessMemory
        PID:3220
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:1752
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe
        2⤵
        • Hide Artifacts: Hidden Window
        • Suspicious use of WriteProcessMemory
        PID:3332
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:2476
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
        2⤵
        • Hide Artifacts: Hidden Window
        • Suspicious use of WriteProcessMemory
        PID:5076
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:5080
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe
        2⤵
        • Hide Artifacts: Hidden Window
        • Suspicious use of WriteProcessMemory
        PID:1108
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:2288
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Taskmgr.exe
        2⤵
        • Hide Artifacts: Hidden Window
        • Suspicious use of WriteProcessMemory
        PID:1288
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Taskmgr.exe
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:3404
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\msedge.exe
        2⤵
        • Hide Artifacts: Hidden Window
        • Suspicious use of WriteProcessMemory
        PID:3436
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\msedge.exe
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:516
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\SystemSettingsBroker.exe
        2⤵
        • Hide Artifacts: Hidden Window
        • Suspicious use of WriteProcessMemory
        PID:3456
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\SystemSettingsBroker.exe
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:1300
    • C:\Windows\system32\taskkill.exe
      taskkill /IM cmstp.exe /F
      1⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4024

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    PowerShell

    1
    T1059.001

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Event Triggered Execution

    1
    T1546

    Netsh Helper DLL

    1
    T1546.007

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Event Triggered Execution

    1
    T1546

    Netsh Helper DLL

    1
    T1546.007

    Defense Evasion

    Hide Artifacts

    1
    T1564

    Hidden Window

    1
    T1564.003

    Impair Defenses

    1
    T1562

    Disable or Modify System Firewall

    1
    T1562.004

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      d85ba6ff808d9e5444a4b369f5bc2730

      SHA1

      31aa9d96590fff6981b315e0b391b575e4c0804a

      SHA256

      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

      SHA512

      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      6d3e9c29fe44e90aae6ed30ccf799ca8

      SHA1

      c7974ef72264bbdf13a2793ccf1aed11bc565dce

      SHA256

      2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

      SHA512

      60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      d28a889fd956d5cb3accfbaf1143eb6f

      SHA1

      157ba54b365341f8ff06707d996b3635da8446f7

      SHA256

      21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

      SHA512

      0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      2e907f77659a6601fcc408274894da2e

      SHA1

      9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

      SHA256

      385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

      SHA512

      34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\0je2zicf.inf
      Filesize

      619B

      MD5

      6f1420f2133f3e08fd8cdea0e1f5fe27

      SHA1

      3aa41ec75adc0cf50e001ca91bbfa7f763adf70b

      SHA256

      aed1ac2424a255f231168bcb02f16b6ea89603e0045465c2149abcde33a06242

      SHA512

      d5629e9835f881cd271e88d9ec2d2c27b9d5d1b25329ade5cfb9824a6358c9e98e66f1b89ac9459b4c540c02af2728129dd8523bdf007cadf28b5fa2d199a2aa

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yg2dbii0.dlv.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\bthudtask.exe
      Filesize

      333KB

      MD5

      22497ed35962ba4106d6cd6751afd06b

      SHA1

      2010377a9652e65e3e3cce583b06b2232857d8bf

      SHA256

      4ec0ed4f04a5e091eb8b2f9189e4e6f50dc5c107c3d47e69691fda901a2e0686

      SHA512

      f2f2dd11679619363be076d33d2147f5ff6c248b378e4fdd2b2e688c3e1a4d32d8287f38f4d313170aae50390c909d3fcef2d9cdf0c58cc66b2df2045518cc52

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
      Filesize

      84KB

      MD5

      15ee95bc8e2e65416f2a30cf05ef9c2e

      SHA1

      107ca99d3414642450dec196febcd787ac8d7596

      SHA256

      c55b3aaf558c1cd8768f3d22b3fcc908a0e8c33e3f4e1f051d2b1b9315223d4d

      SHA512

      ed1cceb8894fb02cd585ec799e7c8564536976e50c04bf0c3e246a24a6eef719079455f1d6664fa09181979260db16903c60a0ef938472ca71ccaabe16ea1a98

      Download Submit

    • memory/1476-127-0x000000001C520000-0x000000001C582000-memory.dmp

      Filesize

      392KB

      Download

    • memory/2312-29-0x0000025B716F0000-0x0000025B71712000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3680-9-0x000000001BE70000-0x000000001BF0C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/3680-10-0x0000000001490000-0x0000000001498000-memory.dmp

      Filesize

      32KB

      Download

    • memory/3680-1-0x00007FFDBF430000-0x00007FFDBFDD1000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/3680-126-0x00007FFDBF430000-0x00007FFDBFDD1000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/3680-15-0x0000000001820000-0x000000000182C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/3680-2-0x00007FFDBF430000-0x00007FFDBFDD1000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/3680-11-0x00007FFDBF430000-0x00007FFDBFDD1000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/3680-111-0x00007FFDBF430000-0x00007FFDBFDD1000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/3680-0-0x00007FFDBF6E5000-0x00007FFDBF6E6000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3680-6-0x000000001C8C0000-0x000000001CD8E000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/3680-3-0x000000001C270000-0x000000001C316000-memory.dmp

      Filesize

      664KB

      Download

    • memory/3680-110-0x00007FFDBF6E5000-0x00007FFDBF6E6000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4152-16-0x00007FFDBF430000-0x00007FFDBFDD1000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/4152-14-0x00007FFDBF430000-0x00007FFDBFDD1000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/4152-19-0x00007FFDBF430000-0x00007FFDBFDD1000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/4152-17-0x00007FFDBF430000-0x00007FFDBFDD1000-memory.dmp

      Filesize

      9.6MB

      Download