njrat | 621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-01-2025 11:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3.exe
Size

506KB
MD5

cea8687c16ca4de232b21a53308714d3
SHA1

88d8fbf3e679fa2c081e79d9b561d31b8a359538
SHA256

621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3
SHA512

e09aedf77f7eedd2e49825bda4ac6e966c301135419d857df2e2c86d78c82c48d09609ed6b6937a5f4582276395bd22f8d51fd1ab3e84e287edac207e8942b3f
SSDEEP

12288:/LMEalqxXblqoRX5qbfphLxaOSoSDi7mbsG46w:zqaXNabfphLxaVpDiiQ9

Score

10^/10

njrat lammer lammer1 defense_evasion discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Lammer

ie-serving.gl.at.ply.gg:18976

Mutex

d386661cfe8f30c3a692533641b57806

Attributes

reg_key
d386661cfe8f30c3a692533641b57806
splitter
|'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

Lammer1

ie-serving.gl.at.ply.gg:18976

Mutex

82f896a33c031e162176bdb24630461b

Attributes

reg_key
82f896a33c031e162176bdb24630461b
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4524	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Lammer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d386661cfe8f30c3a692533641b57806.exe	explore.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d386661cfe8f30c3a692533641b57806.exe	explore.exe

Executes dropped EXE 5 IoCs

pid	Process
2348	crackreado.exe
4032	vn.exe
1372	Lammer.exe
2540	explore.exe
3528	Lammer1.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	vn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d386661cfe8f30c3a692533641b57806 = "\"C:\\Users\\Admin\\AppData\\Roaming\\explore.exe\" .."	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\d386661cfe8f30c3a692533641b57806 = "\"C:\\Users\\Admin\\AppData\\Roaming\\explore.exe\" .."	explore.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\crackreado.exe:Zone.Identifier	621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lammer1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\crackreado.exe:Zone.Identifier	621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4456	621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3.exe
Token: SeRestorePrivilege	4456	621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3.exe
Token: SeDebugPrivilege	2540	explore.exe
Token: 33	2540	explore.exe
Token: SeIncBasePriorityPrivilege	2540	explore.exe
Token: 33	2540	explore.exe
Token: SeIncBasePriorityPrivilege	2540	explore.exe
Token: 33	2540	explore.exe
Token: SeIncBasePriorityPrivilege	2540	explore.exe
Token: 33	2540	explore.exe
Token: SeIncBasePriorityPrivilege	2540	explore.exe
Token: 33	2540	explore.exe
Token: SeIncBasePriorityPrivilege	2540	explore.exe
Token: 33	2540	explore.exe
Token: SeIncBasePriorityPrivilege	2540	explore.exe
Token: 33	2540	explore.exe
Token: SeIncBasePriorityPrivilege	2540	explore.exe
Token: 33	2540	explore.exe
Token: SeIncBasePriorityPrivilege	2540	explore.exe
Token: 33	2540	explore.exe
Token: SeIncBasePriorityPrivilege	2540	explore.exe
Token: 33	2540	explore.exe
Token: SeIncBasePriorityPrivilege	2540	explore.exe
Token: 33	2540	explore.exe
Token: SeIncBasePriorityPrivilege	2540	explore.exe
Token: 33	2540	explore.exe
Token: SeIncBasePriorityPrivilege	2540	explore.exe
Token: 33	2540	explore.exe
Token: SeIncBasePriorityPrivilege	2540	explore.exe
Token: 33	2540	explore.exe
Token: SeIncBasePriorityPrivilege	2540	explore.exe
Token: 33	2540	explore.exe
Token: SeIncBasePriorityPrivilege	2540	explore.exe
Token: 33	2540	explore.exe
Token: SeIncBasePriorityPrivilege	2540	explore.exe
Token: 33	2540	explore.exe
Token: SeIncBasePriorityPrivilege	2540	explore.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4456 wrote to memory of 2348	4456	621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3.exe	82
PID 4456 wrote to memory of 2348	4456	621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3.exe	82
PID 4456 wrote to memory of 4032	4456	621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3.exe	84
PID 4456 wrote to memory of 4032	4456	621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3.exe	84
PID 4456 wrote to memory of 4032	4456	621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3.exe	84
PID 4032 wrote to memory of 1372	4032	vn.exe	85
PID 4032 wrote to memory of 1372	4032	vn.exe	85
PID 4032 wrote to memory of 1372	4032	vn.exe	85
PID 1372 wrote to memory of 2540	1372	Lammer.exe	90
PID 1372 wrote to memory of 2540	1372	Lammer.exe	90
PID 1372 wrote to memory of 2540	1372	Lammer.exe	90
PID 4032 wrote to memory of 3528	4032	vn.exe	91
PID 4032 wrote to memory of 3528	4032	vn.exe	91
PID 4032 wrote to memory of 3528	4032	vn.exe	91
PID 2540 wrote to memory of 4524	2540	explore.exe	95
PID 2540 wrote to memory of 4524	2540	explore.exe	95
PID 2540 wrote to memory of 4524	2540	explore.exe	95

C:\Users\Admin\AppData\Local\Temp\621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3.exe
"C:\Users\Admin\AppData\Local\Temp\621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3.exe"
1⤵
- Checks computer location settings
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4456
- C:\Users\Admin\AppData\Local\Temp\crackreado.exe
  "C:\Users\Admin\AppData\Local\Temp\crackreado.exe"
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Users\Admin\AppData\Local\Temp\vn.exe
  "C:\Users\Admin\AppData\Local\Temp\vn.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4032
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lammer.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lammer.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1372
  - - C:\Users\Admin\AppData\Roaming\explore.exe
      "C:\Users\Admin\AppData\Roaming\explore.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2540
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\explore.exe" "explore.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:4524
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lammer1.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lammer1.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lammer.exe

Filesize
23KB

MD5
26faf73fe025e21d49eb7d6d93146937

SHA1
0656911baa4e191c64e62bc8636f9dd9b4f3ac92

SHA256
ed3104c51ae7ce3a6ae62641c6bfbc5094a73eac53e6ca6706434e0815053195

SHA512
e7d0fa3cfe3bcd8ad36c01b132a463a1570f49fa3aa019d66e41359c49b2c88ef7af6a48a4de9bbe1f95c3b5840606514afca4011d836446c82ec5a0c1e83a54

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lammer1.exe

Filesize
23KB

MD5
6e21d078457153d26ad7bba875c27266

SHA1
021b8de05fd173c442445fdb7a2c35e6c55c22e4

SHA256
a80d4c357c01acdf27602109d41827da153c712d5ddc8dce1f19723257fd7e2f

SHA512
bf390204b31f532f94965c283210280fbbb47b5d5150825a8648362fb5443dc2d0df98b6bf9d8b0da8d8a273688b7252ed6043081ad545c1109f2cb4c65e6ef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\crackreado.exe

Filesize
266KB

MD5
08f60cc9834ea6aa7a0debb5a9f31596

SHA1
c5648fad6c56ee9709ef43ccbedb7c8eb5e1c765

SHA256
012b2fcc90e10eea3a4cae76faaedeb0a0577aa62925ad098c9dd8b6e610e97f

SHA512
649d7d0ecbe3cd8d3dbf649ff2389e9c88e094401a64b60429c6142c20f959c183a503245007d3bb5af80d223508298ee5750057c1279f4874942996bb5d4d4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vn.EXE

Filesize
49KB

MD5
ad82a9592cf1049cc41e09a5ded58087

SHA1
6c609e53570e6c681889e6ef8a125f3ea06dbd68

SHA256
ca36c45944b74585a60c05e618ab6bf891935f78f0137ccb27d23f2be13ca13f

SHA512
d96a40310057a7f4cd649fcc38d4d5b377b7a21ae3fd8d2941eb027eb8c107440f9d3bbd5cc67a701f40d4674f3df549dc96b2b0d0d68f592d1ece98bb4021bb

Download Submit
memory/2348-48-0x000000001C5F0000-0x000000001C63C000-memory.dmp

Filesize
304KB

Download
memory/2348-62-0x00007FFD9A925000-0x00007FFD9A926000-memory.dmp

Filesize
4KB

Download
memory/2348-40-0x00007FFD9A670000-0x00007FFD9B011000-memory.dmp

Filesize
9.6MB

Download
memory/2348-42-0x00007FFD9A670000-0x00007FFD9B011000-memory.dmp

Filesize
9.6MB

Download
memory/2348-33-0x000000001B9A0000-0x000000001BA46000-memory.dmp

Filesize
664KB

Download
memory/2348-45-0x000000001BF20000-0x000000001C3EE000-memory.dmp

Filesize
4.8MB

Download
memory/2348-46-0x000000001C490000-0x000000001C52C000-memory.dmp

Filesize
624KB

Download
memory/2348-47-0x0000000001250000-0x0000000001258000-memory.dmp

Filesize
32KB

Download
memory/2348-32-0x00007FFD9A925000-0x00007FFD9A926000-memory.dmp

Filesize
4KB

Download
memory/2348-63-0x00007FFD9A670000-0x00007FFD9B011000-memory.dmp

Filesize
9.6MB

Download
memory/4032-34-0x0000000001000000-0x0000000001028548-memory.dmp

Filesize
161KB

Download
memory/4032-61-0x0000000001000000-0x0000000001028548-memory.dmp

Filesize
161KB

Download
memory/4032-30-0x0000000001000000-0x0000000001028548-memory.dmp

Filesize
161KB

Download
memory/4032-65-0x0000000001000000-0x0000000001028548-memory.dmp

Filesize
161KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads