njrat | 481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469

Analysis

max time kernel
118s
max time network
58s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/01/2025, 12:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe
Size

56KB
MD5

4b6b9b9078efdea1d767e1bb8076e570
SHA1

2cefdc00441bab34f9026172fc4d19c15059b5c5
SHA256

481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469
SHA512

a38c4d9576e6f15341900a1e75057c0e0cc078ee3b3a8ce529a158d494c3a8067f79ba90f85d8a8d591c497a96130a451395efbafd087fc347e29fbd9b57188d
SSDEEP

1536:XvvqylRHMH/Jtakr8KCxEhDYcEb08+D9V2vPscW:fvVa+krSxuDIvi9+Psb

Score

10^/10

njrat evasion execution persistence privilege_escalation trojan

Malware Config

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2424	powershell.exe
2816	powershell.exe
2768	powershell.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2476	netsh.exe

Executes dropped EXE 2 IoCs

pid	Process
2496	481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe
2252	481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe

Loads dropped DLL 3 IoCs

pid	Process
1984	taskeng.exe
1984	taskeng.exe
1984	taskeng.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2584	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2424	powershell.exe
2816	powershell.exe
2768	powershell.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	2380	481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: 33	2380	481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe
Token: SeIncBasePriorityPrivilege	2380	481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe
Token: 33	2380	481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe
Token: SeIncBasePriorityPrivilege	2380	481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe
Token: SeDebugPrivilege	2496	481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe
Token: 33	2380	481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe
Token: SeIncBasePriorityPrivilege	2380	481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe
Token: 33	2380	481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe
Token: SeIncBasePriorityPrivilege	2380	481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe
Token: 33	2380	481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe
Token: SeIncBasePriorityPrivilege	2380	481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe
Token: 33	2380	481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe
Token: SeIncBasePriorityPrivilege	2380	481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe
Token: 33	2380	481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe
Token: SeIncBasePriorityPrivilege	2380	481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe
Token: 33	2380	481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe
Token: SeIncBasePriorityPrivilege	2380	481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe
Token: 33	2380	481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe
Token: SeIncBasePriorityPrivilege	2380	481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe
Token: 33	2380	481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe
Token: SeIncBasePriorityPrivilege	2380	481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe
Token: SeDebugPrivilege	2252	481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe
Token: 33	2380	481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe
Token: SeIncBasePriorityPrivilege	2380	481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe
Token: 33	2380	481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe
Token: SeIncBasePriorityPrivilege	2380	481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe
Token: 33	2380	481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe
Token: SeIncBasePriorityPrivilege	2380	481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2424	2380	481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe	31
PID 2380 wrote to memory of 2424	2380	481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe	31
PID 2380 wrote to memory of 2424	2380	481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe	31
PID 2380 wrote to memory of 2816	2380	481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe	33
PID 2380 wrote to memory of 2816	2380	481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe	33
PID 2380 wrote to memory of 2816	2380	481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe	33
PID 2380 wrote to memory of 2768	2380	481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe	35
PID 2380 wrote to memory of 2768	2380	481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe	35
PID 2380 wrote to memory of 2768	2380	481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe	35
PID 2380 wrote to memory of 2584	2380	481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe	37
PID 2380 wrote to memory of 2584	2380	481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe	37
PID 2380 wrote to memory of 2584	2380	481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe	37
PID 2380 wrote to memory of 2476	2380	481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe	39
PID 2380 wrote to memory of 2476	2380	481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe	39
PID 2380 wrote to memory of 2476	2380	481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe	39
PID 1984 wrote to memory of 2496	1984	taskeng.exe	43
PID 1984 wrote to memory of 2496	1984	taskeng.exe	43
PID 1984 wrote to memory of 2496	1984	taskeng.exe	43
PID 1984 wrote to memory of 2252	1984	taskeng.exe	44
PID 1984 wrote to memory of 2252	1984	taskeng.exe	44
PID 1984 wrote to memory of 2252	1984	taskeng.exe	44

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe
"C:\Users\Admin\AppData\Local\Temp\481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2768
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /rl highest /tn "481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N" /tr "C:\ProgramData\481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2584
- C:\Windows\system32\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe" "481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:2476

C:\Windows\system32\taskeng.exe
taskeng.exe {3BC7D728-6FF5-4EE8-8FB2-3CCB10E9B661} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1984
- C:\ProgramData\481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe
  C:\ProgramData\481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2496
- C:\ProgramData\481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe
  C:\ProgramData\481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
30bf3d2c07b0615511a3ad647bd75e62

SHA1
3c7f82d777cf6bdfb024ff787a0e41dc27ff3e16

SHA256
fcd9f17c325fdec04f86bff064f4a18aa400bd0eff7ab9df5cbfeecf14a8fb35

SHA512
05d1217c77d18ebe6094b8b9a14f241c9e895d7a450a2a96108d70c6a9733e45118192b87d4d0a0b035fbd4222cae83ce539f022725ac5a726b1d232f1c31893

Download Submit
\ProgramData\481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe

Filesize
56KB

MD5
4b6b9b9078efdea1d767e1bb8076e570

SHA1
2cefdc00441bab34f9026172fc4d19c15059b5c5

SHA256
481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469

SHA512
a38c4d9576e6f15341900a1e75057c0e0cc078ee3b3a8ce529a158d494c3a8067f79ba90f85d8a8d591c497a96130a451395efbafd087fc347e29fbd9b57188d

Download Submit
memory/2380-25-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp

Filesize
9.6MB

Download
memory/2380-1-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp

Filesize
9.6MB

Download
memory/2380-2-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp

Filesize
9.6MB

Download
memory/2380-0-0x000007FEF5E0E000-0x000007FEF5E0F000-memory.dmp

Filesize
4KB

Download
memory/2380-27-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp

Filesize
9.6MB

Download
memory/2380-26-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp

Filesize
9.6MB

Download
memory/2380-23-0x000000001E700000-0x000000001E70E000-memory.dmp

Filesize
56KB

Download
memory/2380-24-0x000007FEF5E0E000-0x000007FEF5E0F000-memory.dmp

Filesize
4KB

Download
memory/2424-7-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/2424-8-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/2816-15-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/2816-14-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download