njrat | 22c71fd420809a211e3b9a48db956729c12facae56f564ec42ded0c5486b24a4

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19-01-2025 18:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22c71fd420809a211e3b9a48db956729c12facae56f564ec42ded0c5486b24a4.exe
Size

505KB
MD5

af5e353de273a7b6f8b381b0c587a730
SHA1

7c4d908a23eff944247f82469517ddc1164f4ae0
SHA256

22c71fd420809a211e3b9a48db956729c12facae56f564ec42ded0c5486b24a4
SHA512

2a20b193dcd292b2325030476ed9e89c947a658e0d5a059d3fb8ed3197d7fe546172e69323806dbc7936390caac12791f1592f1440053dca0c4e6170218e50cd
SSDEEP

12288:/LMEalqxXblqoRX5qbfphLxaOSoSDiFJ9e6sXr:zqaXNabfphLxaVpDir46sb

Score

10^/10

njrat lammer defense_evasion discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Lammer

ie-serving.gl.at.ply.gg:18976

Mutex

d386661cfe8f30c3a692533641b57806

Attributes

reg_key
d386661cfe8f30c3a692533641b57806
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1524	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d386661cfe8f30c3a692533641b57806.exe	explore.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d386661cfe8f30c3a692533641b57806.exe	explore.exe

Executes dropped EXE 5 IoCs

pid	Process
2792	o.exe
2876	Setup.exe
2676	Lammer.exe
2772	explore.exe
1032	Lammer2.exe

Loads dropped DLL 7 IoCs

pid	Process
2792	o.exe
2792	o.exe
2676	Lammer.exe
2676	Lammer.exe
2772	explore.exe
2792	o.exe
1032	Lammer2.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\d386661cfe8f30c3a692533641b57806 = "\"C:\\Users\\Admin\\AppData\\Roaming\\explore.exe\" .."	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\d386661cfe8f30c3a692533641b57806 = "\"C:\\Users\\Admin\\AppData\\Roaming\\explore.exe\" .."	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	o.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\Setup.exe:Zone.Identifier	22c71fd420809a211e3b9a48db956729c12facae56f564ec42ded0c5486b24a4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	o.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lammer2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\Setup.exe:Zone.Identifier	22c71fd420809a211e3b9a48db956729c12facae56f564ec42ded0c5486b24a4.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2876	Setup.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2736	22c71fd420809a211e3b9a48db956729c12facae56f564ec42ded0c5486b24a4.exe
Token: SeRestorePrivilege	2736	22c71fd420809a211e3b9a48db956729c12facae56f564ec42ded0c5486b24a4.exe
Token: SeDebugPrivilege	2772	explore.exe
Token: 33	2772	explore.exe
Token: SeIncBasePriorityPrivilege	2772	explore.exe
Token: 33	2772	explore.exe
Token: SeIncBasePriorityPrivilege	2772	explore.exe
Token: 33	2772	explore.exe
Token: SeIncBasePriorityPrivilege	2772	explore.exe
Token: 33	2772	explore.exe
Token: SeIncBasePriorityPrivilege	2772	explore.exe
Token: 33	2772	explore.exe
Token: SeIncBasePriorityPrivilege	2772	explore.exe
Token: 33	2772	explore.exe
Token: SeIncBasePriorityPrivilege	2772	explore.exe
Token: 33	2772	explore.exe
Token: SeIncBasePriorityPrivilege	2772	explore.exe
Token: 33	2772	explore.exe
Token: SeIncBasePriorityPrivilege	2772	explore.exe
Token: 33	2772	explore.exe
Token: SeIncBasePriorityPrivilege	2772	explore.exe
Token: 33	2772	explore.exe
Token: SeIncBasePriorityPrivilege	2772	explore.exe
Token: 33	2772	explore.exe
Token: SeIncBasePriorityPrivilege	2772	explore.exe
Token: 33	2772	explore.exe
Token: SeIncBasePriorityPrivilege	2772	explore.exe
Token: 33	2772	explore.exe
Token: SeIncBasePriorityPrivilege	2772	explore.exe
Token: 33	2772	explore.exe
Token: SeIncBasePriorityPrivilege	2772	explore.exe
Token: 33	2772	explore.exe
Token: SeIncBasePriorityPrivilege	2772	explore.exe
Token: 33	2772	explore.exe
Token: SeIncBasePriorityPrivilege	2772	explore.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 2792	2736	22c71fd420809a211e3b9a48db956729c12facae56f564ec42ded0c5486b24a4.exe	30
PID 2736 wrote to memory of 2792	2736	22c71fd420809a211e3b9a48db956729c12facae56f564ec42ded0c5486b24a4.exe	30
PID 2736 wrote to memory of 2792	2736	22c71fd420809a211e3b9a48db956729c12facae56f564ec42ded0c5486b24a4.exe	30
PID 2736 wrote to memory of 2792	2736	22c71fd420809a211e3b9a48db956729c12facae56f564ec42ded0c5486b24a4.exe	30
PID 2736 wrote to memory of 2792	2736	22c71fd420809a211e3b9a48db956729c12facae56f564ec42ded0c5486b24a4.exe	30
PID 2736 wrote to memory of 2792	2736	22c71fd420809a211e3b9a48db956729c12facae56f564ec42ded0c5486b24a4.exe	30
PID 2736 wrote to memory of 2792	2736	22c71fd420809a211e3b9a48db956729c12facae56f564ec42ded0c5486b24a4.exe	30
PID 2736 wrote to memory of 2876	2736	22c71fd420809a211e3b9a48db956729c12facae56f564ec42ded0c5486b24a4.exe	31
PID 2736 wrote to memory of 2876	2736	22c71fd420809a211e3b9a48db956729c12facae56f564ec42ded0c5486b24a4.exe	31
PID 2736 wrote to memory of 2876	2736	22c71fd420809a211e3b9a48db956729c12facae56f564ec42ded0c5486b24a4.exe	31
PID 2792 wrote to memory of 2676	2792	o.exe	32
PID 2792 wrote to memory of 2676	2792	o.exe	32
PID 2792 wrote to memory of 2676	2792	o.exe	32
PID 2792 wrote to memory of 2676	2792	o.exe	32
PID 2792 wrote to memory of 2676	2792	o.exe	32
PID 2792 wrote to memory of 2676	2792	o.exe	32
PID 2792 wrote to memory of 2676	2792	o.exe	32
PID 2676 wrote to memory of 2772	2676	Lammer.exe	33
PID 2676 wrote to memory of 2772	2676	Lammer.exe	33
PID 2676 wrote to memory of 2772	2676	Lammer.exe	33
PID 2676 wrote to memory of 2772	2676	Lammer.exe	33
PID 2676 wrote to memory of 2772	2676	Lammer.exe	33
PID 2676 wrote to memory of 2772	2676	Lammer.exe	33
PID 2676 wrote to memory of 2772	2676	Lammer.exe	33
PID 2792 wrote to memory of 1032	2792	o.exe	34
PID 2792 wrote to memory of 1032	2792	o.exe	34
PID 2792 wrote to memory of 1032	2792	o.exe	34
PID 2792 wrote to memory of 1032	2792	o.exe	34
PID 2792 wrote to memory of 1032	2792	o.exe	34
PID 2792 wrote to memory of 1032	2792	o.exe	34
PID 2792 wrote to memory of 1032	2792	o.exe	34
PID 2772 wrote to memory of 1524	2772	explore.exe	35
PID 2772 wrote to memory of 1524	2772	explore.exe	35
PID 2772 wrote to memory of 1524	2772	explore.exe	35
PID 2772 wrote to memory of 1524	2772	explore.exe	35
PID 2772 wrote to memory of 1524	2772	explore.exe	35
PID 2772 wrote to memory of 1524	2772	explore.exe	35
PID 2772 wrote to memory of 1524	2772	explore.exe	35

C:\Users\Admin\AppData\Local\Temp\22c71fd420809a211e3b9a48db956729c12facae56f564ec42ded0c5486b24a4.exe
"C:\Users\Admin\AppData\Local\Temp\22c71fd420809a211e3b9a48db956729c12facae56f564ec42ded0c5486b24a4.exe"
1⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Users\Admin\AppData\Local\Temp\o.exe
  "C:\Users\Admin\AppData\Local\Temp\o.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lammer.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lammer.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Users\Admin\AppData\Roaming\explore.exe
      "C:\Users\Admin\AppData\Roaming\explore.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2772
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\explore.exe" "explore.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1524
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lammer2.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lammer2.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1032
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
266KB

MD5
08f60cc9834ea6aa7a0debb5a9f31596

SHA1
c5648fad6c56ee9709ef43ccbedb7c8eb5e1c765

SHA256
012b2fcc90e10eea3a4cae76faaedeb0a0577aa62925ad098c9dd8b6e610e97f

SHA512
649d7d0ecbe3cd8d3dbf649ff2389e9c88e094401a64b60429c6142c20f959c183a503245007d3bb5af80d223508298ee5750057c1279f4874942996bb5d4d4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\o.EXE

Filesize
48KB

MD5
03b12486c36846766a9561ec3c5c9e02

SHA1
90e1cca77e2677b039723b8b90a608268f9039ca

SHA256
fd6dc8ab632954feaa9eb3cf6ed01095cc96bd2d3f4865e1422ff38441e09a19

SHA512
9b26e82a4dba4cc9947551a580465e6178d918767cae59d3079d531b2f7f8e71a0ab79d9d5c8b345f7f646c00072d830bad20f2c454d04c37995ed2703888537

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lammer.exe

Filesize
23KB

MD5
6cc7ee74c76296b93ef955e2dedbef0f

SHA1
0c57c1ba492cb134f0fdcb0423ab51b727b0c56c

SHA256
637f214d4704cb7d775587f81318f3e7bfa25ea9449b2f23f544d48c339b0117

SHA512
5e9897fc8fd114a6f7165972a0a4350d5d5e5efe9b3820cc2aba859471d1df8f32c6ce0b044ad487036774a14cf8e350a3da94a1801e37b4f7976bda16e5ffe9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lammer2.exe

Filesize
23KB

MD5
9eba4d0ebd99b6f937e5e5c33c68f92e

SHA1
35272712e607e459ebe26ad2c4064599a1c796a4

SHA256
6fc709b8016861b2edcf868274c32f9b8706a3915459456762ad8317b4c32c7b

SHA512
94c02c5a76342dc7097d6ba43fb65bcf296ea03399d897ce9a690f93f352e4d7df31604a6d5124557236841ae881d3c91e63b9e4ca9eca252f0c383ba1ddfa3a

Download Submit
memory/2792-67-0x0000000000230000-0x0000000000258000-memory.dmp

Filesize
160KB

Download
memory/2792-22-0x0000000001000000-0x000000000102727F-memory.dmp

Filesize
156KB

Download
memory/2792-69-0x0000000000230000-0x000000000023D000-memory.dmp

Filesize
52KB

Download
memory/2792-35-0x0000000001000000-0x000000000102727F-memory.dmp

Filesize
156KB

Download
memory/2792-68-0x0000000001000000-0x000000000102727F-memory.dmp

Filesize
156KB

Download
memory/2792-50-0x0000000001000000-0x000000000102727F-memory.dmp

Filesize
156KB

Download
memory/2792-49-0x0000000001021000-0x0000000001022000-memory.dmp

Filesize
4KB

Download
memory/2792-48-0x0000000000230000-0x0000000000258000-memory.dmp

Filesize
160KB

Download
memory/2876-51-0x000007FEF581E000-0x000007FEF581F000-memory.dmp

Filesize
4KB

Download
memory/2876-66-0x000007FEF5560000-0x000007FEF5EFD000-memory.dmp

Filesize
9.6MB

Download
memory/2876-47-0x000007FEF5560000-0x000007FEF5EFD000-memory.dmp

Filesize
9.6MB

Download
memory/2876-33-0x000007FEF581E000-0x000007FEF581F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads