70fb510737bd37ba1fb52030168ac8ff45aedce4c0cf3694df1ac06d47ff026a

Analysis

max time kernel
19s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
22-01-2025 01:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NjRat. 0.7D.exe
Size

93KB
MD5

efd0042a248d7dca9967341071383a04
SHA1

b3084a67d98436d0dd0d4b3b7a553a8613d2f6ce
SHA256

70fb510737bd37ba1fb52030168ac8ff45aedce4c0cf3694df1ac06d47ff026a
SHA512

f2a5aab5324d66b517e290d2cad99f02098c5f47d349ffd552db96d061e7fc0fba3c71bd04ff6b66a0cc22c29056f3eb071f5b4b0e7683be8ac2889edb295be4
SSDEEP

768:BY3aCG4tCTpPchQRza90g5rxPXijj2TAuC4qu2XxrjEtCdnl2pi1Rz4Rk3+sGdpg:VCGKC9dzaGwrVJOzjEwzGi1dD6DGgS

Score

8^/10

defense_evasion discovery persistence privilege_escalation

Malware Config

Signatures

Disables Task Manager via registry modification
defense_evasion

Modifies Windows Firewall 2 TTPs 6 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4284	netsh.exe
2200	netsh.exe
3272	netsh.exe
2880	netsh.exe
3968	netsh.exe
3252	netsh.exe

Deletes itself 1 IoCs

pid	Process
124	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
124	svchost.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	NjRat. 0.7D.exe
File opened for modification	C:\autorun.inf	NjRat. 0.7D.exe
File created	F:\autorun.inf	NjRat. 0.7D.exe
File opened for modification	F:\autorun.inf	NjRat. 0.7D.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 18 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NjRat. 0.7D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3132	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe
3108	NjRat. 0.7D.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3108	NjRat. 0.7D.exe
124	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3108	NjRat. 0.7D.exe
Token: SeDebugPrivilege	124	svchost.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3108 wrote to memory of 3252	3108	NjRat. 0.7D.exe	79
PID 3108 wrote to memory of 3252	3108	NjRat. 0.7D.exe	79
PID 3108 wrote to memory of 3252	3108	NjRat. 0.7D.exe	79
PID 3108 wrote to memory of 4284	3108	NjRat. 0.7D.exe	81
PID 3108 wrote to memory of 4284	3108	NjRat. 0.7D.exe	81
PID 3108 wrote to memory of 4284	3108	NjRat. 0.7D.exe	81
PID 3108 wrote to memory of 2200	3108	NjRat. 0.7D.exe	82
PID 3108 wrote to memory of 2200	3108	NjRat. 0.7D.exe	82
PID 3108 wrote to memory of 2200	3108	NjRat. 0.7D.exe	82
PID 3108 wrote to memory of 124	3108	NjRat. 0.7D.exe	85
PID 3108 wrote to memory of 124	3108	NjRat. 0.7D.exe	85
PID 3108 wrote to memory of 124	3108	NjRat. 0.7D.exe	85
PID 124 wrote to memory of 3272	124	svchost.exe	86
PID 124 wrote to memory of 3272	124	svchost.exe	86
PID 124 wrote to memory of 3272	124	svchost.exe	86
PID 124 wrote to memory of 2880	124	svchost.exe	88
PID 124 wrote to memory of 2880	124	svchost.exe	88
PID 124 wrote to memory of 2880	124	svchost.exe	88
PID 124 wrote to memory of 3968	124	svchost.exe	89
PID 124 wrote to memory of 3968	124	svchost.exe	89
PID 124 wrote to memory of 3968	124	svchost.exe	89
PID 124 wrote to memory of 3132	124	svchost.exe	90
PID 124 wrote to memory of 3132	124	svchost.exe	90
PID 124 wrote to memory of 3132	124	svchost.exe	90

C:\Users\Admin\AppData\Local\Temp\NjRat. 0.7D.exe
"C:\Users\Admin\AppData\Local\Temp\NjRat. 0.7D.exe"
1⤵
- Drops autorun.inf file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3108
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\NjRat. 0.7D.exe" "NjRat. 0.7D.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3252
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\NjRat. 0.7D.exe"
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4284
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\NjRat. 0.7D.exe" "NjRat. 0.7D.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2200
- C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:124
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe" "svchost.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3272
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2880
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe" "svchost.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3968
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn StUpdate /tr C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\melt.txt

Filesize
49B

MD5
93c044aa65e69f5010f5e658f4090ce3

SHA1
e3ee5501de7461f465a9d8470a7de4e1eadc8f4d

SHA256
1f9f1b4bf2be2298afab09c893dd69b67e33af86e9482d6758a82f4b551ac42f

SHA512
f76a39a5d8b2212560647b16d6514638daecc7400cd051c1ac1c7ad99682ff52a0f91025553a7bc21838cbd0c87faf36409f775f9716b8adb0c198037aff60a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

Filesize
93KB

MD5
efd0042a248d7dca9967341071383a04

SHA1
b3084a67d98436d0dd0d4b3b7a553a8613d2f6ce

SHA256
70fb510737bd37ba1fb52030168ac8ff45aedce4c0cf3694df1ac06d47ff026a

SHA512
f2a5aab5324d66b517e290d2cad99f02098c5f47d349ffd552db96d061e7fc0fba3c71bd04ff6b66a0cc22c29056f3eb071f5b4b0e7683be8ac2889edb295be4

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
5B

MD5
d43c5b07c128b116b7bc8faf7b8efa9d

SHA1
dd3540ad4ae14b21b665d108cf4570c2dfa6a6fa

SHA256
80ad1cc7b3a784dad618a445af0c8cf3efa903f82a814756f2aaa7b57f45791f

SHA512
618b01e2b808e1954d011635dfdf63bc75855145208fc5cae33ce09c7e5b43cf978f6511beb311765e6920e728a290c9f9ced7563e40e8ff8d093d50fdc18334

Download Submit
memory/3108-0-0x0000000074F61000-0x0000000074F62000-memory.dmp

Filesize
4KB

Download
memory/3108-1-0x0000000074F60000-0x0000000075511000-memory.dmp

Filesize
5.7MB

Download
memory/3108-2-0x0000000074F60000-0x0000000075511000-memory.dmp

Filesize
5.7MB

Download
memory/3108-4-0x0000000074F60000-0x0000000075511000-memory.dmp

Filesize
5.7MB

Download
memory/3108-22-0x0000000074F60000-0x0000000075511000-memory.dmp

Filesize
5.7MB

Download
memory/3108-24-0x0000000074F60000-0x0000000075511000-memory.dmp

Filesize
5.7MB

Download