njrat | b12ace477963fdde7e7b3c3b81dc01d585d87097e68bed90f5dd41077556b4bf

Analysis

max time kernel
150s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27/01/2025, 10:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Server.exe
Size

93KB
MD5

a9ba2416df448c5f3b36581ecfa4cd31
SHA1

105592c84c83cbf4e6f7b6978ecb6d37c99440b7
SHA256

b12ace477963fdde7e7b3c3b81dc01d585d87097e68bed90f5dd41077556b4bf
SHA512

456ffb46cf5d914108a68292e1f9e73665e7dd3905015c76709ecc954d02b50d9dfdd758c2178791d75aa1010b7c0f2e0cf92659f2471a227497343477e6c9f3
SSDEEP

768:+Y3DCdhWXxyFcxovUKUJuROprXtgN8eYhYbmXxrjEtCdnl2pi1Rz4Rk3GsGdpQgM:hCzWhIUKcuOJXPhBjEwzGi1dDiDQgS

Score

10^/10

njrat hacked defense_evasion discovery persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

hakim32.ddns.net:2000

127.0.0.1:5513

Mutex

67364a37f43593883a7b70eb2426799a

Attributes

reg_key
67364a37f43593883a7b70eb2426799a
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Disables Task Manager via registry modification
defense_evasion

Modifies Windows Firewall 2 TTPs 3 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4964	netsh.exe
2412	netsh.exe
4488	netsh.exe

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Security Update.exe	Server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\67364a37f43593883a7b70eb2426799aWindows Update.exe	Server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\67364a37f43593883a7b70eb2426799aWindows Update.exe	Server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Security Update.exe	Server.exe

Executes dropped EXE 2 IoCs

pid	Process
3156	StUpdate.exe
4760	StUpdate.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StUpdate.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1120	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe
1000	Server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1000	Server.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	1000	Server.exe
Token: 33	1000	Server.exe
Token: SeIncBasePriorityPrivilege	1000	Server.exe
Token: 33	1000	Server.exe
Token: SeIncBasePriorityPrivilege	1000	Server.exe
Token: 33	1000	Server.exe
Token: SeIncBasePriorityPrivilege	1000	Server.exe
Token: 33	1000	Server.exe
Token: SeIncBasePriorityPrivilege	1000	Server.exe
Token: 33	1000	Server.exe
Token: SeIncBasePriorityPrivilege	1000	Server.exe
Token: 33	1000	Server.exe
Token: SeIncBasePriorityPrivilege	1000	Server.exe
Token: 33	1000	Server.exe
Token: SeIncBasePriorityPrivilege	1000	Server.exe
Token: 33	1000	Server.exe
Token: SeIncBasePriorityPrivilege	1000	Server.exe
Token: 33	1000	Server.exe
Token: SeIncBasePriorityPrivilege	1000	Server.exe
Token: 33	1000	Server.exe
Token: SeIncBasePriorityPrivilege	1000	Server.exe
Token: 33	1000	Server.exe
Token: SeIncBasePriorityPrivilege	1000	Server.exe
Token: 33	1000	Server.exe
Token: SeIncBasePriorityPrivilege	1000	Server.exe
Token: 33	1000	Server.exe
Token: SeIncBasePriorityPrivilege	1000	Server.exe
Token: 33	1000	Server.exe
Token: SeIncBasePriorityPrivilege	1000	Server.exe
Token: 33	1000	Server.exe
Token: SeIncBasePriorityPrivilege	1000	Server.exe
Token: 33	1000	Server.exe
Token: SeIncBasePriorityPrivilege	1000	Server.exe
Token: 33	1000	Server.exe
Token: SeIncBasePriorityPrivilege	1000	Server.exe
Token: 33	1000	Server.exe
Token: SeIncBasePriorityPrivilege	1000	Server.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1000 wrote to memory of 4964	1000	Server.exe	82
PID 1000 wrote to memory of 4964	1000	Server.exe	82
PID 1000 wrote to memory of 4964	1000	Server.exe	82
PID 1000 wrote to memory of 4488	1000	Server.exe	84
PID 1000 wrote to memory of 4488	1000	Server.exe	84
PID 1000 wrote to memory of 4488	1000	Server.exe	84
PID 1000 wrote to memory of 2412	1000	Server.exe	85
PID 1000 wrote to memory of 2412	1000	Server.exe	85
PID 1000 wrote to memory of 2412	1000	Server.exe	85
PID 1000 wrote to memory of 1120	1000	Server.exe	86
PID 1000 wrote to memory of 1120	1000	Server.exe	86
PID 1000 wrote to memory of 1120	1000	Server.exe	86

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1000
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4964
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4488
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2412
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /sc minute /mo 1 /tn StUpdate /tr C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1120

C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3156

C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\StUpdate.exe.log

Filesize
408B

MD5
661cab77d3b907e8057f2e689e995af3

SHA1
5d1a0ee9c5ee7a7a90d56d00c10dc0e679bee01c

SHA256
8f27f95ad7c09f2e05d7960e78ef8cd935c1262e9657883a75d70dcb877592d2

SHA512
2523b316bd79fed0e9b3d73f46959f3dfe270cf950f34bd9d49fe4113a2ae46d0cd00224d848bc40c0d8c55449e2dccc4b4278ba4809c0ca9ede1ac75673fc67

Download Submit
C:\Users\Admin\AppData\Local\Temp\StUpdate.exe

Filesize
93KB

MD5
a9ba2416df448c5f3b36581ecfa4cd31

SHA1
105592c84c83cbf4e6f7b6978ecb6d37c99440b7

SHA256
b12ace477963fdde7e7b3c3b81dc01d585d87097e68bed90f5dd41077556b4bf

SHA512
456ffb46cf5d914108a68292e1f9e73665e7dd3905015c76709ecc954d02b50d9dfdd758c2178791d75aa1010b7c0f2e0cf92659f2471a227497343477e6c9f3

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
5B

MD5
c60feebd511c87b86dea130692995a0f

SHA1
d64447a8b3d8949cab5a1f8d168f7c6fee6b6a0a

SHA256
632994320c04707e7ef564b3e983a694170561659552a24dfe14a922dcf0f511

SHA512
bf03fbf3329c6f7a21ecd620319ef1a6f676b22a27afd24aab546483c3fe5f6eee7bbcfdc14c5f6626957f2b96519bdd21aaea45d74a80253fa4220c8c12df7c

Download Submit
memory/1000-0-0x0000000074732000-0x0000000074733000-memory.dmp

Filesize
4KB

Download
memory/1000-1-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download
memory/1000-2-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download
memory/1000-8-0x0000000074732000-0x0000000074733000-memory.dmp

Filesize
4KB

Download
memory/1000-9-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download
memory/1000-10-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download