njrat | 1d0b683cb6c1908c5d54320e4683a66e52cdf7e01bf1f17f652625f58f864fcc

Analysis

max time kernel
149s
max time network
141s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
27-01-2025 16:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d0b683cb6c1908c5d54320e4683a66e52cdf7e01bf1f17f652625f58f864fcc.exe
Size

10.3MB
MD5

41027641808a1da816718b483812fbf0
SHA1

1cd8602d5b53ce59e2545ab9b02df4da62af6860
SHA256

1d0b683cb6c1908c5d54320e4683a66e52cdf7e01bf1f17f652625f58f864fcc
SHA512

7f11e1e3329ea702c98b886b7fa7c36ec14bcd6757ca498172fd4891e4db88a2eea0f05a3c604e1e5fbddd8830e265b7829e8321d56a940c6e9240f71df3f7ea
SSDEEP

196608:X8k6KKGQqCdWKSrGAKqGiuP0EUBBzpE+q:MWN7GB640lzprq

Score

10^/10

njrat hacked discovery persistence trojan upx

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

on-weighted.gl.at.ply.gg:15883

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Deletes itself 1 IoCs

pid	Process
2732	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.exe	svchost.exe

Executes dropped EXE 5 IoCs

pid	Process
2816	Crack.exe
2820	Deushack.exe
2680	Deushack.exe
1196	Process not Found
3024	svchost.exe

Loads dropped DLL 6 IoCs

pid	Process
2764	1d0b683cb6c1908c5d54320e4683a66e52cdf7e01bf1f17f652625f58f864fcc.exe
2764	1d0b683cb6c1908c5d54320e4683a66e52cdf7e01bf1f17f652625f58f864fcc.exe
2820	Deushack.exe
2680	Deushack.exe
1196	Process not Found
2816	Crack.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."	svchost.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00050000000186ed-38.dat	upx
behavioral1/memory/2680-41-0x000007FEF6840000-0x000007FEF6E29000-memory.dmp	upx
behavioral1/memory/2680-54-0x000007FEF6840000-0x000007FEF6E29000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Crack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1d0b683cb6c1908c5d54320e4683a66e52cdf7e01bf1f17f652625f58f864fcc.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2732	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2816	Crack.exe
3024	svchost.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	3024	svchost.exe
Token: 33	3024	svchost.exe
Token: SeIncBasePriorityPrivilege	3024	svchost.exe
Token: 33	3024	svchost.exe
Token: SeIncBasePriorityPrivilege	3024	svchost.exe
Token: 33	3024	svchost.exe
Token: SeIncBasePriorityPrivilege	3024	svchost.exe
Token: 33	3024	svchost.exe
Token: SeIncBasePriorityPrivilege	3024	svchost.exe
Token: 33	3024	svchost.exe
Token: SeIncBasePriorityPrivilege	3024	svchost.exe
Token: 33	3024	svchost.exe
Token: SeIncBasePriorityPrivilege	3024	svchost.exe
Token: 33	3024	svchost.exe
Token: SeIncBasePriorityPrivilege	3024	svchost.exe
Token: 33	3024	svchost.exe
Token: SeIncBasePriorityPrivilege	3024	svchost.exe
Token: 33	3024	svchost.exe
Token: SeIncBasePriorityPrivilege	3024	svchost.exe
Token: 33	3024	svchost.exe
Token: SeIncBasePriorityPrivilege	3024	svchost.exe
Token: 33	3024	svchost.exe
Token: SeIncBasePriorityPrivilege	3024	svchost.exe
Token: 33	3024	svchost.exe
Token: SeIncBasePriorityPrivilege	3024	svchost.exe
Token: 33	3024	svchost.exe
Token: SeIncBasePriorityPrivilege	3024	svchost.exe
Token: 33	3024	svchost.exe
Token: SeIncBasePriorityPrivilege	3024	svchost.exe
Token: 33	3024	svchost.exe
Token: SeIncBasePriorityPrivilege	3024	svchost.exe
Token: 33	3024	svchost.exe
Token: SeIncBasePriorityPrivilege	3024	svchost.exe
Token: 33	3024	svchost.exe
Token: SeIncBasePriorityPrivilege	3024	svchost.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 2816	2764	1d0b683cb6c1908c5d54320e4683a66e52cdf7e01bf1f17f652625f58f864fcc.exe	30
PID 2764 wrote to memory of 2816	2764	1d0b683cb6c1908c5d54320e4683a66e52cdf7e01bf1f17f652625f58f864fcc.exe	30
PID 2764 wrote to memory of 2816	2764	1d0b683cb6c1908c5d54320e4683a66e52cdf7e01bf1f17f652625f58f864fcc.exe	30
PID 2764 wrote to memory of 2816	2764	1d0b683cb6c1908c5d54320e4683a66e52cdf7e01bf1f17f652625f58f864fcc.exe	30
PID 2764 wrote to memory of 2820	2764	1d0b683cb6c1908c5d54320e4683a66e52cdf7e01bf1f17f652625f58f864fcc.exe	31
PID 2764 wrote to memory of 2820	2764	1d0b683cb6c1908c5d54320e4683a66e52cdf7e01bf1f17f652625f58f864fcc.exe	31
PID 2764 wrote to memory of 2820	2764	1d0b683cb6c1908c5d54320e4683a66e52cdf7e01bf1f17f652625f58f864fcc.exe	31
PID 2764 wrote to memory of 2820	2764	1d0b683cb6c1908c5d54320e4683a66e52cdf7e01bf1f17f652625f58f864fcc.exe	31
PID 2820 wrote to memory of 2680	2820	Deushack.exe	32
PID 2820 wrote to memory of 2680	2820	Deushack.exe	32
PID 2820 wrote to memory of 2680	2820	Deushack.exe	32
PID 2764 wrote to memory of 2732	2764	1d0b683cb6c1908c5d54320e4683a66e52cdf7e01bf1f17f652625f58f864fcc.exe	33
PID 2764 wrote to memory of 2732	2764	1d0b683cb6c1908c5d54320e4683a66e52cdf7e01bf1f17f652625f58f864fcc.exe	33
PID 2764 wrote to memory of 2732	2764	1d0b683cb6c1908c5d54320e4683a66e52cdf7e01bf1f17f652625f58f864fcc.exe	33
PID 2764 wrote to memory of 2732	2764	1d0b683cb6c1908c5d54320e4683a66e52cdf7e01bf1f17f652625f58f864fcc.exe	33
PID 2816 wrote to memory of 3024	2816	Crack.exe	35
PID 2816 wrote to memory of 3024	2816	Crack.exe	35
PID 2816 wrote to memory of 3024	2816	Crack.exe	35
PID 2816 wrote to memory of 3024	2816	Crack.exe	35

C:\Users\Admin\AppData\Local\Temp\1d0b683cb6c1908c5d54320e4683a66e52cdf7e01bf1f17f652625f58f864fcc.exe
"C:\Users\Admin\AppData\Local\Temp\1d0b683cb6c1908c5d54320e4683a66e52cdf7e01bf1f17f652625f58f864fcc.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Users\Admin\AppData\Local\Temp\Crack.exe
  "C:\Users\Admin\AppData\Local\Temp\Crack.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:3024
- C:\Users\Admin\AppData\Local\Temp\Deushack.exe
  "C:\Users\Admin\AppData\Local\Temp\Deushack.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Users\Admin\AppData\Local\Temp\Deushack.exe
    "C:\Users\Admin\AppData\Local\Temp\Deushack.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2680
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $file='C:\Users\Admin\AppData\Local\Temp\1d0b683cb6c1908c5d54320e4683a66e52cdf7e01bf1f17f652625f58f864fcc.exe';for($i=1;$i -le 600 -and (Test-Path $file -PathType leaf);$i++){Remove-Item $file;Start-Sleep -m 100}
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Crack.exe

Filesize
43KB

MD5
f3c028ab76f81aebe027ae01513cb25f

SHA1
a74c36c9a75b635fa670c4849a877ba2a86c16a1

SHA256
b1a05960d78ed944e1d752631ee6dffd73a51d54122d44d2d9cca9d18d3fd6a3

SHA512
f5d0fe26c19fae97cbee042adc3507b7d4805ab3cbdfff56506608d1824eb8993da4bb817ab4f4e9d4bd05673ae7a4694c40bc8a08f6db05794632ca316fb504

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deushack.exe

Filesize
6.8MB

MD5
34664a7f49dc5a56c520129cec5d0ae6

SHA1
c3cb6a7fb93c00bc00c35e3f5321bc6084f4f133

SHA256
be2178ff14d3d0cb877a1a6e6f235727388bf3c4d394b97836bce383af658a7b

SHA512
e9a021c59ab5ee073928c575369256bc82067b1196b10ce15acce3a6e280e5ac957cba2692baab117c353c2c4ee30b0cc9352577f91acec59297b59c67f97455

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28202\python311.dll

Filesize
1.6MB

MD5
9e985651962ccbccdf5220f6617b444f

SHA1
9238853fe1cff8a49c2c801644d6aa57ed1fe4d2

SHA256
3373ee171db8898c83711ec5067895426421c44f1be29af96efe00c48555472e

SHA512
8b8e68bbe71dcd928dbe380fe1a839538e7b8747733ba2fd3d421ba8d280a11ba111b7e8322c14214d5986af9c52ab0c75288bbb2a8b55612fb45836c56ddc36

Download Submit
memory/2680-41-0x000007FEF6840000-0x000007FEF6E29000-memory.dmp

Filesize
5.9MB

Download
memory/2680-54-0x000007FEF6840000-0x000007FEF6E29000-memory.dmp

Filesize
5.9MB

Download
memory/2764-0-0x0000000000400000-0x0000000000E5A000-memory.dmp

Filesize
10.4MB

Download
memory/2816-37-0x00000000012E0000-0x00000000012F2000-memory.dmp

Filesize
72KB

Download
memory/3024-53-0x0000000000ED0000-0x0000000000EE2000-memory.dmp

Filesize
72KB

Download