njrat | 3990ab6d73f0a92606cb4c86d39e077f014da65413a264be94d03ca8478e64b8

Analysis

max time kernel
194s
max time network
196s
platform
windows11-21h2_x64
resource
win11-20250314-en
resource tags

arch:x64arch:x86image:win11-20250314-enlocale:en-usos:windows11-21h2-x64system
submitted
21/03/2025, 20:52

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

pisun.exe
Size

54KB
MD5

45140e967970cd63521eaa76dc4db7d7
SHA1

aae8aa4c5fb8e1d5a830f1f095d7550a89b7634a
SHA256

3990ab6d73f0a92606cb4c86d39e077f014da65413a264be94d03ca8478e64b8
SHA512

d8c5274fc1c66700c3fb63527973cb20106070698eebdf90e6b3f9ace371e34a653e382f949683d9aab0cb33fdd00ab2b943e499a4d2d6f42a24822fa2142129
SSDEEP

768:U8I0g652Esltuq55JR2ET3NwJSNbxWQG35bmaePD5PvXOC2XXJdxIEpmvg:U8ZVGtZ5DTCGlWQcGD0LX3xIEpmvg

Score

10^/10

njrat bootkit discovery persistence trojan

Malware Config

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 2 IoCs

pid	Process
5436	97bbe48c71cf4ef3b995a057edeccda6.exe
3284	24c40794122946d4a9c3d3053ff05512.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	pisun.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pisun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	97bbe48c71cf4ef3b995a057edeccda6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies data under HKEY_USERS 42 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "123"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\ShowShiftLock = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\KeyboardLayout = "67699721"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\Language\00000000 = "00000409"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US\CachedLanguageName = "@Winlangdb.dll,-1121"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\LANGUAGE	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\HiddenDummyLayouts	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\Profile = "{00000000-0000-0000-0000-000000000000}"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US\0409:00000409 = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\Languages = 65006e002d005500530000000000	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\Language	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Keyboard Layout\Substitutes	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\ASSEMBLYITEM\0X00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\ASSEMBLYITEM\0X00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\ShowCasing = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\TIP	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\CLSID = "{00000000-0000-0000-0000-000000000000}"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Keyboard Layout\Preload	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Keyboard Layout\Preload\1 = "00000409"	LogonUI.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4932	pisun.exe
Token: 33	4932	pisun.exe
Token: SeIncBasePriorityPrivilege	4932	pisun.exe
Token: 33	4932	pisun.exe
Token: SeIncBasePriorityPrivilege	4932	pisun.exe
Token: 33	4932	pisun.exe
Token: SeIncBasePriorityPrivilege	4932	pisun.exe
Token: SeDebugPrivilege	5436	97bbe48c71cf4ef3b995a057edeccda6.exe
Token: 33	5436	97bbe48c71cf4ef3b995a057edeccda6.exe
Token: SeIncBasePriorityPrivilege	5436	97bbe48c71cf4ef3b995a057edeccda6.exe
Token: 33	4932	pisun.exe
Token: SeIncBasePriorityPrivilege	4932	pisun.exe
Token: 33	5436	97bbe48c71cf4ef3b995a057edeccda6.exe
Token: SeIncBasePriorityPrivilege	5436	97bbe48c71cf4ef3b995a057edeccda6.exe
Token: 33	4932	pisun.exe
Token: SeIncBasePriorityPrivilege	4932	pisun.exe
Token: 33	5436	97bbe48c71cf4ef3b995a057edeccda6.exe
Token: SeIncBasePriorityPrivilege	5436	97bbe48c71cf4ef3b995a057edeccda6.exe
Token: 33	4932	pisun.exe
Token: SeIncBasePriorityPrivilege	4932	pisun.exe
Token: 33	5436	97bbe48c71cf4ef3b995a057edeccda6.exe
Token: SeIncBasePriorityPrivilege	5436	97bbe48c71cf4ef3b995a057edeccda6.exe
Token: 33	4932	pisun.exe
Token: SeIncBasePriorityPrivilege	4932	pisun.exe
Token: 33	5436	97bbe48c71cf4ef3b995a057edeccda6.exe
Token: SeIncBasePriorityPrivilege	5436	97bbe48c71cf4ef3b995a057edeccda6.exe
Token: 33	4932	pisun.exe
Token: SeIncBasePriorityPrivilege	4932	pisun.exe
Token: 33	5436	97bbe48c71cf4ef3b995a057edeccda6.exe
Token: SeIncBasePriorityPrivilege	5436	97bbe48c71cf4ef3b995a057edeccda6.exe
Token: 33	4932	pisun.exe
Token: SeIncBasePriorityPrivilege	4932	pisun.exe
Token: 33	5436	97bbe48c71cf4ef3b995a057edeccda6.exe
Token: SeIncBasePriorityPrivilege	5436	97bbe48c71cf4ef3b995a057edeccda6.exe
Token: 33	4932	pisun.exe
Token: SeIncBasePriorityPrivilege	4932	pisun.exe
Token: 33	5436	97bbe48c71cf4ef3b995a057edeccda6.exe
Token: SeIncBasePriorityPrivilege	5436	97bbe48c71cf4ef3b995a057edeccda6.exe
Token: 33	4932	pisun.exe
Token: SeIncBasePriorityPrivilege	4932	pisun.exe
Token: 33	5436	97bbe48c71cf4ef3b995a057edeccda6.exe
Token: SeIncBasePriorityPrivilege	5436	97bbe48c71cf4ef3b995a057edeccda6.exe
Token: 33	4932	pisun.exe
Token: SeIncBasePriorityPrivilege	4932	pisun.exe
Token: 33	5436	97bbe48c71cf4ef3b995a057edeccda6.exe
Token: SeIncBasePriorityPrivilege	5436	97bbe48c71cf4ef3b995a057edeccda6.exe
Token: 33	4932	pisun.exe
Token: SeIncBasePriorityPrivilege	4932	pisun.exe
Token: 33	5436	97bbe48c71cf4ef3b995a057edeccda6.exe
Token: SeIncBasePriorityPrivilege	5436	97bbe48c71cf4ef3b995a057edeccda6.exe
Token: 33	4932	pisun.exe
Token: SeIncBasePriorityPrivilege	4932	pisun.exe
Token: 33	5436	97bbe48c71cf4ef3b995a057edeccda6.exe
Token: SeIncBasePriorityPrivilege	5436	97bbe48c71cf4ef3b995a057edeccda6.exe
Token: 33	4932	pisun.exe
Token: SeIncBasePriorityPrivilege	4932	pisun.exe
Token: 33	5436	97bbe48c71cf4ef3b995a057edeccda6.exe
Token: SeIncBasePriorityPrivilege	5436	97bbe48c71cf4ef3b995a057edeccda6.exe
Token: 33	4932	pisun.exe
Token: SeIncBasePriorityPrivilege	4932	pisun.exe
Token: 33	5436	97bbe48c71cf4ef3b995a057edeccda6.exe
Token: SeIncBasePriorityPrivilege	5436	97bbe48c71cf4ef3b995a057edeccda6.exe
Token: 33	4932	pisun.exe
Token: SeIncBasePriorityPrivilege	4932	pisun.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4932	pisun.exe
4932	pisun.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1984	LogonUI.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4932 wrote to memory of 5436	4932	pisun.exe	79
PID 4932 wrote to memory of 5436	4932	pisun.exe	79
PID 4932 wrote to memory of 5436	4932	pisun.exe	79
PID 5436 wrote to memory of 5784	5436	97bbe48c71cf4ef3b995a057edeccda6.exe	83
PID 5436 wrote to memory of 5784	5436	97bbe48c71cf4ef3b995a057edeccda6.exe	83
PID 5436 wrote to memory of 5784	5436	97bbe48c71cf4ef3b995a057edeccda6.exe	83
PID 5784 wrote to memory of 3464	5784	cmd.exe	85
PID 5784 wrote to memory of 3464	5784	cmd.exe	85
PID 5784 wrote to memory of 3464	5784	cmd.exe	85
PID 4932 wrote to memory of 3284	4932	pisun.exe	87
PID 4932 wrote to memory of 3284	4932	pisun.exe	87

C:\Users\Admin\AppData\Local\Temp\pisun.exe
"C:\Users\Admin\AppData\Local\Temp\pisun.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Users\Admin\AppData\Local\Temp\97bbe48c71cf4ef3b995a057edeccda6.exe
  "C:\Users\Admin\AppData\Local\Temp\97bbe48c71cf4ef3b995a057edeccda6.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5436
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c rundll32.exe user32.dll,LockWorkStation
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5784
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe user32.dll,LockWorkStation
      4⤵
      System Location Discovery: System Language Discovery
      PID:3464
- C:\Users\Admin\AppData\Local\Temp\24c40794122946d4a9c3d3053ff05512.exe
  "C:\Users\Admin\AppData\Local\Temp\24c40794122946d4a9c3d3053ff05512.exe"
  2⤵
  - Executes dropped EXE
  PID:3284

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39c8855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1984

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C4 0x000000000000044C
1⤵
PID:5860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\SystemData\S-1-5-21-1678082226-3994841222-899489560-1000\ReadOnly\LockScreen_Z\LockScreen___1280_0720_notdimmed.jpg

Filesize
62KB

MD5
6cb7e9f13c79d1dd975a8aa005ab0256

SHA1
eac7fc28cc13ac1e9c85f828215cd61f0c698ae3

SHA256
af2537d470fddbeda270c965b8dbdf7e9ccf480ed2f525012e2f1035112a6d67

SHA512
3a40359d8e4cc8792be78a022dc04daed5c1cc55d78fe9cf3e061ea5587baa15023ce2152238f5be5cc5124cd468f220cf9dab54344d93edd3dfcd400b24469d

Download Submit
C:\Users\Admin\AppData\Local\Temp\24c40794122946d4a9c3d3053ff05512.exe

Filesize
844KB

MD5
8cac1595b184f66d7a122af38d5dfe71

SHA1
e0bc0162472edf77a05134e77b540663ac050ab6

SHA256
00201a2fd4916193c9c7bbba7be6a77fa5876085480b67da4e1228fd8b23ae5f

SHA512
88d3753ce73bbf95ee1fdbdff21eb9331e59ca92cfa5c489f141c07dc90871e3032e331c9dd77b1fec4522add3ac25c51d5c699d7801a5343dd2ae447c60f8f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\97bbe48c71cf4ef3b995a057edeccda6.exe

Filesize
54KB

MD5
036b3d9a4d952a24395e7bb611c343fc

SHA1
c22e1bd6a08cb355af0916d071c1bca492b71948

SHA256
4f04da82187c751bef7418649b8581ae26258687eb437293bc1580339de7a414

SHA512
2a0e6508fba8adec93929db094e664b252cfa635694a7d2e72c4b7d3ba2be6d30c37e5de17559dd728fdeda27fd5f843247a197339255b1d2c178dea34c6652b

Download Submit
memory/3284-43-0x000000001B7E0000-0x000000001B886000-memory.dmp

Filesize
664KB

Download
memory/3284-47-0x000000001C560000-0x000000001C5AC000-memory.dmp

Filesize
304KB

Download
memory/3284-46-0x0000000001090000-0x0000000001098000-memory.dmp

Filesize
32KB

Download
memory/3284-45-0x000000001C390000-0x000000001C42C000-memory.dmp

Filesize
624KB

Download
memory/3284-44-0x000000001BE20000-0x000000001C2EE000-memory.dmp

Filesize
4.8MB

Download
memory/4932-2-0x00000000747B0000-0x0000000074D61000-memory.dmp

Filesize
5.7MB

Download
memory/4932-5-0x00000000747B0000-0x0000000074D61000-memory.dmp

Filesize
5.7MB

Download
memory/4932-3-0x00000000747B0000-0x0000000074D61000-memory.dmp

Filesize
5.7MB

Download
memory/4932-51-0x00000000747B0000-0x0000000074D61000-memory.dmp

Filesize
5.7MB

Download
memory/4932-4-0x00000000747B0000-0x0000000074D61000-memory.dmp

Filesize
5.7MB

Download
memory/4932-17-0x00000000747B0000-0x0000000074D61000-memory.dmp

Filesize
5.7MB

Download
memory/4932-0-0x00000000747B1000-0x00000000747B2000-memory.dmp

Filesize
4KB

Download
memory/4932-1-0x00000000747B0000-0x0000000074D61000-memory.dmp

Filesize
5.7MB

Download
memory/5436-16-0x00000000747B0000-0x0000000074D61000-memory.dmp

Filesize
5.7MB

Download
memory/5436-22-0x00000000747B0000-0x0000000074D61000-memory.dmp

Filesize
5.7MB

Download
memory/5436-21-0x00000000747B0000-0x0000000074D61000-memory.dmp

Filesize
5.7MB

Download
memory/5436-20-0x00000000747B0000-0x0000000074D61000-memory.dmp

Filesize
5.7MB

Download
memory/5436-19-0x00000000747B0000-0x0000000074D61000-memory.dmp

Filesize
5.7MB

Download
memory/5436-18-0x00000000747B0000-0x0000000074D61000-memory.dmp

Filesize
5.7MB

Download
memory/5436-15-0x00000000747B0000-0x0000000074D61000-memory.dmp

Filesize
5.7MB

Download
memory/5436-50-0x00000000747B0000-0x0000000074D61000-memory.dmp

Filesize
5.7MB

Download
memory/5436-14-0x00000000747B0000-0x0000000074D61000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads