njrat | f4111d30be32600233ad61440ff2f9a6484f3ba6c04fae4b522fc09ab0de3831

Analysis

max time kernel
151s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

486a44dd40852eb23aeca8e8951ffa61.exe
Size

54KB
MD5

486a44dd40852eb23aeca8e8951ffa61
SHA1

6fb6f73727522c1b67cf7db5853bd12e84226753
SHA256

ce834e57992c0f4579135e3313b176f2493712eaa6b5fd96aecd972b297d4c92
SHA512

d37587fc39fdf91a180f9b8b3cfdda6e804e28e82630428ca73205f70641a84e700a8f3558a928b31f59ad25d77364322e7fd5c0a37814fa21b8bcca66d6d6d4
SSDEEP

768:VyJZuIZ2Eslt0g5Xy3N3+dJSNXxWQG35bmaePD5PvPtXXJdxIEpmBg:Vyr1Gt0g5+NaGhWQcGDfX3xIEpmBg

Score

10^/10

njrat defense_evasion discovery execution persistence trojan

Malware Config

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5e5cf16c381d2c6f9bd898a2b029e870.exe	486a44dd40852eb23aeca8e8951ffa61.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5e5cf16c381d2c6f9bd898a2b029e870.exe	486a44dd40852eb23aeca8e8951ffa61.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\5e5cf16c381d2c6f9bd898a2b029e870 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\486a44dd40852eb23aeca8e8951ffa61.exe\" .."	486a44dd40852eb23aeca8e8951ffa61.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\5e5cf16c381d2c6f9bd898a2b029e870 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\486a44dd40852eb23aeca8e8951ffa61.exe\" .."	486a44dd40852eb23aeca8e8951ffa61.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2996	powershell.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2800	sc.exe
2612	sc.exe
2588	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	486a44dd40852eb23aeca8e8951ffa61.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
944	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe
2840	486a44dd40852eb23aeca8e8951ffa61.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2840	486a44dd40852eb23aeca8e8951ffa61.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	2840	486a44dd40852eb23aeca8e8951ffa61.exe
Token: SeDebugPrivilege	2996	powershell.exe
Token: SeDebugPrivilege	944	taskkill.exe
Token: 33	2840	486a44dd40852eb23aeca8e8951ffa61.exe
Token: SeIncBasePriorityPrivilege	2840	486a44dd40852eb23aeca8e8951ffa61.exe
Token: 33	2840	486a44dd40852eb23aeca8e8951ffa61.exe
Token: SeIncBasePriorityPrivilege	2840	486a44dd40852eb23aeca8e8951ffa61.exe
Token: 33	2840	486a44dd40852eb23aeca8e8951ffa61.exe
Token: SeIncBasePriorityPrivilege	2840	486a44dd40852eb23aeca8e8951ffa61.exe
Token: 33	2840	486a44dd40852eb23aeca8e8951ffa61.exe
Token: SeIncBasePriorityPrivilege	2840	486a44dd40852eb23aeca8e8951ffa61.exe
Token: 33	2840	486a44dd40852eb23aeca8e8951ffa61.exe
Token: SeIncBasePriorityPrivilege	2840	486a44dd40852eb23aeca8e8951ffa61.exe
Token: 33	2840	486a44dd40852eb23aeca8e8951ffa61.exe
Token: SeIncBasePriorityPrivilege	2840	486a44dd40852eb23aeca8e8951ffa61.exe
Token: 33	2840	486a44dd40852eb23aeca8e8951ffa61.exe
Token: SeIncBasePriorityPrivilege	2840	486a44dd40852eb23aeca8e8951ffa61.exe
Token: 33	2840	486a44dd40852eb23aeca8e8951ffa61.exe
Token: SeIncBasePriorityPrivilege	2840	486a44dd40852eb23aeca8e8951ffa61.exe
Token: 33	2840	486a44dd40852eb23aeca8e8951ffa61.exe
Token: SeIncBasePriorityPrivilege	2840	486a44dd40852eb23aeca8e8951ffa61.exe
Token: 33	2840	486a44dd40852eb23aeca8e8951ffa61.exe
Token: SeIncBasePriorityPrivilege	2840	486a44dd40852eb23aeca8e8951ffa61.exe
Token: 33	2840	486a44dd40852eb23aeca8e8951ffa61.exe
Token: SeIncBasePriorityPrivilege	2840	486a44dd40852eb23aeca8e8951ffa61.exe
Token: 33	2840	486a44dd40852eb23aeca8e8951ffa61.exe
Token: SeIncBasePriorityPrivilege	2840	486a44dd40852eb23aeca8e8951ffa61.exe
Token: 33	2840	486a44dd40852eb23aeca8e8951ffa61.exe
Token: SeIncBasePriorityPrivilege	2840	486a44dd40852eb23aeca8e8951ffa61.exe
Token: 33	2840	486a44dd40852eb23aeca8e8951ffa61.exe
Token: SeIncBasePriorityPrivilege	2840	486a44dd40852eb23aeca8e8951ffa61.exe
Token: 33	2840	486a44dd40852eb23aeca8e8951ffa61.exe
Token: SeIncBasePriorityPrivilege	2840	486a44dd40852eb23aeca8e8951ffa61.exe
Token: 33	2840	486a44dd40852eb23aeca8e8951ffa61.exe
Token: SeIncBasePriorityPrivilege	2840	486a44dd40852eb23aeca8e8951ffa61.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 2952	2840	486a44dd40852eb23aeca8e8951ffa61.exe	29
PID 2840 wrote to memory of 2952	2840	486a44dd40852eb23aeca8e8951ffa61.exe	29
PID 2840 wrote to memory of 2952	2840	486a44dd40852eb23aeca8e8951ffa61.exe	29
PID 2840 wrote to memory of 2952	2840	486a44dd40852eb23aeca8e8951ffa61.exe	29
PID 2840 wrote to memory of 1824	2840	486a44dd40852eb23aeca8e8951ffa61.exe	31
PID 2840 wrote to memory of 1824	2840	486a44dd40852eb23aeca8e8951ffa61.exe	31
PID 2840 wrote to memory of 1824	2840	486a44dd40852eb23aeca8e8951ffa61.exe	31
PID 2840 wrote to memory of 1824	2840	486a44dd40852eb23aeca8e8951ffa61.exe	31
PID 1824 wrote to memory of 2996	1824	cmd.exe	33
PID 1824 wrote to memory of 2996	1824	cmd.exe	33
PID 1824 wrote to memory of 2996	1824	cmd.exe	33
PID 1824 wrote to memory of 2996	1824	cmd.exe	33
PID 2840 wrote to memory of 2884	2840	486a44dd40852eb23aeca8e8951ffa61.exe	34
PID 2840 wrote to memory of 2884	2840	486a44dd40852eb23aeca8e8951ffa61.exe	34
PID 2840 wrote to memory of 2884	2840	486a44dd40852eb23aeca8e8951ffa61.exe	34
PID 2840 wrote to memory of 2884	2840	486a44dd40852eb23aeca8e8951ffa61.exe	34
PID 2884 wrote to memory of 2588	2884	cmd.exe	36
PID 2884 wrote to memory of 2588	2884	cmd.exe	36
PID 2884 wrote to memory of 2588	2884	cmd.exe	36
PID 2884 wrote to memory of 2588	2884	cmd.exe	36
PID 2840 wrote to memory of 2752	2840	486a44dd40852eb23aeca8e8951ffa61.exe	37
PID 2840 wrote to memory of 2752	2840	486a44dd40852eb23aeca8e8951ffa61.exe	37
PID 2840 wrote to memory of 2752	2840	486a44dd40852eb23aeca8e8951ffa61.exe	37
PID 2840 wrote to memory of 2752	2840	486a44dd40852eb23aeca8e8951ffa61.exe	37
PID 2752 wrote to memory of 2800	2752	cmd.exe	39
PID 2752 wrote to memory of 2800	2752	cmd.exe	39
PID 2752 wrote to memory of 2800	2752	cmd.exe	39
PID 2752 wrote to memory of 2800	2752	cmd.exe	39
PID 2840 wrote to memory of 2824	2840	486a44dd40852eb23aeca8e8951ffa61.exe	40
PID 2840 wrote to memory of 2824	2840	486a44dd40852eb23aeca8e8951ffa61.exe	40
PID 2840 wrote to memory of 2824	2840	486a44dd40852eb23aeca8e8951ffa61.exe	40
PID 2840 wrote to memory of 2824	2840	486a44dd40852eb23aeca8e8951ffa61.exe	40
PID 2824 wrote to memory of 2612	2824	cmd.exe	42
PID 2824 wrote to memory of 2612	2824	cmd.exe	42
PID 2824 wrote to memory of 2612	2824	cmd.exe	42
PID 2824 wrote to memory of 2612	2824	cmd.exe	42
PID 2840 wrote to memory of 2256	2840	486a44dd40852eb23aeca8e8951ffa61.exe	43
PID 2840 wrote to memory of 2256	2840	486a44dd40852eb23aeca8e8951ffa61.exe	43
PID 2840 wrote to memory of 2256	2840	486a44dd40852eb23aeca8e8951ffa61.exe	43
PID 2840 wrote to memory of 2256	2840	486a44dd40852eb23aeca8e8951ffa61.exe	43
PID 2256 wrote to memory of 944	2256	cmd.exe	45
PID 2256 wrote to memory of 944	2256	cmd.exe	45
PID 2256 wrote to memory of 944	2256	cmd.exe	45
PID 2256 wrote to memory of 944	2256	cmd.exe	45

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2952	attrib.exe

C:\Users\Admin\AppData\Local\Temp\486a44dd40852eb23aeca8e8951ffa61.exe
"C:\Users\Admin\AppData\Local\Temp\486a44dd40852eb23aeca8e8951ffa61.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Windows\SysWOW64\attrib.exe
  attrib +h "C:\Users\Admin\AppData\Local\Temp\486a44dd40852eb23aeca8e8951ffa61.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:2952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1824
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2996
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc query windefend
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\SysWOW64\sc.exe
    sc query windefend
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2588
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc stop windefend
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\SysWOW64\sc.exe
    sc stop windefend
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2800
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc delete windefend
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\SysWOW64\sc.exe
    sc delete windefend
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2612
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im Google.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Google.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2840-0-0x0000000074611000-0x0000000074612000-memory.dmp

Filesize
4KB

Download
memory/2840-1-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/2840-2-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/2840-5-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/2840-6-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download