| File name: | memory.hta |
| Full analysis: | https://app.any.run/tasks/f426680a-bb71-4237-9c41-85a239a6a937 |
| Verdict: | Malicious activity |
| Threats: | njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market that features an abundance of educational information. Interested attackers can even find tutorials on YouTube. This allows it to become one of the most popular RATs in the world. |
| Analysis date: | March 29, 2024, 19:05:58 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/html |
| File info: | HTML document, ASCII text, with CRLF line terminators |
| MD5: | 5A97E8FB343599259895D924D9B7D9C4 |
| SHA1: | F5BE98B7569B5514B4ADD1EA8E6FB0673A2757BE |
| SHA256: | 1829F45A208AAF2C65661FC963249761680A651D512DB4F5F8DFEF5BE6397020 |
| SSDEEP: | 24:hMNmMvy4GqptE0ia5Sa7p8xuY8y+mhY8r88+M8E4olEC:ImMqopO0Jocd4+N8Xt40F |
MALICIOUS
Downloads files via BITSADMIN.EXE
- mshta.exe (PID: 2648)
Drops the executable file immediately after the start
- njhor.exe (PID: 2888)
- dllhost.exe (PID: 2096)
NjRAT is detected
- njhor.exe (PID: 2888)
- dllhost.exe (PID: 2096)
Starts SC.EXE for service management
- cmd.exe (PID: 1936)
- cmd.exe (PID: 2640)
Create files in the Startup directory
- dllhost.exe (PID: 2096)
Changes the autorun value in the registry
- dllhost.exe (PID: 2096)
UAC/LUA settings modification
- reg.exe (PID: 3252)
Windows Defender preferences modified via 'Set-MpPreference'
- cmd.exe (PID: 3496)
SUSPICIOUS
Reads the Internet Settings
- mshta.exe (PID: 2648)
- njhor.exe (PID: 2888)
- powershell.exe (PID: 1544)
- dllhost.exe (PID: 2096)
Uses ATTRIB.EXE to modify file attributes
- dllhost.exe (PID: 2096)
Creates file in the systems drive root
- njhor.exe (PID: 2888)
- dllhost.exe (PID: 2096)
Starts itself from another location
- njhor.exe (PID: 2888)
The process creates files with name similar to system file names
- njhor.exe (PID: 2888)
Runs shell command (SCRIPT)
- mshta.exe (PID: 2648)
Reads security settings of Internet Explorer
- njhor.exe (PID: 2888)
Starts CMD.EXE for commands execution
- dllhost.exe (PID: 2096)
Starts SC.EXE for service management
- cmd.exe (PID: 2020)
Uses REG/REGEDIT.EXE to modify registry
- cmd.exe (PID: 2068)
Script disables Windows Defender's real-time protection
- cmd.exe (PID: 3496)
Starts POWERSHELL.EXE for commands execution
- cmd.exe (PID: 3496)
Using PowerShell to operate with local accounts
- powershell.exe (PID: 1544)
Reads settings of System Certificates
- dllhost.exe (PID: 2096)
Connects to unusual port
- dllhost.exe (PID: 2096)
INFO
Checks supported languages
- njhor.exe (PID: 2888)
- dllhost.exe (PID: 2096)
Reads the computer name
- njhor.exe (PID: 2888)
- dllhost.exe (PID: 2096)
Reads Internet Explorer settings
- mshta.exe (PID: 2648)
Manual execution by a user
- taskmgr.exe (PID: 2372)
Create files in a temporary directory
- njhor.exe (PID: 2888)
Reads the machine GUID from the registry
- njhor.exe (PID: 2888)
- dllhost.exe (PID: 2096)
Creates files or folders in the user directory
- dllhost.exe (PID: 2096)
Reads Environment values
- dllhost.exe (PID: 2096)
Reads the software policy settings
- dllhost.exe (PID: 2096)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .htm/html | | | HyperText Markup Language with DOCTYPE (80.6) |
|---|---|---|
| .html | | | HyperText Markup Language (19.3) |
EXIF
HTML
| ContentType: | text/html; charset=utf-8 |
|---|
Total processes
64
Monitored processes
17
Malicious processes
4
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1216 | sc delete windefend | C:\Windows\System32\sc.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: A tool to aid in developing services for WindowsNT Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1544 | powershell Set-MpPreference -DisableRealtimeMonitoring $true | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 1 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
| 1768 | "C:\Users\admin\AppData\Roaming\njhor.exe" | C:\Users\admin\AppData\Roaming\njhor.exe | — | mshta.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 3221226540 Modules
| |||||||||||||||
| 1936 | cmd /c sc stop windefend | C:\Windows\System32\cmd.exe | — | dllhost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 1062 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2020 | cmd /c sc query windefend | C:\Windows\System32\cmd.exe | — | dllhost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2068 | cmd /c reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f | C:\Windows\System32\cmd.exe | — | dllhost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2096 | "C:\Users\admin\AppData\Local\Temp\dllhost.exe" | C:\Users\admin\AppData\Local\Temp\dllhost.exe | njhor.exe | ||||||||||||
User: admin Integrity Level: HIGH Modules
| |||||||||||||||
| 2348 | sc query windefend | C:\Windows\System32\sc.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: A tool to aid in developing services for WindowsNT Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2372 | "C:\Windows\system32\taskmgr.exe" /4 | C:\Windows\System32\taskmgr.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Task Manager Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2396 | sc stop windefend | C:\Windows\System32\sc.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: A tool to aid in developing services for WindowsNT Exit code: 1062 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
12 566
Read events
12 479
Write events
84
Delete events
3
Modification events
| (PID) Process: | (2648) mshta.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (2648) mshta.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (2648) mshta.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (2648) mshta.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (2648) mshta.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
| Operation: | write | Name: | CachePrefix |
Value: | |||
| (PID) Process: | (2648) mshta.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (2648) mshta.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
| (PID) Process: | (2888) njhor.exe | Key: | HKEY_CURRENT_USER |
| Operation: | write | Name: | di |
Value: ! | |||
| (PID) Process: | (2888) njhor.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (2888) njhor.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
Executable files
3
Suspicious files
1
Text files
0
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2888 | njhor.exe | C:\ClickMe.exe | executable | |
MD5:— | SHA256:— | |||
| 2888 | njhor.exe | C:\Users\admin\AppData\Local\Temp\dllhost.exe | executable | |
MD5:— | SHA256:— | |||
| 1544 | powershell.exe | C:\Users\admin\AppData\Local\Temp\lfj0qkee.444.ps1 | binary | |
MD5:— | SHA256:— | |||
| 1544 | powershell.exe | C:\Users\admin\AppData\Local\Temp\sewurws2.0wz.psm1 | binary | |
MD5:— | SHA256:— | |||
| 1544 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:— | SHA256:— | |||
| 2096 | dllhost.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\831d4cfc6d5fa0b87088ffcee117e046.exe | executable | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
9
DNS requests
4
Threats
1
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
956 | svchost.exe | 239.255.255.250:1900 | — | — | — | unknown |
856 | svchost.exe | 140.82.121.3:443 | github.com | GITHUB | US | unknown |
856 | svchost.exe | 185.199.110.133:443 | raw.githubusercontent.com | FASTLY | US | unknown |
2096 | dllhost.exe | 104.20.68.143:443 | pastebin.com | CLOUDFLARENET | — | unknown |
2096 | dllhost.exe | 3.67.112.102:13052 | 5.tcp.eu.ngrok.io | AMAZON-02 | DE | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
github.com |
| shared |
raw.githubusercontent.com |
| shared |
pastebin.com |
| shared |
5.tcp.eu.ngrok.io |
| malicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
1080 | svchost.exe | Misc activity | ET INFO DNS Query to a *.ngrok domain (ngrok.io) |