Analysis
- max time kernel: 148s
- max time network: 141s
- platform: windows7_x64
- resource: win7-en
- submitted: 08-09-2021 22:00

Static task: static1
Behavioral task: behavioral1
Sample: aa652fc67ec4c4353b9a5562c9ec0d21.exe
Resource: win7-en
General
- Target: aa652fc67ec4c4353b9a5562c9ec0d21.exe
- Size: 816KB
- MD5: aa652fc67ec4c4353b9a5562c9ec0d21
- SHA1: 1dea45515e03d1f561e5a31a1859aea7aa05bd62
- SHA256: ae4fdb69e4ef555cb516a8052d715d741ae565c97cc595f3ea0dc3cd349c4b8d
- SHA512: eddb0fa378f4d4f9aa1ab0eee44705024e89d6bd2c09a313f60b2203f7cf52c2e66909154c4a176bf865da1c211ddcbe1d9b12224125e44eb6ee70e0c61e4e09
Malware Config
Extracted
- family: njrat
- version: 0.7NC
- botnet: NYAN CAT
- c2: gbarpresencewriterprint.duckdns.org:8651
- mutex: 682708ec68e74
- reg_key: 682708ec68e74
- splitter: @!#&^%$
Signatures
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (aa652fc67ec4c4353b9a5562c9ec0d21.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (aa652fc67ec4c4353b9a5562c9ec0d21.exe)
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes:
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (aa652fc67ec4c4353b9a5562c9ec0d21.exe)
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (aa652fc67ec4c4353b9a5562c9ec0d21.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  - PID 1188 (aa652fc67ec4c4353b9a5562c9ec0d21.exe) set thread context of PID 1620 (RegSvcs.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  - PID 1484 powershell.exe
  - PID 1112 powershell.exe
  - PID 1188 aa652fc67ec4c4353b9a5562c9ec0d21.exe
  - PID 1172 powershell.exe
- Suspicious use of AdjustPrivilegeToken (21 IoCs)
  Processes:
  - Token: SeDebugPrivilege, PID 1484 powershell.exe
  - Token: SeDebugPrivilege, PID 1112 powershell.exe
  - Token: SeDebugPrivilege, PID 1188 aa652fc67ec4c4353b9a5562c9ec0d21.exe
  - Token: SeDebugPrivilege, PID 1172 powershell.exe
  - Token: SeDebugPrivilege, PID 1620 RegSvcs.exe
  - Token: 33, PID 1620 RegSvcs.exe (8 occurrences)
  - Token: SeIncBasePriorityPrivilege, PID 1620 RegSvcs.exe (8 occurrences)
- Suspicious use of WriteProcessMemory (28 IoCs)
  Processes:
  - PID 1188 (aa652fc67ec4c4353b9a5562c9ec0d21.exe) wrote to memory of PID 1112 (powershell.exe), 4 occurrences
  - PID 1188 (aa652fc67ec4c4353b9a5562c9ec0d21.exe) wrote to memory of PID 1484 (powershell.exe), 4 occurrences
  - PID 1188 (aa652fc67ec4c4353b9a5562c9ec0d21.exe) wrote to memory of PID 1800 (schtasks.exe), 4 occurrences
  - PID 1188 (aa652fc67ec4c4353b9a5562c9ec0d21.exe) wrote to memory of PID 1172 (powershell.exe), 4 occurrences
  - PID 1188 (aa652fc67ec4c4353b9a5562c9ec0d21.exe) wrote to memory of PID 1620 (RegSvcs.exe), 12 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\aa652fc67ec4c4353b9a5562c9ec0d21.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\aa652fc67ec4c4353b9a5562c9ec0d21.exe"
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\aa652fc67ec4c4353b9a5562c9ec0d21.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BkueKqkOElUWV.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BkueKqkOElUWV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBC4.tmp"
    - Creates scheduled task(s)
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BkueKqkOElUWV.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpBC4.tmp
  MD5: c84441b9b283f651bd456039ac24bb0e
  SHA1: fb4f30d009ce333d1221b058fd094bb3e8bad0fb
  SHA256: 40847b5b59cd96e5cc9c90351c011352f0ba69b9947af8fde01c99cfe4d937dc
  SHA512: 3e83e827012d2cba79058c585532329fdcc1ca0eed61a8c1d2dfebaa01c0ced69153846558316bb939fc79e7b0ee2b208bd8153287e09c4ee161e119d0c8c25f
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  MD5: 91d836fcb8358aa9d4426c08a95cdc3d
  SHA1: 61c5fd96569ff8444dc4c82c69897033351fc7b9
  SHA256: 73bca7bf32c7c157f0d4d10f65d31b14abcbdadb99cb2c879ba02c3e0fe99963
  SHA512: d55ea69781d86f45a022256139bc25857cc8ddab619d2c7591fb6ed861b9a078be08cc16fc4eff4567f4f908eb7ef4f058011054c6846b89e8a4f7305bda2d8d