Analysis
max time kernel: 19s
max time network: 136s
platform: windows10_x64
resource: win10v20210408
submitted: 08-09-2021 09:10
Static task: static1
Behavioral task: behavioral1
Sample: 7c84531c6299e423eacc06007a52e9a0ce6b334f3e18fc53cf6d1aca1f6b1407.exe
Resource: win7-en (windows7_x64), 0 signatures, 0 seconds
General
Target: 7c84531c6299e423eacc06007a52e9a0ce6b334f3e18fc53cf6d1aca1f6b1407.exe
Size: 343KB
MD5: a4ef9b97bb27e933d21acf408213660e
SHA1: 468f1788f892ee364922d4ad89b4015f1cf36a5b
SHA256: 7c84531c6299e423eacc06007a52e9a0ce6b334f3e18fc53cf6d1aca1f6b1407
SHA512: db842526085b08d44e2325117defdc37624d9ecfa99f56a38a7ff87af795d8d934d63b46d25d432ae82f5d32fb50cc27be87b5e38a739db06a437bc81b070643
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: SAZANXD
C2: 20.94.209.182:8080
Mutex: 5674c09c7f0c4298faa91f68465c425a
Attributes
- reg_key: 5674c09c7f0c4298faa91f68465c425a
- splitter: |'|'|
Signatures
- Uses the VBS compiler for execution (1 TTPs)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description / pid / process / target process):
  PID 580 set thread context of 2880 / 580 / 7c84531c6299e423eacc06007a52e9a0ce6b334f3e18fc53cf6d1aca1f6b1407.exe / vbc.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process):
  3756 / dw20.exe
  3756 / dw20.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description / pid / process):
  Token: SeDebugPrivilege / 580 / 7c84531c6299e423eacc06007a52e9a0ce6b334f3e18fc53cf6d1aca1f6b1407.exe
  Token: SeRestorePrivilege / 3756 / dw20.exe
  Token: SeBackupPrivilege / 3756 / dw20.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description / pid / process / target process):
  PID 580 wrote to memory of 2880 / 580 / 7c84531c6299e423eacc06007a52e9a0ce6b334f3e18fc53cf6d1aca1f6b1407.exe / vbc.exe (8 entries)
  PID 2880 wrote to memory of 3756 / 2880 / vbc.exe / dw20.exe (3 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\7c84531c6299e423eacc06007a52e9a0ce6b334f3e18fc53cf6d1aca1f6b1407.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7c84531c6299e423eacc06007a52e9a0ce6b334f3e18fc53cf6d1aca1f6b1407.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
         Command line: dw20.exe -x -s 688
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/580-114-0x00000000009B0000-0x00000000009B1000-memory.dmp (filesize 4KB)
- memory/2880-115-0x0000000000400000-0x0000000000426000-memory.dmp (filesize 152KB)
- memory/2880-116-0x000000000040748E-mapping.dmp
- memory/2880-118-0x0000000002160000-0x0000000002161000-memory.dmp (filesize 4KB)
- memory/3756-117-0x0000000000000000-mapping.dmp