Analysis
- max time kernel: 143s
- max time network: 143s
- platform: windows7_x64
- resource: win7-en
- submitted: 08-09-2021 21:12
- Static task: static1
- Behavioral task: behavioral1
  - Sample: aa652fc67ec4c4353b9a5562c9ec0d21.exe
  - Resource: win7-en
General
- Target: aa652fc67ec4c4353b9a5562c9ec0d21.exe
- Size: 816KB
- MD5: aa652fc67ec4c4353b9a5562c9ec0d21
- SHA1: 1dea45515e03d1f561e5a31a1859aea7aa05bd62
- SHA256: ae4fdb69e4ef555cb516a8052d715d741ae565c97cc595f3ea0dc3cd349c4b8d
- SHA512: eddb0fa378f4d4f9aa1ab0eee44705024e89d6bd2c09a313f60b2203f7cf52c2e66909154c4a176bf865da1c211ddcbe1d9b12224125e44eb6ee70e0c61e4e09
Malware Config
Extracted
- Family: njrat
- Version: 0.7NC
- Botnet: NYAN CAT
- C2: gbarpresencewriterprint.duckdns.org:8651
- Mutex: 682708ec68e74
- Attributes:
  - reg_key: 682708ec68e74
  - splitter: @!#&^%$
Signatures
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  - aa652fc67ec4c4353b9a5562c9ec0d21.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  - aa652fc67ec4c4353b9a5562c9ec0d21.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes:
  - aa652fc67ec4c4353b9a5562c9ec0d21.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0
  - aa652fc67ec4c4353b9a5562c9ec0d21.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  - PID 1664 (aa652fc67ec4c4353b9a5562c9ec0d21.exe) set thread context of PID 1412 (RegSvcs.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
  - PID 1680 powershell.exe
  - PID 548 powershell.exe
  - PID 1740 powershell.exe
- Suspicious use of AdjustPrivilegeToken (18 IoCs)
  Processes:
  - Token: SeDebugPrivilege, PID 1680 powershell.exe
  - Token: SeDebugPrivilege, PID 548 powershell.exe
  - Token: SeDebugPrivilege, PID 1740 powershell.exe
  - Token: SeDebugPrivilege, PID 1412 RegSvcs.exe
  - Token: 33, PID 1412 RegSvcs.exe (7 times, alternating with the entry below)
  - Token: SeIncBasePriorityPrivilege, PID 1412 RegSvcs.exe (7 times)
- Suspicious use of WriteProcessMemory (28 IoCs)
  Processes (source PID 1664, aa652fc67ec4c4353b9a5562c9ec0d21.exe, in every entry):
  - PID 1664 wrote to memory of PID 1680 (powershell.exe), 4 times
  - PID 1664 wrote to memory of PID 548 (powershell.exe), 4 times
  - PID 1664 wrote to memory of PID 1336 (schtasks.exe), 4 times
  - PID 1664 wrote to memory of PID 1740 (powershell.exe), 4 times
  - PID 1664 wrote to memory of PID 1412 (RegSvcs.exe), 12 times
Processes
- C:\Users\Admin\AppData\Local\Temp\aa652fc67ec4c4353b9a5562c9ec0d21.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\aa652fc67ec4c4353b9a5562c9ec0d21.exe"
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\aa652fc67ec4c4353b9a5562c9ec0d21.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BkueKqkOElUWV.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BkueKqkOElUWV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2896.tmp"
    - Creates scheduled task(s)
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BkueKqkOElUWV.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp2896.tmp
  - MD5: c84441b9b283f651bd456039ac24bb0e
  - SHA1: fb4f30d009ce333d1221b058fd094bb3e8bad0fb
  - SHA256: 40847b5b59cd96e5cc9c90351c011352f0ba69b9947af8fde01c99cfe4d937dc
  - SHA512: 3e83e827012d2cba79058c585532329fdcc1ca0eed61a8c1d2dfebaa01c0ced69153846558316bb939fc79e7b0ee2b208bd8153287e09c4ee161e119d0c8c25f
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  - MD5: 3e10f6cd29fcdfad371c84e08e82ab22
  - SHA1: 2f356152877c56e6d3559859c688ed6b53eef7e2
  - SHA256: 1fef46b5b9e16820435ffc021833018038662bc13f577503fd2494b1521c5364
  - SHA512: 72c4b68c3abe257a485973ee7ea9f0f76504d1a14de39568c84bccb709ec900e7594e1844083e9bff404b6f320a4156d5a924c4eaa82e3e3cb9c28491e703772
- memory/548-67-0x0000000001E01000-0x0000000001E02000-memory.dmp (Filesize 4KB)
- memory/548-72-0x0000000001E02000-0x0000000001E04000-memory.dmp (Filesize 8KB)
- memory/548-66-0x0000000001E00000-0x0000000001E01000-memory.dmp (Filesize 4KB)
- memory/548-60-0x0000000000000000-mapping.dmp
- memory/1336-61-0x0000000000000000-mapping.dmp
- memory/1412-79-0x0000000000400000-0x000000000040C000-memory.dmp (Filesize 48KB)
- memory/1412-81-0x00000000003C0000-0x00000000003C1000-memory.dmp (Filesize 4KB)
- memory/1412-78-0x00000000004067AE-mapping.dmp
- memory/1412-77-0x0000000000400000-0x000000000040C000-memory.dmp (Filesize 48KB)
- memory/1664-52-0x0000000000360000-0x0000000000361000-memory.dmp (Filesize 4KB)
- memory/1664-57-0x0000000001ED0000-0x0000000001ED9000-memory.dmp (Filesize 36KB)
- memory/1664-56-0x0000000004FB0000-0x0000000005028000-memory.dmp (Filesize 480KB)
- memory/1664-55-0x00000000006C0000-0x00000000006D1000-memory.dmp (Filesize 68KB)
- memory/1664-54-0x0000000004D10000-0x0000000004D11000-memory.dmp (Filesize 4KB)
- memory/1680-59-0x0000000075231000-0x0000000075233000-memory.dmp (Filesize 8KB)
- memory/1680-73-0x00000000021E0000-0x0000000002E2A000-memory.dmp (Filesize 12.3MB)
- memory/1680-68-0x00000000021E0000-0x0000000002E2A000-memory.dmp (Filesize 12.3MB)
- memory/1680-65-0x00000000021E0000-0x0000000002E2A000-memory.dmp (Filesize 12.3MB)
- memory/1680-58-0x0000000000000000-mapping.dmp
- memory/1740-74-0x00000000023D0000-0x000000000301A000-memory.dmp (Filesize 12.3MB)
- memory/1740-76-0x00000000023D0000-0x000000000301A000-memory.dmp (Filesize 12.3MB)
- memory/1740-75-0x00000000023D0000-0x000000000301A000-memory.dmp (Filesize 12.3MB)
- memory/1740-69-0x0000000000000000-mapping.dmp