Overview

overview

10

Static

static

aa652fc67e...21.exe

windows7_x64

10

aa652fc67e...21.exe

windows10_x64

10

Analysis

  • max time kernel
    83s
  • max time network
    128s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    08-09-2021 21:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aa652fc67ec4c4353b9a5562c9ec0d21.exe

  • Size

    816KB

  • MD5

    aa652fc67ec4c4353b9a5562c9ec0d21

  • SHA1

    1dea45515e03d1f561e5a31a1859aea7aa05bd62

  • SHA256

    ae4fdb69e4ef555cb516a8052d715d741ae565c97cc595f3ea0dc3cd349c4b8d

  • SHA512

    eddb0fa378f4d4f9aa1ab0eee44705024e89d6bd2c09a313f60b2203f7cf52c2e66909154c4a176bf865da1c211ddcbe1d9b12224125e44eb6ee70e0c61e4e09

Score
10/10
njratnyan catevasiontrojan

Malware Config

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

gbarpresencewriterprint.duckdns.org:8651

Mutex

682708ec68e74

Attributes
  • reg_key

    682708ec68e74

  • splitter

    @!#&^%$

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Looks for VirtualBox Guest Additions in registry 2 TTPs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aa652fc67ec4c4353b9a5562c9ec0d21.exe
    "C:\Users\Admin\AppData\Local\Temp\aa652fc67ec4c4353b9a5562c9ec0d21.exe"
    1⤵
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:568
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\aa652fc67ec4c4353b9a5562c9ec0d21.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2152
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BkueKqkOElUWV.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1548
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BkueKqkOElUWV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9953.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2352
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BkueKqkOElUWV.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3724
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
        PID:3572

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Virtualization/Sandbox Evasion

    2
    T1497

    Credential Access

    Discovery

    Query Registry

    4
    T1012

    Virtualization/Sandbox Evasion

    2
    T1497

    System Information Discovery

    3
    T1082

    Peripheral Device Discovery

    1
    T1120

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp9953.tmp
      MD5

      fc4573ce606b063da594053f959323c9

      SHA1

      ef223ce0ab757e70d820292dfa8a1a68d560a629

      SHA256

      5c09e5b7dfe5f529dbcd41783166eee85c1641e79231bbf819d553e876f621d4

      SHA512

      fc1ed013b391558dea773f59cc5b945e9f031a2bf80e5012e0fd382fcf79b56e8e7fe48f8203d4398115aa21f31a4754575bd6873fc00be84054197e6c97d17d

      Download Submit
    • memory/568-123-0x00000000074C0000-0x00000000074C9000-memory.dmp
      Filesize

      36KB

      Download
    • memory/568-116-0x0000000005570000-0x0000000005571000-memory.dmp
      Filesize

      4KB

      Download
    • memory/568-118-0x0000000004FB0000-0x0000000004FB1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/568-119-0x0000000005070000-0x000000000556E000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/568-114-0x00000000005F0000-0x00000000005F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/568-121-0x00000000054B0000-0x00000000054C1000-memory.dmp
      Filesize

      68KB

      Download
    • memory/568-117-0x0000000004F10000-0x0000000004F11000-memory.dmp
      Filesize

      4KB

      Download
    • memory/568-122-0x0000000007430000-0x00000000074A8000-memory.dmp
      Filesize

      480KB

      Download
    • memory/568-120-0x0000000004EE0000-0x0000000004EE1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/568-125-0x0000000000E40000-0x0000000000E41000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1548-248-0x0000000006CB3000-0x0000000006CB4000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1548-165-0x0000000006CB2000-0x0000000006CB3000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1548-130-0x0000000000000000-mapping.dmp
      Download
    • memory/1548-162-0x00000000082D0000-0x00000000082D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1548-209-0x000000007E5A0000-0x000000007E5A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1548-140-0x0000000006CB0000-0x0000000006CB1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2152-137-0x0000000007132000-0x0000000007133000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2152-128-0x0000000007070000-0x0000000007071000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2152-133-0x0000000007E40000-0x0000000007E41000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2152-143-0x0000000008090000-0x0000000008091000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2152-124-0x0000000000000000-mapping.dmp
      Download
    • memory/2152-244-0x0000000007133000-0x0000000007134000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2152-135-0x0000000007130000-0x0000000007131000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2152-214-0x000000007E210000-0x000000007E211000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2152-159-0x0000000008400000-0x0000000008401000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2152-131-0x0000000007DA0000-0x0000000007DA1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2152-197-0x00000000095B0000-0x00000000095E3000-memory.dmp
      Filesize

      204KB

      Download
    • memory/2152-129-0x0000000007770000-0x0000000007771000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2152-170-0x0000000008880000-0x0000000008881000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2352-132-0x0000000000000000-mapping.dmp
      Download
    • memory/3572-150-0x00000000004067AE-mapping.dmp
      Download
    • memory/3572-149-0x0000000000400000-0x000000000040C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/3572-251-0x0000000004D40000-0x000000000523E000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/3724-169-0x00000000046B2000-0x00000000046B3000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3724-167-0x00000000046B0000-0x00000000046B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3724-218-0x000000007EFC0000-0x000000007EFC1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3724-148-0x0000000000000000-mapping.dmp
      Download
    • memory/3724-250-0x00000000046B3000-0x00000000046B4000-memory.dmp
      Filesize

      4KB

      Download