Analysis
-
max time kernel
145s -
max time network
150s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
08-09-2021 21:06
General
-
Target
Adjunto a este documento un archivo en el cual se encuentra específicamente.exe
-
Size
816KB
-
MD5
aa652fc67ec4c4353b9a5562c9ec0d21
-
SHA1
1dea45515e03d1f561e5a31a1859aea7aa05bd62
-
SHA256
ae4fdb69e4ef555cb516a8052d715d741ae565c97cc595f3ea0dc3cd349c4b8d
-
SHA512
eddb0fa378f4d4f9aa1ab0eee44705024e89d6bd2c09a313f60b2203f7cf52c2e66909154c4a176bf865da1c211ddcbe1d9b12224125e44eb6ee70e0c61e4e09
Malware Config
Extracted
njrat
0.7NC
NYAN CAT
gbarpresencewriterprint.duckdns.org:8651
682708ec68e74
-
reg_key
682708ec68e74
-
splitter
@!#&^%$
Signatures
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Looks for VMWare Tools registry key 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Adjunto a este documento un archivo en el cual se encuentra específicamente.exe"C:\Users\Admin\AppData\Local\Temp\Adjunto a este documento un archivo en el cual se encuentra específicamente.exe"1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Adjunto a este documento un archivo en el cual se encuentra específicamente.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BkueKqkOElUWV.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BkueKqkOElUWV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp96E2.tmp"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BkueKqkOElUWV.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logMD5
db01a2c1c7e70b2b038edf8ad5ad9826
SHA1540217c647a73bad8d8a79e3a0f3998b5abd199b
SHA256413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d
SHA512c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
0b5d94d20be9eecbaed3dddd04143f07
SHA1c677d0355f4cc7301075a554adc889bce502e15a
SHA2563c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c
SHA512395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
0b5d94d20be9eecbaed3dddd04143f07
SHA1c677d0355f4cc7301075a554adc889bce502e15a
SHA2563c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c
SHA512395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
0f3d9f8287b0dab909e9f18fcd9cfefb
SHA1998c9c13ec9080a5b90d9341878ef288e5da9e60
SHA256c48a95a34f7fc7af7de8d9e452e7a1c92130d4b8088f4f789910e0b2628e9ce7
SHA512097bc614fd9e12d8829db620bb8c58a300872c2bbaaa5357b741c7360dd9d5072b86a070e4e9111545a3841048156c64b604fc39fd3055c1bab2da3362c0ae13
-
C:\Users\Admin\AppData\Local\Temp\tmp96E2.tmpMD5
fc4573ce606b063da594053f959323c9
SHA1ef223ce0ab757e70d820292dfa8a1a68d560a629
SHA2565c09e5b7dfe5f529dbcd41783166eee85c1641e79231bbf819d553e876f621d4
SHA512fc1ed013b391558dea773f59cc5b945e9f031a2bf80e5012e0fd382fcf79b56e8e7fe48f8203d4398115aa21f31a4754575bd6873fc00be84054197e6c97d17d
-
memory/500-207-0x000000007E680000-0x000000007E681000-memory.dmpFilesize
4KB
-
memory/500-242-0x0000000004D13000-0x0000000004D14000-memory.dmpFilesize
4KB
-
memory/500-171-0x0000000004D12000-0x0000000004D13000-memory.dmpFilesize
4KB
-
memory/500-170-0x0000000004D10000-0x0000000004D11000-memory.dmpFilesize
4KB
-
memory/500-148-0x0000000000000000-mapping.dmp
-
memory/656-120-0x00000000051B0000-0x00000000051B1000-memory.dmpFilesize
4KB
-
memory/656-119-0x0000000005140000-0x00000000051DC000-memory.dmpFilesize
624KB
-
memory/656-118-0x00000000052E0000-0x00000000052E1000-memory.dmpFilesize
4KB
-
memory/656-117-0x0000000005240000-0x0000000005241000-memory.dmpFilesize
4KB
-
memory/656-121-0x00000000053E0000-0x00000000053F1000-memory.dmpFilesize
68KB
-
memory/656-125-0x0000000001110000-0x0000000001111000-memory.dmpFilesize
4KB
-
memory/656-116-0x0000000005740000-0x0000000005741000-memory.dmpFilesize
4KB
-
memory/656-114-0x00000000008C0000-0x00000000008C1000-memory.dmpFilesize
4KB
-
memory/656-123-0x0000000006FC0000-0x0000000006FC9000-memory.dmpFilesize
36KB
-
memory/656-122-0x0000000007720000-0x0000000007798000-memory.dmpFilesize
480KB
-
memory/748-131-0x0000000000000000-mapping.dmp
-
memory/860-150-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/860-239-0x0000000005640000-0x0000000005B3E000-memory.dmpFilesize
5.0MB
-
memory/860-151-0x00000000004067AE-mapping.dmp
-
memory/2728-145-0x0000000007D60000-0x0000000007D61000-memory.dmpFilesize
4KB
-
memory/2728-241-0x0000000004973000-0x0000000004974000-memory.dmpFilesize
4KB
-
memory/2728-164-0x0000000007B40000-0x0000000007B41000-memory.dmpFilesize
4KB
-
memory/2728-167-0x0000000008490000-0x0000000008491000-memory.dmpFilesize
4KB
-
memory/2728-144-0x0000000004972000-0x0000000004973000-memory.dmpFilesize
4KB
-
memory/2728-124-0x0000000000000000-mapping.dmp
-
memory/2728-172-0x0000000008540000-0x0000000008541000-memory.dmpFilesize
4KB
-
memory/2728-128-0x0000000004980000-0x0000000004981000-memory.dmpFilesize
4KB
-
memory/2728-129-0x00000000073B0000-0x00000000073B1000-memory.dmpFilesize
4KB
-
memory/2728-143-0x0000000004970000-0x0000000004971000-memory.dmpFilesize
4KB
-
memory/2728-210-0x000000007F070000-0x000000007F071000-memory.dmpFilesize
4KB
-
memory/2728-136-0x0000000007380000-0x0000000007381000-memory.dmpFilesize
4KB
-
memory/3848-240-0x0000000007213000-0x0000000007214000-memory.dmpFilesize
4KB
-
memory/3848-149-0x0000000007212000-0x0000000007213000-memory.dmpFilesize
4KB
-
memory/3848-139-0x0000000007770000-0x0000000007771000-memory.dmpFilesize
4KB
-
memory/3848-130-0x0000000000000000-mapping.dmp
-
memory/3848-204-0x000000007E470000-0x000000007E471000-memory.dmpFilesize
4KB
-
memory/3848-197-0x0000000009860000-0x0000000009893000-memory.dmpFilesize
204KB
-
memory/3848-147-0x0000000007210000-0x0000000007211000-memory.dmpFilesize
4KB