Analysis
- max time kernel: 152s
- max time network: 154s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 09-09-2021 08:53
- Static task: static1
- Behavioral task: behavioral1
- Sample: CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
- Resource: win7-en
General
- Target: CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
- Size: 170KB
- MD5: 75b89ea1408de6fdd7429944f8fdbb5e
- SHA1: 1250d433355aa6d7ce189ea5fe4a9d08df179f18
- SHA256: ceb4d88a90ff332d4ea6da16abaf1e04b6296d8618c1f280696acb57cb7bbc68
- SHA512: 8682bab985ae84c3482328b5e9cb8a60c902e432a9e1ebb58fafd70e31ed0d01303f3dc64c3b6b2b6a8cdce7c9876d18fff133f75844582650177f6be809bf45
Malware Config
Extracted
- Family: njrat
- Version: 0.7.3
- Botnet: CUCUTAA
- C2: noviembre1.duckdns.org:3030
- Mutex: Client.exe
- reg_key: Client.exe
- splitter: lolo
Signatures
- Suspicious use of SetThreadContext (2 IoCs)
  Processes (description | pid | process | target process):
  PID 1096 set thread context of 3856 | 1096 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
  PID 2036 set thread context of 2648 | 2036 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes (pid | process):
  1640 | schtasks.exe
  1272 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid | process):
  1096 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
  1096 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
  2036 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
  2036 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
- Suspicious use of AdjustPrivilegeToken (30 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 1096 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
  Token: SeDebugPrivilege | 3856 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
  Token: 33 | 3856 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
  Token: SeIncBasePriorityPrivilege | 3856 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
  Token: 33 | 3856 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
  Token: SeIncBasePriorityPrivilege | 3856 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
  Token: 33 | 3856 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
  Token: SeIncBasePriorityPrivilege | 3856 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
  Token: 33 | 3856 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
  Token: SeIncBasePriorityPrivilege | 3856 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
  Token: SeDebugPrivilege | 2036 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
  Token: 33 | 3856 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
  Token: SeIncBasePriorityPrivilege | 3856 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
  Token: 33 | 3856 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
  Token: SeIncBasePriorityPrivilege | 3856 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
  Token: 33 | 3856 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
  Token: SeIncBasePriorityPrivilege | 3856 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
  Token: 33 | 3856 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
  Token: SeIncBasePriorityPrivilege | 3856 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
  Token: 33 | 3856 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
  Token: SeIncBasePriorityPrivilege | 3856 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
  Token: 33 | 3856 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
  Token: SeIncBasePriorityPrivilege | 3856 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
  Token: 33 | 3856 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
  Token: SeIncBasePriorityPrivilege | 3856 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
  Token: 33 | 3856 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
  Token: SeIncBasePriorityPrivilege | 3856 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
  Token: SeDebugPrivilege | 2248 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
  Token: 33 | 3856 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
  Token: SeIncBasePriorityPrivilege | 3856 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
- Suspicious use of WriteProcessMemory (28 IoCs)
  Processes (description | pid | process | target process):
  PID 1096 wrote to memory of 3856 | 1096 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
  PID 1096 wrote to memory of 3856 | 1096 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
  PID 1096 wrote to memory of 3856 | 1096 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
  PID 1096 wrote to memory of 3856 | 1096 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
  PID 1096 wrote to memory of 3856 | 1096 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
  PID 1096 wrote to memory of 3856 | 1096 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
  PID 1096 wrote to memory of 3856 | 1096 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
  PID 1096 wrote to memory of 3856 | 1096 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
  PID 3856 wrote to memory of 696 | 3856 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe | schtasks.exe
  PID 3856 wrote to memory of 696 | 3856 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe | schtasks.exe
  PID 3856 wrote to memory of 696 | 3856 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe | schtasks.exe
  PID 3856 wrote to memory of 1640 | 3856 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe | schtasks.exe
  PID 3856 wrote to memory of 1640 | 3856 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe | schtasks.exe
  PID 3856 wrote to memory of 1640 | 3856 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe | schtasks.exe
  PID 2036 wrote to memory of 2648 | 2036 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
  PID 2036 wrote to memory of 2648 | 2036 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
  PID 2036 wrote to memory of 2648 | 2036 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
  PID 2036 wrote to memory of 2648 | 2036 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
  PID 2036 wrote to memory of 2648 | 2036 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
  PID 2036 wrote to memory of 2648 | 2036 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
  PID 2036 wrote to memory of 2648 | 2036 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
  PID 2036 wrote to memory of 2648 | 2036 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
  PID 2648 wrote to memory of 2300 | 2648 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe | schtasks.exe
  PID 2648 wrote to memory of 2300 | 2648 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe | schtasks.exe
  PID 2648 wrote to memory of 2300 | 2648 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe | schtasks.exe
  PID 2648 wrote to memory of 1272 | 2648 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe | schtasks.exe
  PID 2648 wrote to memory of 1272 | 2648 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe | schtasks.exe
  PID 2648 wrote to memory of 1272 | 2648 | CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe | schtasks.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /Delete /tn NYAN /F
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe" /sc minute /mo 1
      - Creates scheduled task(s)
- C:\Users\Admin\AppData\Local\Temp\CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /Delete /tn NYAN /F
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe" /sc minute /mo 1
      - Creates scheduled task(s)
- C:\Users\Admin\AppData\Local\Temp\CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\CEB4D88A90FF332D4EA6DA16ABAF1E04B6296D8618C1F.exe.log
  MD5: 5e7bb97636a484b5a87e60373614279a
  SHA1: 36bfdec32eedb141a4a106d89a453326f62593ee
  SHA256: 12ed6e1df2c57556c59dfd6630fd454a9df76166f340c41ee6bc54d98e709e20
  SHA512: 448c62d538e646045d7315ff902b86f614e2dc1eb0959c22c6618fd2c8767c330d24692357559310e6b55b0c35415a14a6ab2d6d9b8d2a03186949b97190fd56
- memory/696-118-0x0000000000000000-mapping.dmp
- memory/1096-114-0x0000000002BD0000-0x0000000002BD1000-memory.dmp
  Filesize: 4KB
- memory/1272-125-0x0000000000000000-mapping.dmp
- memory/1640-119-0x0000000000000000-mapping.dmp
- memory/2036-121-0x0000000002DD0000-0x0000000002DD1000-memory.dmp
  Filesize: 4KB
- memory/2248-127-0x00000000016B0000-0x00000000016B1000-memory.dmp
  Filesize: 4KB
- memory/2300-124-0x0000000000000000-mapping.dmp
- memory/2648-123-0x0000000000414E6E-mapping.dmp
- memory/2648-126-0x0000000001280000-0x0000000001281000-memory.dmp
  Filesize: 4KB
- memory/3856-120-0x0000000002D80000-0x0000000002D81000-memory.dmp
  Filesize: 4KB
- memory/3856-116-0x0000000000414E6E-mapping.dmp
- memory/3856-115-0x0000000000400000-0x000000000041A000-memory.dmp
  Filesize: 104KB