Analysis
-
max time kernel
300s
-
max time network
295s
-
platform
windows7_x64
-
resource
win7-en
-
submitted
15-09-2021 11:31
Static task
static1
Behavioral task
behavioral1
Sample
avellaneda.bin.exe
Resource
win7-en
windows7_x64
0 signatures
0 seconds
General
-
Target
avellaneda.bin.exe
-
Size
420KB
-
MD5
0bb825d7755c400a76fd8512f6baab38
-
SHA1
278d3e2ca71d1b8f1e3b521e8885ae13e25d84da
-
SHA256
2543435084f6e995500f8e9f12312db2da5241029f78418a5308524e295443d9
-
SHA512
60bd692b834dd5280c93894adcfacde0d11cd0b7ae893a6b5a64cba704a13a0845f65bd322384d19e9eebf6a673a0565308f88769cc99eec4292c0ff2b980e34
Malware Config
Extracted
Family
njrat
Version
0.7NC
Botnet
NYAN CAT
C2
reald27.duckdns.org:3525
Mutex
f45dd4eb26
Attributes
-
reg_key
f45dd4eb26
-
splitter
@!#&^%$
Signatures
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description                        pid  process             target process
PID 820 set thread context of 580  820  avellaneda.bin.exe  avellaneda.bin.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
pid   process
820   avellaneda.bin.exe
820   avellaneda.bin.exe
1516  powershell.exe
-
Suspicious use of AdjustPrivilegeToken 61 IoCs
Processes:
description                        pid   process
Token: SeDebugPrivilege            820   avellaneda.bin.exe
Token: SeDebugPrivilege            1516  powershell.exe
Token: SeDebugPrivilege            580   avellaneda.bin.exe
Token: 33                          580   avellaneda.bin.exe
Token: SeIncBasePriorityPrivilege  580   avellaneda.bin.exe
(the last two rows repeat in alternation for PID 580 until the table reaches the 61 entries reported above)
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
description                      pid  process             target process
PID 820 wrote to memory of 1516  820  avellaneda.bin.exe  powershell.exe
PID 820 wrote to memory of 1516  820  avellaneda.bin.exe  powershell.exe
PID 820 wrote to memory of 1516  820  avellaneda.bin.exe  powershell.exe
PID 820 wrote to memory of 1516  820  avellaneda.bin.exe  powershell.exe
PID 820 wrote to memory of 1004  820  avellaneda.bin.exe  avellaneda.bin.exe
PID 820 wrote to memory of 1004  820  avellaneda.bin.exe  avellaneda.bin.exe
PID 820 wrote to memory of 1004  820  avellaneda.bin.exe  avellaneda.bin.exe
PID 820 wrote to memory of 1004  820  avellaneda.bin.exe  avellaneda.bin.exe
PID 820 wrote to memory of 580   820  avellaneda.bin.exe  avellaneda.bin.exe
PID 820 wrote to memory of 580   820  avellaneda.bin.exe  avellaneda.bin.exe
PID 820 wrote to memory of 580   820  avellaneda.bin.exe  avellaneda.bin.exe
PID 820 wrote to memory of 580   820  avellaneda.bin.exe  avellaneda.bin.exe
PID 820 wrote to memory of 580   820  avellaneda.bin.exe  avellaneda.bin.exe
PID 820 wrote to memory of 580   820  avellaneda.bin.exe  avellaneda.bin.exe
PID 820 wrote to memory of 580   820  avellaneda.bin.exe  avellaneda.bin.exe
PID 820 wrote to memory of 580   820  avellaneda.bin.exe  avellaneda.bin.exe
PID 820 wrote to memory of 580   820  avellaneda.bin.exe  avellaneda.bin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\avellaneda.bin.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\avellaneda.bin.exe"
  depth: 1
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\avellaneda.bin.exe"
    depth: 2
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  -
  C:\Users\Admin\AppData\Local\Temp\avellaneda.bin.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\avellaneda.bin.exe"
    depth: 2
  -
  C:\Users\Admin\AppData\Local\Temp\avellaneda.bin.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\avellaneda.bin.exe"
    depth: 2
    - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exe
  command line: "C:\Windows\explorer.exe"
  depth: 1
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
memory/580-64-0x0000000000400000-0x000000000040C000-memory.dmp  Filesize 48KB
-
memory/580-69-0x00000000049D0000-0x00000000049D1000-memory.dmp  Filesize 4KB
-
memory/580-61-0x0000000000400000-0x000000000040C000-memory.dmp  Filesize 48KB
-
memory/580-62-0x000000000040676E-mapping.dmp
-
memory/820-55-0x0000000004460000-0x0000000004461000-memory.dmp  Filesize 4KB
-
memory/820-57-0x0000000000430000-0x0000000000437000-memory.dmp  Filesize 28KB
-
memory/820-58-0x0000000005D50000-0x0000000005DA7000-memory.dmp  Filesize 348KB
-
memory/820-59-0x0000000001FC0000-0x0000000001FE2000-memory.dmp  Filesize 136KB
-
memory/820-53-0x0000000000270000-0x0000000000271000-memory.dmp  Filesize 4KB
-
memory/1516-60-0x0000000000000000-mapping.dmp
-
memory/1516-63-0x0000000076071000-0x0000000076073000-memory.dmp  Filesize 8KB
-
memory/1516-67-0x0000000002541000-0x0000000002542000-memory.dmp  Filesize 4KB
-
memory/1516-66-0x0000000002540000-0x0000000002541000-memory.dmp  Filesize 4KB
-
memory/1516-68-0x0000000002542000-0x0000000002544000-memory.dmp  Filesize 8KB
-
memory/1752-56-0x000007FEFB791000-0x000007FEFB793000-memory.dmp  Filesize 8KB