Analysis
max time kernel: 148s
max time network: 149s
platform: windows7_x64
resource: win7-en
submitted: 16-09-2021 08:45

Static task: static1
Behavioral task: behavioral1 (Sample: df841db0f1f8f968ec6fc8c0d8bbd618bbacdcd7bf8146ad0267371884071576.exe, Resource: win7-en)
Behavioral task: behavioral2 (Sample: df841db0f1f8f968ec6fc8c0d8bbd618bbacdcd7bf8146ad0267371884071576.exe, Resource: win10v20210408)
General
Target: df841db0f1f8f968ec6fc8c0d8bbd618bbacdcd7bf8146ad0267371884071576.exe
Size: 13KB
MD5: 354b2d0793453d6be6e92cb740f170e4
SHA1: 9061310c8d87029de3088a95f22c28614d1c916f
SHA256: df841db0f1f8f968ec6fc8c0d8bbd618bbacdcd7bf8146ad0267371884071576
SHA512: dd74a5ff1a704104313b71ee83710896eff4e3d38ced07c68593025eae1ed13da6b44cbc635b9dbee384dd22ae7d18d16f89371b79466b33645fe3cadf27ed35
Malware Config
Extracted
Family: njrat
Version: 0.7NC
Botnet: NYAN CAT
C2: 107.167.244.67:18971
Mutex: 4a178b198a1a4260aad
reg_key: 4a178b198a1a4260aad
splitter: @!#&^%$
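The splitter above is the string the client puts between fields of every C2 message, so it is the first thing you need when carving njRAT traffic for this build. The following is an added example, not part of the sandbox report and not njRAT's own code: it assumes the framing documented for njRAT 0.7d (ASCII decimal payload length, a NUL byte, then the payload); whether the 0.7NC build keeps that framing is an assumption, and the sample messages are constructed for the demo rather than captured traffic.

```python
"""Split njRAT-style C2 messages with this sample's configured splitter.

Added example; not part of the sandbox report or of njRAT itself. Assumes the
"<decimal length>\x00<payload>" framing documented for njRAT 0.7d (an
assumption for the 0.7NC build); SAMPLE_STREAM below is constructed.
"""
from typing import List

SPLITTER = "@!#&^%$"  # splitter value from the extracted config


def build_frame(payload: bytes) -> bytes:
    """Frame a payload the way the client would send it: "<len>\\x00<payload>"."""
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def parse_frames(stream: bytes) -> List[bytes]:
    """Return every complete payload in a byte stream of consecutive frames.

    Raises ValueError on a truncated header or body so a caller feeding a
    pcap-derived stream learns where reassembly went wrong instead of
    silently skipping data.
    """
    frames, pos = [], 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul < 0:
            raise ValueError("truncated frame header at offset %d" % pos)
        header = stream[pos:nul]
        if not header.isdigit():
            raise ValueError("non-numeric length at offset %d" % pos)
        start, end = nul + 1, nul + 1 + int(header)
        if end > len(stream):
            raise ValueError("truncated frame body at offset %d" % start)
        frames.append(stream[start:end])
        pos = end
    return frames


def split_fields(payload: bytes, splitter: str = SPLITTER) -> List[str]:
    """Split one payload into command and arguments on the configured splitter."""
    return payload.decode("utf-8", "replace").split(splitter)


def is_ll_beacon(fields: List[str]) -> bool:
    """True when the command field is 'll', the command named in the Suricata alert."""
    return bool(fields) and fields[0] == "ll"


# Constructed sample: an 'll'-style message followed by a second short message.
SAMPLE_STREAM = build_frame(
    SPLITTER.join(["ll", "SGVsbG8=", "DESKTOP-TEST", "Admin"]).encode()
) + build_frame(SPLITTER.join(["inf", "x"]).encode())


def demo() -> List[List[str]]:
    """Parse the constructed stream and return the field lists of each message."""
    return [split_fields(p) for p in parse_frames(SAMPLE_STREAM)]


if __name__ == "__main__":
    for fields in demo():
        print("beacon" if is_ll_beacon(fields) else "other", fields)
```

Because the splitter is per-build, a detection keyed on the default `|'|'|` separator will miss this sample; keying on the length-NUL framing plus the configured splitter is what a pcap carve for this campaign should use.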
Signatures
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
Downloads MZ/PE file
Adds Run key to start application (2 TTPs, 1 IoC)
  df841db0f1f8f968ec6fc8c0d8bbd618bbacdcd7bf8146ad0267371884071576.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\uFzgJpBbCZdobdR = "C:\\Users\\Admin\\AppData\\Roaming\\LpEwT\\eLAKB.exe"
Suspicious use of SetThreadContext (1 IoC)
  PID 820 (df841db0f1f8f968ec6fc8c0d8bbd618bbacdcd7bf8146ad0267371884071576.exe) set thread context of PID 812 (RegAsm.exe)
Suspicious use of AdjustPrivilegeToken (34 IoCs)
  PID 820 (df841db0f1f8f968ec6fc8c0d8bbd618bbacdcd7bf8146ad0267371884071576.exe): Token: SeDebugPrivilege
  PID 812 (RegAsm.exe): Token: SeDebugPrivilege, then 16 repetitions of the pair Token: 33 / Token: SeIncBasePriorityPrivilege (the sandbox left privilege 33 unresolved; LUID 33 is SeIncreaseWorkingSetPrivilege)
Suspicious use of WriteProcessMemory (12 IoCs)
  PID 820 (df841db0f1f8f968ec6fc8c0d8bbd618bbacdcd7bf8146ad0267371884071576.exe) wrote to memory of PID 812 (RegAsm.exe), 12 times
  Together with the SetThreadContext call above and the 48KB image dumped at 0x400000 in PID 812, this is the write-then-redirect sequence consistent with process hollowing: the dropper starts RegAsm.exe, writes the payload into it and points its thread at the new entry.
Processes
1. C:\Users\Admin\AppData\Local\Temp\df841db0f1f8f968ec6fc8c0d8bbd618bbacdcd7bf8146ad0267371884071576.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\df841db0f1f8f968ec6fc8c0d8bbd618bbacdcd7bf8146ad0267371884071576.exe"
   - Adds Run key to start application
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (child of 1)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" (no assembly argument)
      - Suspicious use of AdjustPrivilegeToken
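The three observable behaviours in this report (a Run/RunOnce value pointing into a user-writable path, a bare RegAsm.exe spawned from a dropper in Temp, and traffic to the configured C2) each translate to a host-telemetry check. The following is an added example, not part of the sandbox report or of any vendor product: the records are hand-built dicts shaped loosely like Sysmon events (EventID 1 process create, 3 network connect, 13 registry value set), the field names are assumptions, and the network event and the two benign controls are invented for the demo.

```python
"""Hunt for the behaviours this report records, over constructed event records.

Added example; not part of the sandbox report or of any vendor product. Field
names follow Sysmon loosely and are assumptions; EVENTS is constructed.
"""
import re
from typing import Dict, List, Tuple

C2_IP, C2_PORT = "107.167.244.67", 18971  # from the extracted config
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)
USER_WRITABLE_RE = re.compile(r"\\AppData\\(Roaming|Local)\\|\\Temp\\", re.I)
# Signed .NET utilities commonly used as hollowing targets (RegAsm.exe is the one in this report).
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe"}

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\df841db0f1f8f968ec6fc8c0d8bbd618bbacdcd7bf8146ad0267371884071576.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

EVENTS: List[Dict] = [
    # From the report's process tree: dropper (820) starts RegAsm.exe (812) with no arguments.
    {"EventID": 1, "ProcessId": 812, "Image": REGASM, "CommandLine": '"%s"' % REGASM,
     "ParentProcessId": 820, "ParentImage": DROPPER},
    # From the report's RunOnce IoC, written by the dropper.
    {"EventID": 13, "ProcessId": 820, "Image": DROPPER,
     "TargetObject": r"HKU\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\uFzgJpBbCZdobdR",
     "Details": r"C:\Users\Admin\AppData\Roaming\LpEwT\eLAKB.exe"},
    # Constructed: the hollowed RegAsm.exe reaching the configured C2.
    {"EventID": 3, "ProcessId": 812, "Image": REGASM,
     "DestinationIp": C2_IP, "DestinationPort": C2_PORT},
    # Constructed benign controls: a real RegAsm invocation and a Run value in Program Files.
    {"EventID": 1, "ProcessId": 4100, "Image": REGASM,
     "CommandLine": '"%s" /codebase "C:\\Program Files\\Foo\\Foo.dll"' % REGASM,
     "ParentProcessId": 4000, "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    {"EventID": 13, "ProcessId": 4000, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Foo",
     "Details": r"C:\Program Files\Foo\foo.exe"},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def command_args(cmdline: str) -> str:
    """Return whatever follows the image path in a Windows command line."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].strip() if end > 0 else ""
    parts = s.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def hunt(events: List[Dict]) -> List[Tuple[str, object, str]]:
    """Return (rule, subject, detail) for every event matching one of the three checks."""
    hits = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 13 and RUN_KEY_RE.search(ev["TargetObject"]) \
                and USER_WRITABLE_RE.search(ev["Details"]):
            hits.append(("run_key_user_writable", ev["ProcessId"],
                         "%s = %s" % (ev["TargetObject"], ev["Details"])))
        elif eid == 1 and basename(ev["Image"]) in DOTNET_HOSTS:
            reasons = []
            if not command_args(ev["CommandLine"]):
                reasons.append("no assembly argument")
            if USER_WRITABLE_RE.search(ev["ParentImage"]):
                reasons.append("parent in user-writable path")
            if reasons:
                hits.append(("dotnet_host_suspicious", ev["ProcessId"], "; ".join(reasons)))
        elif eid == 3 and ev["DestinationIp"] == C2_IP and ev["DestinationPort"] == C2_PORT:
            hits.append(("known_c2_connect", ev["ProcessId"],
                         "%s:%d" % (ev["DestinationIp"], ev["DestinationPort"])))
    return hits


if __name__ == "__main__":
    for rule, subject, detail in hunt(EVENTS):
        print(rule, subject, detail)
```

The RegAsm.exe check keys on what the process tree above actually shows: a signed .NET utility launched with no assembly to register and a parent in a user's Temp directory. The C2 match is the weakest of the three, since the address is per-campaign; the first two survive a change of infrastructure.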
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/812-59-0x0000000000400000-0x000000000040C000-memory.dmp (48KB)
memory/812-60-0x000000000040676E-mapping.dmp
memory/812-62-0x0000000000400000-0x000000000040C000-memory.dmp (48KB)
memory/812-64-0x0000000000530000-0x0000000000531000-memory.dmp (4KB)
memory/820-53-0x00000000001A0000-0x00000000001A1000-memory.dmp (4KB)
memory/820-55-0x0000000076071000-0x0000000076073000-memory.dmp (8KB)
memory/820-56-0x0000000004D20000-0x0000000004D21000-memory.dmp (4KB)
memory/820-57-0x00000000052E0000-0x0000000005345000-memory.dmp (404KB)
memory/820-58-0x0000000000500000-0x0000000000501000-memory.dmp (4KB)