Analysis
- max time kernel: 153s
- max time network: 154s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 22-09-2021 13:20
Static task: static1
Behavioral task: behavioral1
- Sample: 424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe
- Resource: win7-en-20210920
General
- Target: 424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe
- Size: 1009KB
- MD5: dd50c188aabc9e550fc221de015ddb55
- SHA1: 068aa881159f72c4454f44f32fb754fc5b88f688
- SHA256: 424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8
- SHA512: b63b109c27987c3b873c378707eb983c60b782e7e9a2ec0dafac7130ef17da0c034698aaa025cd6103cc5ba6e6fb4e13240a20c773fb2e7a981eef276e406b36
Malware Config
Extracted
- Family: njrat
- Version: 0.7.3
- Limebot3
- C2: microsoftdnsbug.duckdns.org:6699
- Client.exe
- reg_key: Client.exe
- splitter: luffy
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid  process):
  4020  AppVCatalog.exe
  4608  AppVCatalog.exe
- Suspicious use of SetThreadContext (3 IoCs)
  Processes (description  pid  process  target process):
  PID 376 set thread context of 3932   376   424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe   RegAsm.exe
  PID 4020 set thread context of 4408   4020   AppVCatalog.exe   RegAsm.exe
  PID 4608 set thread context of 3324   4608   AppVCatalog.exe   RegAsm.exe
- autoit_exe (3 IoCs)
  AutoIT scripts compiled to PE executables.
  Processes (resource  yara_rule):
  C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe   autoit_exe
  C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe   autoit_exe
  C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe   autoit_exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  Processes (pid  pid_target  process  target process):
  3572   3932   WerFault.exe   RegAsm.exe
- Creates scheduled task(s) (1 TTPs, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes (pid  process):
  3804  schtasks.exe
  4476  schtasks.exe
  3368  schtasks.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes (pid  process):
  376   424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe
  376   424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe
  376   424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe
  376   424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe
  4020  AppVCatalog.exe
  4020  AppVCatalog.exe
  4020  AppVCatalog.exe
  4020  AppVCatalog.exe
  4608  AppVCatalog.exe
  4608  AppVCatalog.exe
  4608  AppVCatalog.exe
  4608  AppVCatalog.exe
- Suspicious use of AdjustPrivilegeToken (19 IoCs)
  Processes (description  pid  process):
  Token: SeDebugPrivilege   4408   RegAsm.exe
  Token: 33   4408   RegAsm.exe
  Token: SeIncBasePriorityPrivilege   4408   RegAsm.exe
  Token: 33   4408   RegAsm.exe
  Token: SeIncBasePriorityPrivilege   4408   RegAsm.exe
  Token: 33   4408   RegAsm.exe
  Token: SeIncBasePriorityPrivilege   4408   RegAsm.exe
  Token: 33   4408   RegAsm.exe
  Token: SeIncBasePriorityPrivilege   4408   RegAsm.exe
  Token: 33   4408   RegAsm.exe
  Token: SeIncBasePriorityPrivilege   4408   RegAsm.exe
  Token: 33   4408   RegAsm.exe
  Token: SeIncBasePriorityPrivilege   4408   RegAsm.exe
  Token: 33   4408   RegAsm.exe
  Token: SeIncBasePriorityPrivilege   4408   RegAsm.exe
  Token: 33   4408   RegAsm.exe
  Token: SeIncBasePriorityPrivilege   4408   RegAsm.exe
  Token: 33   4408   RegAsm.exe
  Token: SeIncBasePriorityPrivilege   4408   RegAsm.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes (description  pid  process  target process):
  PID 376 wrote to memory of 3932   376   424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe   RegAsm.exe
  PID 376 wrote to memory of 3932   376   424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe   RegAsm.exe
  PID 376 wrote to memory of 3932   376   424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe   RegAsm.exe
  PID 376 wrote to memory of 3932   376   424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe   RegAsm.exe
  PID 376 wrote to memory of 3932   376   424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe   RegAsm.exe
  PID 376 wrote to memory of 3804   376   424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe   schtasks.exe
  PID 376 wrote to memory of 3804   376   424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe   schtasks.exe
  PID 376 wrote to memory of 3804   376   424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe   schtasks.exe
  PID 4020 wrote to memory of 4408   4020   AppVCatalog.exe   RegAsm.exe
  PID 4020 wrote to memory of 4408   4020   AppVCatalog.exe   RegAsm.exe
  PID 4020 wrote to memory of 4408   4020   AppVCatalog.exe   RegAsm.exe
  PID 4020 wrote to memory of 4408   4020   AppVCatalog.exe   RegAsm.exe
  PID 4020 wrote to memory of 4408   4020   AppVCatalog.exe   RegAsm.exe
  PID 4020 wrote to memory of 4476   4020   AppVCatalog.exe   schtasks.exe
  PID 4020 wrote to memory of 4476   4020   AppVCatalog.exe   schtasks.exe
  PID 4020 wrote to memory of 4476   4020   AppVCatalog.exe   schtasks.exe
  PID 4608 wrote to memory of 3324   4608   AppVCatalog.exe   RegAsm.exe
  PID 4608 wrote to memory of 3324   4608   AppVCatalog.exe   RegAsm.exe
  PID 4608 wrote to memory of 3324   4608   AppVCatalog.exe   RegAsm.exe
  PID 4608 wrote to memory of 3324   4608   AppVCatalog.exe   RegAsm.exe
  PID 4608 wrote to memory of 3324   4608   AppVCatalog.exe   RegAsm.exe
  PID 4608 wrote to memory of 3368   4608   AppVCatalog.exe   schtasks.exe
  PID 4608 wrote to memory of 3368   4608   AppVCatalog.exe   schtasks.exe
  PID 4608 wrote to memory of 3368   4608   AppVCatalog.exe   schtasks.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 24
      - Program crash
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn PnPUnattend /tr "C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe" /sc minute /mo 1 /F
    - Creates scheduled task(s)
- C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe
  Command line: C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn PnPUnattend /tr "C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe" /sc minute /mo 1 /F
    - Creates scheduled task(s)
- C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe
  Command line: C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn PnPUnattend /tr "C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe" /sc minute /mo 1 /F
    - Creates scheduled task(s)
Downloads
- C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe
  MD5: 22ea2be776f6fb0a8d120c4c8aed4372
  SHA1: 8afebe29576fa97332c28f80533baff07ef04d21
  SHA256: e154fc855ec92bd148783f65d059b8a0b374f173eaaccceabddc9bc8a8cb694b
  SHA512: 407cec2de44139a6248731d58bcc42f89bb726731222ffcd1d07f57889dda791fc444bd41edac575c011f20c5db0197b7b694565ee7baae8f7f13b9e08938611
- memory/376-121-0x0000000002330000-0x00000000023ED000-memory.dmp  Filesize: 756KB
- memory/3324-140-0x0000000000414E6E-mapping.dmp
- memory/3324-142-0x0000000002880000-0x0000000002881000-memory.dmp  Filesize: 4KB
- memory/3368-143-0x0000000000000000-mapping.dmp
- memory/3804-122-0x0000000000000000-mapping.dmp
- memory/3932-120-0x00000000005E4E6E-mapping.dmp
- memory/3932-115-0x00000000005D0000-0x00000000005EA000-memory.dmp  Filesize: 104KB
- memory/4020-131-0x0000000001200000-0x000000000134A000-memory.dmp  Filesize: 1.3MB
- memory/4408-125-0x0000000000400000-0x000000000041A000-memory.dmp  Filesize: 104KB
- memory/4408-130-0x0000000000414E6E-mapping.dmp
- memory/4408-132-0x0000000000FF0000-0x000000000113A000-memory.dmp  Filesize: 1.3MB
- memory/4476-133-0x0000000000000000-mapping.dmp
- memory/4608-141-0x0000000001400000-0x00000000014AE000-memory.dmp  Filesize: 696KB