Analysis
- max time kernel: 148s
- max time network: 194s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 22-09-2021 14:32
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe
  - Resource: win7v20210408
General
- Target: 424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe
- Size: 1009KB
- MD5: dd50c188aabc9e550fc221de015ddb55
- SHA1: 068aa881159f72c4454f44f32fb754fc5b88f688
- SHA256: 424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8
- SHA512: b63b109c27987c3b873c378707eb983c60b782e7e9a2ec0dafac7130ef17da0c034698aaa025cd6103cc5ba6e6fb4e13240a20c773fb2e7a981eef276e406b36
Malware Config
Extracted
- Family: njrat
- Version: 0.7.3
- Botnet: Limebot3
- C2: microsoftdnsbug.duckdns.org:6699
- Mutex: Client.exe
- Attributes:
  - reg_key: Client.exe
  - splitter: luffy

The C2 is a DuckDNS dynamic-DNS name, so the operator can repoint it at will: hunt and block on the hostname and port 6699, not on whatever IP it resolved to during the run. reg_key is the value name njRAT writes under the Run key; splitter is the field delimiter the client uses in its C2 protocol, customised here from the default.
Signatures
- Executes dropped EXE (3 IoCs)
  Processes (pid / process):
  - 1192 AppVCatalog.exe
  - 1016 AppVCatalog.exe
  - 1704 AppVCatalog.exe
- Suspicious use of SetThreadContext (4 IoCs)
  Processes (pid / process -> target pid / target process):
  - 1984 424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe -> 2008 RegAsm.exe
  - 1192 AppVCatalog.exe -> 1428 RegAsm.exe
  - 1016 AppVCatalog.exe -> 1372 RegAsm.exe
  - 1704 AppVCatalog.exe -> 1988 RegAsm.exe
  Each source sets the thread context of a RegAsm.exe child it has just created. Together with the WriteProcessMemory entries below this is the process-hollowing sequence: create the signed host suspended, overwrite its image, point the main thread at the new entry point, resume.
- autoit_exe (4 IoCs)
  AutoIT scripts compiled to PE executables.
  Processes (resource / yara_rule):
  - C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe  autoit_exe  (4 matches)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  (Sandbox boilerplate. For njRAT the usual cause is its file manager and removable-drive spreading option, and no file encryption is reported anywhere else in this run.)
- Creates scheduled task(s) (1 TTPs, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes (pid / process):
  - 1776 schtasks.exe
  - 516 schtasks.exe
  - 784 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes (pid / process: count):
  - 1984 424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe: 2
  - 1192 AppVCatalog.exe: 2
  - 1016 AppVCatalog.exe: 2
  - 1704 AppVCatalog.exe: 2
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes (pid / process / token):
  - 2008 RegAsm.exe: SeDebugPrivilege once, followed by 34 entries alternating "Token: 33" and SeIncBasePriorityPrivilege. The unresolved value 33 is the privilege LUID for SeIncreaseWorkingSetPrivilege.
  Only the first hollowed RegAsm.exe (2008) shows this; it is the injected njRAT payload, not the AutoIT loader, that enables SeDebugPrivilege.
- Suspicious use of WriteProcessMemory (60 IoCs)
  Processes (source pid / process -> target pid / process: count):
  - 1984 424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe -> 2008 RegAsm.exe: 9
  - 1984 424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe -> 1776 schtasks.exe: 4
  - 1288 taskeng.exe -> 1192 AppVCatalog.exe: 4
  - 1192 AppVCatalog.exe -> 1428 RegAsm.exe: 9
  - 1192 AppVCatalog.exe -> 516 schtasks.exe: 4
  - 1288 taskeng.exe -> 1016 AppVCatalog.exe: 4
  - 1016 AppVCatalog.exe -> 1372 RegAsm.exe: 9
  - 1016 AppVCatalog.exe -> 784 schtasks.exe: 4
  - 1288 taskeng.exe -> 1704 AppVCatalog.exe: 4
  - 1704 AppVCatalog.exe -> 1988 RegAsm.exe: 9
  The four-write entries are what every ordinary CreateProcess produces in this sandbox (taskeng.exe launching the scheduled task shows the same four, and none of those children get a SetThreadContext). The nine-write entries into RegAsm.exe are the payload image being written into the hollowed host and pair one-to-one with the SetThreadContext entries above.
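The SetThreadContext and WriteProcessMemory lists above are flat per-call entries; the hollowing only becomes visible once they are correlated per (source, target) pair. The script below is an added example, not part of the Triage report or its tooling: it parses entries in the report's own format, counts writes and context changes per pair, and flags the pairs that show both a SetThreadContext and a burst of writes. The write threshold and the list of commonly abused .NET host binaries are this example's assumptions; the sample entries are reconstructed from the report above (repeated entries are expanded from a count to keep the block short).

```python
"""Correlate flat sandbox injection IoCs into a process-hollowing finding.

Added example, not part of the Triage report. Parses the report's
"set thread context of" / "wrote to memory of" entries, groups them per
(source pid, target pid) and reports pairs with the hollowing shape.
"""
import re
from collections import defaultdict

# Constructed from the report above: (repeat count, entry text).
SAMPLE = "424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe"
REPORT_ENTRIES = [
    (1, f"PID 1984 set thread context of 2008 1984 {SAMPLE} RegAsm.exe"),
    (1, "PID 1192 set thread context of 1428 1192 AppVCatalog.exe RegAsm.exe"),
    (1, "PID 1016 set thread context of 1372 1016 AppVCatalog.exe RegAsm.exe"),
    (1, "PID 1704 set thread context of 1988 1704 AppVCatalog.exe RegAsm.exe"),
    (9, f"PID 1984 wrote to memory of 2008 1984 {SAMPLE} RegAsm.exe"),
    (4, f"PID 1984 wrote to memory of 1776 1984 {SAMPLE} schtasks.exe"),
    (4, "PID 1288 wrote to memory of 1192 1288 taskeng.exe AppVCatalog.exe"),
    (9, "PID 1192 wrote to memory of 1428 1192 AppVCatalog.exe RegAsm.exe"),
    (4, "PID 1192 wrote to memory of 516 1192 AppVCatalog.exe schtasks.exe"),
    (4, "PID 1288 wrote to memory of 1016 1288 taskeng.exe AppVCatalog.exe"),
    (9, "PID 1016 wrote to memory of 1372 1016 AppVCatalog.exe RegAsm.exe"),
    (4, "PID 1016 wrote to memory of 784 1016 AppVCatalog.exe schtasks.exe"),
    (4, "PID 1288 wrote to memory of 1704 1288 taskeng.exe AppVCatalog.exe"),
    (9, "PID 1704 wrote to memory of 1988 1704 AppVCatalog.exe RegAsm.exe"),
]
REPORT_TEXT = "\n".join(line for n, line in REPORT_ENTRIES for _ in range(n))

# "PID <src> <event> <dst> <src> <src name> <dst name>", as printed by the report.
EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<event>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_name>\S+) (?P<dst_name>\S+)$"
)

# .NET utilities loaders routinely start suspended and hollow (assumption).
HOLLOW_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe",
                "installutil.exe", "applaunch.exe"}


def parse_events(text):
    """Group the per-call entries by (source pid, target pid)."""
    pairs = defaultdict(lambda: {"writes": 0, "set_context": 0, "src": "", "dst": ""})
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # not an injection entry
        rec = pairs[(int(m["src"]), int(m["dst"]))]
        rec["src"], rec["dst"] = m["src_name"], m["dst_name"]
        if m["event"].startswith("set thread"):
            rec["set_context"] += 1
        else:
            rec["writes"] += 1
    return dict(pairs)


def find_hollowing(pairs, min_writes=6):
    """Return pairs showing a SetThreadContext plus a burst of writes.

    A plain CreateProcess shows a few writes and no SetThreadContext (four
    writes per child in this report), so both conditions are required.
    min_writes is a tunable assumption sitting between 4 and 9.
    """
    findings = []
    for (src, dst), rec in sorted(pairs.items()):
        if rec["set_context"] and rec["writes"] >= min_writes:
            findings.append({
                "source": (src, rec["src"]),
                "target": (dst, rec["dst"]),
                "writes": rec["writes"],
                "known_host": rec["dst"].lower() in HOLLOW_HOSTS,
            })
    return findings


if __name__ == "__main__":
    for finding in find_hollowing(parse_events(REPORT_TEXT)):
        print(finding)
```

On the report's data this yields exactly the four RegAsm.exe targets (1372, 1428, 1988, 2008) and nothing for the schtasks.exe or taskeng.exe-spawned children; requiring both signals is what keeps the four-write CreateProcess noise out.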
Processes
- C:\Users\Admin\AppData\Local\Temp\424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe (PID 1984)
  "C:\Users\Admin\AppData\Local\Temp\424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (PID 2008)
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (PID 1776)
    "C:\Windows\SysWOW64\schtasks.exe" /create /tn PnPUnattend /tr "C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe" /sc minute /mo 1 /F
    - Creates scheduled task(s)
- C:\Windows\system32\taskeng.exe (PID 1288)
  taskeng.exe {DBDB5B7B-D6EB-45FE-A15F-4B59809C32E8} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe (PID 1192)
    C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (PID 1428)
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    - C:\Windows\SysWOW64\schtasks.exe (PID 516)
      "C:\Windows\SysWOW64\schtasks.exe" /create /tn PnPUnattend /tr "C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)
  - C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe (PID 1016)
    C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (PID 1372)
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    - C:\Windows\SysWOW64\schtasks.exe (PID 784)
      "C:\Windows\SysWOW64\schtasks.exe" /create /tn PnPUnattend /tr "C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)
  - C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe (PID 1704)
    C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (PID 1988)
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

PIDs are taken from the Signatures section. The persistence is a scheduled task named PnPUnattend (borrowing the name of a Windows component) that runs the dropped AppVCatalog.exe every minute; because of the one-minute interval, taskeng.exe relaunches it repeatedly for the rest of the run, and each instance hollows a fresh 32-bit RegAsm.exe and re-issues the same schtasks command (/F overwrites the existing task without complaint). No schtasks child is recorded for the third instance (1704) within the analysis window.
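The schtasks command line above carries everything a hunt needs: the task name, the action path and the schedule. The parser below is an added example, not part of the report or of any Triage tooling; it tokenizes a schtasks /create line, pulls out those fields and applies three checks (sub-five-minute interval, action under a user-writable directory, /F overwrite). The directory prefixes, the interval threshold and the constructed benign command line used for contrast are this example's assumptions.

```python
"""Parse a schtasks /create command line and score it for persistence.

Added example, not part of the report. Tokenizes a Windows command line
(quoted strings stay whole), extracts the task name, action and schedule,
and applies hunt checks for the pattern seen in the process tree above.
"""
import re

TOKEN_RE = re.compile(r'"[^"]*"|\S+')
VERBS = {"/create", "/delete", "/query", "/change", "/run", "/end"}
BARE_FLAGS = {"/f", "/z", "/it", "/np", "/v", "/hresult"}
# Directories an unprivileged user can write to (assumption; tune per estate).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
MAX_MINUTES = 5  # anything more frequent reads as a watchdog/beacon (assumption)

# The report's command line, plus one constructed benign line for contrast.
REPORT_CMD = ('"C:\\Windows\\SysWOW64\\schtasks.exe" /create /tn PnPUnattend '
              '/tr "C:\\Users\\Admin\\CapabilityAccessHandlers\\AppVCatalog.exe" '
              '/sc minute /mo 1 /F')
BENIGN_CMD = ('"C:\\Windows\\System32\\schtasks.exe" /create /tn "Vendor\\Updater" '
              '/tr "C:\\Program Files\\Vendor\\update.exe" /sc daily /st 03:00')


def unquote(tok):
    return tok[1:-1] if len(tok) >= 2 and tok[0] == tok[-1] == '"' else tok


def parse_schtasks(cmdline):
    """Return exe, verb and a dict of lower-cased /flag -> raw value (True for bare flags)."""
    toks = TOKEN_RE.findall(cmdline)
    parsed = {"exe": unquote(toks[0]) if toks else "", "verb": None, "flags": {}}
    i = 1
    while i < len(toks):
        flag = toks[i].lower()
        if flag in VERBS:
            parsed["verb"] = flag
            i += 1
        elif flag in BARE_FLAGS:
            parsed["flags"][flag] = True
            i += 1
        elif flag.startswith("/") and i + 1 < len(toks):
            parsed["flags"][flag] = toks[i + 1]
            i += 2
        else:
            i += 1  # stray token; schtasks would reject it, ignored here
    return parsed


def action_path(flags):
    """Program part of /tr: a quoted program is taken as-is, otherwise the
    path runs up to the first executable extension (arguments are dropped)."""
    s = unquote(flags.get("/tr", ""))
    if s.startswith('"'):
        return unquote(TOKEN_RE.findall(s)[0]).lower()
    m = re.match(r".+?\.(?:exe|bat|cmd|vbs|js|ps1|dll)\b", s, re.I)
    return (m.group(0) if m else s.split(" ")[0]).lower()


def assess(cmdline):
    """Apply the hunt checks; returns the parse plus a findings list."""
    p = parse_schtasks(cmdline)
    findings = []
    if p["verb"] != "/create":
        return {**p, "action": "", "findings": findings}
    f = p["flags"]
    sc = f.get("/sc", "").lower()
    mo = int(f["/mo"]) if str(f.get("/mo", "")).isdigit() else 1
    if sc == "minute" and mo <= MAX_MINUTES:
        findings.append(f"runs every {mo} minute(s)")
    path = action_path(f)
    if path.startswith(USER_WRITABLE):
        findings.append(f"action in user-writable path: {path}")
    if f.get("/f"):
        findings.append("/F silently replaces an existing task of the same name")
    return {**p, "task_name": unquote(f.get("/tn", "")), "action": path,
            "findings": findings}


if __name__ == "__main__":
    for cmd in (REPORT_CMD, BENIGN_CMD):
        print(assess(cmd)["findings"])
```

The report's line trips all three checks; the constructed daily vendor task under Program Files trips none. On a live host the same fields come from the 4698 (task created) security event or from Sysmon process-creation events for schtasks.exe.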
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe
  MD5: 86978bcaaaa9026ce61cbf959265913f
  SHA1: 013f26b0aa34f001b0099257e0c235065b74ed01
  SHA256: 4dc3bac1021089afe22b56bdecf681fa646c89f7dfbff5903d28bcac48da1dc4
  SHA512: 7974a9d6c90a1ff523ce86a5fb53ca9fdab8322f3a7359f007641dcbbf7bc6604a02c85ee8b754a45116474ceafa831afe5526907983a321c313dd09f517a03b
  (Listed four times in the report with identical hashes. They differ from the submitted sample's hashes, so the persisted file is a separate AutoIT-compiled dropper written by the sample, not a copy of it; both sets of hashes are worth blocking.)
Memory dumps (file name, region size where a range is given):
- memory/516-87-0x0000000000000000-mapping.dmp
- memory/784-101-0x0000000000000000-mapping.dmp
- memory/1016-88-0x0000000000000000-mapping.dmp
- memory/1192-74-0x0000000000000000-mapping.dmp
- memory/1372-100-0x0000000000BB0000-0x0000000000BB1000-memory.dmp (4KB)
- memory/1372-96-0x0000000000414E6E-mapping.dmp
- memory/1428-82-0x00000000000A4E6E-mapping.dmp
- memory/1428-84-0x0000000000090000-0x00000000000AA000-memory.dmp (104KB)
- memory/1428-83-0x0000000000090000-0x00000000000AA000-memory.dmp (104KB)
- memory/1428-86-0x0000000000B90000-0x0000000000B91000-memory.dmp (4KB)
- memory/1428-77-0x0000000000090000-0x00000000000AA000-memory.dmp (104KB)
- memory/1704-102-0x0000000000000000-mapping.dmp
- memory/1776-72-0x0000000000000000-mapping.dmp
- memory/1984-60-0x0000000075AD1000-0x0000000075AD3000-memory.dmp (8KB)
- memory/1984-69-0x0000000000110000-0x0000000000111000-memory.dmp (4KB)
- memory/1988-114-0x0000000000B60000-0x0000000000B61000-memory.dmp (4KB)
- memory/1988-110-0x0000000000414E6E-mapping.dmp
- memory/2008-71-0x0000000000420000-0x0000000000421000-memory.dmp (4KB)
- memory/2008-66-0x0000000000414E6E-mapping.dmp
- memory/2008-61-0x0000000000400000-0x000000000041A000-memory.dmp (104KB)
- memory/2008-67-0x0000000000400000-0x000000000041A000-memory.dmp (104KB)
- memory/2008-68-0x0000000000400000-0x000000000041A000-memory.dmp (104KB)

The mapping dumps at a zero address belong to the children started by ordinary CreateProcess (schtasks.exe, AppVCatalog.exe); the non-zero ones belong to the hollowed RegAsm.exe instances. In 2008 the mapping address 0x414E6E falls inside the 104KB region 0x400000-0x41A000; in 1428 the address 0xA4E6E falls inside the equally sized region 0x90000-0xAA000. Both sit 0x14E6E from their region base, which is consistent with one injected image (the njRAT payload) loaded at two different bases, the second one relocated. The 104KB dumps are therefore the ones to carve the payload from; for 1372 and 1988 only a 4KB region was dumped, so their mapping addresses cannot be resolved from this list.