Analysis
- max time kernel: 150s
- max time network: 143s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 22-09-2021 14:32
Static task: static1
Behavioral task: behavioral1
Sample: 424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe
Resource: win7v20210408
General
- Target: 424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe
- Size: 1009KB
- MD5: dd50c188aabc9e550fc221de015ddb55
- SHA1: 068aa881159f72c4454f44f32fb754fc5b88f688
- SHA256: 424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8
- SHA512: b63b109c27987c3b873c378707eb983c60b782e7e9a2ec0dafac7130ef17da0c034698aaa025cd6103cc5ba6e6fb4e13240a20c773fb2e7a981eef276e406b36
Malware Config
Extracted
- Family: njrat
- Version: 0.7.3
- Botnet: Limebot3
- C2: microsoftdnsbug.duckdns.org:6699
- Client.exe
- reg_key: Client.exe
- splitter: luffy
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid / process):
  1764 AppVCatalog.exe
  3772 AppVCatalog.exe
- Suspicious use of SetThreadContext (3 IoCs)
  Processes (description / pid / process / target process):
  PID 3936 set thread context of 1380: 424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe -> RegAsm.exe
  PID 1764 set thread context of 4080: AppVCatalog.exe -> RegAsm.exe
  PID 3772 set thread context of 3672: AppVCatalog.exe -> RegAsm.exe
- autoit_exe (3 IoCs)
  AutoIT scripts compiled to PE executables.
  Processes (resource / yara_rule):
  C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe autoit_exe (3 matches on the same path)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes (pid / process / events):
  3936 424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe (4)
  1764 AppVCatalog.exe (4)
  3772 AppVCatalog.exe (4)
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes (description / pid / process / events):
  Token: SeDebugPrivilege 1380 RegAsm.exe (1)
  Token: 33 1380 RegAsm.exe (17, alternating with the next entry)
  Token: SeIncBasePriorityPrivilege 1380 RegAsm.exe (17)
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes (description / pid / process / target process / events):
  PID 3936 wrote to memory of 1380: 424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe -> RegAsm.exe (5)
  PID 3936 wrote to memory of 2780: 424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe -> schtasks.exe (3)
  PID 1764 wrote to memory of 4080: AppVCatalog.exe -> RegAsm.exe (5)
  PID 1764 wrote to memory of 592: AppVCatalog.exe -> schtasks.exe (3)
  PID 3772 wrote to memory of 3672: AppVCatalog.exe -> RegAsm.exe (5)
Processes
- C:\Users\Admin\AppData\Local\Temp\424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn PnPUnattend /tr "C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe" /sc minute /mo 1 /F
    - Creates scheduled task(s)
- C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe
  Command line: C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn PnPUnattend /tr "C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe" /sc minute /mo 1 /F
    - Creates scheduled task(s)
- C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe
  Command line: C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegAsm.exe.log
  MD5: 6b062b48db9a8e149e10fefd80ab54ef
  SHA1: 1e72855f88c33b6ddce512b079bbe2e4aa2b6b57
  SHA256: 026518c621aa1e908fd3617fe1d684a6225393659345ad4f9c085fc4f6b3cf43
  SHA512: b36007e2b0b71247979cdac1b17520cc37065c001464b4c70d642c8a059510d28ed8b57b7e4df59a43d99d69c588c1bab7b3c95c6a75c0ab98317246b56f7832
- C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe
  MD5: e7014d98621cee3c1b2a90cf7af3ee98
  SHA1: 5646e8a80cfdc580001032a650aeea20511606e6
  SHA256: dbf825b66bd0f94b83770a8825adc0c27c88f234acee5efa8b5cd84ed1e8d2e2
  SHA512: 0d0d79f1733a2a6b416715c27044d04893f6206540286457f6678bda3f71015304fbf6c5c1407bbdb550657f61da4b83913eb93dbfff2518984c6ef602bd936b
- memory/592-133-0x0000000000000000-mapping.dmp
- memory/1380-122-0x0000000000DF0000-0x0000000000DF1000-memory.dmp (Filesize: 4KB)
- memory/1380-115-0x0000000000400000-0x000000000041A000-memory.dmp (Filesize: 104KB)
- memory/1380-120-0x0000000000414E6E-mapping.dmp
- memory/2780-123-0x0000000000000000-mapping.dmp
- memory/3672-140-0x0000000000414E6E-mapping.dmp
- memory/3672-142-0x0000000002E30000-0x0000000002E31000-memory.dmp (Filesize: 4KB)
- memory/3936-121-0x0000000000DB0000-0x0000000000DB1000-memory.dmp (Filesize: 4KB)
- memory/4080-126-0x0000000000570000-0x000000000058A000-memory.dmp (Filesize: 104KB)
- memory/4080-131-0x0000000000584E6E-mapping.dmp
- memory/4080-132-0x0000000002160000-0x0000000002161000-memory.dmp (Filesize: 4KB)