Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 02-11-2021 02:36
Static task: static1
Behavioral task: behavioral1
Sample: 996570A4F29509E3C74AA361E578F59001460810064F4.exe
Resource: win7-en-20211014
General
- Target: 996570A4F29509E3C74AA361E578F59001460810064F4.exe
- Size: 73KB
- MD5: 7de9b1373f7e080121792869b172c537
- SHA1: 452f18d117ca728604b660f30aaafcd4f0c217f9
- SHA256: 996570a4f29509e3c74aa361e578f59001460810064f4a81be520e18291d56ab
- SHA512: ae50753118eed6328e1c425ae8545034c9d782867eb8bd3d9a828309b7b19c6134cae2f2e0f44def4a0dc50f3eca743a2e6ffbf8a5287203aaf22050568b1d9a
Malware Config
Extracted
- njrat
- 0.7d
- 04040404
- soportes.duckdns.org:2023
- 28a056e3673b28a4055fb90e48d147ab
- reg_key: 28a056e3673b28a4055fb90e48d147ab
- splitter: |'|'|
Signatures
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
- Modifies Windows Firewall (1 TTPs)
- Drops startup file (1 IoCs)
  Processes: 996570A4F29509E3C74AA361E578F59001460810064F4.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hJtyaQ.url | 996570A4F29509E3C74AA361E578F59001460810064F4.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: 996570A4F29509E3C74AA361E578F59001460810064F4.exe
  description | pid | process | target process
  PID 1772 set thread context of 360 | 1772 | 996570A4F29509E3C74AA361E578F59001460810064F4.exe | RegAsm.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: 996570A4F29509E3C74AA361E578F59001460810064F4.exe
  pid | process
  1772 | 996570A4F29509E3C74AA361E578F59001460810064F4.exe
  1772 | 996570A4F29509E3C74AA361E578F59001460810064F4.exe
- Suspicious use of AdjustPrivilegeToken (34 IoCs)
  Processes: 996570A4F29509E3C74AA361E578F59001460810064F4.exe, RegAsm.exe
  description | pid | process
  Token: SeDebugPrivilege | 1772 | 996570A4F29509E3C74AA361E578F59001460810064F4.exe
  Token: SeDebugPrivilege | 360 | RegAsm.exe
  Token: 33 | 360 | RegAsm.exe
  Token: SeIncBasePriorityPrivilege | 360 | RegAsm.exe
  Token: 33 | 360 | RegAsm.exe
  Token: SeIncBasePriorityPrivilege | 360 | RegAsm.exe
  Token: 33 | 360 | RegAsm.exe
  Token: SeIncBasePriorityPrivilege | 360 | RegAsm.exe
  Token: 33 | 360 | RegAsm.exe
  Token: SeIncBasePriorityPrivilege | 360 | RegAsm.exe
  Token: 33 | 360 | RegAsm.exe
  Token: SeIncBasePriorityPrivilege | 360 | RegAsm.exe
  Token: 33 | 360 | RegAsm.exe
  Token: SeIncBasePriorityPrivilege | 360 | RegAsm.exe
  Token: 33 | 360 | RegAsm.exe
  Token: SeIncBasePriorityPrivilege | 360 | RegAsm.exe
  Token: 33 | 360 | RegAsm.exe
  Token: SeIncBasePriorityPrivilege | 360 | RegAsm.exe
  Token: 33 | 360 | RegAsm.exe
  Token: SeIncBasePriorityPrivilege | 360 | RegAsm.exe
  Token: 33 | 360 | RegAsm.exe
  Token: SeIncBasePriorityPrivilege | 360 | RegAsm.exe
  Token: 33 | 360 | RegAsm.exe
  Token: SeIncBasePriorityPrivilege | 360 | RegAsm.exe
  Token: 33 | 360 | RegAsm.exe
  Token: SeIncBasePriorityPrivilege | 360 | RegAsm.exe
  Token: 33 | 360 | RegAsm.exe
  Token: SeIncBasePriorityPrivilege | 360 | RegAsm.exe
  Token: 33 | 360 | RegAsm.exe
  Token: SeIncBasePriorityPrivilege | 360 | RegAsm.exe
  Token: 33 | 360 | RegAsm.exe
  Token: SeIncBasePriorityPrivilege | 360 | RegAsm.exe
  Token: 33 | 360 | RegAsm.exe
  Token: SeIncBasePriorityPrivilege | 360 | RegAsm.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes: 996570A4F29509E3C74AA361E578F59001460810064F4.exe, csc.exe, RegAsm.exe
  description | pid | process | target process
  PID 1772 wrote to memory of 1132 | 1772 | 996570A4F29509E3C74AA361E578F59001460810064F4.exe | csc.exe
  PID 1772 wrote to memory of 1132 | 1772 | 996570A4F29509E3C74AA361E578F59001460810064F4.exe | csc.exe
  PID 1772 wrote to memory of 1132 | 1772 | 996570A4F29509E3C74AA361E578F59001460810064F4.exe | csc.exe
  PID 1772 wrote to memory of 1132 | 1772 | 996570A4F29509E3C74AA361E578F59001460810064F4.exe | csc.exe
  PID 1132 wrote to memory of 1432 | 1132 | csc.exe | cvtres.exe
  PID 1132 wrote to memory of 1432 | 1132 | csc.exe | cvtres.exe
  PID 1132 wrote to memory of 1432 | 1132 | csc.exe | cvtres.exe
  PID 1132 wrote to memory of 1432 | 1132 | csc.exe | cvtres.exe
  PID 1772 wrote to memory of 360 | 1772 | 996570A4F29509E3C74AA361E578F59001460810064F4.exe | RegAsm.exe
  PID 1772 wrote to memory of 360 | 1772 | 996570A4F29509E3C74AA361E578F59001460810064F4.exe | RegAsm.exe
  PID 1772 wrote to memory of 360 | 1772 | 996570A4F29509E3C74AA361E578F59001460810064F4.exe | RegAsm.exe
  PID 1772 wrote to memory of 360 | 1772 | 996570A4F29509E3C74AA361E578F59001460810064F4.exe | RegAsm.exe
  PID 1772 wrote to memory of 360 | 1772 | 996570A4F29509E3C74AA361E578F59001460810064F4.exe | RegAsm.exe
  PID 1772 wrote to memory of 360 | 1772 | 996570A4F29509E3C74AA361E578F59001460810064F4.exe | RegAsm.exe
  PID 1772 wrote to memory of 360 | 1772 | 996570A4F29509E3C74AA361E578F59001460810064F4.exe | RegAsm.exe
  PID 1772 wrote to memory of 360 | 1772 | 996570A4F29509E3C74AA361E578F59001460810064F4.exe | RegAsm.exe
  PID 1772 wrote to memory of 360 | 1772 | 996570A4F29509E3C74AA361E578F59001460810064F4.exe | RegAsm.exe
  PID 1772 wrote to memory of 360 | 1772 | 996570A4F29509E3C74AA361E578F59001460810064F4.exe | RegAsm.exe
  PID 1772 wrote to memory of 360 | 1772 | 996570A4F29509E3C74AA361E578F59001460810064F4.exe | RegAsm.exe
  PID 1772 wrote to memory of 360 | 1772 | 996570A4F29509E3C74AA361E578F59001460810064F4.exe | RegAsm.exe
  PID 360 wrote to memory of 1652 | 360 | RegAsm.exe | netsh.exe
  PID 360 wrote to memory of 1652 | 360 | RegAsm.exe | netsh.exe
  PID 360 wrote to memory of 1652 | 360 | RegAsm.exe | netsh.exe
  PID 360 wrote to memory of 1652 | 360 | RegAsm.exe | netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\996570A4F29509E3C74AA361E578F59001460810064F4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\996570A4F29509E3C74AA361E578F59001460810064F4.exe"
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\btmvnqdl\btmvnqdl.cmdline"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF6F.tmp" "c:\Users\Admin\AppData\Local\Temp\btmvnqdl\CSC7B0F5140F9BE44439961848E6FE07521.TMP"
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\RESCF6F.tmp
  MD5: e64289f68797cf8c4e2ae4f697ffde40
  SHA1: d4017cc20449dced815458ddb1fe1f9c62952c74
  SHA256: c52b1774e6918813fff5214fcd2388ee8a7b0436d0cf5ef956febcea723d42e3
  SHA512: d1639da2642779f608b244f3723441cb297807d287c2d0fda16ecc94970feb82cc4c7b35606ee185280c780669bc68cd8071d6cf973b044dbe2853409f8d7843
- C:\Users\Admin\AppData\Local\Temp\btmvnqdl\btmvnqdl.dll
  MD5: 109f8eef46248643d1be3f204524f22c
  SHA1: 9d538a70ec27e0b0014f386e3ea1c7b02bac256f
  SHA256: abd777448d5ec6a05d5c07faf6e3f4de14865cebdb3b6255387bf45ff9702494
  SHA512: 7cc6f66fb13e9b2da5c017d626399a04e59d8e498d5361d6a3c317fe1dad0d6981b63b6c8ae2fe6900449fcfa8703fee50cfc58f9ae7185e035bb10fe5700c95
- C:\Users\Admin\AppData\Local\Temp\btmvnqdl\btmvnqdl.pdb
  MD5: 727f35a97615c80766b6bf11f9d88dcd
  SHA1: 131c1282fdd18e992de6b796d573563c0e29c5ab
  SHA256: 922d95764c87936f8c3e9485cfbbb3f986abee43e8cc3d5e0e76809196aa1029
  SHA512: 125ea6d3f729eacebb8e90138d1b5ff7b44dcfef71dd9602640962a3a3b650db9ab40792fd12c31b9e699313ee5138b6e8041d2d711029d1e1467bb7f8c4fd78
- \??\c:\Users\Admin\AppData\Local\Temp\btmvnqdl\CSC7B0F5140F9BE44439961848E6FE07521.TMP
  MD5: 676287dbbda00e632bd85a304a36e046
  SHA1: 7333ed846ecf4dd7b1ec70858c835539f12c66b8
  SHA256: c9a1539959180ea9ab052e884fabff72c339d727971d412cf72275ee871a7cda
  SHA512: 6aa0afc4fe2f35541a86f83bfee7c8d496443794e1d81c0804d764083f0929e31348d9cbe6e5e24569a7d00f6b9698d4cc6644f993e8186add2a5133ff8c94e6
- \??\c:\Users\Admin\AppData\Local\Temp\btmvnqdl\btmvnqdl.0.cs
  MD5: 43843ea478ecc41b366642a2d6a65de7
  SHA1: 302951dfb877c63bf428a24f52de4e22a7176373
  SHA256: daf0b1fff1975fa6a4acb4cab65191e922585d90e09a7ab5215a15f1b4089d57
  SHA512: 0d1f3ab2c4c8b21ef47ccf01be72c2c2cc07f1a2c5650cc85aaa51be32b8959739d13a2e9fe4454ca3a8759fdf9b836514cf80ca09fa323e8228fbd47cb72e61
- \??\c:\Users\Admin\AppData\Local\Temp\btmvnqdl\btmvnqdl.cmdline
  MD5: 099ab0e9905de1ff543e9db3ad7ff867
  SHA1: 368424425ad8ff5b1bc0a9479bc48dfa6ecc0896
  SHA256: f462e4ff1abf5198aed405cd556cc85bb1aa97dbb3e99817716fe4091404bea6
  SHA512: 234c26f3af4426786515368366c19057487d905a073e3c26bb3ccaad9f3737d7aa81ec35af10da418275b423d8d5c095159143e8ff7051b2701993c322a70863
- memory/360-75-0x000000000040748E-mapping.dmp
- memory/360-77-0x0000000000790000-0x0000000000791000-memory.dmp
  Filesize: 4KB
- memory/360-76-0x0000000075321000-0x0000000075323000-memory.dmp
  Filesize: 8KB
- memory/360-72-0x0000000000400000-0x000000000040C000-memory.dmp
  Filesize: 48KB
- memory/360-74-0x0000000000400000-0x000000000040C000-memory.dmp
  Filesize: 48KB
- memory/360-70-0x0000000000400000-0x000000000040C000-memory.dmp
  Filesize: 48KB
- memory/360-71-0x0000000000400000-0x000000000040C000-memory.dmp
  Filesize: 48KB
- memory/360-73-0x0000000000400000-0x000000000040C000-memory.dmp
  Filesize: 48KB
- memory/1132-57-0x0000000000000000-mapping.dmp
- memory/1432-60-0x0000000000000000-mapping.dmp
- memory/1652-78-0x0000000000000000-mapping.dmp
- memory/1772-61-0x0000000004AB0000-0x0000000004AB1000-memory.dmp
  Filesize: 4KB
- memory/1772-69-0x00000000009C0000-0x00000000009C6000-memory.dmp
  Filesize: 24KB
- memory/1772-68-0x0000000000670000-0x0000000000676000-memory.dmp
  Filesize: 24KB
- memory/1772-67-0x0000000000410000-0x0000000000420000-memory.dmp
  Filesize: 64KB
- memory/1772-66-0x0000000000390000-0x0000000000392000-memory.dmp
  Filesize: 8KB
- memory/1772-55-0x0000000001140000-0x0000000001141000-memory.dmp
  Filesize: 4KB