Overview

overview

10

Static

static

dc52cb3d58...e3.exe

windows7_x64

10

dc52cb3d58...e3.exe

windows10_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    21-01-2022 23:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dc52cb3d58087c26b2c4ccc95ec2a50df8b2ada10d368251b836b033f36eb0e3.exe

  • Size

    454KB

  • MD5

    724c9322da3b1c5f7994a466fbb6dc09

  • SHA1

    d993e3da6da34581ba6d3ca18d33356767cbecf7

  • SHA256

    dc52cb3d58087c26b2c4ccc95ec2a50df8b2ada10d368251b836b033f36eb0e3

  • SHA512

    7d2ae83d9ad9ae790ee9c7b2fb1b35456b27c0e79e0fb313ad58aa342a2bd058b6b7337aa354b4b7462081ef73cbddc982a1be503aff135e4f3a1b6c9f808a7f

Score
10/10
njratestación terpelpersistencetrojan

Malware Config

Extracted

Family

njrat

Version

0.7.3

Botnet

ESTACIÓN TERPEL

C2

estacion373.duckdns.org:1990

Mutex

Client.exe

Attributes
  • reg_key

    Client.exe

  • splitter

    1990

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dc52cb3d58087c26b2c4ccc95ec2a50df8b2ada10d368251b836b033f36eb0e3.exe
    "C:\Users\Admin\AppData\Local\Temp\dc52cb3d58087c26b2c4ccc95ec2a50df8b2ada10d368251b836b033f36eb0e3.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:612
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fkHhuFSCKBkxD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB02D.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:240
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "{path}"
      2⤵
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1104
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /Delete /tn NYAN /F
        3⤵
          PID:1988
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /tn NYAN /tr "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" /sc minute /mo 1
          3⤵
          • Creates scheduled task(s)
          PID:776
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {95C91CFE-2E9D-4CB4-A28E-A81140109C7F} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1592
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        2⤵
          PID:1688
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          2⤵
            PID:1984

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Scheduled Task

        1
        T1053

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Scheduled Task

        1
        T1053

        Privilege Escalation

        Scheduled Task

        1
        T1053

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\tmpB02D.tmp
          MD5

          38c36ea2e14c41d999786975404a9132

          SHA1

          43998535b23a88efec39c1d261c3216a1be11296

          SHA256

          6f4fc66db15d24f789c30b78989f38d04e339c4206c9c57b2bd2e8e078e25b6f

          SHA512

          4b6f4e54a5ff84fbfc287de0466d2e83503a47ad5281f258bb828700e5970129aa9e987967d068ace72dfcccfd1f13a5278b178b1f1cc2f7d40ce18866869bff

          Download Submit
        • memory/612-54-0x0000000000A70000-0x0000000000AE8000-memory.dmp
          Filesize

          480KB

          Download
        • memory/612-55-0x0000000075891000-0x0000000075893000-memory.dmp
          Filesize

          8KB

          Download
        • memory/612-56-0x00000000070A0000-0x00000000070A1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/612-57-0x00000000003F0000-0x00000000003FC000-memory.dmp
          Filesize

          48KB

          Download
        • memory/612-58-0x0000000002020000-0x0000000002076000-memory.dmp
          Filesize

          344KB

          Download
        • memory/612-59-0x0000000004170000-0x00000000041A2000-memory.dmp
          Filesize

          200KB

          Download
        • memory/1104-61-0x0000000000400000-0x000000000041A000-memory.dmp
          Filesize

          104KB

          Download
        • memory/1104-62-0x0000000000400000-0x000000000041A000-memory.dmp
          Filesize

          104KB

          Download
        • memory/1104-63-0x0000000000400000-0x000000000041A000-memory.dmp
          Filesize

          104KB

          Download
        • memory/1104-64-0x0000000000400000-0x000000000041A000-memory.dmp
          Filesize

          104KB

          Download
        • memory/1104-65-0x0000000000400000-0x000000000041A000-memory.dmp
          Filesize

          104KB

          Download
        • memory/1104-66-0x0000000000400000-0x000000000041A000-memory.dmp
          Filesize

          104KB

          Download
        • memory/1104-69-0x0000000004E70000-0x0000000004E71000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1688-67-0x0000000000E40000-0x0000000000E4E000-memory.dmp
          Filesize

          56KB

          Download
        • memory/1688-70-0x00000000008E0000-0x0000000000900000-memory.dmp
          Filesize

          128KB

          Download
        • memory/1984-71-0x00000000005B0000-0x00000000005D0000-memory.dmp
          Filesize

          128KB

          Download