Analysis
- max time kernel: 171s
- max time network: 183s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 21-01-2022 23:50
Static task: static1
Behavioral task behavioral1
- Sample: Cirular-18April2017/Circular.exe
- Resource: win7-en-20211208
Behavioral task behavioral2
- Sample: Cirular-18April2017/Circular.exe
- Resource: win10-en-20211208
Behavioral task behavioral3
- Sample: Cirular-18April2017/Circular.Doc.lnk
- Resource: win7-en-20211208
(The platform and resource in the Analysis header match behavioral2, so the signatures and process tree below are from the win10-en-20211208 run of Circular.exe.)
General
- Target: Cirular-18April2017/Circular.exe
- Size: 264KB
- MD5: 695c5d19dc3c3c5cc39182e09d9274e6
- SHA1: bc0aa3fce44b7d252919d820860709a0052cb76c
- SHA256: 6ee76407efa8157b7f2b80a3a7ccc41581851aca58ab10cb8caf0243ce6fa436
- SHA512: a20bf0b073c43f55f9a8797e093422b2aea58949fa23e625e20ce9786421c120253cd4f988aa3b2f877d9cc7f6c472e8daabe58489d7b7ea2bec5c339e855e4b
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: zalupa180417
- C2: 808080.ddns.net:5555
- Mutex: 4cb72bb7475074f5af41f3e5e189ee3f
- Attributes:
  - reg_key: 4cb72bb7475074f5af41f3e5e189ee3f
  - splitter: |'|'|
The reg_key is the registry value name njRAT 0.7d uses for Run-key persistence and is the same string it uses for its mutex, so this one hash serves as both a registry and a mutex indicator (in this run the sandbox recorded only the Startup-folder drop shown below). The C2 is a dynamic-DNS hostname on a non-standard port, so hunt on the hostname and on port 5555 rather than on a resolved IP, which can change between sessions.
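The splitter value above is what makes this family's C2 traffic recognisable in a packet capture. As an added example, not code from the sandbox report or from the malware author, the Python below splits a constructed njRAT-style TCP stream into frames and fields. The "<decimal length>\0<payload>" framing is njRAT's widely documented wire format and the splitter is the one extracted above; the field order assumed for the "ll" registration message, the sample hostname, user and victim id are constructed for this example and are not captured traffic.

```python
"""Added example: split njRAT-style C2 traffic into frames and fields.

Not code from the sandbox report or from the njRAT author. Assumes the
documented njRAT framing '<decimal length>\\0<payload>' and the splitter
recovered in the config above. The registration field order and all
sample values are constructed for this example.
"""
import base64

SPLITTER = "|'|'|"  # splitter value from the extracted config


def frame(payload: bytes) -> bytes:
    """Wrap a payload in the length-prefixed framing (used to build the sample)."""
    return str(len(payload)).encode() + b"\x00" + payload


def split_frames(stream: bytes) -> list:
    """Return every complete payload in a stream; reject malformed or short frames."""
    frames, pos = [], 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            raise ValueError("no NUL terminator after length prefix")
        prefix = stream[pos:nul]
        if not prefix.isdigit():
            raise ValueError("non-numeric length prefix %r" % prefix)
        start, end = nul + 1, nul + 1 + int(prefix)
        if end > len(stream):
            raise ValueError("truncated frame")
        frames.append(stream[start:end])
        pos = end
    return frames


def parse_frame(payload: bytes, splitter: str = SPLITTER) -> dict:
    """Split one payload into its command word and argument list."""
    fields = payload.decode("utf-8", errors="replace").split(splitter)
    return {"cmd": fields[0], "args": fields[1:]}


def decode_registration(parsed: dict) -> dict:
    """Interpret an 'll' (register) frame. Field positions are an assumption
    for this example: base64 victim id, hostname, user, then the rest."""
    if parsed["cmd"] != "ll" or len(parsed["args"]) < 3:
        raise ValueError("not a registration frame")
    vid = base64.b64decode(parsed["args"][0]).decode("utf-8", errors="replace")
    return {"victim_id": vid, "host": parsed["args"][1], "user": parsed["args"][2]}


def is_malformed(stream: bytes) -> bool:
    """True when the stream does not parse as a sequence of complete frames."""
    try:
        split_frames(stream)
    except ValueError:
        return True
    return False


# Constructed sample stream: one registration frame followed by a keep-alive.
SAMPLE_ID = base64.b64encode(b"zalupa180417_ABCD1234").decode()
SAMPLE_STREAM = (
    frame(SPLITTER.join(["ll", SAMPLE_ID, "DESKTOP-LAB", "Admin",
                         "22-01-21", "", "Win 10"]).encode())
    + frame(b"P")
)


def summarize(stream: bytes = SAMPLE_STREAM) -> list:
    """Parse every frame in a stream into {cmd, args} dicts."""
    return [parse_frame(p) for p in split_frames(stream)]


if __name__ == "__main__":
    for msg in summarize():
        print(msg["cmd"], msg["args"])
    print(decode_registration(summarize()[0]))
```

Because the length prefix is decimal ASCII and the splitter is a fixed literal, the same two checks (a digit run, a NUL, then exactly that many bytes containing the splitter) are what an IDS rule for port 5555 traffic to 808080.ddns.net should express.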
Signatures
- Modifies Windows Firewall (1 TTP; the netsh command is in the process tree below)
- Drops startup file (2 IoCs)
  Process: Circular.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FlashUpdate.exe
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FlashUpdate.exe
- Suspicious use of SetThreadContext (1 IoC)
  Process: Circular.exe
  - PID 2196 (Circular.exe) set thread context of PID 2312 (RegAsm.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Process: Circular.exe
  - PID 2196 Circular.exe (2 occurrences)
- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  Processes: Circular.exe, RegAsm.exe
  - Token: SeDebugPrivilege, PID 2196 Circular.exe
  - Token: SeDebugPrivilege, PID 2312 RegAsm.exe
  - Token: 33, then SeIncBasePriorityPrivilege, PID 2312 RegAsm.exe (11 alternating pairs; privilege LUID 33 is SeIncreaseWorkingSetPrivilege)
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: Circular.exe, RegAsm.exe
  - PID 2196 (Circular.exe) wrote to memory of PID 2312 (RegAsm.exe), 8 times
  - PID 2312 (RegAsm.exe) wrote to memory of PID 996 (netsh.exe), 3 times
Read together, the eight writes from Circular.exe into a freshly spawned RegAsm.exe followed by a SetThreadContext on that process are the process-hollowing (RunPE) pattern: the loader overwrites the suspended child's image with its payload, points the main thread at the new entry point and resumes it, so the RAT runs under a Microsoft-signed .NET binary. The three writes from RegAsm.exe into netsh.exe coincide with RegAsm.exe spawning netsh.exe and are typical of process creation rather than a second injection.
Processes
1. C:\Users\Admin\AppData\Local\Temp\Cirular-18April2017\Circular.exe (PID 2196)
   Command line: "C:\Users\Admin\AppData\Local\Temp\Cirular-18April2017\Circular.exe"
   - Drops startup file
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (PID 2312)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe (PID 996)
         Command line: netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE
A legitimate RegAsm.exe invocation carries an assembly path; one started with an empty command line that then stays resident and spawns children is the hollowing host. The netsh command adds a legacy Windows Firewall program exception for that host so the injected RAT's connection to 808080.ddns.net:5555 is not blocked; the exception, like the Startup-folder copy named FlashUpdate.exe, survives the sandbox run and is a durable host indicator.
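The three behaviours in this tree (a binary dropped into the per-user Startup folder, RegAsm.exe started without an assembly argument and then written to by its parent, and netsh adding a firewall exception for that host) are what a detection should key on. The Python below is an added example, not the sandbox's signature engine: it runs those rules over a few constructed, Sysmon-shaped event records that mirror the tree above, plus two benign controls. The record field names and the set of .NET utilities treated as hollowing hosts are assumptions for this example.

```python
"""Added example: rules for the behaviour chain in the process tree above.

Not the sandbox's own signature code. Events are constructed dicts shaped
loosely like Sysmon/sandbox records; the field names (type, pid, ppid,
image, cmdline, target, target_pid) are an assumption for this example.
"""
import re

# Per-user Startup folder: anything created here runs at the next logon.
STARTUP_DIR = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+$", re.I)
# Legacy "firewall add allowedprogram" and newer "advfirewall firewall add rule" syntaxes.
FW_EXCEPTION = re.compile(r"\bnetsh\b.*\bfirewall\b.*\badd\s+(allowedprogram|rule)\b", re.I)
# Signed .NET utilities commonly abused as hollowing hosts (assumption; extend per environment).
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def args_after_image(cmdline: str) -> str:
    """Strip the (possibly quoted) image path; whatever remains are the arguments."""
    m = re.match(r'^\s*(?:"[^"]*"|\S+)\s*(.*)$', cmdline)
    return (m.group(1) if m else cmdline).strip()


def evaluate(events: list) -> dict:
    """Map rule name -> list of PIDs that triggered it, in event order."""
    hits = {}
    procs = {e["pid"]: e for e in events if e["type"] == "ProcessCreate"}

    def add(rule: str, pid: int) -> None:
        hits.setdefault(rule, []).append(pid)

    for e in events:
        if e["type"] == "FileCreate" and STARTUP_DIR.search(e["target"]):
            add("startup_folder_drop", e["pid"])
        elif e["type"] == "ProcessCreate":
            name = basename(e["image"])
            # A .NET host with no assembly to process has nothing legitimate to do.
            if name in DOTNET_HOSTS and not args_after_image(e["cmdline"]):
                add("dotnet_host_without_arguments", e["pid"])
            if name == "netsh.exe" and FW_EXCEPTION.search(e["cmdline"]):
                add("firewall_exception_added", e["pid"])
                parent = procs.get(e.get("ppid"))
                if parent and basename(parent["image"]) in DOTNET_HOSTS:
                    add("firewall_exception_from_dotnet_host", e["pid"])
        elif e["type"] in ("WriteProcessMemory", "SetThreadContext") and e["pid"] != e["target_pid"]:
            target = procs.get(e["target_pid"])
            if target and basename(target["image"]) in DOTNET_HOSTS:
                add("injection_into_dotnet_host", e["pid"])
    return hits


# Constructed to mirror the report's process tree; not sandbox output.
EVENTS = [
    {"type": "ProcessCreate", "pid": 2196, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\Cirular-18April2017\Circular.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Cirular-18April2017\Circular.exe"'},
    {"type": "FileCreate", "pid": 2196,
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FlashUpdate.exe"},
    {"type": "ProcessCreate", "pid": 2312, "ppid": 2196,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"'},
    {"type": "WriteProcessMemory", "pid": 2196, "target_pid": 2312},
    {"type": "SetThreadContext", "pid": 2196, "target_pid": 2312},
    {"type": "ProcessCreate", "pid": 996, "ppid": 2312,
     "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE'},
    {"type": "WriteProcessMemory", "pid": 2312, "target_pid": 996},
    # Benign controls: RegAsm.exe registering a real assembly, and a file written to Temp.
    {"type": "ProcessCreate", "pid": 4100, "ppid": 1000,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" C:\app\lib.dll /codebase'},
    {"type": "FileCreate", "pid": 4100, "target": r"C:\Users\Admin\AppData\Local\Temp\lib.tlb"},
]

if __name__ == "__main__":
    for rule, pids in evaluate(EVENTS).items():
        print(rule, pids)
```

The parent-to-child write from RegAsm.exe into netsh.exe is deliberately not flagged: netsh.exe is not in the host set, and that write is what process creation looks like in this telemetry. The argument-less RegAsm.exe rule is the cheapest of the five and on its own would already have surfaced PID 2312.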
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/2196-115-0x0000000002940000-0x0000000002941000-memory.dmp (4KB)
- memory/2196-116-0x0000000004E90000-0x0000000004E91000-memory.dmp (4KB)
- memory/2196-117-0x0000000004EA0000-0x0000000004F61000-memory.dmp (772KB)
- memory/2312-118-0x0000000000400000-0x000000000040C000-memory.dmp (48KB)
- memory/2312-119-0x0000000000C00000-0x0000000000CAE000-memory.dmp (696KB)
The 48KB region at 0x400000 in PID 2312 sits at the default image base of a 32-bit .NET executable and is consistent with the payload written over the hollowed RegAsm.exe; it is the dump to start from when recovering the injected njRAT binary, with the 772KB region in PID 2196 the likely decrypted staging copy in the loader.