Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 26-03-2022 06:31
Static task: static1
Behavioral task: behavioral1
- Sample: 111eb3a585b4174c3f222f2ab08fae82dee466415a4f8253754478559963df3d.exe
- Resource: win7-20220311-en
Behavioral task: behavioral2
- Sample: 111eb3a585b4174c3f222f2ab08fae82dee466415a4f8253754478559963df3d.exe
- Resource: win10v2004-en-20220113
General
- Target: 111eb3a585b4174c3f222f2ab08fae82dee466415a4f8253754478559963df3d.exe
- Size: 1.7MB
- MD5: 5de44904fb635506bc43de4fe10c1d38
- SHA1: b7800af591a87fe99577786b98aa09107e0c4fc8
- SHA256: 111eb3a585b4174c3f222f2ab08fae82dee466415a4f8253754478559963df3d
- SHA512: a6462530b591c8222e7cfff9767a412f93ca5d39c56098a5f69724ca606eed70365b904b23939a8dac6aa8bbe398d1aec145d4054af2c4c24d1d757a1e82a73b
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: Zombie
- C2: pussy.n-e.kr:5552
- Mutex: b62c95af1d1020e4f746a6e36fa2ec48
- Attributes:
  - reg_key: b62c95af1d1020e4f746a6e36fa2ec48
  - splitter: |'|'|
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Modifies Windows Firewall (1 TTP)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: 111eb3a585b4174c3f222f2ab08fae82dee466415a4f8253754478559963df3d.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 111eb3a585b4174c3f222f2ab08fae82dee466415a4f8253754478559963df3d.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 111eb3a585b4174c3f222f2ab08fae82dee466415a4f8253754478559963df3d.exe
- Identifies Wine through registry keys (2 TTPs, 1 IoC)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes: 111eb3a585b4174c3f222f2ab08fae82dee466415a4f8253754478559963df3d.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Wine | 111eb3a585b4174c3f222f2ab08fae82dee466415a4f8253754478559963df3d.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: RegAsm.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\b62c95af1d1020e4f746a6e36fa2ec48 = "\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe\" .." | RegAsm.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\b62c95af1d1020e4f746a6e36fa2ec48 = "\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe\" .." | RegAsm.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes: 111eb3a585b4174c3f222f2ab08fae82dee466415a4f8253754478559963df3d.exe
  pid | process
  1292 | 111eb3a585b4174c3f222f2ab08fae82dee466415a4f8253754478559963df3d.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: 111eb3a585b4174c3f222f2ab08fae82dee466415a4f8253754478559963df3d.exe
  description | pid | process | target process
  PID 1292 set thread context of 3480 | 1292 | 111eb3a585b4174c3f222f2ab08fae82dee466415a4f8253754478559963df3d.exe | RegAsm.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: 111eb3a585b4174c3f222f2ab08fae82dee466415a4f8253754478559963df3d.exe
  pid | process
  1292 | 111eb3a585b4174c3f222f2ab08fae82dee466415a4f8253754478559963df3d.exe
  1292 | 111eb3a585b4174c3f222f2ab08fae82dee466415a4f8253754478559963df3d.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes: RegAsm.exe
  description | pid | process
  Token: SeDebugPrivilege | 3480 | RegAsm.exe
  Token: 33 | 3480 | RegAsm.exe
  Token: SeIncBasePriorityPrivilege | 3480 | RegAsm.exe
  Token: 33 | 3480 | RegAsm.exe
  Token: SeIncBasePriorityPrivilege | 3480 | RegAsm.exe
  Token: 33 | 3480 | RegAsm.exe
  Token: SeIncBasePriorityPrivilege | 3480 | RegAsm.exe
  Token: 33 | 3480 | RegAsm.exe
  Token: SeIncBasePriorityPrivilege | 3480 | RegAsm.exe
  Token: 33 | 3480 | RegAsm.exe
  Token: SeIncBasePriorityPrivilege | 3480 | RegAsm.exe
  Token: 33 | 3480 | RegAsm.exe
  Token: SeIncBasePriorityPrivilege | 3480 | RegAsm.exe
  Token: 33 | 3480 | RegAsm.exe
  Token: SeIncBasePriorityPrivilege | 3480 | RegAsm.exe
  Token: 33 | 3480 | RegAsm.exe
  Token: SeIncBasePriorityPrivilege | 3480 | RegAsm.exe
  Token: 33 | 3480 | RegAsm.exe
  Token: SeIncBasePriorityPrivilege | 3480 | RegAsm.exe
  Token: 33 | 3480 | RegAsm.exe
  Token: SeIncBasePriorityPrivilege | 3480 | RegAsm.exe
  Token: 33 | 3480 | RegAsm.exe
  Token: SeIncBasePriorityPrivilege | 3480 | RegAsm.exe
  Token: 33 | 3480 | RegAsm.exe
  Token: SeIncBasePriorityPrivilege | 3480 | RegAsm.exe
  Token: 33 | 3480 | RegAsm.exe
  Token: SeIncBasePriorityPrivilege | 3480 | RegAsm.exe
  Token: 33 | 3480 | RegAsm.exe
  Token: SeIncBasePriorityPrivilege | 3480 | RegAsm.exe
  Token: 33 | 3480 | RegAsm.exe
  Token: SeIncBasePriorityPrivilege | 3480 | RegAsm.exe
  Token: 33 | 3480 | RegAsm.exe
  Token: SeIncBasePriorityPrivilege | 3480 | RegAsm.exe
  Token: 33 | 3480 | RegAsm.exe
  Token: SeIncBasePriorityPrivilege | 3480 | RegAsm.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: 111eb3a585b4174c3f222f2ab08fae82dee466415a4f8253754478559963df3d.exe, RegAsm.exe
  description | pid | process | target process
  PID 1292 wrote to memory of 3480 | 1292 | 111eb3a585b4174c3f222f2ab08fae82dee466415a4f8253754478559963df3d.exe | RegAsm.exe
  PID 1292 wrote to memory of 3480 | 1292 | 111eb3a585b4174c3f222f2ab08fae82dee466415a4f8253754478559963df3d.exe | RegAsm.exe
  PID 1292 wrote to memory of 3480 | 1292 | 111eb3a585b4174c3f222f2ab08fae82dee466415a4f8253754478559963df3d.exe | RegAsm.exe
  PID 1292 wrote to memory of 3480 | 1292 | 111eb3a585b4174c3f222f2ab08fae82dee466415a4f8253754478559963df3d.exe | RegAsm.exe
  PID 1292 wrote to memory of 3480 | 1292 | 111eb3a585b4174c3f222f2ab08fae82dee466415a4f8253754478559963df3d.exe | RegAsm.exe
  PID 1292 wrote to memory of 3480 | 1292 | 111eb3a585b4174c3f222f2ab08fae82dee466415a4f8253754478559963df3d.exe | RegAsm.exe
  PID 1292 wrote to memory of 3480 | 1292 | 111eb3a585b4174c3f222f2ab08fae82dee466415a4f8253754478559963df3d.exe | RegAsm.exe
  PID 1292 wrote to memory of 3480 | 1292 | 111eb3a585b4174c3f222f2ab08fae82dee466415a4f8253754478559963df3d.exe | RegAsm.exe
  PID 3480 wrote to memory of 2564 | 3480 | RegAsm.exe | netsh.exe
  PID 3480 wrote to memory of 2564 | 3480 | RegAsm.exe | netsh.exe
  PID 3480 wrote to memory of 2564 | 3480 | RegAsm.exe | netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\111eb3a585b4174c3f222f2ab08fae82dee466415a4f8253754478559963df3d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\111eb3a585b4174c3f222f2ab08fae82dee466415a4f8253754478559963df3d.exe"
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - Child: C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" "RegAsm.exe" ENABLE
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/1292-130-0x0000000077980000-0x0000000077B23000-memory.dmp (Filesize: 1.6MB)
- memory/1292-131-0x0000000000310000-0x0000000000772000-memory.dmp (Filesize: 4.4MB)
- memory/1292-132-0x0000000000310000-0x0000000000772000-memory.dmp (Filesize: 4.4MB)
- memory/1292-133-0x0000000000310000-0x0000000000772000-memory.dmp (Filesize: 4.4MB)
- memory/1292-134-0x0000000008110000-0x00000000086B4000-memory.dmp (Filesize: 5.6MB)
- memory/1292-135-0x0000000007AB0000-0x0000000007B42000-memory.dmp (Filesize: 584KB)
- memory/1292-136-0x0000000007A50000-0x0000000007A5A000-memory.dmp (Filesize: 40KB)
- memory/2564-140-0x0000000000000000-mapping.dmp
- memory/3480-137-0x0000000000000000-mapping.dmp
- memory/3480-138-0x0000000000400000-0x000000000040C000-memory.dmp (Filesize: 48KB)
- memory/3480-139-0x0000000004F30000-0x0000000004FCC000-memory.dmp (Filesize: 624KB)