Overview

overview

10

Static

static

3

Respalo.exe

windows7-x64

10

Respalo.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-06-2023 08:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Respalo.exe

  • Size

    101KB

  • MD5

    964c11b64832dfc0228228dc3041ad30

  • SHA1

    44340a21dd37096807675f8ca68a111031480d01

  • SHA256

    c015c0871db838b7225f72b293fdb88dbcea09aa258cfb5fe18e986072e9f793

  • SHA512

    c0e843952d423335491f68169d67575a67952b5b7efeb98632f6d66453b1cae1440232f7c5fa8e7cf92cc8a9f5c8fa22ca522264968affff3aedb2997045fb9b

  • SSDEEP

    1536:Q+CwHaUlNvEH6vBZkZcv9y5aD3BbOOzfso5fQT/inO3163BEDa:Q+voEBe35aD3BbOWso5fQDinQ63B+a

Score
10/10
njratnyan cattrojan

Malware Config

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

respaldo2424.duckdns.org:9090

Mutex

c959d74c7c9745cb

Attributes
  • reg_key

    c959d74c7c9745cb

  • splitter

    @!#&^%$

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Executes dropped EXE 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 3 IoCs
  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Respalo.exe
    "C:\Users\Admin\AppData\Local\Temp\Respalo.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4212
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4232
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\ploksdfgh"
      2⤵
        PID:1532
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\ploksdfgh\ploksdfgh.exe'" /f
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3736
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\ploksdfgh\ploksdfgh.exe'" /f
          3⤵
          • Creates scheduled task(s)
          PID:5000
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\Respalo.exe" "C:\Users\Admin\AppData\Roaming\ploksdfgh\ploksdfgh.exe"
        2⤵
          PID:1156
      • C:\Users\Admin\AppData\Roaming\ploksdfgh\ploksdfgh.exe
        C:\Users\Admin\AppData\Roaming\ploksdfgh\ploksdfgh.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2844
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
          2⤵
            PID:2040
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\ploksdfgh"
            2⤵
              PID:1824
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\ploksdfgh\ploksdfgh.exe'" /f
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:2536
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\ploksdfgh\ploksdfgh.exe'" /f
                3⤵
                • Creates scheduled task(s)
                PID:4296
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\ploksdfgh\ploksdfgh.exe" "C:\Users\Admin\AppData\Roaming\ploksdfgh\ploksdfgh.exe"
              2⤵
                PID:1652
            • C:\Users\Admin\AppData\Roaming\ploksdfgh\ploksdfgh.exe
              C:\Users\Admin\AppData\Roaming\ploksdfgh\ploksdfgh.exe
              1⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:2640
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
                2⤵
                  PID:532
                • C:\Windows\SysWOW64\cmd.exe
                  "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\ploksdfgh"
                  2⤵
                    PID:1940
                  • C:\Windows\SysWOW64\cmd.exe
                    "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\ploksdfgh\ploksdfgh.exe'" /f
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3552
                    • C:\Windows\SysWOW64\schtasks.exe
                      schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\ploksdfgh\ploksdfgh.exe'" /f
                      3⤵
                      • Creates scheduled task(s)
                      PID:1548
                  • C:\Windows\SysWOW64\cmd.exe
                    "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\ploksdfgh\ploksdfgh.exe" "C:\Users\Admin\AppData\Roaming\ploksdfgh\ploksdfgh.exe"
                    2⤵
                      PID:1596

                  Network

                  MITRE ATT&CK Matrix ATT&CK v6

                  Initial Access

                  Execution

                  Scripting

                  1
                  T1064

                  Scheduled Task

                  1
                  T1053

                  Persistence

                  Scheduled Task

                  1
                  T1053

                  Privilege Escalation

                  Scheduled Task

                  1
                  T1053

                  Defense Evasion

                  Scripting

                  1
                  T1064

                  Credential Access

                  Discovery

                  Lateral Movement

                  Collection

                  Exfiltration

                  Command and Control

                  Impact

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ploksdfgh.exe.log
                    Filesize

                    425B

                    MD5

                    4eaca4566b22b01cd3bc115b9b0b2196

                    SHA1

                    e743e0792c19f71740416e7b3c061d9f1336bf94

                    SHA256

                    34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

                    SHA512

                    bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vbc.exe.log
                    Filesize

                    418B

                    MD5

                    89c8a5340eb284f551067d44e27ae8dd

                    SHA1

                    d2431ae25a1ab67762a5125574f046f4c951d297

                    SHA256

                    73ca1f27b1c153e3405856ebe8b3c6cdd23424d2ab09c0fe1eb0e2075513057b

                    SHA512

                    b101ac2e008bd3cc6f97fedb97b8253fb07fed1c334629ecbebe0f4942ccc1070491cddc4daea521164543b6f97ba9b99d2be1c50cc5a013f04e697fea9dbdac

                    Download Submit
                  • C:\Users\Admin\AppData\Roaming\ploksdfgh\ploksdfgh.exe
                    Filesize

                    101KB

                    MD5

                    964c11b64832dfc0228228dc3041ad30

                    SHA1

                    44340a21dd37096807675f8ca68a111031480d01

                    SHA256

                    c015c0871db838b7225f72b293fdb88dbcea09aa258cfb5fe18e986072e9f793

                    SHA512

                    c0e843952d423335491f68169d67575a67952b5b7efeb98632f6d66453b1cae1440232f7c5fa8e7cf92cc8a9f5c8fa22ca522264968affff3aedb2997045fb9b

                    Download Submit
                  • C:\Users\Admin\AppData\Roaming\ploksdfgh\ploksdfgh.exe
                    Filesize

                    101KB

                    MD5

                    964c11b64832dfc0228228dc3041ad30

                    SHA1

                    44340a21dd37096807675f8ca68a111031480d01

                    SHA256

                    c015c0871db838b7225f72b293fdb88dbcea09aa258cfb5fe18e986072e9f793

                    SHA512

                    c0e843952d423335491f68169d67575a67952b5b7efeb98632f6d66453b1cae1440232f7c5fa8e7cf92cc8a9f5c8fa22ca522264968affff3aedb2997045fb9b

                    Download Submit
                  • C:\Users\Admin\AppData\Roaming\ploksdfgh\ploksdfgh.exe
                    Filesize

                    101KB

                    MD5

                    964c11b64832dfc0228228dc3041ad30

                    SHA1

                    44340a21dd37096807675f8ca68a111031480d01

                    SHA256

                    c015c0871db838b7225f72b293fdb88dbcea09aa258cfb5fe18e986072e9f793

                    SHA512

                    c0e843952d423335491f68169d67575a67952b5b7efeb98632f6d66453b1cae1440232f7c5fa8e7cf92cc8a9f5c8fa22ca522264968affff3aedb2997045fb9b

                    Download Submit
                  • memory/2640-155-0x0000000003110000-0x0000000003120000-memory.dmp
                    Filesize

                    64KB

                    Download
                  • memory/2844-148-0x0000000005550000-0x0000000005560000-memory.dmp
                    Filesize

                    64KB

                    Download
                  • memory/4212-134-0x0000000004F40000-0x0000000004F50000-memory.dmp
                    Filesize

                    64KB

                    Download
                  • memory/4212-133-0x00000000005F0000-0x0000000000610000-memory.dmp
                    Filesize

                    128KB

                    Download
                  • memory/4232-137-0x0000000005E10000-0x00000000063B4000-memory.dmp
                    Filesize

                    5.6MB

                    Download
                  • memory/4232-144-0x0000000005A30000-0x0000000005A40000-memory.dmp
                    Filesize

                    64KB

                    Download
                  • memory/4232-143-0x0000000005980000-0x000000000598A000-memory.dmp
                    Filesize

                    40KB

                    Download
                  • memory/4232-142-0x0000000005A30000-0x0000000005A40000-memory.dmp
                    Filesize

                    64KB

                    Download
                  • memory/4232-141-0x0000000005A40000-0x0000000005AD2000-memory.dmp
                    Filesize

                    584KB

                    Download
                  • memory/4232-136-0x00000000057C0000-0x000000000585C000-memory.dmp
                    Filesize

                    624KB

                    Download
                  • memory/4232-135-0x0000000000400000-0x000000000040C000-memory.dmp
                    Filesize

                    48KB

                    Download