Analysis
-
max time kernel
79s -
max time network
74s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted
05/06/2023, 17:49
Static task
static1
Behavioral task
behavioral1
Sample
a7e5ba6eb88830abc5baa063d667d36a786cd9c845b6d3536aa2c5405332e74b.exe
Resource
win7-20230220-en
General
-
Target
a7e5ba6eb88830abc5baa063d667d36a786cd9c845b6d3536aa2c5405332e74b.exe
-
Size
2.0MB
-
MD5
4a9efd5ecea388e5ce1d20b75060874b
-
SHA1
5cd3796b22f4c126df395f4fbb4285a3997ec345
-
SHA256
a7e5ba6eb88830abc5baa063d667d36a786cd9c845b6d3536aa2c5405332e74b
-
SHA512
08186d35b539c1984384de0bcf36faf510b997a39f06661c9de573843357dcffbb6c7f750e578f30570dadc3fde2166ee0f1b11e1bcf883d4bef197409c6c006
-
SSDEEP
3072:OgdUd3vlTmL/A5nzbYHnzVO9qtD2jW+/5LUa:adfiAxbYHnz5ay+/5L
Malware Config
Extracted
Family: njrat
Version: 0.7NC
Botnet: NYAN CAT
C2: juancaf4000.duckdns.org:5050
Mutex: 2925ee0393c24d569
Attributes
reg_key: 2925ee0393c24d569
splitter: @!#&^%$
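The splitter above is the field delimiter of the njRAT wire protocol, and it is the one config value that matters for network detection: a rule on the C2 host or port breaks as soon as the operator rotates the DuckDNS name, whereas the splitter is compiled into the client. The following is an added example, not code from the sandbox page or from njRAT itself. It reproduces the framing of the public njRAT 0.7d client (an ASCII decimal byte length, a NUL byte, then the payload with fields joined by the configured splitter; 0.7d ships with `|'|'|`, this 0.7NC build uses `@!#&^%$`) and assumes that framing carries over to 0.7NC. The field contents are constructed placeholders, not captured traffic.

```python
"""njRAT wire framing using the splitter extracted from this sample.

Added example, not code from the sandbox page or from njRAT itself. The
public njRAT 0.7d client sends each message as an ASCII decimal byte length,
a NUL byte and then the payload, whose fields are joined by the configured
splitter. The framing is assumed to carry over to the 0.7NC build; the field
contents below are constructed placeholders.
"""
from __future__ import annotations

SPLITTER = "@!#&^%$"                      # from the extracted config above
C2 = ("juancaf4000.duckdns.org", 5050)   # from the extracted config above


def frame(fields: list[str], splitter: str = SPLITTER) -> bytes:
    """Encode one message: <decimal length>, NUL, fields joined by the splitter."""
    payload = splitter.join(fields).encode("utf-8")
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def parse_stream(buf: bytes, splitter: str = SPLITTER) -> tuple[list[list[str]], bytes]:
    """Pull every complete message out of a TCP byte stream.

    TCP may coalesce several messages into one read or cut one in half, so
    the function returns (messages, remainder) and the caller carries the
    remainder into the next call.
    """
    messages: list[list[str]] = []
    while True:
        nul = buf.find(b"\x00")
        if nul == -1:
            break                              # length prefix incomplete
        length_field = buf[:nul]
        if not length_field.isdigit():
            raise ValueError(f"bad njRAT length prefix: {length_field!r}")
        end = nul + 1 + int(length_field)
        if len(buf) < end:
            break                              # payload incomplete
        payload = buf[nul + 1:end].decode("utf-8", errors="replace")
        messages.append(payload.split(splitter))
        buf = buf[end:]
    return messages, buf


def looks_like_njrat(buf: bytes, splitter: str = SPLITTER) -> bool:
    """Cheap content match for a hunt over captured payloads to the C2 port."""
    nul = buf.find(b"\x00")
    if nul <= 0 or not buf[:nul].isdigit():
        return False
    return splitter.encode() in buf[nul + 1:]


if __name__ == "__main__":
    # Constructed check-in style message; "ll" is the 0.7d registration verb.
    hello = frame(["ll", "HWID-CONSTRUCTED", "WIN7-BOX", "Admin"])
    print(hello)
    print(parse_stream(hello + frame(["inf"])))
```

The remainder returned by parse_stream is what makes this usable on a real capture: njRAT keep-alives are tiny and get coalesced with the next command, and a screenshot upload easily spans several segments. looks_like_njrat is deliberately loose (length prefix plus splitter) so it survives operators changing the verb strings but not the delimiter.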
Signatures
Executes dropped EXE 1 IoCs
pid 868  monost.exe
Uses the VBS compiler for execution 1 TTPs
Suspicious use of SetThreadContext 2 IoCs
PID 1204 set thread context of 1200 (pid 1204, a7e5ba6eb88830abc5baa063d667d36a786cd9c845b6d3536aa2c5405332e74b.exe, procid_target 28)
PID 868 set thread context of 1716 (pid 868, monost.exe, procid_target 39)
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid 1756  schtasks.exe
pid 1332  schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid 1460  taskmgr.exe (5 identical rows)
Suspicious use of AdjustPrivilegeToken 14 IoCs
Token: SeDebugPrivilege            pid 1200  vbc.exe
Token: 33                          pid 1200  vbc.exe      (6 rows, alternating with the next)
Token: SeIncBasePriorityPrivilege  pid 1200  vbc.exe      (6 rows)
Token: SeDebugPrivilege            pid 1460  taskmgr.exe
Suspicious use of FindShellTrayWindow 31 IoCs
pid 1460  taskmgr.exe (31 identical rows)
Suspicious use of SendNotifyMessage 31 IoCs
pid 1460  taskmgr.exe (31 identical rows)
Suspicious use of WriteProcessMemory 54 IoCs
PID 1204 wrote to memory of 1200 (pid 1204, a7e5ba6eb88830abc5baa063d667d36a786cd9c845b6d3536aa2c5405332e74b.exe, procid_target 28)  x9
PID 1204 wrote to memory of 1748 (pid 1204, a7e5ba6eb88830abc5baa063d667d36a786cd9c845b6d3536aa2c5405332e74b.exe, procid_target 29)  x4
PID 1204 wrote to memory of 268  (pid 1204, a7e5ba6eb88830abc5baa063d667d36a786cd9c845b6d3536aa2c5405332e74b.exe, procid_target 31)  x4
PID 268  wrote to memory of 1756 (pid 268, cmd.exe, procid_target 33)  x4
PID 1204 wrote to memory of 1148 (pid 1204, a7e5ba6eb88830abc5baa063d667d36a786cd9c845b6d3536aa2c5405332e74b.exe, procid_target 34)  x4
PID 680  wrote to memory of 868  (pid 680, taskeng.exe, procid_target 38)  x4
PID 868  wrote to memory of 1716 (pid 868, monost.exe, procid_target 39)  x9
PID 868  wrote to memory of 1092 (pid 868, monost.exe, procid_target 40)  x4
PID 868  wrote to memory of 2000 (pid 868, monost.exe, procid_target 42)  x4
PID 2000 wrote to memory of 1332 (pid 2000, cmd.exe, procid_target 44)  x4
PID 868  wrote to memory of 1244 (pid 868, monost.exe, procid_target 45)  x4
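Read together, the SetThreadContext and WriteProcessMemory tables above are the signature of process hollowing: the sample (and later its dropped copy monost.exe) starts vbc.exe, writes into it nine times and then replaces the primary thread's context, which is the CreateProcess(CREATE_SUSPENDED) -> WriteProcessMemory -> SetThreadContext -> ResumeThread sequence. Writes alone are not enough to say that, because on this Win7 WOW64 image every ordinary process creation shows up as four writes from the parent (see cmd.exe -> schtasks.exe). The following is an added example, not part of the sandbox report, that parses rows in the shape of those two tables and flags only the parent/child pairs that show both behaviours. The PID-to-image map is read off the process tree below; the rows are copied from the tables with repeats collapsed; the list of framework binaries is an assumption.

```python
"""Correlate sandbox API IoC rows into process-hollowing candidates.

Added example, not part of the sandbox report. Flags a parent that both
wrote into a child's memory and replaced that child's thread context.
"""
import re
from collections import defaultdict

SAMPLE = "a7e5ba6eb88830abc5baa063d667d36a786cd9c845b6d3536aa2c5405332e74b.exe"

# Rows in the report's shape: "PID <src> <op> <dst> <src> <image> <procid_target>".
# Copied from the tables above, repeated rows collapsed.
IOC_ROWS = f"""
PID 1204 set thread context of 1200 1204 {SAMPLE} 28
PID 868 set thread context of 1716 868 monost.exe 39
PID 1204 wrote to memory of 1200 1204 {SAMPLE} 28
PID 1204 wrote to memory of 1200 1204 {SAMPLE} 28
PID 1204 wrote to memory of 268 1204 {SAMPLE} 31
PID 268 wrote to memory of 1756 268 cmd.exe 33
PID 680 wrote to memory of 868 680 taskeng.exe 38
PID 868 wrote to memory of 1716 868 monost.exe 39
PID 868 wrote to memory of 1716 868 monost.exe 39
PID 2000 wrote to memory of 1332 2000 cmd.exe 44
"""

# PID -> image name, read off the process tree in the report.
IMAGE_OF = {
    1204: SAMPLE, 1200: "vbc.exe", 1748: "cmd.exe", 268: "cmd.exe",
    1756: "schtasks.exe", 1148: "cmd.exe", 680: "taskeng.exe",
    868: "monost.exe", 1716: "vbc.exe", 1092: "cmd.exe", 2000: "cmd.exe",
    1332: "schtasks.exe", 1244: "cmd.exe",
}

# Signed .NET framework binaries commonly used as hollowing hosts (assumed list).
HOLLOW_HOSTS = {"vbc.exe", "csc.exe", "regasm.exe", "regsvcs.exe",
                "msbuild.exe", "installutil.exe", "aspnet_compiler.exe"}

ROW_RE = re.compile(
    r"PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target>\d+)"
)


def parse_rows(text):
    """Yield (src_pid, op, dst_pid) for every well-formed row."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            yield int(m["src"]), m["op"], int(m["dst"])


def find_hollowing(rows, image_of):
    """Return parent/child pairs with both a memory write and a thread-context change."""
    writes = defaultdict(int)
    ctx = set()
    for src, op, dst in rows:
        if op == "wrote to memory of":
            writes[(src, dst)] += 1
        else:
            ctx.add((src, dst))
    hits = []
    for src, dst in sorted(ctx):
        if writes[(src, dst)] == 0:
            continue        # context change without a write: not the hollowing pattern
        child = image_of.get(dst, "?").lower()
        hits.append({
            "parent": src, "parent_image": image_of.get(src, "?"),
            "child": dst, "child_image": child,
            "writes": writes[(src, dst)],
            "known_host": child in HOLLOW_HOSTS,
        })
    return hits


if __name__ == "__main__":
    for hit in find_hollowing(parse_rows(IOC_ROWS), IMAGE_OF):
        print(hit)
```

The discriminator is the pair, not either call on its own, and the second filter is the child image: vbc.exe is the Visual Basic compiler, and a compiler started with no source file on its command line (as both instances are in the tree below) is not compiling anything.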
Processes
[1] C:\Users\Admin\AppData\Local\Temp\a7e5ba6eb88830abc5baa063d667d36a786cd9c845b6d3536aa2c5405332e74b.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\a7e5ba6eb88830abc5baa063d667d36a786cd9c845b6d3536aa2c5405332e74b.exe"
    PID 1204
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        PID 1200
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\cmd.exe
        cmdline: "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\monost"
        PID 1748
    [2] C:\Windows\SysWOW64\cmd.exe
        cmdline: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\monost\monost.exe'" /f
        PID 268
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\schtasks.exe
            cmdline: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\monost\monost.exe'" /f
            PID 1756
            - Creates scheduled task(s)
    [2] C:\Windows\SysWOW64\cmd.exe
        cmdline: "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\a7e5ba6eb88830abc5baa063d667d36a786cd9c845b6d3536aa2c5405332e74b.exe" "C:\Users\Admin\AppData\Roaming\monost\monost.exe"
        PID 1148
[1] C:\Windows\system32\taskeng.exe
    cmdline: taskeng.exe {7C7A490A-AB05-41D8-84D3-64E500703DDE} S-1-5-21-3948302646-268491222-1934009652-1000:KXZDHPUW\Admin:Interactive:[1]
    PID 680
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Roaming\monost\monost.exe
        cmdline: C:\Users\Admin\AppData\Roaming\monost\monost.exe
        PID 868
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
            cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
            PID 1716
        [3] C:\Windows\SysWOW64\cmd.exe
            cmdline: "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\monost"
            PID 1092
        [3] C:\Windows\SysWOW64\cmd.exe
            cmdline: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\monost\monost.exe'" /f
            PID 2000
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\schtasks.exe
                cmdline: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\monost\monost.exe'" /f
                PID 1332
                - Creates scheduled task(s)
        [3] C:\Windows\SysWOW64\cmd.exe
            cmdline: "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\monost\monost.exe" "C:\Users\Admin\AppData\Roaming\monost\monost.exe"
            PID 1244
[1] C:\Windows\system32\taskmgr.exe
    cmdline: "C:\Windows\system32\taskmgr.exe" /4
    PID 1460
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
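The whole persistence mechanism is the one schtasks command in the tree: a task named "Nafifas" that runs the dropped copy every minute, created with /f so a re-run silently replaces it. The second top-level branch (taskeng.exe -> monost.exe) is that task firing, and it repeats the entire chain, including hollowing a fresh vbc.exe, re-creating the task and, because the running binary is now already monost.exe, copying monost.exe onto itself. The following is an added example, not part of the sandbox report, that tokenises a schtasks command line the way schtasks.exe reads it and scores the result on the three things an analyst checks first: how often the task fires, whether the target lives in a user-writable path, and whether /f was used. PERSISTENCE_CMD is copied from the tree above; the thresholds and the path list are assumptions.

```python
"""Parse and assess a schtasks persistence command line.

Added example, not part of the sandbox report. Switches start with '/',
a following non-switch token is that switch's value, and double quotes
group a value; the task action's inner single quotes are stripped too.
"""
import re

# Copied from the process tree in the report.
PERSISTENCE_CMD = (
    r'''schtasks /create /sc minute /mo 1 /tn "Nafifas" '''
    r'''/tr "'C:\Users\Admin\AppData\Roaming\monost\monost.exe'" /f'''
)

TOKEN_RE = re.compile(r'"[^"]*"|\S+')

# Seconds per unit for the /sc schedules that repeat on a timer (assumed subset).
PERIOD = {"minute": 60, "hourly": 3600, "daily": 86400, "weekly": 7 * 86400}

# Locations a standard user can write to (assumed list, not exhaustive).
USER_WRITABLE = re.compile(
    r"\\(AppData\\(Roaming|Local)|Users\\[^\\]+\\(Downloads|Desktop)|ProgramData|Windows\\Temp)\\",
    re.IGNORECASE,
)


def parse_schtasks(cmdline: str) -> dict:
    """Return {switch: value-or-True} for the schtasks invocation in cmdline."""
    toks = TOKEN_RE.findall(cmdline)
    # Skip any wrapper such as "cmd.exe" /C, whose /C would otherwise be taken as a switch.
    start = next((k for k, t in enumerate(toks)
                  if t.strip('"').lower().rsplit("\\", 1)[-1] in ("schtasks", "schtasks.exe")),
                 None)
    if start is None:
        raise ValueError("no schtasks invocation in command line")
    args = {}
    i = start + 1
    while i < len(toks):
        sw = toks[i].lower()
        if not sw.startswith("/"):
            i += 1
            continue
        if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
            args[sw] = toks[i + 1].strip('"').strip("'")
            i += 2
        else:
            args[sw] = True
            i += 1
    return args


def assess(task: dict) -> dict:
    """Score a parsed task on interval, target location and forced overwrite."""
    reasons = []
    sc = str(task.get("/sc", "")).lower()
    mo_raw = task.get("/mo", "1")
    mo = int(mo_raw) if isinstance(mo_raw, str) and mo_raw.isdigit() else 1
    period = PERIOD.get(sc, 0) * mo          # 0 = event-driven (onlogon, onstart, ...)
    if 0 < period <= 300:
        reasons.append(f"fires every {period}s: a watchdog that relaunches the payload")
    run = task.get("/tr", "")
    if isinstance(run, str) and USER_WRITABLE.search(run):
        reasons.append(f"runs a binary from a user-writable path: {run}")
    if task.get("/f") is True:
        reasons.append("/f silently overwrites any existing task with this name")
    return {"name": task.get("/tn"), "run": run, "period_seconds": period, "reasons": reasons}


if __name__ == "__main__":
    verdict = assess(parse_schtasks(PERSISTENCE_CMD))
    print(verdict["name"], verdict["period_seconds"], *verdict["reasons"], sep="\n")
```

A one-minute trigger is itself the strongest indicator here: legitimate software does not need a scheduled task that re-executes it sixty times an hour, and the sandbox tree shows exactly what it is for, restarting the hollowed vbc.exe whenever it is killed. On a live host the same three checks map onto the task's XML under C:\Windows\System32\Tasks\ or the output of schtasks /query /v /fo csv.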
Network
MITRE ATT&CK Enterprise v6
Downloads
File with hashes identical to the submitted sample, consistent with the copy of the sample to monost.exe in the process tree.
Filesize 2.0MB
MD5 4a9efd5ecea388e5ce1d20b75060874b
SHA1 5cd3796b22f4c126df395f4fbb4285a3997ec345
SHA256 a7e5ba6eb88830abc5baa063d667d36a786cd9c845b6d3536aa2c5405332e74b
SHA512 08186d35b539c1984384de0bcf36faf510b997a39f06661c9de573843357dcffbb6c7f750e578f30570dadc3fde2166ee0f1b11e1bcf883d4bef197409c6c006