Windows Analysis Report 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe

Overview

General Information

Sample Name: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe
Analysis ID: 553248
MD5: 70aca878bfaac1eaf7019eddd97fc877
SHA1: 4997c055b582c71cbb3863c9523986b51a339797
SHA256: 72ca3e2f8479a075c8e089f543f79c4f1cf868d66d3272b2e6b0f0fded1bdb60
Tags: exe, njrat, RAT

Detection

njRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Sigma detected: Drops fake system file at system root drive
Multi AV Scanner detection for submitted file
Detected njRat
Malicious sample detected (through community Yara rule)
Yara detected Njrat
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Uses netsh to modify the Windows network and firewall settings
Drops PE files to the startup folder
Connects to many ports of the same IP (likely port scanning)
Protects its processes via BreakOnTermination flag
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for sample
.NET source code contains potential unpacker
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious names
Modifies the windows firewall
Creates autorun.inf (USB autostart)
Drops PE files with benign system names
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
May infect USB drives
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains functionality to call native functions
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Creates a start menu entry (Start Menu\Programs\Startup)
Sigma detected: Netsh Port or Application Allowed
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: 0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack Malware Configuration Extractor: Njrat {"Host": "System.exe", "Port": "13467", "Mutex": "9156ea52d892a71a5c604fdd4141de82", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Campaign ID": "HacKed", "Version": "im523", "Network Seprator": "|'|'|"}
Multi AV Scanner detection for submitted file
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe Virustotal: Detection: 77%
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe Metadefender: Detection: 85%
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe ReversingLabs: Detection: 95%
Yara detected Njrat
Source: Yara match File source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, type: SAMPLE
Source: Yara match File source: 4.0.System.exe.c70000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.System.exe.f50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.System.exe.c70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.System.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.System.exe.c70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.System.exe.c70000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.System.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.System.exe.c70000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.System.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.System.exe.f50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.System.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000000.318400224.0000000000C72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.392201898.0000000000512000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.403902841.0000000000512000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.388359726.0000000000052000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.317417479.0000000000C72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.317702364.0000000000C72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.317974918.0000000000C72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.356890184.0000000000F52000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.571615119.0000000000C72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.300280402.0000000000842000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.319076223.0000000000842000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.370029896.0000000000F52000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.376536403.0000000000052000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe PID: 6756, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: System.exe PID: 5628, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: System.exe PID: 6172, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: System.exe PID: 6964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: System.exe PID: 5224, type: MEMORYSTR
Source: Yara match File source: C:\svchost.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\System.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe, type: DROPPED
Antivirus / Scanner detection for submitted sample
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe Avira: detected
Multi AV Scanner detection for domain / URL
Source: 0.tcp.ngrok.io Virustotal: Detection: 13%
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\System.exe Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\svchost.exe Avira: detection malicious, Label: TR/ATRAPS.Gen
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe Virustotal: Detection: 77%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe Metadefender: Detection: 85%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Roaming\System.exe Virustotal: Detection: 77%
Source: C:\Users\user\AppData\Roaming\System.exe Metadefender: Detection: 85%
Source: C:\Users\user\AppData\Roaming\System.exe ReversingLabs: Detection: 95%
Source: C:\svchost.exe Virustotal: Detection: 77%
Source: C:\svchost.exe Metadefender: Detection: 85%
Source: C:\svchost.exe ReversingLabs: Detection: 95%
Machine Learning detection for sample
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\System.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe Joe Sandbox ML: detected
Source: C:\svchost.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack Avira: Label: TR/ATRAPS.Gen
Source: 9.0.System.exe.f50000.0.unpack Avira: Label: TR/ATRAPS.Gen
Source: 4.0.System.exe.c70000.0.unpack Avira: Label: TR/ATRAPS.Gen
Source: 4.2.System.exe.c70000.0.unpack Avira: Label: TR/ATRAPS.Gen
Source: 4.0.System.exe.c70000.2.unpack Avira: Label: TR/ATRAPS.Gen
Source: 4.0.System.exe.c70000.3.unpack Avira: Label: TR/ATRAPS.Gen
Source: 12.0.System.exe.510000.0.unpack Avira: Label: TR/ATRAPS.Gen
Source: 0.2.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack Avira: Label: TR/ATRAPS.Gen
Source: 4.0.System.exe.c70000.1.unpack Avira: Label: TR/ATRAPS.Gen
Source: 11.0.System.exe.50000.0.unpack Avira: Label: TR/ATRAPS.Gen
Source: 12.2.System.exe.510000.0.unpack Avira: Label: TR/ATRAPS.Gen
Source: 11.2.System.exe.50000.0.unpack Avira: Label: TR/ATRAPS.Gen
Source: 9.2.System.exe.f50000.0.unpack Avira: Label: TR/ATRAPS.Gen

Compliance:

Uses 32bit PE files
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Spreading:

Creates autorun.inf (USB autostart)
Source: C:\Users\user\AppData\Roaming\System.exe File created: C:\autorun.inf
May infect USB drives
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe Binary or memory string: [autorun]
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe Binary or memory string: autorun.inf
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, 00000000.00000002.319591229.0000000002DE4000.00000004.00000001.sdmp Binary or memory string: autorun.inf
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, 00000000.00000002.319591229.0000000002DE4000.00000004.00000001.sdmp Binary or memory string: [autorun]
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, 00000000.00000000.300280402.0000000000842000.00000002.00020000.sdmp Binary or memory string: autorun.inf
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, 00000000.00000000.300280402.0000000000842000.00000002.00020000.sdmp Binary or memory string: [autorun]
Source: System.exe Binary or memory string: [autorun]
Source: System.exe Binary or memory string: autorun.inf
Source: System.exe, 00000004.00000000.318400224.0000000000C72000.00000002.00020000.sdmp Binary or memory string: autorun.inf
Source: System.exe, 00000004.00000000.318400224.0000000000C72000.00000002.00020000.sdmp Binary or memory string: [autorun]
Source: System.exe, 00000004.00000002.573266269.0000000003431000.00000004.00000001.sdmp Binary or memory string: autorun.inf
Source: System.exe, 00000004.00000002.573266269.0000000003431000.00000004.00000001.sdmp Binary or memory string: [autorun]
Source: System.exe Binary or memory string: [autorun]
Source: System.exe Binary or memory string: autorun.inf
Source: System.exe, 00000009.00000000.356890184.0000000000F52000.00000002.00020000.sdmp Binary or memory string: autorun.inf
Source: System.exe, 00000009.00000000.356890184.0000000000F52000.00000002.00020000.sdmp Binary or memory string: [autorun]
Source: System.exe Binary or memory string: autorun.inf
Source: System.exe Binary or memory string: [autorun]
Source: System.exe, 0000000B.00000002.388359726.0000000000052000.00000002.00020000.sdmp Binary or memory string: autorun.inf
Source: System.exe, 0000000B.00000002.388359726.0000000000052000.00000002.00020000.sdmp Binary or memory string: [autorun]
Source: System.exe Binary or memory string: autorun.inf
Source: System.exe Binary or memory string: [autorun]
Source: System.exe, 0000000C.00000000.392201898.0000000000512000.00000002.00020000.sdmp Binary or memory string: autorun.inf
Source: System.exe, 0000000C.00000000.392201898.0000000000512000.00000002.00020000.sdmp Binary or memory string: [autorun]
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe Binary or memory string: autorun.inf
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe Binary or memory string: [autorun]
Source: System.exe.0.dr Binary or memory string: autorun.inf
Source: System.exe.0.dr Binary or memory string: [autorun]
Source: autorun.inf.4.dr Binary or memory string: [autorun]
Source: 9156ea52d892a71a5c604fdd4141de82.exe.4.dr Binary or memory string: autorun.inf
Source: 9156ea52d892a71a5c604fdd4141de82.exe.4.dr Binary or memory string: [autorun]
Source: svchost.exe.4.dr Binary or memory string: autorun.inf
Source: svchost.exe.4.dr Binary or memory string: [autorun]

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49753 -> 3.17.7.232:13467
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49754 -> 3.17.7.232:13467
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49755 -> 3.17.7.232:13467
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49758 -> 3.17.7.232:13467
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49759 -> 3.14.182.203:13467
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49760 -> 3.13.191.225:13467
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49761 -> 3.14.182.203:13467
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49762 -> 3.14.182.203:13467
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49763 -> 3.14.182.203:13467
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49765 -> 3.22.30.40:13467
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49767 -> 3.14.182.203:13467
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49770 -> 3.14.182.203:13467
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49771 -> 3.17.7.232:13467
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49773 -> 3.22.30.40:13467
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49778 -> 3.17.7.232:13467
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49799 -> 3.17.7.232:13467
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49803 -> 3.22.30.40:13467
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49813 -> 3.14.182.203:13467
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49816 -> 3.14.182.203:13467
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49818 -> 3.134.125.175:13467
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49819 -> 3.17.7.232:13467
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49820 -> 3.17.7.232:13467
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49821 -> 3.22.30.40:13467
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49822 -> 3.14.182.203:13467
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49823 -> 3.134.125.175:13467
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49825 -> 3.14.182.203:13467
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49826 -> 3.22.30.40:13467
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49840 -> 3.22.30.40:13467
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49851 -> 3.14.182.203:13467
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49852 -> 3.134.125.175:13467
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49857 -> 3.22.30.40:13467
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49858 -> 3.134.125.175:13467
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49859 -> 3.13.191.225:13467
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49860 -> 3.13.191.225:13467
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49861 -> 3.134.125.175:13467
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49862 -> 3.14.182.203:13467
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49864 -> 3.134.125.175:13467
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49865 -> 3.22.30.40:13467
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49866 -> 3.22.30.40:13467
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49867 -> 3.13.191.225:13467
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49868 -> 3.13.191.225:13467
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49869 -> 3.22.30.40:13467
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 3.134.125.175 ports 1,3,4,6,7,13467
Source: global traffic TCP traffic: 3.17.7.232 ports 1,3,4,6,7,13467
Source: global traffic TCP traffic: 3.22.30.40 ports 1,3,4,6,7,13467
Source: global traffic TCP traffic: 3.14.182.203 ports 1,3,4,6,7,13467
Source: global traffic TCP traffic: 3.13.191.225 ports 1,3,4,6,7,13467
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: System.exe
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AMAZON-02US
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 3.134.125.175
Source: Joe Sandbox View IP Address: 3.17.7.232
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49753 -> 3.17.7.232:13467
Source: global traffic TCP traffic: 192.168.2.3:49759 -> 3.14.182.203:13467
Source: global traffic TCP traffic: 192.168.2.3:49760 -> 3.13.191.225:13467
Source: global traffic TCP traffic: 192.168.2.3:49765 -> 3.22.30.40:13467
Source: global traffic TCP traffic: 192.168.2.3:49818 -> 3.134.125.175:13467
Source: System.exe, System.exe, 0000000C.00000000.392201898.0000000000512000.00000002.00020000.sdmp, 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, System.exe.0.dr, 9156ea52d892a71a5c604fdd4141de82.exe.4.dr, svchost.exe.4.dr String found in binary or memory: https://dl.dropbox.com/s/p84aaz28t0hepul/Pass.exe?dl=0
Source: unknown DNS traffic detected: queries for: 0.tcp.ngrok.io

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to log keystrokes (.Net Source)
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, kl.cs .Net Code: VKCodeToUnicode
Source: System.exe.0.dr, kl.cs .Net Code: VKCodeToUnicode
Source: 0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, kl.cs .Net Code: VKCodeToUnicode
Source: 0.2.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, kl.cs .Net Code: VKCodeToUnicode
Source: 9156ea52d892a71a5c604fdd4141de82.exe.4.dr, kl.cs .Net Code: VKCodeToUnicode
Source: svchost.exe.4.dr, kl.cs .Net Code: VKCodeToUnicode
Source: 4.0.System.exe.c70000.0.unpack, kl.cs .Net Code: VKCodeToUnicode
Source: 4.2.System.exe.c70000.0.unpack, kl.cs .Net Code: VKCodeToUnicode
Source: 4.0.System.exe.c70000.2.unpack, kl.cs .Net Code: VKCodeToUnicode
Source: 4.0.System.exe.c70000.3.unpack, kl.cs .Net Code: VKCodeToUnicode
Source: 4.0.System.exe.c70000.1.unpack, kl.cs .Net Code: VKCodeToUnicode
Source: 9.0.System.exe.f50000.0.unpack, kl.cs .Net Code: VKCodeToUnicode
Source: 9.2.System.exe.f50000.0.unpack, kl.cs .Net Code: VKCodeToUnicode
Source: 11.0.System.exe.50000.0.unpack, kl.cs .Net Code: VKCodeToUnicode
Source: 11.2.System.exe.50000.0.unpack, kl.cs .Net Code: VKCodeToUnicode
Source: 12.0.System.exe.510000.0.unpack, kl.cs .Net Code: VKCodeToUnicode
Source: 12.2.System.exe.510000.0.unpack, kl.cs .Net Code: VKCodeToUnicode
Creates a DirectInput object (often for capturing keystrokes)
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, 00000000.00000002.319389313.0000000000E8B000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Njrat
Source: Yara match File sources identical to the list given under AV Detection above

Operating System Destruction:

Protects its processes via BreakOnTermination flag
Source: C:\Users\user\AppData\Roaming\System.exe Process information set: 01 00 00 00

System Summary:

Malicious sample detected (through community Yara rule)
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, type: SAMPLE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 4.0.System.exe.c70000.1.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 9.2.System.exe.f50000.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 4.0.System.exe.c70000.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 11.2.System.exe.50000.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 4.2.System.exe.c70000.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 4.0.System.exe.c70000.2.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 12.0.System.exe.510000.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 4.0.System.exe.c70000.3.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 12.2.System.exe.510000.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 9.0.System.exe.f50000.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 11.0.System.exe.50000.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000004.00000000.318400224.0000000000C72000.00000002.00020000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000C.00000000.392201898.0000000000512000.00000002.00020000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000C.00000002.403902841.0000000000512000.00000002.00020000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000B.00000002.388359726.0000000000052000.00000002.00020000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000004.00000000.317417479.0000000000C72000.00000002.00020000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000004.00000000.317702364.0000000000C72000.00000002.00020000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000004.00000000.317974918.0000000000C72000.00000002.00020000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000009.00000000.356890184.0000000000F52000.00000002.00020000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000004.00000002.571615119.0000000000C72000.00000002.00020000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000000.300280402.0000000000842000.00000002.00020000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.319076223.0000000000842000.00000002.00020000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000009.00000002.370029896.0000000000F52000.00000002.00020000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000B.00000000.376536403.0000000000052000.00000002.00020000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\svchost.exe, type: DROPPED Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Roaming\System.exe, type: DROPPED Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe, type: DROPPED Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Uses 32bit PE files
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, type: SAMPLE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 4.0.System.exe.c70000.1.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 9.2.System.exe.f50000.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 4.0.System.exe.c70000.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 11.2.System.exe.50000.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 4.2.System.exe.c70000.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 4.0.System.exe.c70000.2.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 12.0.System.exe.510000.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 4.0.System.exe.c70000.3.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 12.2.System.exe.510000.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 9.0.System.exe.f50000.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 11.0.System.exe.50000.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000004.00000000.318400224.0000000000C72000.00000002.00020000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000C.00000000.392201898.0000000000512000.00000002.00020000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000C.00000002.403902841.0000000000512000.00000002.00020000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000B.00000002.388359726.0000000000052000.00000002.00020000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000004.00000000.317417479.0000000000C72000.00000002.00020000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000004.00000000.317702364.0000000000C72000.00000002.00020000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000004.00000000.317974918.0000000000C72000.00000002.00020000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000009.00000000.356890184.0000000000F52000.00000002.00020000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000004.00000002.571615119.0000000000C72000.00000002.00020000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000000.300280402.0000000000842000.00000002.00020000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000002.319076223.0000000000842000.00000002.00020000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000009.00000002.370029896.0000000000F52000.00000002.00020000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000B.00000000.376536403.0000000000052000.00000002.00020000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\svchost.exe, type: DROPPED Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Roaming\System.exe, type: DROPPED Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe, type: DROPPED Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Detected potential crypto function
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe Code function: 0_2_00846B5E 0_2_00846B5E
Source: C:\Users\user\AppData\Roaming\System.exe Code function: 4_2_00C76B5E 4_2_00C76B5E
Source: C:\Users\user\AppData\Roaming\System.exe Code function: 9_2_00F56B5E 9_2_00F56B5E
Source: C:\Users\user\AppData\Roaming\System.exe Code function: 11_2_00056B5E 11_2_00056B5E
Source: C:\Users\user\AppData\Roaming\System.exe Code function: 12_2_00516B5E 12_2_00516B5E
Contains functionality to call native functions (NtSetInformationProcess is the call a managed binary uses to set ProcessBreakOnTermination and mark itself critical, which is consistent with the BreakOnTermination protection this sample applies; terminating System.exe while the flag is set bugchecks the host, so clear the flag or suspend the process before killing it)
Source: C:\Users\user\AppData\Roaming\System.exe Code function: 4_2_057E026A NtQuerySystemInformation, 4_2_057E026A
Source: C:\Users\user\AppData\Roaming\System.exe Code function: 4_2_057E0032 NtSetInformationProcess, 4_2_057E0032
Source: C:\Users\user\AppData\Roaming\System.exe Code function: 4_2_057E022F NtQuerySystemInformation, 4_2_057E022F
Source: C:\Users\user\AppData\Roaming\System.exe Code function: 4_2_057E0007 NtSetInformationProcess, 4_2_057E0007
Sample file is different than original file name gathered from version info (the matched name mscorwks.dll is the .NET 2.0 CLR that hosts this managed sample; the string comes from runtime memory, not from the sample's own version resource, so this signature is weak evidence here)
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, 00000000.00000002.319389313.0000000000E8B000.00000004.00000020.sdmp Binary or memory string: OriginalFilenamemscorwks.dllT vs 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe Virustotal: Detection: 77%
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe Metadefender: Detection: 85%
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe ReversingLabs: Detection: 95%
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe File read: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe Jump to behavior
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe "C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe"
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe Process created: C:\Users\user\AppData\Roaming\System.exe "C:\Users\user\AppData\Roaming\System.exe"
Source: C:\Users\user\AppData\Roaming\System.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\System.exe" "System.exe" ENABLE
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\System.exe "C:\Users\user\AppData\Roaming\System.exe" ..
Source: unknown Process created: C:\Users\user\AppData\Roaming\System.exe "C:\Users\user\AppData\Roaming\System.exe" ..
Source: unknown Process created: C:\Users\user\AppData\Roaming\System.exe "C:\Users\user\AppData\Roaming\System.exe" ..
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe Process created: C:\Users\user\AppData\Roaming\System.exe "C:\Users\user\AppData\Roaming\System.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\System.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\System.exe" "System.exe" ENABLE Jump to behavior
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe File created: C:\Users\user\AppData\Roaming\System.exe Jump to behavior
Source: classification engine Classification label: mal100.spre.troj.adwa.spyw.evad.winEXE@9/10@42/6
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Users\user\AppData\Roaming\System.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\System.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Users\user\AppData\Roaming\System.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Users\user\AppData\Roaming\System.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\System.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Users\user\AppData\Roaming\System.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Users\user\AppData\Roaming\System.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\System.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Users\user\AppData\Roaming\System.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Users\user\AppData\Roaming\System.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\System.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Users\user\AppData\Roaming\System.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1876:120:WilError_01
Source: C:\Users\user\AppData\Roaming\System.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\System.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll Jump to behavior
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, OK.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: System.exe.0.dr, OK.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, OK.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, OK.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9156ea52d892a71a5c604fdd4141de82.exe.4.dr, OK.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: svchost.exe.4.dr, OK.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.System.exe.c70000.0.unpack, OK.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.System.exe.c70000.0.unpack, OK.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.System.exe.c70000.2.unpack, OK.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.System.exe.c70000.3.unpack, OK.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.System.exe.c70000.1.unpack, OK.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.System.exe.f50000.0.unpack, OK.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.2.System.exe.f50000.0.unpack, OK.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.0.System.exe.50000.0.unpack, OK.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.System.exe.50000.0.unpack, OK.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.0.System.exe.510000.0.unpack, OK.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.2.System.exe.510000.0.unpack, OK.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
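The Assembly.Load(System.Byte[]) reference in OK.cs means the binary keeps a second-stage assembly as raw bytes and maps it straight from memory. The scanner below is an added example, not code from the report or from the sample: it walks a byte buffer for MZ/PE headers and reports which images declare a CLR header (data directory 14), which is the quickest way to confirm that a decoded resource or byte array is itself a managed payload. The buffers it scans are constructed inline (header-only images with no sections); on a real case you would pass a process dump or the decoded array. It does not reverse whatever encoding the loader applies before calling Load, so run it on memory rather than only on the file on disk.

```python
import struct

MZ, PE_SIG = b"MZ", b"PE\0\0"
PE32, PE32PLUS = 0x10B, 0x20B
DIR_COM_DESCRIPTOR = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: the CLR header


def parse_pe_at(buf, off):
    """Describe the PE image starting at buf[off], or return None if there is none."""
    if buf[off:off + 2] != MZ or off + 0x40 > len(buf):
        return None
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    pe = off + e_lfanew
    if e_lfanew < 0x40 or pe + 24 > len(buf) or buf[pe:pe + 4] != PE_SIG:
        return None
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", buf, pe + 4)
    opt = pe + 24
    if opt_size < 2 or opt + opt_size > len(buf):
        return None
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic == PE32:
        ndirs_off, dir_base = opt + 92, opt + 96
    elif magic == PE32PLUS:
        ndirs_off, dir_base = opt + 108, opt + 112
    else:
        return None
    ndirs = struct.unpack_from("<I", buf, ndirs_off)[0]
    clr_rva = clr_size = 0
    if ndirs > DIR_COM_DESCRIPTOR and dir_base + (DIR_COM_DESCRIPTOR + 1) * 8 <= opt + opt_size:
        clr_rva, clr_size = struct.unpack_from("<II", buf, dir_base + DIR_COM_DESCRIPTOR * 8)
    return {"offset": off, "machine": machine, "sections": nsect,
            "dll": bool(chars & 0x2000), "managed": clr_rva != 0 and clr_size != 0}


def carve(buf):
    """Every plausible PE header in buf, the outer image at offset 0 included."""
    found, pos = [], 0
    while (pos := buf.find(MZ, pos)) >= 0:
        info = parse_pe_at(buf, pos)
        if info:
            found.append(info)
        pos += 2
    return found


def build_fake_pe(machine=0x14C, managed=True, plus=False):
    """Header-only PE for the demonstration (constructed, not a real binary)."""
    magic, opt_size = (PE32PLUS, 240) if plus else (PE32, 224)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, 108 if plus else 92, 16)          # NumberOfRvaAndSizes
    if managed:                                                    # CLR header RVA/size
        struct.pack_into("<II", opt, (112 if plus else 96) + DIR_COM_DESCRIPTOR * 8, 0x2008, 0x48)
    coff = struct.pack("<HHIIIHH", machine, 3, 0, 0, 0, opt_size, 0x0102)
    dos = bytearray(0x80)
    dos[:2] = MZ
    struct.pack_into("<I", dos, 0x3C, 0x80)                        # e_lfanew
    return bytes(dos) + PE_SIG + coff + bytes(opt)


# Constructed stand-in for a dumped loader: a managed x86 outer image, padding,
# a stray "MZ" that is not a header, then an unmanaged x64 image embedded inside.
OUTER = (build_fake_pe() + b"\0" * 300 + b"junkMZjunk"
         + build_fake_pe(machine=0x8664, managed=False, plus=True))

if __name__ == "__main__":
    for hit in carve(OUTER):
        print(hit)
```

Every hit's offset is a candidate to slice out and hand to a .NET decompiler; the `managed` flag tells you whether that is worth doing. The stray "MZ" in the padding shows why the e_lfanew and PE-signature checks matter: a bare two-byte search would report it.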
Uses code obfuscation techniques (call, push, ret) (the matches below lie well outside the mapped image, e.g. 0x016126B0 against an image at 0xF50000 for process 9, so they sit in JIT-emitted or runtime code rather than in the sample's own bytes; treat this as a low-weight signal for a managed sample)
Source: C:\Users\user\AppData\Roaming\System.exe Code function: 9_2_016126B0 push edi; ret 9_2_016126C2
Source: C:\Users\user\AppData\Roaming\System.exe Code function: 11_2_009226B0 push edi; ret 11_2_009226C2
Source: C:\Users\user\AppData\Roaming\System.exe Code function: 12_2_00E126B0 push edi; ret 12_2_00E126C2

Persistence and Installation Behavior:

Drops PE files with benign system names
Source: C:\Users\user\AppData\Roaming\System.exe File created: C:\svchost.exe Jump to dropped file
Drops PE files
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe File created: C:\Users\user\AppData\Roaming\System.exe Jump to dropped file
Source: C:\Users\user\AppData\Roaming\System.exe File created: C:\svchost.exe Jump to dropped file
Source: C:\Users\user\AppData\Roaming\System.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe Jump to dropped file

Boot Survival:

Drops PE files to the startup folder
Source: C:\Users\user\AppData\Roaming\System.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe Jump to dropped file
Creates autostart registry keys with suspicious names
Source: C:\Users\user\AppData\Roaming\System.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 9156ea52d892a71a5c604fdd4141de82 Jump to behavior
Stores files to the Windows start menu directory
Source: C:\Users\user\AppData\Roaming\System.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\System.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe\:Zone.Identifier:$DATA Jump to behavior
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\AppData\Roaming\System.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\System.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 9156ea52d892a71a5c604fdd4141de82 Jump to behavior
Source: C:\Users\user\AppData\Roaming\System.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 9156ea52d892a71a5c604fdd4141de82 Jump to behavior
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (21 identical entries)
Source: C:\Users\user\AppData\Roaming\System.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (45 identical entries)
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (2 identical entries)
Source: C:\Users\user\AppData\Roaming\System.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (54 identical entries)

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe TID: 7004 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\System.exe TID: 4192 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\System.exe TID: 5528 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\System.exe TID: 404 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\System.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Roaming\System.exe Window / User API: threadDelayed 4306
Source: C:\Users\user\AppData\Roaming\System.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\System.exe Thread delayed: delay time: 922337203685477
Source: System.exe, 00000004.00000002.572270023.00000000012DC000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllE
Source: netsh.exe, 00000006.00000002.342892015.0000000000CC8000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\AppData\Roaming\System.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, kl.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: System.exe.0.dr, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: System.exe.0.dr, kl.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: 0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, kl.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: 0.2.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 0.2.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, kl.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: 9156ea52d892a71a5c604fdd4141de82.exe.4.dr, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 9156ea52d892a71a5c604fdd4141de82.exe.4.dr, kl.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: svchost.exe.4.dr, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: svchost.exe.4.dr, kl.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: 4.0.System.exe.c70000.0.unpack, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 4.0.System.exe.c70000.0.unpack, kl.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: 4.2.System.exe.c70000.0.unpack, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 4.2.System.exe.c70000.0.unpack, kl.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: 4.0.System.exe.c70000.2.unpack, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 4.0.System.exe.c70000.2.unpack, kl.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: 4.0.System.exe.c70000.3.unpack, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 4.0.System.exe.c70000.3.unpack, kl.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: 4.0.System.exe.c70000.1.unpack, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 4.0.System.exe.c70000.1.unpack, kl.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: 9.0.System.exe.f50000.0.unpack, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 9.0.System.exe.f50000.0.unpack, kl.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: 9.2.System.exe.f50000.0.unpack, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 9.2.System.exe.f50000.0.unpack, kl.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: 11.0.System.exe.50000.0.unpack, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 11.0.System.exe.50000.0.unpack, kl.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: 11.2.System.exe.50000.0.unpack, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 11.2.System.exe.50000.0.unpack, kl.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: 12.0.System.exe.510000.0.unpack, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 12.0.System.exe.510000.0.unpack, kl.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: 12.2.System.exe.510000.0.unpack, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 12.2.System.exe.510000.0.unpack, kl.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe Process created: C:\Users\user\AppData\Roaming\System.exe "C:\Users\user\AppData\Roaming\System.exe"
Source: System.exe, 00000004.00000002.573266269.0000000003431000.00000004.00000001.sdmp, System.exe, 00000004.00000002.574069298.0000000003691000.00000004.00000001.sdmp Binary or memory string: program managerH
Source: System.exe, 00000004.00000002.572270023.00000000012DC000.00000004.00000020.sdmp Binary or memory string: RhProgram Manager
Source: System.exe, 00000004.00000002.573266269.0000000003431000.00000004.00000001.sdmp, System.exe, 00000004.00000002.573050015.0000000001AF0000.00000002.00020000.sdmp, System.exe, 00000004.00000002.574069298.0000000003691000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: System.exe, 00000004.00000002.573050015.0000000001AF0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: System.exe, 00000004.00000002.573050015.0000000001AF0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: System.exe, 00000004.00000002.573266269.0000000003431000.00000004.00000001.sdmp Binary or memory string: Program Managerraq(
Source: System.exe, 00000004.00000002.573050015.0000000001AF0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: System.exe, 00000004.00000002.573266269.0000000003431000.00000004.00000001.sdmp Binary or memory string: Program Manager|9
Source: System.exe, 00000004.00000002.573266269.0000000003431000.00000004.00000001.sdmp Binary or memory string: Program Manager<

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Roaming\System.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\System.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Uses netsh to modify the Windows network and firewall settings
Source: C:\Users\user\AppData\Roaming\System.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\System.exe" "System.exe" ENABLE
Modifies the windows firewall
Source: C:\Users\user\AppData\Roaming\System.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\System.exe" "System.exe" ENABLE

Stealing of Sensitive Information:

Yara detected Njrat
Source: Yara match File source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, type: SAMPLE
Source: Yara match File source: 4.0.System.exe.c70000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.System.exe.f50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.System.exe.c70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.System.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.System.exe.c70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.System.exe.c70000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.System.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.System.exe.c70000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.System.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.System.exe.f50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.System.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000000.318400224.0000000000C72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.392201898.0000000000512000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.403902841.0000000000512000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.388359726.0000000000052000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.317417479.0000000000C72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.317702364.0000000000C72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.317974918.0000000000C72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.356890184.0000000000F52000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.571615119.0000000000C72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.300280402.0000000000842000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.319076223.0000000000842000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.370029896.0000000000F52000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.376536403.0000000000052000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe PID: 6756, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: System.exe PID: 5628, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: System.exe PID: 6172, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: System.exe PID: 6964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: System.exe PID: 5224, type: MEMORYSTR
Source: Yara match File source: C:\svchost.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\System.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe, type: DROPPED

Remote Access Functionality:

Detected njRat
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, OK.cs .Net Code: njRat config detected
Source: System.exe.0.dr, OK.cs .Net Code: njRat config detected
Source: 0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, OK.cs .Net Code: njRat config detected
Source: 0.2.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, OK.cs .Net Code: njRat config detected
Source: 9156ea52d892a71a5c604fdd4141de82.exe.4.dr, OK.cs .Net Code: njRat config detected
Source: svchost.exe.4.dr, OK.cs .Net Code: njRat config detected
Source: 4.0.System.exe.c70000.0.unpack, OK.cs .Net Code: njRat config detected
Source: 4.2.System.exe.c70000.0.unpack, OK.cs .Net Code: njRat config detected
Source: 4.0.System.exe.c70000.2.unpack, OK.cs .Net Code: njRat config detected
Source: 4.0.System.exe.c70000.3.unpack, OK.cs .Net Code: njRat config detected
Source: 4.0.System.exe.c70000.1.unpack, OK.cs .Net Code: njRat config detected
Source: 9.0.System.exe.f50000.0.unpack, OK.cs .Net Code: njRat config detected
Source: 9.2.System.exe.f50000.0.unpack, OK.cs .Net Code: njRat config detected
Source: 11.0.System.exe.50000.0.unpack, OK.cs .Net Code: njRat config detected
Source: 11.2.System.exe.50000.0.unpack, OK.cs .Net Code: njRat config detected
Source: 12.0.System.exe.510000.0.unpack, OK.cs .Net Code: njRat config detected
Source: 12.2.System.exe.510000.0.unpack, OK.cs .Net Code: njRat config detected
Yara detected Njrat
Source: Yara match File source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, type: SAMPLE
Source: Yara match File source: 4.0.System.exe.c70000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.System.exe.f50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.System.exe.c70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.System.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.System.exe.c70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.System.exe.c70000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.System.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.System.exe.c70000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.System.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.System.exe.f50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.System.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000000.318400224.0000000000C72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.392201898.0000000000512000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.403902841.0000000000512000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.388359726.0000000000052000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.317417479.0000000000C72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.317702364.0000000000C72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.317974918.0000000000C72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.356890184.0000000000F52000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.571615119.0000000000C72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.300280402.0000000000842000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.319076223.0000000000842000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.370029896.0000000000F52000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.376536403.0000000000052000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe PID: 6756, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: System.exe PID: 5628, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: System.exe PID: 6172, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: System.exe PID: 6964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: System.exe PID: 5224, type: MEMORYSTR
Source: Yara match File source: C:\svchost.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\System.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe, type: DROPPED