|
5F2000
|
unkown
|
page readonly
|
 |
|
|
| Name: |
00000000.00000000.1175163455.00000000005F2000.00000002.00000001.01000000.00000003.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process new
|
| Regiontype: |
unkown
|
| Protect: |
page readonly
|
| Base address: |
5F2000
|
| Size: |
53248
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Yara detected Njrat |
AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality |
|
| Yara signature match |
System Summary |
|
|
|
3C01000
|
trusted library allocation
|
page read and write
|
|
|
|
| Name: |
00000000.00000002.3641803759.0000000003C01000.00000004.00000800.00020000.00000000.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process exit
|
| Regiontype: |
trusted library allocation
|
| Protect: |
page read and write
|
| Base address: |
3C01000
|
| Size: |
24576
|
|
|
796000
|
stack
|
page read and write
|
|
|
|
| Name: |
00000000.00000002.3638421174.0000000000796000.00000004.00000010.00020000.00000000.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process exit
|
| Regiontype: |
stack
|
| Protect: |
page read and write
|
| Base address: |
796000
|
| Size: |
40960
|
|
|
4F10000
|
trusted library allocation
|
page read and write
|
|
|
|
| Name: |
00000000.00000002.3642741137.0000000004F10000.00000004.00000800.00020000.00000000.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process exit
|
| Regiontype: |
trusted library allocation
|
| Protect: |
page read and write
|
| Base address: |
4F10000
|
| Size: |
65536
|
|
|
B6E000
|
stack
|
page read and write
|
|
|
|
| Name: |
00000000.00000002.3638938519.0000000000B6E000.00000004.00000010.00020000.00000000.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process exit
|
| Regiontype: |
stack
|
| Protect: |
page read and write
|
| Base address: |
B6E000
|
| Size: |
8192
|
|
|
D02000
|
trusted library allocation
|
page execute and read and write
|
|
|
|
| Name: |
00000000.00000002.3639396846.0000000000D02000.00000040.00000800.00020000.00000000.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process exit
|
| Regiontype: |
trusted library allocation
|
| Protect: |
page execute and read and write
|
| Base address: |
D02000
|
| Size: |
4096
|
|
|
DB0000
|
heap
|
page read and write
|
|
|
|
| Name: |
00000000.00000002.3639981340.0000000000DB0000.00000004.00000020.00020000.00000000.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process exit
|
| Regiontype: |
heap
|
| Protect: |
page read and write
|
| Base address: |
DB0000
|
| Size: |
12288
|
|
|
A74000
|
heap
|
page read and write
|
|
|
|
| Name: |
00000000.00000002.3638559250.0000000000A74000.00000004.00000020.00020000.00000000.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process exit
|
| Regiontype: |
heap
|
| Protect: |
page read and write
|
| Base address: |
A74000
|
| Size: |
184320
|
|
|
69A000
|
stack
|
page read and write
|
|
|
|
| Name: |
00000000.00000002.3638320220.000000000069A000.00000004.00000010.00020000.00000000.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process exit
|
| Regiontype: |
stack
|
| Protect: |
page read and write
|
| Base address: |
69A000
|
| Size: |
24576
|
|
|
CEC000
|
trusted library allocation
|
page execute and read and write
|
|
|
|
| Name: |
00000000.00000002.3639305670.0000000000CEC000.00000040.00000800.00020000.00000000.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process exit
|
| Regiontype: |
trusted library allocation
|
| Protect: |
page execute and read and write
|
| Base address: |
CEC000
|
| Size: |
4096
|
|
|
4F69000
|
stack
|
page read and write
|
|
|
|
| Name: |
00000000.00000002.3642793891.0000000004F69000.00000004.00000010.00020000.00000000.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process exit
|
| Regiontype: |
stack
|
| Protect: |
page read and write
|
| Base address: |
4F69000
|
| Size: |
28672
|
|
|
AA9000
|
heap
|
page read and write
|
|
|
|
| Name: |
00000000.00000002.3638559250.0000000000AA9000.00000004.00000020.00020000.00000000.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process exit
|
| Regiontype: |
heap
|
| Protect: |
page read and write
|
| Base address: |
AA9000
|
| Size: |
65536
|
|
|
EBE000
|
stack
|
page read and write
|
|
|
|
| Name: |
00000000.00000002.3640017495.0000000000EBE000.00000004.00000010.00020000.00000000.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process exit
|
| Regiontype: |
stack
|
| Protect: |
page read and write
|
| Base address: |
EBE000
|
| Size: |
8192
|
|
|
A3E000
|
heap
|
page read and write
|
|
|
|
| Name: |
00000000.00000002.3638559250.0000000000A3E000.00000004.00000020.00020000.00000000.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process exit
|
| Regiontype: |
heap
|
| Protect: |
page read and write
|
| Base address: |
A3E000
|
| Size: |
208896
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Sample file is different than original file name gathered from version info |
System Summary |
|
|
|
28BE000
|
stack
|
page read and write
|
|
|
|
| Name: |
00000000.00000002.3640230308.00000000028BE000.00000004.00000010.00020000.00000000.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process exit
|
| Regiontype: |
stack
|
| Protect: |
page read and write
|
| Base address: |
28BE000
|
| Size: |
8192
|
|
|
4E7D000
|
stack
|
page read and write
|
|
|
|
| Name: |
00000000.00000002.3642419385.0000000004E7D000.00000004.00000010.00020000.00000000.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process exit
|
| Regiontype: |
stack
|
| Protect: |
page read and write
|
| Base address: |
4E7D000
|
| Size: |
12288
|
|
|
4DD0000
|
trusted library allocation
|
page read and write
|
|
|
|
| Name: |
00000000.00000002.3642297374.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process exit
|
| Regiontype: |
trusted library allocation
|
| Protect: |
page read and write
|
| Base address: |
4DD0000
|
| Size: |
12288
|
|
|
4C08000
|
trusted library allocation
|
page read and write
|
|
|
|
| Name: |
00000000.00000002.3641860166.0000000004C08000.00000004.00000800.00020000.00000000.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process exit
|
| Regiontype: |
trusted library allocation
|
| Protect: |
page read and write
|
| Base address: |
4C08000
|
| Size: |
8192
|
|
|
2C52000
|
trusted library allocation
|
page read and write
|
|
|
|
| Name: |
00000000.00000002.3640321082.0000000002C52000.00000004.00000800.00020000.00000000.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process exit
|
| Regiontype: |
trusted library allocation
|
| Protect: |
page read and write
|
| Base address: |
2C52000
|
| Size: |
4567040
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| May try to detect the Windows Explorer process (often used for injection) |
HIPS / PFW / Operating System Protection Evasion |
|
|
|
D6E000
|
stack
|
page read and write
|
|
|
|
| Name: |
00000000.00000002.3639621532.0000000000D6E000.00000004.00000010.00020000.00000000.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process exit
|
| Regiontype: |
stack
|
| Protect: |
page read and write
|
| Base address: |
D6E000
|
| Size: |
8192
|
|
|
4DB0000
|
trusted library allocation
|
page read and write
|
|
|
|
| Name: |
00000000.00000002.3642137464.0000000004DB0000.00000004.00000800.00020000.00000000.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process exit
|
| Regiontype: |
trusted library allocation
|
| Protect: |
page read and write
|
| Base address: |
4DB0000
|
| Size: |
65536
|
|
|
4F00000
|
trusted library allocation
|
page execute and read and write
|
|
|
|
| Name: |
00000000.00000002.3642671624.0000000004F00000.00000040.00000800.00020000.00000000.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process exit
|
| Regiontype: |
trusted library allocation
|
| Protect: |
page execute and read and write
|
| Base address: |
4F00000
|
| Size: |
8192
|
|
|
BE7000
|
trusted library allocation
|
page read and write
|
|
|
|
| Name: |
00000000.00000002.3638970891.0000000000BE7000.00000004.00000800.00020000.00000000.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process exit
|
| Regiontype: |
trusted library allocation
|
| Protect: |
page read and write
|
| Base address: |
BE7000
|
| Size: |
4096
|
|
|
D80000
|
heap
|
page read and write
|
|
|
|
| Name: |
00000000.00000002.3639647681.0000000000D80000.00000004.00000020.00020000.00000000.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process exit
|
| Regiontype: |
heap
|
| Protect: |
page read and write
|
| Base address: |
D80000
|
| Size: |
4096
|
|
|
4F20000
|
heap
|
page read and write
|
|
|
|
| Name: |
00000000.00000002.3642770774.0000000004F20000.00000004.00000020.00020000.00000000.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process exit
|
| Regiontype: |
heap
|
| Protect: |
page read and write
|
| Base address: |
4F20000
|
| Size: |
4096
|
|
|
BF0000
|
heap
|
page read and write
|
|
|
|
| Name: |
00000000.00000002.3639053815.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process exit
|
| Regiontype: |
heap
|
| Protect: |
page read and write
|
| Base address: |
BF0000
|
| Size: |
16384
|
|
|
30AE000
|
trusted library allocation
|
page read and write
|
|
|
|
| Name: |
00000000.00000002.3640321082.00000000030AE000.00000004.00000800.00020000.00000000.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process exit
|
| Regiontype: |
trusted library allocation
|
| Protect: |
page read and write
|
| Base address: |
30AE000
|
| Size: |
1118208
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| May try to detect the Windows Explorer process (often used for injection) |
HIPS / PFW / Operating System Protection Evasion |
|
|
|
D1B000
|
trusted library allocation
|
page execute and read and write
|
|
|
|
| Name: |
00000000.00000002.3639489882.0000000000D1B000.00000040.00000800.00020000.00000000.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process exit
|
| Regiontype: |
trusted library allocation
|
| Protect: |
page execute and read and write
|
| Base address: |
D1B000
|
| Size: |
4096
|
|
|
600000
|
unkown
|
page readonly
|
|
|
|
| Name: |
00000000.00000000.1175163455.0000000000600000.00000002.00000001.01000000.00000003.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process new
|
| Regiontype: |
unkown
|
| Protect: |
page readonly
|
| Base address: |
600000
|
| Size: |
4096
|
|
|
D17000
|
trusted library allocation
|
page execute and read and write
|
|
|
|
| Name: |
00000000.00000002.3639469773.0000000000D17000.00000040.00000800.00020000.00000000.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process exit
|
| Regiontype: |
trusted library allocation
|
| Protect: |
page execute and read and write
|
| Base address: |
D17000
|
| Size: |
4096
|
|
|
A00000
|
heap
|
page read and write
|
|
|
|
| Name: |
00000000.00000002.3638456349.0000000000A00000.00000004.00000020.00040000.00000000.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process exit
|
| Regiontype: |
heap
|
| Protect: |
page read and write
|
| Base address: |
A00000
|
| Size: |
4096
|
|
|
4EFC000
|
stack
|
page read and write
|
|
|
|
| Name: |
00000000.00000002.3642589590.0000000004EFC000.00000004.00000010.00020000.00000000.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process exit
|
| Regiontype: |
stack
|
| Protect: |
page read and write
|
| Base address: |
4EFC000
|
| Size: |
16384
|
|
|
2C01000
|
trusted library allocation
|
page read and write
|
|
|
|
| Name: |
00000000.00000002.3640321082.0000000002C01000.00000004.00000800.00020000.00000000.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process exit
|
| Regiontype: |
trusted library allocation
|
| Protect: |
page read and write
|
| Base address: |
2C01000
|
| Size: |
212992
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) |
Malware Analysis System Evasion |
Security Software Discovery
|
| AV process strings found (often used to terminate AV products) |
Lowering of HIPS / PFW / Operating System Security Settings |
Security Software Discovery
|
|
|
D20000
|
heap
|
page read and write
|
|
|
|
| Name: |
00000000.00000002.3639525187.0000000000D20000.00000004.00000020.00020000.00000000.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process exit
|
| Regiontype: |
heap
|
| Protect: |
page read and write
|
| Base address: |
D20000
|
| Size: |
12288
|
|
|
4FD0000
|
unclassified section
|
page read and write
|
|
|
|
| Name: |
00000000.00000002.3642895678.0000000004FD0000.00000004.10000000.00040000.00000000.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process exit
|
| Regiontype: |
unclassified section
|
| Protect: |
page read and write
|
| Base address: |
4FD0000
|
| Size: |
4096
|
|
|
BE0000
|
trusted library allocation
|
page read and write
|
|
|
|
| Name: |
00000000.00000002.3638970891.0000000000BE0000.00000004.00000800.00020000.00000000.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process exit
|
| Regiontype: |
trusted library allocation
|
| Protect: |
page read and write
|
| Base address: |
BE0000
|
| Size: |
8192
|
|
|
D12000
|
trusted library allocation
|
page read and write
|
|
|
|
| Name: |
00000000.00000002.3639449150.0000000000D12000.00000004.00000800.00020000.00000000.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process exit
|
| Regiontype: |
trusted library allocation
|
| Protect: |
page read and write
|
| Base address: |
D12000
|
| Size: |
4096
|
|
|
CE2000
|
trusted library allocation
|
page execute and read and write
|
|
|
|
| Name: |
00000000.00000002.3639238352.0000000000CE2000.00000040.00000800.00020000.00000000.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process exit
|
| Regiontype: |
trusted library allocation
|
| Protect: |
page execute and read and write
|
| Base address: |
CE2000
|
| Size: |
20480
|
|
|
CD2000
|
trusted library allocation
|
page execute and read and write
|
|
|
|
| Name: |
00000000.00000002.3639127475.0000000000CD2000.00000040.00000800.00020000.00000000.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process exit
|
| Regiontype: |
trusted library allocation
|
| Protect: |
page execute and read and write
|
| Base address: |
CD2000
|
| Size: |
4096
|
|
|
5F0000
|
unkown
|
page readonly
|
|
|
|
| Name: |
00000000.00000000.1175151435.00000000005F0000.00000002.00000001.01000000.00000003.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process new
|
| Regiontype: |
unkown
|
| Protect: |
page readonly
|
| Base address: |
5F0000
|
| Size: |
4096
|
|
|
DA0000
|
heap
|
page read and write
|
|
|
|
| Name: |
00000000.00000002.3639887200.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process exit
|
| Regiontype: |
heap
|
| Protect: |
page read and write
|
| Base address: |
DA0000
|
| Size: |
12288
|
|
|
4DC0000
|
trusted library allocation
|
page execute and read and write
|
|
|
|
| Name: |
00000000.00000002.3642224196.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process exit
|
| Regiontype: |
trusted library allocation
|
| Protect: |
page execute and read and write
|
| Base address: |
4DC0000
|
| Size: |
12288
|
|
|
A10000
|
heap
|
page read and write
|
|
|
|
| Name: |
00000000.00000002.3638494160.0000000000A10000.00000004.00000020.00020000.00000000.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process exit
|
| Regiontype: |
heap
|
| Protect: |
page read and write
|
| Base address: |
A10000
|
| Size: |
8192
|
|
|
4EBC000
|
stack
|
page read and write
|
|
|
|
| Name: |
00000000.00000002.3642512733.0000000004EBC000.00000004.00000010.00020000.00000000.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process exit
|
| Regiontype: |
stack
|
| Protect: |
page read and write
|
| Base address: |
4EBC000
|
| Size: |
16384
|
|
|
4D9F000
|
stack
|
page read and write
|
|
|
|
| Name: |
00000000.00000002.3642071243.0000000004D9F000.00000004.00000010.00020000.00000000.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process exit
|
| Regiontype: |
stack
|
| Protect: |
page read and write
|
| Base address: |
4D9F000
|
| Size: |
4096
|
|
|
A30000
|
heap
|
page read and write
|
|
|
|
| Name: |
00000000.00000002.3638559250.0000000000A30000.00000004.00000020.00020000.00000000.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process exit
|
| Regiontype: |
heap
|
| Protect: |
page read and write
|
| Base address: |
A30000
|
| Size: |
36864
|
|
|
D0A000
|
trusted library allocation
|
page execute and read and write
|
|
|
|
| Name: |
00000000.00000002.3639420587.0000000000D0A000.00000040.00000800.00020000.00000000.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process exit
|
| Regiontype: |
trusted library allocation
|
| Protect: |
page execute and read and write
|
| Base address: |
D0A000
|
| Size: |
4096
|
|
|
CEA000
|
trusted library allocation
|
page execute and read and write
|
|
|
|
| Name: |
00000000.00000002.3639271490.0000000000CEA000.00000040.00000800.00020000.00000000.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process exit
|
| Regiontype: |
trusted library allocation
|
| Protect: |
page execute and read and write
|
| Base address: |
CEA000
|
| Size: |
4096
|
|
|
A3A000
|
heap
|
page read and write
|
|
|
|
| Name: |
00000000.00000002.3638559250.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process exit
|
| Regiontype: |
heap
|
| Protect: |
page read and write
|
| Base address: |
A3A000
|
| Size: |
8192
|
|
|
AC0000
|
heap
|
page read and write
|
|
|
|
| Name: |
00000000.00000002.3638559250.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process exit
|
| Regiontype: |
heap
|
| Protect: |
page read and write
|
| Base address: |
AC0000
|
| Size: |
143360
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory) |
Malware Analysis System Evasion |
Security Software Discovery
|
| URLs found in memory or binary data |
Networking |
|
|
|
BF5000
|
heap
|
page read and write
|
|
|
|
| Name: |
00000000.00000002.3639053815.0000000000BF5000.00000004.00000020.00020000.00000000.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process exit
|
| Regiontype: |
heap
|
| Protect: |
page read and write
|
| Base address: |
BF5000
|
| Size: |
12288
|
|
|
CE0000
|
trusted library allocation
|
page read and write
|
|
|
|
| Name: |
00000000.00000002.3639200490.0000000000CE0000.00000004.00000800.00020000.00000000.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process exit
|
| Regiontype: |
trusted library allocation
|
| Protect: |
page read and write
|
| Base address: |
CE0000
|
| Size: |
8192
|
|
|
CFA000
|
trusted library allocation
|
page execute and read and write
|
|
|
|
| Name: |
00000000.00000002.3639376810.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process exit
|
| Regiontype: |
trusted library allocation
|
| Protect: |
page execute and read and write
|
| Base address: |
CFA000
|
| Size: |
4096
|
|
|
AA4000
|
heap
|
page read and write
|
|
|
|
| Name: |
00000000.00000002.3638559250.0000000000AA4000.00000004.00000020.00020000.00000000.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process exit
|
| Regiontype: |
heap
|
| Protect: |
page read and write
|
| Base address: |
AA4000
|
| Size: |
16384
|
|
|
CF7000
|
trusted library allocation
|
page execute and read and write
|
|
|
|
| Name: |
00000000.00000002.3639336306.0000000000CF7000.00000040.00000800.00020000.00000000.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process exit
|
| Regiontype: |
trusted library allocation
|
| Protect: |
page execute and read and write
|
| Base address: |
CF7000
|
| Size: |
4096
|
|
|
11A0000
|
heap
|
page execute and read and write
|
|
|
|
| Name: |
00000000.00000002.3640098028.00000000011A0000.00000040.00000020.00020000.00000000.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process exit
|
| Regiontype: |
heap
|
| Protect: |
page execute and read and write
|
| Base address: |
11A0000
|
| Size: |
4096
|
|
|
118E000
|
stack
|
page read and write
|
|
|
|
| Name: |
00000000.00000002.3640057535.000000000118E000.00000004.00000010.00020000.00000000.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process exit
|
| Regiontype: |
stack
|
| Protect: |
page read and write
|
| Base address: |
118E000
|
| Size: |
8192
|
|
|
CDA000
|
trusted library allocation
|
page execute and read and write
|
|
|
|
| Name: |
00000000.00000002.3639165162.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp
|
| TargetID: |
0
|
| Dumpstage: |
process exit
|
| Regiontype: |
trusted library allocation
|
| Protect: |
page execute and read and write
|
| Base address: |
CDA000
|
| Size: |
8192
|
|
