Analysis
-
max time kernel
299s -
max time network
350s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
31-08-2021 02:16
Static task
static1
Behavioral task
behavioral1
Sample
456-Invoice.js
Resource
win7v20210408
General
-
Target
456-Invoice.js
-
Size
166KB
-
MD5
c000b245272ad81b74958689e4b3352e
-
SHA1
ce74042c88b852c6a5b00186096f0ce42afc38b6
-
SHA256
f19462db16c63e8c26095f8ee024340649e0b2cb26a9ba9d08691b6d01e4f2be
-
SHA512
f9b3f811a4be2bee356d9265d15a20a00d41b4a5933d8ab5adcf683ce23cab0ac0b6a7cbdbc97abb509385082aa038d11f1b4f8e502f61e6a42535bbd4df155c
Malware Config
Extracted
njrat
0.7.3
SUCCEED
194.5.97.156:7654
Client.exe
-
reg_key
Client.exe
-
splitter
0149266241@@@
Signatures
-
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
-
Blocklisted process makes network request 36 IoCs
Processes:
wscript.exeflow pid process 5 1244 wscript.exe 7 1244 wscript.exe 8 1244 wscript.exe 10 1244 wscript.exe 11 1244 wscript.exe 12 1244 wscript.exe 14 1244 wscript.exe 15 1244 wscript.exe 16 1244 wscript.exe 18 1244 wscript.exe 19 1244 wscript.exe 20 1244 wscript.exe 22 1244 wscript.exe 23 1244 wscript.exe 24 1244 wscript.exe 26 1244 wscript.exe 27 1244 wscript.exe 28 1244 wscript.exe 30 1244 wscript.exe 31 1244 wscript.exe 32 1244 wscript.exe 34 1244 wscript.exe 35 1244 wscript.exe 36 1244 wscript.exe 38 1244 wscript.exe 39 1244 wscript.exe 40 1244 wscript.exe 42 1244 wscript.exe 43 1244 wscript.exe 44 1244 wscript.exe 46 1244 wscript.exe 47 1244 wscript.exe 48 1244 wscript.exe 50 1244 wscript.exe 51 1244 wscript.exe 52 1244 wscript.exe -
Executes dropped EXE 1 IoCs
Processes:
New Client.exepid process 1576 New Client.exe -
Drops startup file 2 IoCs
Processes:
wscript.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YgrKtkfSUZ.js wscript.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YgrKtkfSUZ.js wscript.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
wscript.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run wscript.exe Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\YgrKtkfSUZ.js\"" wscript.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
New Client.exedescription pid process Token: SeDebugPrivilege 1576 New Client.exe Token: 33 1576 New Client.exe Token: SeIncBasePriorityPrivilege 1576 New Client.exe Token: 33 1576 New Client.exe Token: SeIncBasePriorityPrivilege 1576 New Client.exe Token: 33 1576 New Client.exe Token: SeIncBasePriorityPrivilege 1576 New Client.exe Token: 33 1576 New Client.exe Token: SeIncBasePriorityPrivilege 1576 New Client.exe Token: 33 1576 New Client.exe Token: SeIncBasePriorityPrivilege 1576 New Client.exe Token: 33 1576 New Client.exe Token: SeIncBasePriorityPrivilege 1576 New Client.exe Token: 33 1576 New Client.exe Token: SeIncBasePriorityPrivilege 1576 New Client.exe Token: 33 1576 New Client.exe Token: SeIncBasePriorityPrivilege 1576 New Client.exe Token: 33 1576 New Client.exe Token: SeIncBasePriorityPrivilege 1576 New Client.exe Token: 33 1576 New Client.exe Token: SeIncBasePriorityPrivilege 1576 New Client.exe Token: 33 1576 New Client.exe Token: SeIncBasePriorityPrivilege 1576 New Client.exe Token: 33 1576 New Client.exe Token: SeIncBasePriorityPrivilege 1576 New Client.exe Token: 33 1576 New Client.exe Token: SeIncBasePriorityPrivilege 1576 New Client.exe Token: 33 1576 New Client.exe Token: SeIncBasePriorityPrivilege 1576 New Client.exe Token: 33 1576 New Client.exe Token: SeIncBasePriorityPrivilege 1576 New Client.exe Token: 33 1576 New Client.exe Token: SeIncBasePriorityPrivilege 1576 New Client.exe Token: 33 1576 New Client.exe Token: SeIncBasePriorityPrivilege 1576 New Client.exe Token: 33 1576 New Client.exe Token: SeIncBasePriorityPrivilege 1576 New Client.exe Token: 33 1576 New Client.exe Token: SeIncBasePriorityPrivilege 1576 New Client.exe Token: 33 1576 New Client.exe Token: SeIncBasePriorityPrivilege 1576 New Client.exe Token: 33 1576 New Client.exe Token: SeIncBasePriorityPrivilege 1576 New Client.exe Token: 33 1576 New Client.exe Token: SeIncBasePriorityPrivilege 1576 New Client.exe Token: 33 1576 New Client.exe Token: SeIncBasePriorityPrivilege 1576 New Client.exe Token: 33 1576 New Client.exe Token: SeIncBasePriorityPrivilege 1576 New Client.exe Token: 33 1576 New Client.exe Token: SeIncBasePriorityPrivilege 1576 New Client.exe Token: 33 1576 New Client.exe Token: SeIncBasePriorityPrivilege 1576 New Client.exe Token: 33 1576 New Client.exe Token: SeIncBasePriorityPrivilege 1576 New Client.exe Token: 33 1576 New Client.exe Token: SeIncBasePriorityPrivilege 1576 New Client.exe Token: 33 1576 New Client.exe Token: SeIncBasePriorityPrivilege 1576 New Client.exe Token: 33 1576 New Client.exe Token: SeIncBasePriorityPrivilege 1576 New Client.exe Token: 33 1576 New Client.exe Token: SeIncBasePriorityPrivilege 1576 New Client.exe Token: 33 1576 New Client.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
wscript.exeNew Client.exedescription pid process target process PID 1940 wrote to memory of 1244 1940 wscript.exe wscript.exe PID 1940 wrote to memory of 1244 1940 wscript.exe wscript.exe PID 1940 wrote to memory of 1244 1940 wscript.exe wscript.exe PID 1940 wrote to memory of 1576 1940 wscript.exe New Client.exe PID 1940 wrote to memory of 1576 1940 wscript.exe New Client.exe PID 1940 wrote to memory of 1576 1940 wscript.exe New Client.exe PID 1940 wrote to memory of 1576 1940 wscript.exe New Client.exe PID 1576 wrote to memory of 364 1576 New Client.exe schtasks.exe PID 1576 wrote to memory of 364 1576 New Client.exe schtasks.exe PID 1576 wrote to memory of 364 1576 New Client.exe schtasks.exe PID 1576 wrote to memory of 364 1576 New Client.exe schtasks.exe PID 1576 wrote to memory of 1952 1576 New Client.exe schtasks.exe PID 1576 wrote to memory of 1952 1576 New Client.exe schtasks.exe PID 1576 wrote to memory of 1952 1576 New Client.exe schtasks.exe PID 1576 wrote to memory of 1952 1576 New Client.exe schtasks.exe
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\456-Invoice.js1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\YgrKtkfSUZ.js"2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\New Client.exe"C:\Users\Admin\AppData\Local\Temp\New Client.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /tn NYAN /F3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\New Client.exe" /sc minute /mo 13⤵
- Creates scheduled task(s)
-
C:\Windows\system32\taskeng.exetaskeng.exe {E26D955A-383B-4BBD-9FFE-010DEF0C7E78} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\New Client.exeMD5
4c1c9fdf28215ae2f0f681349b66bbff
SHA18ab23d0ee7a361c8f29622fa9ba05f6644e24e9a
SHA25650842fb63d2308152a3d6c25bf5c45b2a71906193e299975401e8cc5189abd7a
SHA512f0415187e7f7dc15546ea4bc8e6c53281aa407df064a2d73e0360e796caf807430d7ab565ba842e8d1c58c1bc35eefffcd868042c65357906a625b92064e96c5
-
C:\Users\Admin\AppData\Local\Temp\New Client.exeMD5
4c1c9fdf28215ae2f0f681349b66bbff
SHA18ab23d0ee7a361c8f29622fa9ba05f6644e24e9a
SHA25650842fb63d2308152a3d6c25bf5c45b2a71906193e299975401e8cc5189abd7a
SHA512f0415187e7f7dc15546ea4bc8e6c53281aa407df064a2d73e0360e796caf807430d7ab565ba842e8d1c58c1bc35eefffcd868042c65357906a625b92064e96c5
-
C:\Users\Admin\AppData\Roaming\YgrKtkfSUZ.jsMD5
4e1188211bc0a1f728e5a97cf47a7105
SHA1740914054d0824fbacf494855eb9121355a49740
SHA256ada3ac15b6fd893f1f8b1a4ad1f6d4cbc86c566c0d5a639c4dda15f4727f2cee
SHA512b37d9c26c44b45e89a4732439480bf6d09e292fb85ef054a4a591cb7228eeef0f8595aeaf12824771c033297ea218996d6e4c9006972c15a58d02b89365b2a14
-
memory/364-66-0x0000000000000000-mapping.dmp
-
memory/1244-59-0x0000000000000000-mapping.dmp
-
memory/1576-61-0x0000000000000000-mapping.dmp
-
memory/1576-64-0x0000000075C31000-0x0000000075C33000-memory.dmpFilesize
8KB
-
memory/1576-65-0x0000000002160000-0x0000000002161000-memory.dmpFilesize
4KB
-
memory/1576-68-0x0000000002161000-0x0000000002162000-memory.dmpFilesize
4KB
-
memory/1952-67-0x0000000000000000-mapping.dmp