njrat | 3f330d95bd8bf7c71809189a1aa5285fea9d63fc7d193cda4b827e04bfa16bb3

General

Target

3f330d95bd8bf7c71809189a1aa5285fea9d63fc7d193cda4b827e04bfa16bb3.vbs
Size

188KB
MD5

3b293d74827ff906a5ca3a4e4439e98f
SHA1

76d14a79e2be1543ab79873e7b87f0deee8aad17
SHA256

3f330d95bd8bf7c71809189a1aa5285fea9d63fc7d193cda4b827e04bfa16bb3
SHA512

255295a70314398b0b96d4408f0606d385773accd0d5811cb697ff4f80b58c15f600ef9f18e17b09edfab9879541e6104fc759343cd36e1ed609899598a62d8a

Score

10^/10

njrat |erica|evasion persistence suricata trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

|Erica|

C2

drpc.duckdns.org:1414

Mutex

48d74fcafbfa01ee33743b0d0ea39495

Attributes

reg_key
48d74fcafbfa01ee33743b0d0ea39495
splitter
TOP

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 2 IoCs

Processes:

WScript.exeWSCRIPT.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google.vbs.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google.vbs.vbs	WSCRIPT.EXE

Loads dropped DLL 2 IoCs

Processes:

regsvr32.exeWSCRIPT.EXE

pid process

1232 regsvr32.exe
608 WSCRIPT.EXE

pid	process
1232	regsvr32.exe
608	WSCRIPT.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exeWSCRIPT.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\google.vbs = "WScript.exe //b //e:vbscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\google.vbs\""	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	WSCRIPT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\google.vbs = "WScript.exe //b //e:vbscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\google.vbs\""	WSCRIPT.EXE

Suspicious use of SetThreadContext 1 IoCs

Processes:

WSCRIPT.EXE

description pid process target process

PID 608 set thread context of 1320 608 WSCRIPT.EXE MSBUILD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 608 set thread context of 1320	608	WSCRIPT.EXE	MSBUILD.EXE

Modifies registry class 8 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\DynamicWrapperX	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\DynamicWrapperX\CLSID\ = "{89565275-A714-4a43-912E-978B935EDCCC}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Wow6432Node	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Wow6432Node\CLSID	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\google.vbs.BIN"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\DynamicWrapperX\CLSID	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

MSBUILD.EXE

description	pid	process
Token: SeDebugPrivilege	1320	MSBUILD.EXE
Token: 33	1320	MSBUILD.EXE
Token: SeIncBasePriorityPrivilege	1320	MSBUILD.EXE
Token: 33	1320	MSBUILD.EXE
Token: SeIncBasePriorityPrivilege	1320	MSBUILD.EXE
Token: 33	1320	MSBUILD.EXE
Token: SeIncBasePriorityPrivilege	1320	MSBUILD.EXE
Token: 33	1320	MSBUILD.EXE
Token: SeIncBasePriorityPrivilege	1320	MSBUILD.EXE
Token: 33	1320	MSBUILD.EXE
Token: SeIncBasePriorityPrivilege	1320	MSBUILD.EXE
Token: 33	1320	MSBUILD.EXE
Token: SeIncBasePriorityPrivilege	1320	MSBUILD.EXE
Token: 33	1320	MSBUILD.EXE
Token: SeIncBasePriorityPrivilege	1320	MSBUILD.EXE
Token: 33	1320	MSBUILD.EXE
Token: SeIncBasePriorityPrivilege	1320	MSBUILD.EXE
Token: 33	1320	MSBUILD.EXE
Token: SeIncBasePriorityPrivilege	1320	MSBUILD.EXE
Token: 33	1320	MSBUILD.EXE
Token: SeIncBasePriorityPrivilege	1320	MSBUILD.EXE
Token: 33	1320	MSBUILD.EXE
Token: SeIncBasePriorityPrivilege	1320	MSBUILD.EXE
Token: 33	1320	MSBUILD.EXE
Token: SeIncBasePriorityPrivilege	1320	MSBUILD.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

WScript.exeWSCRIPT.EXEMSBUILD.EXE

description	pid	process	target process
PID 1276 wrote to memory of 608	1276	WScript.exe	WSCRIPT.EXE
PID 1276 wrote to memory of 608	1276	WScript.exe	WSCRIPT.EXE
PID 1276 wrote to memory of 608	1276	WScript.exe	WSCRIPT.EXE
PID 1276 wrote to memory of 608	1276	WScript.exe	WSCRIPT.EXE
PID 608 wrote to memory of 1232	608	WSCRIPT.EXE	regsvr32.exe
PID 608 wrote to memory of 1232	608	WSCRIPT.EXE	regsvr32.exe
PID 608 wrote to memory of 1232	608	WSCRIPT.EXE	regsvr32.exe
PID 608 wrote to memory of 1232	608	WSCRIPT.EXE	regsvr32.exe
PID 608 wrote to memory of 1232	608	WSCRIPT.EXE	regsvr32.exe
PID 608 wrote to memory of 1232	608	WSCRIPT.EXE	regsvr32.exe
PID 608 wrote to memory of 1232	608	WSCRIPT.EXE	regsvr32.exe
PID 608 wrote to memory of 1320	608	WSCRIPT.EXE	MSBUILD.EXE
PID 608 wrote to memory of 1320	608	WSCRIPT.EXE	MSBUILD.EXE
PID 608 wrote to memory of 1320	608	WSCRIPT.EXE	MSBUILD.EXE
PID 608 wrote to memory of 1320	608	WSCRIPT.EXE	MSBUILD.EXE
PID 608 wrote to memory of 1320	608	WSCRIPT.EXE	MSBUILD.EXE
PID 608 wrote to memory of 1320	608	WSCRIPT.EXE	MSBUILD.EXE
PID 1320 wrote to memory of 844	1320	MSBUILD.EXE	netsh.exe
PID 1320 wrote to memory of 844	1320	MSBUILD.EXE	netsh.exe
PID 1320 wrote to memory of 844	1320	MSBUILD.EXE	netsh.exe
PID 1320 wrote to memory of 844	1320	MSBUILD.EXE	netsh.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f330d95bd8bf7c71809189a1aa5285fea9d63fc7d193cda4b827e04bfa16bb3.vbs"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Windows\SYSWOW64\WSCRIPT.EXE
  "C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Admin\AppData\Local\Temp\3f330d95bd8bf7c71809189a1aa5285fea9d63fc7d193cda4b827e04bfa16bb3.vbs"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:608
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\google.vbs.BIN"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:1232
- - C:\Windows\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSBUILD.EXE
    "C:\Windows\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSBUILD.EXE"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1320
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Windows\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSBUILD.EXE" "MSBUILD.EXE" ENABLE
      4⤵
      PID:844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\google.vbs

MD5
3b293d74827ff906a5ca3a4e4439e98f

SHA1
76d14a79e2be1543ab79873e7b87f0deee8aad17

SHA256
3f330d95bd8bf7c71809189a1aa5285fea9d63fc7d193cda4b827e04bfa16bb3

SHA512
255295a70314398b0b96d4408f0606d385773accd0d5811cb697ff4f80b58c15f600ef9f18e17b09edfab9879541e6104fc759343cd36e1ed609899598a62d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\google.vbs.BIN

MD5
e0b8dfd17b8e7de760b273d18e58b142

SHA1
801509fb6783c9e57edc67a72dde3c62080ffbaf

SHA256
4ef3a6703abc6b2b8e2cac3031c1e5b86fe8b377fde92737349ee52bd2604379

SHA512
443359da27b3c87e81ae4f4b9a2ab7e7bf6abfa93551fc62347a0b79b36d79635131abc14d4deddab3ace12fdf973496518f67e1be8dc4903b35fd465835556b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google.vbs.vbs

MD5
3b293d74827ff906a5ca3a4e4439e98f

SHA1
76d14a79e2be1543ab79873e7b87f0deee8aad17

SHA256
3f330d95bd8bf7c71809189a1aa5285fea9d63fc7d193cda4b827e04bfa16bb3

SHA512
255295a70314398b0b96d4408f0606d385773accd0d5811cb697ff4f80b58c15f600ef9f18e17b09edfab9879541e6104fc759343cd36e1ed609899598a62d8a

Download Submit
\Users\Admin\AppData\Local\Temp\google.vbs.BIN

MD5
e0b8dfd17b8e7de760b273d18e58b142

SHA1
801509fb6783c9e57edc67a72dde3c62080ffbaf

SHA256
4ef3a6703abc6b2b8e2cac3031c1e5b86fe8b377fde92737349ee52bd2604379

SHA512
443359da27b3c87e81ae4f4b9a2ab7e7bf6abfa93551fc62347a0b79b36d79635131abc14d4deddab3ace12fdf973496518f67e1be8dc4903b35fd465835556b

Download Submit
\Users\Admin\AppData\Local\Temp\google.vbs.BIN

MD5
e0b8dfd17b8e7de760b273d18e58b142

SHA1
801509fb6783c9e57edc67a72dde3c62080ffbaf

SHA256
4ef3a6703abc6b2b8e2cac3031c1e5b86fe8b377fde92737349ee52bd2604379

SHA512
443359da27b3c87e81ae4f4b9a2ab7e7bf6abfa93551fc62347a0b79b36d79635131abc14d4deddab3ace12fdf973496518f67e1be8dc4903b35fd465835556b

Download Submit
memory/608-71-0x00000000756C1000-0x00000000756C3000-memory.dmp

Filesize
8KB

Download
memory/608-79-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/1320-81-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1320-80-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1320-83-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads