Analysis
max time kernel: 151s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 16-06-2022 10:42
Static task: static1
Behavioral task: behavioral1 (Sample: File 2.js; Resource: win7-20220414-en)
Behavioral task: behavioral2 (Sample: File 2.js; Resource: win10v2004-20220414-en)
General
Target: File 2.js
Size: 51KB
MD5: 199c37a6953be6415f368cafa8525133
SHA1: c28cfdd4d9f80ba3873a134f9f21815e0b6540bc
SHA256: cfe9dc76a15fae96808fa814135113d763fcf418aae410cea34580b15fb00edd
SHA512: 4cb1beada3ec189732331926b5db39d51654dbea5ae9bfe764d63636adf788312c2be7513c40186480d4140882b0a251dda292e7437aa3fc8ca437508ba7c044
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: HacKed By MustyMoney
C2: 104.168.7.110:5552
Mutex: 72f64d4ec723544c65ffca1cd7ba4ee6
Attributes:
  reg_key: 72f64d4ec723544c65ffca1cd7ba4ee6
  splitter: |'|'|
Signatures
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
Blocklisted process makes network request (60 IoCs)
Processes: wscript.exe (pid 2892), wscript.exe (pid 4440), wscript.exe (pid 404)
Network flows per process (flow ids in report order):
  pid 2892 wscript.exe: 3, 5, 10, 13, 22, 26, 42, 44, 47, 50, 53, 55, 57, 62, 63, 66, 67, 71, 73, 75, 78, 79, 82, 84, 86, 89, 90, 93 (28 flows)
  pid 4440 wscript.exe: 4, 11, 23, 41, 45, 51, 54, 60, 64, 69, 72, 76, 80, 83, 87, 91 (16 flows)
  pid 404 wscript.exe: 8, 12, 24, 43, 46, 52, 56, 61, 65, 70, 74, 77, 81, 85, 88, 92 (16 flows)
Executes dropped EXE (1 IoC)
Processes: Server.exe
  pid 1744  Server.exe
Modifies Windows Firewall (1 TTP, 1 IoC)
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: wscript.exe, wscript.exe, WScript.exe
  description        ioc                                                                                              process
  Key value queried  \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation  wscript.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation  wscript.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation  WScript.exe
Drops startup file (6 IoCs)
Processes: wscript.exe, wscript.exe, wscript.exe
  description                   ioc                                                                                       process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hwo1.vbs        wscript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hwo1.vbs        wscript.exe
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oCrgSTqqkH.js   wscript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oCrgSTqqkH.js   wscript.exe
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NYWMTCgCLF.js   wscript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NYWMTCgCLF.js   wscript.exe
Adds Run key to start application (2 TTPs, 10 IoCs)
Processes: wscript.exe, wscript.exe, wscript.exe, Server.exe
  description      ioc                                                                                                                                                                             process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hwo1 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\hwo1.vbs\""          wscript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\oCrgSTqqkH.js\""             wscript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\NYWMTCgCLF.js\""             wscript.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\72f64d4ec723544c65ffca1cd7ba4ee6 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Server.exe\" .."                                  Server.exe
  Key created      \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\software\microsoft\windows\currentversion\run                                                                                  wscript.exe
  Key created      \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run                                                                                                                                wscript.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hwo1 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\hwo1.vbs\""                                                    wscript.exe
  Key created      \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                                  wscript.exe
  Key created      \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                                  wscript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\72f64d4ec723544c65ffca1cd7ba4ee6 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Server.exe\" .."  Server.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (1 IoC)
Processes: wscript.exe
  description  ioc                                                                                  process
  Key created  \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings  wscript.exe
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes: Server.exe
  pid 1744  Server.exe
Suspicious use of AdjustPrivilegeToken (33 IoCs)
Processes: Server.exe
  description                       pid   process
  Token: SeDebugPrivilege           1744  Server.exe
  Token: 33                         1744  Server.exe   (16 occurrences, alternating with the entry below)
  Token: SeIncBasePriorityPrivilege 1744  Server.exe   (16 occurrences)
Suspicious use of WriteProcessMemory (12 IoCs)
Processes: wscript.exe, wscript.exe, WScript.exe, Server.exe
  description                      pid   process      target process
  PID 1152 wrote to memory of 4440  1152  wscript.exe  wscript.exe
  PID 1152 wrote to memory of 4440  1152  wscript.exe  wscript.exe
  PID 1152 wrote to memory of 2892  1152  wscript.exe  wscript.exe
  PID 1152 wrote to memory of 2892  1152  wscript.exe  wscript.exe
  PID 2892 wrote to memory of 4964  2892  wscript.exe  WScript.exe
  PID 2892 wrote to memory of 4964  2892  wscript.exe  WScript.exe
  PID 4964 wrote to memory of 404   4964  WScript.exe  wscript.exe
  PID 4964 wrote to memory of 404   4964  WScript.exe  wscript.exe
  PID 4964 wrote to memory of 1744  4964  WScript.exe  Server.exe
  PID 4964 wrote to memory of 1744  4964  WScript.exe  Server.exe
  PID 1744 wrote to memory of 1460  1744  Server.exe   netsh.exe
  PID 1744 wrote to memory of 1460  1744  Server.exe   netsh.exe
Processes (tree; indentation shows parent/child)
C:\Windows\system32\wscript.exe
  command: wscript.exe "C:\Users\Admin\AppData\Local\Temp\File 2.js"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\wscript.exe
    command: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\oCrgSTqqkH.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  C:\Windows\System32\wscript.exe
    command: "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\hwo1.vbs"
    - Blocklisted process makes network request
    - Checks computer location settings
    - Drops startup file
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\WScript.exe
      command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\EBVIYD~1.JS"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\wscript.exe
        command: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\NYWMTCgCLF.js"
        - Blocklisted process makes network request
        - Drops startup file
        - Adds Run key to start application
      C:\Users\Admin\AppData\Roaming\Server.exe
        command: "C:\Users\Admin\AppData\Roaming\Server.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\SYSTEM32\netsh.exe
          command: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Server.exe" "Server.exe" ENABLE
          - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\EBVIYD~1.JS
  Filesize: 69KB
  MD5: 1e7844cfd3891b2b8ccc1ff0c4f005f7
  SHA1: 8d2c5ed0869da9b4146605a9b01bc9e65ff89970
  SHA256: feb5d1bed4c5358d93a65af508a67c777761405f5491426ee3a80b2b1d21d8b0
  SHA512: e826c9c8db9471afc4cbad7437ec59bae342a5107fb8e0f46a34d82440e7d2623ca9950cab872ead2a098c69b2fc0b7e7d0f9925b07927bdc0193c49bab22d9e
C:\Users\Admin\AppData\Roaming\NYWMTCgCLF.js
  Filesize: 10KB
  MD5: fd447e6df0608645bb7c39365c6df8ce
  SHA1: 13a8b0a5ab75f3552188aa409ed072d3ca800fa2
  SHA256: c72a3508ab2c2f766178f28b2f69130ac67219210537a7bef3db71f4a8fdbda8
  SHA512: 5bcc990d0c7c10ae97d6a5067c3cee7473f248e844acd44e0c86c43ad41aa79f446cd7ccbd9b8dea4fd415fceb76bb48e86cb4138045b81c5a4506703c8201ed
C:\Users\Admin\AppData\Roaming\Server.exe
  Filesize: 24KB
  MD5: c2f4ae9580de684b7651bade5022107a
  SHA1: 1e3cbb87a009c26d25469b006713a73d20dc2da7
  SHA256: 9b86135d4413f51f91c65879d2c3377eba9ccfa348f6d882f471f929ca133bb3
  SHA512: 8af8df4b6a79bf4a02437f40f37d5c830fc4a92d282616e49f942d0440c6151c9ffac3ed8c3a4f64e152589a960c02dc3c2726550673c5a143625bf0116b3579
C:\Users\Admin\AppData\Roaming\hwo1.vbs
  Filesize: 13KB
  MD5: 0fa22927ed90ae0bfbc0fbc979d566ff
  SHA1: c6562835566afe7eded525f68a0cfdf6f82b4a0a
  SHA256: 9ec1848a60e25d9bf6f2d3dd2e607e269a259925b143ea20ee7dfbe58f7152e7
  SHA512: 8692696d841a50b811e21384ee040cbeb478cfe5a2f093ed7b6d1869ae910c590ad940771d9f95a76880f4c25d637d4f29fbe14e2c16b6a424e54a48812b7203
C:\Users\Admin\AppData\Roaming\oCrgSTqqkH.js
  Filesize: 10KB
  MD5: 2a51c61b3c71bf82152d9bf999f6d17a
  SHA1: 7797cb26749b99890927c177fbbf7fd82e65c28a
  SHA256: f730012c1425907bc39cc75f7992ab2246f6b560c48e3fccf68f848989708837
  SHA512: aab4bee725b1d776aa07cad3cbe628c1d4069540f1ee8d941cc3fc641f9fa220479b203a83338b99f6d00487f9cb4854184b1f05749dbcc8eff2f5909c8c190f
Memory dumps
memory/404-139-0x0000000000000000-mapping.dmp
memory/1460-146-0x0000000000000000-mapping.dmp
memory/1744-141-0x0000000000000000-mapping.dmp
memory/1744-144-0x0000000000240000-0x000000000024C000-memory.dmp (Filesize: 48KB)
memory/1744-145-0x00007FFAF5EB0000-0x00007FFAF6971000-memory.dmp (Filesize: 10.8MB)
memory/1744-147-0x00007FFAF5EB0000-0x00007FFAF6971000-memory.dmp (Filesize: 10.8MB)
memory/2892-134-0x0000000000000000-mapping.dmp
memory/4440-133-0x0000000000000000-mapping.dmp
memory/4964-137-0x0000000000000000-mapping.dmp