Analysis
max time kernel: 154s
max time network: 168s
platform: windows7_x64
resource: win7-20220414-en
submitted: 16-06-2022 12:26

Static task: static1
Behavioral task: behavioral1
  Sample: MgBMOjoQWC_hwstub.js
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: MgBMOjoQWC_hwstub.js
  Resource: win10v2004-20220414-en
General
Target: MgBMOjoQWC_hwstub.js
Size: 51KB
MD5: 0c7657296a9994e6446ff500bc1b76c3
SHA1: bfdc4584c89faa7f3356549494331ccc8497ab33
SHA256: 692a8be00d69e5d0782766f270046aa871fea041e63d125da9e1252b135623f3
SHA512: 8549c221d3316d3a57feb5c4bdca51ae504f5479e22b83150a9eca82fb0b5f8ef8b2aa134d2b96c5bef42a170cc7c4dc8099606f71fabcd490732f7b8926213d
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet (campaign name): HacKed By MustyMoney
C2: 104.168.7.110:5552
Mutex: 72f64d4ec723544c65ffca1cd7ba4ee6
reg_key: 72f64d4ec723544c65ffca1cd7ba4ee6
splitter: |'|'|

The reg_key string reappears below as the name of the Run value that the dropped Server.exe writes, which ties Server.exe to this njRAT configuration; the JS/VBS stages that drop it trigger the Houdini/H-Worm/WSHRAT signatures instead.
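The splitter and C2 values above describe how an njRAT client talks to its server. The following is an added example, not code from the sample or from the sandbox report: it frames and splits njRAT-style messages the way 0.7d builds do (decimal payload length, a NUL byte, then the payload, with fields joined by the configured splitter) and recognises the "ll" check-in that the njRAT/Bladabindi Suricata rule refers to. The names assigned to the remaining check-in fields and the sample message itself are assumptions constructed for illustration.

```python
"""njRAT-style C2 message framing and field splitting (added example).

Assumes the njRAT 0.7d wire format: <decimal length>\x00<payload>, with
payload fields joined by the splitter from the extracted config above.
The first field is the command keyword; "ll" is the check-in. The field
names in CHECKIN_FIELDS and the constructed sample data are assumptions.
"""
import base64

SPLITTER = b"|'|'|"                                  # from the extracted config
CAMPAIGN_KEY = "72f64d4ec723544c65ffca1cd7ba4ee6"    # reg_key / mutex from the config
C2 = ("104.168.7.110", 5552)                         # C2 from the config

# Assumed order of the fields in an "ll" check-in (illustrative only).
CHECKIN_FIELDS = ["cmd", "victim_b64", "hwid", "host", "user", "date",
                  "unused", "os", "camera", "version", "sep", "window_b64", "flags"]


def frame(payload: bytes) -> bytes:
    """Encode one message as <decimal length>\\x00<payload>."""
    return str(len(payload)).encode() + b"\x00" + payload


def unframe(stream: bytes) -> tuple[list[bytes], bytes]:
    """Pull every complete message off a byte stream. Returns the payloads
    and the unconsumed tail (an incomplete message to keep buffering)."""
    msgs = []
    while True:
        sep = stream.find(b"\x00")
        if sep <= 0 or not stream[:sep].isdigit():
            break                       # no complete length prefix yet
        length = int(stream[:sep])
        start = sep + 1
        if len(stream) < start + length:
            break                       # payload not fully received
        msgs.append(stream[start:start + length])
        stream = stream[start + length:]
    return msgs, stream


def split_fields(payload: bytes) -> list[bytes]:
    return payload.split(SPLITTER)


def is_checkin(payload: bytes) -> bool:
    """True for an "ll" check-in message."""
    return split_fields(payload)[0] == b"ll"


def describe_checkin(payload: bytes) -> dict[str, str]:
    """Name the fields of an "ll" message (assumed layout) and decode the
    base64 victim identifier."""
    fields = split_fields(payload)
    info = {name: f.decode(errors="replace")
            for name, f in zip(CHECKIN_FIELDS, fields)}
    info["victim"] = base64.b64decode(info.get("victim_b64", "")).decode(errors="replace")
    return info


def build_checkin() -> bytes:
    """A constructed check-in in the assumed field order (sample data)."""
    hwid = b"HacKed_ABCDEF1234"         # constructed hardware id
    return SPLITTER.join([
        b"ll", base64.b64encode(hwid), hwid, b"WIN7-PC", b"Admin",
        b"22-06-16", b"", b"Win 7 Ultimate SP1 x64", b"No", b"0.7d", b"..",
        base64.b64encode(b"Program Manager"), b"",
    ])


if __name__ == "__main__":
    wire = frame(build_checkin()) + frame(b"inf" + SPLITTER + b"payload")
    msgs, rest = unframe(wire + b"12\x00partial")   # last message is truncated
    for m in msgs:
        print("check-in" if is_checkin(m) else "other", split_fields(m)[0])
    print("still buffered:", rest)
```

The length prefix is what makes a passive decoder robust: a detector that only searches for the splitter will mis-split when a field itself contains a quote or pipe, whereas unframe() consumes exactly the announced byte count and leaves a truncated tail for the next read.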
Signatures
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
- suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
- suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
-
Blocklisted process makes network request 50 IoCs
Processes: wscript.exe, wscript.exe, wscript.exe
flows per pid:
- pid 1364 wscript.exe: flows 6, 15, 20, 26, 31, 37, 43, 48, 55, 63, 68, 73, 80, 86
- pid 952 wscript.exe: flows 7, 8, 13, 18, 23, 27, 29, 33, 38, 42, 46, 51, 52, 59, 61, 64, 69, 71, 77, 82, 83, 88
- pid 892 wscript.exe: flows 11, 14, 19, 24, 30, 35, 45, 49, 53, 60, 66, 72, 78, 84
-
Executes dropped EXE 1 IoCs
Processes: Server.exe
- pid 1340 Server.exe
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Drops startup file 6 IoCs
Processes: wscript.exe, wscript.exe, wscript.exe
description | ioc | process
- File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hwo1.vbs | wscript.exe
- File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hwo1.vbs | wscript.exe
- File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xkJOOSCzhz.js | wscript.exe
- File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xkJOOSCzhz.js | wscript.exe
- File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NYWMTCgCLF.js | wscript.exe
- File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NYWMTCgCLF.js | wscript.exe
-
Adds Run key to start application 2 TTPs 10 IoCs
Processes: wscript.exe, wscript.exe, Server.exe, wscript.exe
description | ioc | process
- Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\software\microsoft\windows\currentversion\run | wscript.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\hwo1 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\hwo1.vbs\"" | wscript.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hwo1 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\hwo1.vbs\"" | wscript.exe
- Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\NYWMTCgCLF.js\"" | wscript.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\72f64d4ec723544c65ffca1cd7ba4ee6 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Server.exe\" .." | Server.exe
- Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | wscript.exe
- Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\xkJOOSCzhz.js\"" | wscript.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\72f64d4ec723544c65ffca1cd7ba4ee6 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Server.exe\" .." | Server.exe

Three persistence styles are visible here: hwo1 launches the VBS through wscript.exe with //B (batch mode, so script errors and prompts are suppressed); YVBPFHTJIQ points straight at a .js file, relying on the file association, and is written twice in the same user hive with different targets (NYWMTCgCLF.js, then xkJOOSCzhz.js), so the second write replaces the first; and Server.exe registers itself under the reg_key from the njRAT config in both the user hive and HKLM, with the ".." argument njRAT passes to its own autostart entry.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic note for this signature is "likely ransomware behaviour", but nothing else in this report (no file encryption, no ransom note) supports that reading; drive enumeration is also what removable-drive spreading looks like, which both the Houdini/H-Worm family of VBS/JS worms and njRAT are known for and which fits the other signatures above.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: Server.exe
- pid 1340 Server.exe
-
Suspicious use of AdjustPrivilegeToken 17 IoCs
Processes: Server.exe
description | pid | process
- Token: SeDebugPrivilege | 1340 | Server.exe
- Token: 33 | 1340 | Server.exe (8 times, alternating with the entry below)
- Token: SeIncBasePriorityPrivilege | 1340 | Server.exe (8 times)
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes: wscript.exe, wscript.exe, WScript.exe, Server.exe
source pid | source process | target pid | target process
- 1356 | wscript.exe | 1364 | wscript.exe (logged 3 times)
- 1356 | wscript.exe | 952 | wscript.exe (logged 3 times)
- 952 | wscript.exe | 452 | WScript.exe (logged 3 times)
- 452 | WScript.exe | 892 | wscript.exe (logged 3 times)
- 452 | WScript.exe | 1340 | Server.exe (logged 3 times)
- 1340 | Server.exe | 680 | netsh.exe (logged 3 times)

Every write here is from a parent into a child it has just created, which is what process creation itself does while setting up the new process; on its own this is not evidence of code injection. The value of this table is that it gives the pids behind the process tree below.
Processes
depth 1: C:\Windows\system32\wscript.exe (pid 1356, from the WriteProcessMemory table)
  command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\MgBMOjoQWC_hwstub.js
  - Suspicious use of WriteProcessMemory
  depth 2: C:\Windows\System32\wscript.exe (pid 952)
    command line: "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\hwo1.vbs"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    depth 3: C:\Windows\System32\WScript.exe (pid 452)
      command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\EBVIYD~1.JS"
      - Suspicious use of WriteProcessMemory
      depth 4: C:\Windows\System32\wscript.exe (pid 892)
        command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\NYWMTCgCLF.js"
        - Blocklisted process makes network request
        - Drops startup file
        - Adds Run key to start application
      depth 4: C:\Users\Admin\AppData\Roaming\Server.exe (pid 1340)
        command line: "C:\Users\Admin\AppData\Roaming\Server.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        depth 5: C:\Windows\system32\netsh.exe (pid 680)
          command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Server.exe" "Server.exe" ENABLE
          - Modifies Windows Firewall
  depth 2: C:\Windows\System32\wscript.exe (pid 1364)
    command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\xkJOOSCzhz.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
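The Run values, Startup-folder scripts and the netsh firewall exception above are the artefacts a hunt for this sample would key on. The following is an added example, not part of the sandbox report or of the sample: a small set of triage rules run over event records constructed from the values the report lists (plus one constructed benign Run value as a control). It goes slightly beyond the report by also matching the modern "netsh advfirewall firewall add rule" form of the firewall exception. The flat dict layout of the events is an assumption for illustration, not any vendor's log schema.

```python
"""Triage rules for script-host persistence and firewall exceptions
(added example; event records are constructed from the report's IoCs)."""
import re

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
SCRIPT_HOST = re.compile(r"\b[wc]script\.exe\b", re.I)
SCRIPT_FILE = re.compile(r"\.(js|jse|vbs|vbe|wsf)\b", re.I)
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
SILENT_FLAG = re.compile(r"(?<!\S)//B(?!\S)", re.I)   # //B hides script errors and prompts
# Legacy form seen in the report, and the advfirewall form used on newer Windows.
NETSH_ALLOW = re.compile(
    r"netsh\s+(firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule)", re.I)

SID = "S-1-5-21-2277218442-1199762539-2004043321-1000"
HKU = "\\REGISTRY\\USER\\" + SID
HKLM = "\\REGISTRY\\MACHINE"
ROAMING = r"C:\Users\Admin\AppData\Roaming"
STARTUP = ROAMING + r"\Microsoft\Windows\Start Menu\Programs\Startup"


def run_value(hive, name, data, process):
    return {"type": "registry", "process": process, "data": data,
            "path": f"{hive}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\{name}"}


def file_create(path, process):
    return {"type": "file", "process": process, "path": path}


def proc_start(cmdline, parent):
    return {"type": "process", "process": parent, "cmdline": cmdline}


# Constructed from the report's IoCs; the last record is a constructed benign control.
SAMPLE_EVENTS = [
    run_value(HKU, "hwo1", f'wscript.exe //B "{ROAMING}\\hwo1.vbs"', "wscript.exe"),
    run_value(HKLM, "hwo1", f'wscript.exe //B "{ROAMING}\\hwo1.vbs"', "wscript.exe"),
    run_value(HKU, "YVBPFHTJIQ", f'"{ROAMING}\\NYWMTCgCLF.js"', "wscript.exe"),
    run_value(HKLM, "72f64d4ec723544c65ffca1cd7ba4ee6", f'"{ROAMING}\\Server.exe" ..', "Server.exe"),
    run_value(HKU, "YVBPFHTJIQ", f'"{ROAMING}\\xkJOOSCzhz.js"', "wscript.exe"),
    run_value(HKU, "72f64d4ec723544c65ffca1cd7ba4ee6", f'"{ROAMING}\\Server.exe" ..', "Server.exe"),
    file_create(f"{STARTUP}\\hwo1.vbs", "wscript.exe"),
    file_create(f"{STARTUP}\\xkJOOSCzhz.js", "wscript.exe"),
    file_create(f"{STARTUP}\\NYWMTCgCLF.js", "wscript.exe"),
    proc_start(f'netsh firewall add allowedprogram "{ROAMING}\\Server.exe" "Server.exe" ENABLE',
               "Server.exe"),
    run_value(HKU, "ExampleUpdater", r'"C:\Program Files\Example\Updater.exe" /quiet', "msiexec.exe"),
]


def check_registry(ev):
    if not RUN_KEY.search(ev["path"]):
        return []
    data, reasons = ev["data"], []
    if SCRIPT_HOST.search(data) or SCRIPT_FILE.search(data):
        reasons.append("run-key-script")          # script host, or a bare script path
    if SILENT_FLAG.search(data):
        reasons.append("run-key-silent-script")
    if USER_WRITABLE.search(data):
        reasons.append("run-key-user-writable")   # autorun target the user can overwrite
    return reasons


def check_file(ev):
    if not STARTUP_DIR.search(ev["path"]):
        return []
    return ["startup-script" if SCRIPT_FILE.search(ev["path"]) else "startup-file"]


def check_process(ev):
    cmd, reasons = ev["cmdline"], []
    if NETSH_ALLOW.search(cmd):
        reasons.append("firewall-exception")
        if USER_WRITABLE.search(cmd):
            reasons.append("firewall-exception-user-writable")
    return reasons


CHECKS = {"registry": check_registry, "file": check_file, "process": check_process}


def triage(events):
    """Return one finding per event that trips at least one rule, in event order."""
    findings = []
    for i, ev in enumerate(events):
        reasons = CHECKS[ev["type"]](ev)
        if reasons:
            findings.append({"index": i, "process": ev["process"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["index"], f["process"], ", ".join(f["reasons"]))
```

The user-writable check is the one that separates this sample from ordinary autoruns: a Run value or firewall exception that points into AppData can be replaced by any code running as that user, which is exactly what a dropped Server.exe relies on.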
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\EBVIYD~1.JS
  Filesize: 69KB
  MD5: 1e7844cfd3891b2b8ccc1ff0c4f005f7
  SHA1: 8d2c5ed0869da9b4146605a9b01bc9e65ff89970
  SHA256: feb5d1bed4c5358d93a65af508a67c777761405f5491426ee3a80b2b1d21d8b0
  SHA512: e826c9c8db9471afc4cbad7437ec59bae342a5107fb8e0f46a34d82440e7d2623ca9950cab872ead2a098c69b2fc0b7e7d0f9925b07927bdc0193c49bab22d9e
- C:\Users\Admin\AppData\Roaming\NYWMTCgCLF.js
  Filesize: 10KB
  MD5: fd447e6df0608645bb7c39365c6df8ce
  SHA1: 13a8b0a5ab75f3552188aa409ed072d3ca800fa2
  SHA256: c72a3508ab2c2f766178f28b2f69130ac67219210537a7bef3db71f4a8fdbda8
  SHA512: 5bcc990d0c7c10ae97d6a5067c3cee7473f248e844acd44e0c86c43ad41aa79f446cd7ccbd9b8dea4fd415fceb76bb48e86cb4138045b81c5a4506703c8201ed
- C:\Users\Admin\AppData\Roaming\Server.exe
  Filesize: 24KB
  MD5: c2f4ae9580de684b7651bade5022107a
  SHA1: 1e3cbb87a009c26d25469b006713a73d20dc2da7
  SHA256: 9b86135d4413f51f91c65879d2c3377eba9ccfa348f6d882f471f929ca133bb3
  SHA512: 8af8df4b6a79bf4a02437f40f37d5c830fc4a92d282616e49f942d0440c6151c9ffac3ed8c3a4f64e152589a960c02dc3c2726550673c5a143625bf0116b3579
- C:\Users\Admin\AppData\Roaming\hwo1.vbs
  Filesize: 13KB
  MD5: 0fa22927ed90ae0bfbc0fbc979d566ff
  SHA1: c6562835566afe7eded525f68a0cfdf6f82b4a0a
  SHA256: 9ec1848a60e25d9bf6f2d3dd2e607e269a259925b143ea20ee7dfbe58f7152e7
  SHA512: 8692696d841a50b811e21384ee040cbeb478cfe5a2f093ed7b6d1869ae910c590ad940771d9f95a76880f4c25d637d4f29fbe14e2c16b6a424e54a48812b7203
- C:\Users\Admin\AppData\Roaming\xkJOOSCzhz.js
  Filesize: 10KB
  MD5: dffdb0fc6b534c658575b72bfd4826ae
  SHA1: d6cc3039c628b6d9e8a137933fa953e785a9ef0b
  SHA256: 7e4297ebdde73b716fafb213529d79007e6825b786a471ca7e5a52024fddb939
  SHA512: c9f4be68cc09ad027a65745233363940ed7ee7b82ecf919096336ddfec90932ad707ec30089e40f8e2918df2b14f400c96d3d854c0d89ae56897e06e849637ae
-
Memory dumps
- memory/452-61-0x0000000000000000-mapping.dmp
- memory/680-72-0x0000000000000000-mapping.dmp
- memory/892-64-0x0000000000000000-mapping.dmp
- memory/952-56-0x0000000000000000-mapping.dmp
- memory/1340-67-0x0000000000000000-mapping.dmp
- memory/1340-70-0x0000000000CF0000-0x0000000000CFC000-memory.dmp
  Filesize: 48KB
- memory/1356-54-0x000007FEFB751000-0x000007FEFB753000-memory.dmp
  Filesize: 8KB
- memory/1364-55-0x0000000000000000-mapping.dmp